Deploying with docker-compose via SSH tunnel in Gitlab CI

.gitlab-ci.yml

deploy:live:
  image: 1drop/docker:git
  stage: deploy
  when: manual
  environment:
    name: production
    url: https://www.somecustomer.de
  before_script:
    - eval $(ssh-agent -s)
    - ssh-add <(echo "$SSH_PRIVATE_KEY")
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - apk add socat
  script:
    - ./bin/deploy.sh
  tags:
    - vpn
  only:
    - master

deploy.sh

#!/usr/bin/env bash

set -o pipefail  # trace ERR through pipes
set -o errtrace  # trace ERR through 'time command' and other functions
set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
set -o errexit   ## set -e : exit the script if any statement returns a non-true return value

[email protected] # todo: change here
TYPO3_IMAGE=registry.gitlab.com/vendor/customer/typo3 # todo: change here

echo " * OPENING DOCKER SOCKET TUNNEL"
socat \
  "UNIX-LISTEN:/tmp/docker.sock,reuseaddr,fork" \
  "EXEC:'ssh -kTax $REMOTE socat STDIO UNIX-CONNECT\:/var/run/docker.sock'" \
  &
export DOCKER_HOST=unix:///tmp/docker.sock
export COMPOSE_PROJECT_NAME=some-fixed-name # todo: change here
echo " * LOGIN WITH GITLAB-CI TOKEN"
docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
# backup current image if already present locally
if [[ ! "$(docker images -q ${TYPO3_IMAGE} 2> /dev/null)" == "" ]]; then
  echo " * BACKING UP CURRENT IMAGE VERSION"
  docker tag ${TYPO3_IMAGE} typo3-backup
fi
echo " * PULLING NEW IMAGES"
docker-compose -f docker-compose.live.yml pull
echo " * UPDATING RUNNING CONTAINERS"
docker-compose -f docker-compose.live.yml up -d
echo " * CLEANING OLD IMAGES"
ssh -t ${REMOTE} "docker-clean images"

Excelent solution! Thanks for sharing!

However, just a heads up: setting "Host StrictHostKeyChecking no" could be a security issue. A better solution would be to setup the known_hosts file with the hosts key before trying to connect to it.