If you are setting up gitlab-ci pipeline, you will need to establish a secure connection between the runner machine and server where you are going to deploy.
Here's a quick and easy way to do it.
Prerequisite
- Gitlab CI Pipeline
- OpenSSH client & server installed on runner and deployment server.
SSH (Secure Shell) protocol uses public-key cryptography to authenticate Client machine with a remote Server machine on a network.
Let's get started, we will first create SSH key-pair.
I have created these keys for illustration on linux, SSH key paths may differ based on your OS.
Private key (~/.ssh/id_rsa)
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTL
tCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJ
L9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXwIDAQAB
AoGABCH6D7u8VQLBJRG6Dq2razuaP5vik3FSxFrYS+deLbrWy2bQBg7rN0ao1C4+
TT6B6EzCwNjAfmGgyBJVijpd0X3iQzt5iPT5vMA2TrybbpMLZnikRtbo5rkgk+Tg
m7AiqXzOSHv02ZtrpgDV3pQ+qa/Tk9FU/7hjefKMF2Ru6EkCQQDINwkKizU3Uw4T
IwMAMTITOrLiswR4tJOmsG01Xe47dMkmERrtI47fYJcPLsNgnBjs6Pus8ALscOCM
xinMBwFdAkEAo72Ir7d0BL/GmogKgmELXmVS6t1jzNok0ioi4w7EefYMaDrlMrlk
rI7VMnExScPHc8ksezRBOJSS89cIIzYy6wJABrrq3+LcEBcHoxcLM8dzknfnqX0x
CkmvqOvHUALvTipX1KLAj/YhCFs72LPOt4GnyNbwFtkekAofUjwbDZOytQJAXd8X
McX22ZIohgdgHwcLwX5NXyC1Sof1fBd0EMAym8kXq9m39LCcquDoERcbrrJy8kpv
GeMHUSy8Ytbwb19vKQJAT/lYWZqTpr+DfmTdmvRbCOz9hWOw4Hj+nfjfSsfzU9vg
bWqKz2KvKlSvYBV4uKBfxsv6ML5dkaiHb5l3pKfDUw==
-----END RSA PRIVATE KEY-----
Public key (~/.ssh/id_rsa.pub)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==
What Next, Where do we store these keys ?
The SSH keys created above will be stored in the following locations to enable an encrypted and authenticated session between Gitlab Runner & the deployment Server.
1. Gitlab CI Environment Variables
Store both private & public key by giving them a name (SSH_PRIVATE_KEY/SSH_PUBLIC_KEY), you can store the keys at the group level and inherit it in your project by selecting from the Environment Scope dropdown.
2. Gitlab Runner Machine (SSH folder)
The private & public keys should be stored in the Gitlab Runner machineโs [~/.ssh ]folder. To do that, you need to add following bash commands in your projects .gitlab-ci.yml file.
$SSH_PRIVATE_KEY
&$SSH_PUBLIC_KEY
are variables which we created in the step above.
Replace gitlab.local.net with url where you have hosted your Gitlab.
before_script:
- eval $(ssh-agent -s)
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo -e "Host *\n\tStrictHostKeyChecking no\n" > ~/.ssh/config;
- cat "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- cat "$SSH_PUBLIC_KEY" | tr -d '\r' > ~/.ssh/id_rsa.pub
- chmod 600 ~/.ssh/id_rsa;
- chmod 764 ~/.ssh/id_rsa.pub;
- ssh-keyscan -H gitlab.local.net >> ~/.ssh/known_hosts
3. Create authorized_keys
on the Server
On the server where you will be deploying your application, create a authorized_keys file inside ~/.ssh.
Now, You would either be running your application on a Physical Server (nostalgic) or a VM โ Virtual Machine (still there) or a Container (there you are).
Then, Copy and paste the public key to the end ofauthorized_keys
file
~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==
Please note that you can append as many public keys as you want here, depending on the connections you wish to establish.
With that final step, you have successfully setup an encrypted communication channel between Gitlab Runner and the server on which you will be deploying your application.
Do keep in mind
You need to be very careful with SSH keys, set the right permissions and ownership.
Thank You !!
Top comments (1)
Thanks man! saved my day