Skip to content

Instantly share code, notes, and snippets.

@yannhowe
Created September 26, 2016 18:06
Show Gist options
  • Save yannhowe/5ab1501156bd84c8ac261e2c17b8e3e0 to your computer and use it in GitHub Desktop.
Save yannhowe/5ab1501156bd84c8ac261e2c17b8e3e0 to your computer and use it in GitHub Desktop.
.gitlab.ci.yml for SSH with private key.
# Image neeeds to have ssh-client
image: docker:git
services:
- docker:dind
stages:
- staging
before_script:
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
- mkdir -p ~/.ssh
# Paste the PRIVATE key into a gitlab variable. Pay attention to the linebreak at the end when pasting
- echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
- ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
staging:
stage: staging
tags:
- docker
only:
- staging
script:
- docker build --pull -t $CI_REGISTRY_IMAGE:staging .
- docker push $CI_REGISTRY_IMAGE:staging
# your own server details here
- ssh $SERVER_USER@$SERVER_HOSTNAME < deploy.sh
@rafaelstz
Copy link

I had to unprotect the variable to make it work.

Capture d’écran, le 2020-08-09 à 18 19 55

@mochadwi
Copy link

I had to unprotect the variable to make it work.

Capture d’écran, le 2020-08-09 à 18 19 55

This also happened to me. Thanks!

@nwpray
Copy link

nwpray commented Dec 13, 2020

@van4oza

$ echo "$TEST_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - >/dev/null
Error loading key "(stdin)": invalid format

I have had the same error.
You added TEST_SSH_PRIVATE_KEY as protected variable to the GitLab CI/CD config. This is fine. But the variable then only gets exposed to protected branches (master for example is per default) and protected tags. I configured the v* wildcard (matches my use case) as protected tags and it did run.

This was exactly what is going on for me. And anyone else that feels like they need to unprotect their variable, don't do that. Just go configure your protected branches and tags to inject these variables like @richardhj said.

@DurandSacha
Copy link

DurandSacha commented Feb 22, 2021

eval $(ssh-agent -s) echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null mkdir -p ~/.ssh chmod 700 ~/.ssh ssh-keyscan xxx.xxx.xxx.xxx >> ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts

is worked for me
( add a SSH_PRIVATE_KEY in var settings )

@xyj404
Copy link

xyj404 commented Mar 23, 2021

Thanks @amatiash !

@Aiswariyasugavanam
Copy link

How to add multiple Private keys to known_host??

@alljinx
Copy link

alljinx commented Feb 3, 2023

Hey all, just tackled this today. FYI, this is how you can do git operations (i.e. tagging) from within CI as of today (variable of type 'File'):

tagging_job:
  stage: release
  image: ubuntu
  before_script:
    - mkdir -p ~/.ssh
    # Settings > Repository > Deploy Keys > "DEPLOY_KEY_PUBLIC" is the public key of the utitlized SSH pair (choose `Write access allowed` on creation)
    # Settings > CI/CD > Variables > "DEPLOY_KEY_PRIVATE" is the private key of the utitlized SSH pair, type is 'File' and ends with empty line
    - mv "$DEPLOY_KEY_PRIVATE" ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )'
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  script:
    # try to connect to GitLab.com
    - ssh [email protected]
    # fresh clone
    - mkdir ~/source && cd $_
    - git clone [email protected]:$CI_PROJECT_PATH.git
    - cd $CI_PROJECT_NAME
    # Version tag
    - git tag my-tag
    - git push --tags -o ci.skip

The -o ci.skip part causes the generated pipeline to be skipped (not auto-ran). If you want to not generate a pipeline at all for your tag push, add this to the top of the .gitlab-ci.yml:

workflow:
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - when: always

Peace

Thx, you made my day !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment