mirror of
https://gitlab.com/openstapps/openstapps.git
synced 2026-01-21 17:12:43 +00:00
refactor: handle ssh secrets as base64 encoded
This commit is contained in:
Rainer Killinger
@@ -26,6 +26,7 @@ web:
|
|||||||
- >
|
- >
|
||||||
if [ "$RELEASE_TYPE" == "staging" ]; then
|
if [ "$RELEASE_TYPE" == "staging" ]; then
|
||||||
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
||||||
|
# THUS $STAGING_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
|
||||||
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
||||||
# example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
|
# example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
|
||||||
sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
|
sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
|
||||||
@@ -33,6 +34,7 @@ web:
|
|||||||
|
|
||||||
if [ "$RELEASE_TYPE" == "production" ]; then
|
if [ "$RELEASE_TYPE" == "production" ]; then
|
||||||
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
|
||||||
|
# THUS $PRODUCTION_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
|
||||||
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
|
||||||
# example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
|
# example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
|
||||||
sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY
|
sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY
|
||||||
|
|||||||
@@ -1,12 +1,12 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET=$1
|
SSH_DEPLOY_TARGET=$1
|
||||||
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-"missingtarget"}"
|
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-'missingtarget'}"
|
||||||
|
|
||||||
SSH_PRIVATE_KEY=$2
|
SSH_PRIVATE_KEY=$2
|
||||||
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-"missingkey"}"
|
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-'missingkey'}"
|
||||||
|
|
||||||
GOTO_FAIL=false
|
GOTO_FAIL=false
|
||||||
|
|
||||||
@@ -24,28 +24,32 @@ if [ "$GOTO_FAIL" = true ]; then
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
IFS='@' read -ra TARGET_COMPONENTS <<< "$SSH_DEPLOY_TARGET"
|
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET_USER="${TARGET_COMPONENTS[0]:-"missinguser"}"
|
TARGET_COMPONENTS=$(echo "$SSH_DEPLOY_TARGET" | tr '@' "\n")
|
||||||
|
TARGET_COMPONENTS=$(echo "$TARGET_COMPONENTS" | tr ':' "\n")
|
||||||
|
|
||||||
IFS=':' read -ra TARGET_COMPONENTS <<< "$TARGET_COMPONENTS"
|
SSH_DEPLOY_TARGET_USER=$(echo "$TARGET_COMPONENTS" | head -n 1 | tail -n 1)
|
||||||
|
SSH_DEPLOY_TARGET_HOST=$(echo "$TARGET_COMPONENTS" | head -n 2 | tail -n 1)
|
||||||
|
SSH_DEPLOY_TARGET_PATH=$(echo "$TARGET_COMPONENTS" | head -n 3 | tail -n 1)
|
||||||
|
|
||||||
SSH_DEPLOY_TARGET_HOST="${TARGET_COMPONENTS[0]:-"missinghost"}"
|
SSH_DEPLOY_TARGET_USER="${SSH_DEPLOY_TARGET_USER:-'missinguser'}"
|
||||||
SSH_DEPLOY_TARGET_PATH="${TARGET_COMPONENTS[1]:-"missingpath"}"
|
SSH_DEPLOY_TARGET_HOST="${SSH_DEPLOY_TARGET_HOST:-'missinghost'}"
|
||||||
|
SSH_DEPLOY_TARGET_PATH="${SSH_DEPLOY_TARGET_PATH:-'missingpath'}"
|
||||||
|
|
||||||
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
|
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
|
||||||
## We're using tr to fix line endings which makes ed25519 keys work
|
## We're using tr to fix line endings which makes ed25519 keys work
|
||||||
## without extra base64 encoding.
|
## without extra base64 encoding.
|
||||||
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
|
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
|
||||||
##
|
##
|
||||||
echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
|
mkdir -p ~/.ssh
|
||||||
|
chmod 700 ~/.ssh
|
||||||
|
eval `ssh-agent -s`
|
||||||
|
echo "$SSH_PRIVATE_KEY" | base64 -d | tr -d '\r' | ssh-add -
|
||||||
##
|
##
|
||||||
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
|
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
|
||||||
## with your own domain name. You can copy and repeat that command if you have
|
## with your own domain name. You can copy and repeat that command if you have
|
||||||
## more than one server to connect to.
|
## more than one server to connect to.
|
||||||
|
|
||||||
mkdir -p ~/.ssh
|
|
||||||
chmod 700 ~/.ssh
|
|
||||||
ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
|
ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
|
||||||
chmod 644 ~/.ssh/known_hosts
|
chmod 644 ~/.ssh/known_hosts
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user