COA displays git credentials in job failure message #231

gberche-orange opened this issue Jan 16, 2019 · 1 comment
Labels
bug security Security related issue

@gberche-orange

Expected behavior

GitLab credentials should not be displayed in Concourse UI job logs, as this may result in credential leaks by operators when sharing diagnostic traces.

Observed behavior

The job teams/main/pipelines/cloudflare-depls-tf-generated/jobs/terraform-apply/builds/10 was producing the following (redacted) output, including login/password in the HTTP URL scheme:

remote: error: cannot lock ref 'refs/heads/master': is at 741eed27503195c717bd8925140684050f5202d2 but expected a9157d66de44c3ae0d4fa0dbc91abc18cfebd8d8
To https://elpaaso-gitlab.my.domain.com/fe-group/secrets.git
 ! [remote rejected] HEAD -> master (failed to update ref)
error: failed to push some refs to 'https://redacted_user:redacted_password@elpaaso-gitlab.my.domain.com/fe-group/secrets.git'
failed with non-rebase error

Root cause is that COA currently does not support specifying git repo private keys supported by the git-resource private_key:

source:
  uri: ((secrets-uri))
  paths: ["<%= depls %>/"]
  branch: ((secrets-branch))
  skip_ssl_verification: true

Suggested fix

  • Add support for SSH private keys in pipelines

Affected release

Reproduced on version 3.2.2

@gberche-orange gberche-orange changed the title COA displays git credentials in job failures message COA displays git credentials in job failure message Jan 16, 2019
@o-orand

o-orand commented Jan 16, 2019

An alternative is to remove user/password from the URL and migrate to the dedicated properties provided by git-resource:

  • username: Optional. Username for HTTP(S) auth when pulling/pushing. This is needed when only HTTP/HTTPS protocol for git is available (which does not support private key auth) and auth is required.
  • password: Optional. Password for HTTP(S) auth when pulling/pushing.

We will have something like:

  - name: paas-templates
    type: git
    source:
      uri: ((paas-templates-uri))
      branch: pipeline-current-((paas-templates-wip-branch))
      username: ((paas-templates-git-username))
      password: ((paas-templates-git-password))
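
Added example, not part of the thread and not COA's own code: a Ruby sketch of the two defensive steps discussed above, scrubbing URL userinfo from job output before a trace is shared, and splitting a credential-bearing URI into the git-resource `uri` / `username` / `password` properties. The names `CRED_URL`, `redact_userinfo`, `split_git_source` and `percent_decode` are hypothetical; the sample log reuses the redacted lines from the issue.

```ruby
# Matches the userinfo part of an http(s) URL: scheme://user[:password]@
CRED_URL = %r{(https?://)([^/\s:@'"]+)(?::([^/\s@'"]*))?@}

# Sample input: the two URL-bearing lines of the redacted output in the issue.
SAMPLE_LOG = <<~LOG
  To https://elpaaso-gitlab.my.domain.com/fe-group/secrets.git
  error: failed to push some refs to 'https://redacted_user:redacted_password@elpaaso-gitlab.my.domain.com/fe-group/secrets.git'
LOG

# Replace any embedded user:password with a fixed marker so the trace
# can be shared without leaking the credentials.
def redact_userinfo(text)
  text.gsub(CRED_URL, '\1REDACTED@')
end

# Credentials inside a URL are percent-encoded; the separate username and
# password properties take the raw value, so decode runs of %XX escapes.
def percent_decode(str)
  str.gsub(/((?:%\h\h)+)/) { [$1.delete('%')].pack('H*').force_encoding('UTF-8') }
end

# Turn a URI with embedded credentials into git-resource source properties.
# A URI without userinfo is returned unchanged under the 'uri' key.
def split_git_source(uri_string)
  m = CRED_URL.match(uri_string)
  return { 'uri' => uri_string } unless m

  source = {
    'uri'      => uri_string.sub(CRED_URL, '\1'),
    'username' => percent_decode(m[2])
  }
  source['password'] = percent_decode(m[3]) if m[3]
  source
end

if __FILE__ == $PROGRAM_NAME
  puts redact_userinfo(SAMPLE_LOG)
  p split_git_source('https://redacted_user:redacted_password@elpaaso-gitlab.my.domain.com/fe-group/secrets.git')
end
```

With the credentials held in `username` and `password`, the URI that git echoes back in a push error no longer contains them.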
