Using an SSH private key in GitLab CI/CD #30

Open
lqshow opened this issue Apr 24, 2018 · 0 comments

Injecting the SSH key into the build environment through .gitlab-ci.yml is a solution that works with any type of executor (Docker, shell, etc.).

.gitlab-ci.yml configuration

install_deps:
  stage: install_deps
  only:
    - master
  script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s) 
    - ssh-add <(echo "$SSH_PRIVATE_KEY")
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - ssh -T git@xxx
    - node --version
    - npm install

About $SSH_PRIVATE_KEY

  1. $SSH_PRIVATE_KEY here is a secret variable in the GitLab project. For how to create it, see: Secret variables
  2. Its content is the SSH private key, i.e. ~/.ssh/id_rsa

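Example

A complete example combining a Dockerfile with gitlab-ci

Dockerfile

A note on resource/id_rsa: id_rsa does not need to be committed to the git repository. If you need to run the image locally, just copy your local machine's id_rsa into the resource directory.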

FROM node:latest

# Change timezone
RUN echo "Asia/Shanghai" > /etc/timezone && \
    dpkg-reconfigure -f noninteractive tzdata && \
    npm config set registry https://registry.npm.taobao.org

# Add credentials on build
RUN mkdir -p /root/.ssh
ADD resource/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa && \
      echo "StrictHostKeyChecking no\nUserKnownHostsFile /dev/null" >> /root/.ssh/config

WORKDIR /data/project
COPY ./ ./

# Run project dependencies
WORKDIR /data/project/service
RUN npm install

# Remove SSH keys from the final filesystem (the ADD layer above still contains id_rsa)
RUN rm -rf /root/.ssh/

CMD ["npm","start"]

.gitlab-ci.yml

Because the Dockerfile depends on id_rsa in the resource directory, the private key must be written there before the build.

image: node:latest

variables:
  IMAGE_NAME: test_image
  CONTAINER_NAME: test_container
  STAGING_VERSION: $STAGING_VERSION
  PRODUCTION_VERSION: $PRODUCTION_VERSION

cache:
  paths:
    - node_modules/

stages:
 - install_deps
 - staging

install_deps:
  stage: install_deps
  only:
    - master
  script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s) 
    - ssh-add <(echo "$SSH_PRIVATE_KEY")
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - npm install

deploy_to_staging:
  image: docker:latest
  stage: staging
  only:
    - master
  script:
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ./resource/id_rsa
    - docker build -t ${IMAGE_NAME}:${STAGING_VERSION} .
    - docker stop ${CONTAINER_NAME} && docker rm ${CONTAINER_NAME}
    - docker run -d --name ${CONTAINER_NAME} --restart always -p 3200:3200 --env NODE_ENV=test ${IMAGE_NAME}:${STAGING_VERSION}
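
The install_deps script above writes StrictHostKeyChecking no into ~/.ssh/config, so the job accepts whatever host key the server presents. The following is an added example, not part of the original post, that keeps the same ssh-agent flow but pins the host key and rejects an empty or malformed key variable. SSH_KNOWN_HOSTS, normalize_key and pin_known_hosts are assumed names introduced here.

```shell
# Added example, not from the original post. SSH_KNOWN_HOSTS is an assumed
# CI/CD variable holding the server's known_hosts line(s), recorded once
# over a trusted channel after checking the fingerprint.

# Print the private key with carriage returns stripped. Fails when the
# variable is empty or is not a private-key block.
normalize_key() (
  key=$(printf '%s' "$1" | tr -d '\r')
  case "$key" in
    "-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----") ;;
    *) echo "private key variable is empty or malformed" >&2; exit 1 ;;
  esac
  printf '%s\n' "$key"
)

# Write known_hosts plus an ssh config that enforces host-key verification.
# $1 = known_hosts content, $2 = target directory (default ~/.ssh).
pin_known_hosts() (
  hosts=$(printf '%s' "$1" | tr -d '\r')
  ssh_dir=${2:-"$HOME/.ssh"}
  [ -n "$hosts" ] || { echo "known_hosts variable is empty" >&2; exit 1; }
  umask 077                      # new files 0600, new directories 0700
  mkdir -p "$ssh_dir" || exit 1
  chmod 700 "$ssh_dir" || exit 1
  printf '%s\n' "$hosts" > "$ssh_dir/known_hosts" || exit 1
  printf 'Host *\n\tStrictHostKeyChecking yes\n\tUserKnownHostsFile %s\n' \
    "$ssh_dir/known_hosts" > "$ssh_dir/config"
)

# In the job script, replacing the ssh-add and config lines:
#   eval $(ssh-agent -s)
#   normalize_key "$SSH_PRIVATE_KEY" | ssh-add -
#   pin_known_hosts "$SSH_KNOWN_HOSTS"
```

With the key piped to `ssh-add -`, the private key stays in the agent and is never written to the runner's disk.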