Gitlab's Deploy Keys and Deploy Tokens for CI/CD
Scenario: Need to install a requirement that is only available on a private repository, from my CI pipeline.
There are two ways (I found) to do this, and the one you use depends on what you need to do:
For context and illustration I used gitlab, python and poetry.
A deploy token allows you to access a repository without your user name and password or SSH keys, and it is set up per repository or group.
Dependency on pyproject.toml
[tool.poetry.dependencies]
python = "^3.9"
private-project = {git = "ssh://git@gitlab.com/mundo03/sample-private-repo.git", rev = "main"}
Note the SSH URL is kept so you don't have to use a Personal Access Token every time you install your dependencies locally.
gitlab-ci.yml
image: python:3.9-buster
poetry_token:
  script:
    # Install Poetry
    - pip install poetry
    # Set up the string replacement (backslashes escape the slashes for sed)
    - export SSH_URL=ssh:\\/\\/git@gitlab.com\\/mundo03
    - export TOKEN_URL=https:\\/\\/$deploy_user:$deploy_token@gitlab.com\\/mundo03
    - sed -i "s/$SSH_URL/$TOKEN_URL/g" pyproject.toml
    # Install the project and its private dependency
    - poetry install
    # Use the cloned repo
    - poetry run print_something "LOOK AT ME!!"
Notice sed is being used to replace the SSH URL with an HTTPS URL that has the Deploy Token in it.
There are also public deploy keys set up at GitLab instance level, which an admin can give access to any of the projects in that instance.
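As an added illustration (not code from the original post), the same URL rewrite the sed step performs in the poetry_token job, done in Python: the deploy user and token are percent-encoded so a token containing "/" or "@" cannot break the URL or the replacement, URLs for other hosts are left alone, and the token is masked before anything is echoed into the job log. The pyproject snippet, the `deploy-user` name and the token values are constructed samples.

```python
import re
from urllib.parse import quote

# Constructed sample of the dependency table from the post's pyproject.toml.
SAMPLE_PYPROJECT = '''[tool.poetry.dependencies]
python = "^3.9"
private-project = {git = "ssh://git@gitlab.com/mundo03/sample-private-repo.git", rev = "main"}
'''

# Matches ssh://git@HOST/PATH inside a TOML string (stops at the closing quote).
SSH_URL_RE = re.compile(r'ssh://git@(?P<host>[^/"]+)/(?P<path>[^"]+)')


def to_token_url(ssh_url: str, user: str, token: str, host: str = "gitlab.com") -> str:
    """Rewrite one ssh://git@HOST/PATH URL into https://USER:TOKEN@HOST/PATH.

    Credentials are percent-encoded, so a '/' or '@' in the token cannot
    corrupt the URL; the sed one-liner in the post uses '/' as its delimiter
    and has no such protection.
    """
    m = SSH_URL_RE.fullmatch(ssh_url)
    if m is None or m.group("host") != host:
        raise ValueError(f"not an ssh URL for {host}: {ssh_url}")
    return f"https://{quote(user, safe='')}:{quote(token, safe='')}@{host}/{m.group('path')}"


def rewrite_pyproject(text: str, user: str, token: str, host: str = "gitlab.com") -> str:
    """Apply to_token_url to every ssh URL for `host` in the TOML text; other hosts are untouched."""
    def repl(m: re.Match) -> str:
        if m.group("host") != host:
            return m.group(0)
        return to_token_url(m.group(0), user, token, host)
    return SSH_URL_RE.sub(repl, text)


def redact(text: str, token: str) -> str:
    """Mask the token before the rewritten file or command is printed in the CI job log."""
    return text.replace(token, "****") if token else text


if __name__ == "__main__":
    # Hypothetical deploy token credentials; in CI these would come from $deploy_user/$deploy_token.
    rewritten = rewrite_pyproject(SAMPLE_PYPROJECT, "deploy-user", "s3cr3t-token")
    print(redact(rewritten, "s3cr3t-token"))
```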
Dependency on pyproject.toml
[tool.poetry.dependencies]
python = "^3.9"
private-project = {git = "ssh://git@gitlab.com/mundo03/sample-private-repo.git", rev = "main"}
gitlab-ci.yml
image: python:3.9-buster
poetry_key:
  script:
    # Install OS dependencies
    - apt-get update -y -qq && apt-get install -y -qq make openssh-client python3-pip
    # Start ssh-agent
    - eval $(ssh-agent -s)
    # Add the private deploy key (stored in the CI variable SSH_PK) to the SSH agent
    - ssh-add <(echo "$SSH_PK")
    # Add gitlab.com as a known host
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
    # Install Poetry
    - pip install poetry
    # Install the project and its private dependency
    - poetry install
    # Use the cloned repo
    - poetry run print_something "LOOK AT ME!!"
CI variables are not the best place to store a secret; for that GitLab has Secrets, which are meant to store things like SSH keys, passwords, etc.
Read up: Secrets
Spoilers: You need a Hashicorp's Vault account