
Sayed Naweed Rizvi

Setting up communication between GitLab Runner and Deployment Server with SSH

If you are setting up a GitLab CI pipeline, you will need to establish a secure connection between the runner machine and the server you are going to deploy to.
Here's a quick and easy way to do it.

Prerequisites

  • GitLab CI pipeline
  • OpenSSH client and server installed on the runner and the deployment server

The SSH (Secure Shell) protocol uses public-key cryptography to authenticate a client machine to a remote server machine on a network.

Let's get started. We will first create an SSH key pair.

What is ssh-keygen & How to Use It to Generate a New SSH Key?

Ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.

ssh.com

I have created these keys for illustration on Linux; SSH key paths may differ based on your OS.

Private key (~/.ssh/id_rsa)

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Public key (~/.ssh/id_rsa.pub)

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==

What next? Where do we store these keys?
The SSH keys created above will be stored in the following locations to enable an encrypted and authenticated session between the GitLab Runner and the deployment server.

1. GitLab CI Environment Variables

GitLab CI/CD variables | GitLab

GitLab product documentation.

docs.gitlab.com

Store both the private and the public key, giving each a name (SSH_PRIVATE_KEY / SSH_PUBLIC_KEY). You can store the keys at the group level and inherit them in your project by selecting from the Environment Scope dropdown.


2. GitLab Runner Machine (SSH folder)
The private and public keys should be stored in the GitLab Runner machine's ~/.ssh folder. To do that, add the following bash commands to your project's .gitlab-ci.yml file.

$SSH_PRIVATE_KEY and $SSH_PUBLIC_KEY are the variables we created in the step above.

Replace gitlab.local.net with the URL where you have hosted your GitLab.

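before_script:
  - eval $(ssh-agent -s)
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  # Disables host key verification for all hosts, so the runner will not detect a changed or impostor host key.
  - echo -e "Host *\n\tStrictHostKeyChecking no\n" > ~/.ssh/config
  # cat works here only if the variables are of type File (each then holds the path to a temporary file).
  - cat "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
  - cat "$SSH_PUBLIC_KEY" | tr -d '\r' > ~/.ssh/id_rsa.pub
  # Private key: owner read/write only. Public key: readable by all, writable by owner (was 764).
  - chmod 600 ~/.ssh/id_rsa
  - chmod 644 ~/.ssh/id_rsa.pub
  # Records the GitLab host's key as it is presented at scan time.
  - ssh-keyscan -H gitlab.local.net >> ~/.ssh/known_hosts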

3. Create authorized_keys on the Server
On the server where you will be deploying your application, create an authorized_keys file inside ~/.ssh.

You will be running your application on a physical server (nostalgic), a VM, i.e. a virtual machine (still there), or a container (there you are).
Then copy and paste the public key at the end of the authorized_keys file.

~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==

Please note that you can append as many public keys as you want here, depending on the connections you wish to establish.

With that final step, you have successfully set up an encrypted communication channel between the GitLab Runner and the server on which you will be deploying your application.

Do keep in mind
You need to be very careful with SSH keys: set the right permissions and ownership.
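
A stricter variant of the runner setup from step 2, applying the permissions advice above, as an added example that is not part of the original post: it pins the deployment server's host key instead of setting StrictHostKeyChecking no, and stops if no pinned key is supplied. The function name setup_runner_ssh and the SSH_KNOWN_HOSTS variable are assumptions, and both variables are assumed to be File-type CI/CD variables.

```shell
#!/bin/sh
# Added example, not from the original post.
# Call from before_script:  setup_runner_ssh "$SSH_PRIVATE_KEY" "$SSH_KNOWN_HOSTS"
# Assumptions: both are File-type CI/CD variables (each expands to a file path);
# SSH_KNOWN_HOSTS is a hypothetical variable holding the deployment server's
# known_hosts line(s), verified once by hand and then stored in GitLab.

# The body runs in a subshell "( ... )" so umask and exit stay local to the call.
setup_runner_ssh() (
    key_file=$1
    known_hosts_file=$2
    ssh_dir=${3:-$HOME/.ssh}   # optional third argument, used for testing

    # Fail closed: without pinned host keys there is nothing to verify against.
    if [ ! -s "$known_hosts_file" ]; then
        echo "setup_runner_ssh: no pinned host keys supplied" >&2
        exit 1
    fi
    # Catch an empty or truncated key variable before ssh fails later.
    if ! grep -q 'PRIVATE KEY-----' "$key_file"; then
        echo "setup_runner_ssh: private key is missing or malformed" >&2
        exit 1
    fi

    umask 077                           # new files start owner-only
    mkdir -p "$ssh_dir" || exit 1
    chmod 700 "$ssh_dir" || exit 1

    # Strip carriage returns that pasting into the web UI can introduce.
    tr -d '\r' < "$key_file" > "$ssh_dir/id_rsa" || exit 1
    tr -d '\r' < "$known_hosts_file" > "$ssh_dir/known_hosts" || exit 1

    # Refuse unknown or changed host keys instead of accepting them silently.
    printf 'Host *\n\tStrictHostKeyChecking yes\n' > "$ssh_dir/config" || exit 1

    chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/config" || exit 1
    chmod 644 "$ssh_dir/known_hosts" || exit 1
)
```

With this in place the ssh-keyscan line is no longer needed, because known_hosts comes from the stored variable rather than from whatever host answers during the job.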

Thank You !!

Top comments (1)

Valentin

Thanks man! saved my day