Issue
I Recently Maked A Pipeline For Myself To Auto Pull After A Tag Is Created In My Project In Gitlab
But It Has SERIOUS Security Issue Because I Use Echo Function In Docker Image To Import My Private Key
And My Public Key To Image
My Question Is
How Can I Read Public And Private Key From My Gitlab Profile Safely In Variables Helps Appreciated
## Author : RaminSubZero (0VERL0RD Corporation)
## PLEASE READ COMMENTS
## This CI Pulls Your Repository On Your Server With Some Statements
## This CI Triggers Only When You Make A Tag For Your Repo
## Start
image: trion/ng-cli-karma
## Setting Server Configuration For CI/CD Integration
## Config This Variables As You Need
## We Set This Stage Deploy
deploy_stage:
variables:
SSH_PRIVATE_KEY_PATH : "/root/.ssh/id_rsa"
SSH_PRIVATE_KEY : "-----BEGIN RSA PRIVATE KEY-----
example
-----END RSA PRIVATE KEY-----"
SSH_PUBLIC_KEY : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAexample3v3P RaminSub-Zero@PC"
SERVER: "example.com"
USER: "root"
PORT: "22"
PROJECT_DIR: "public_html/"
BRANCH: "master"
## This Git Pre Commands Save Your Local Changes To Server For Allowing Save Your Custom Files In Server
## You Can Set This Variables Empty If You Want
## For Setting This Variables Empty Replace This Lines With This Code
## GIT_PRESAVE_COMMAND: ""
## GIT_POSTSAVE_COMMAND: ""
## Start Saving Variables
GIT_PRESAVE_COMMAND: "&& git stash"
GIT_POSTSAVE_COMMAND: "&& git stash apply"
## End Saving Variables
CUSTOM_COMMAND: ""
CUSTOM_COMMAND2: ""
## You Can Run Any Command In Your Server You Want | For Example (CUSTOM_COMMAND: "&& systemctl restart nginx")
## Note : You Have To Use && First Of Your Command
# Here We Set Rule For Trigger This CI Per Tag Release
rules:
- if: '$CI_COMMIT_TAG != null'
stage: deploy
script:
- apt-get update
- apt-get update -y && apt-get install openssh-client -y
- mkdir /root/.ssh
- chmod 777 /root/.ssh
- touch /root/.ssh/id_rsa /root/.ssh/id_rsa.pub
- echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa ; echo "$SSH_PUBLIC_KEY" > /root/.ssh/id_rsa.pub
- chmod 600 /root/.ssh/id_rsa.pub
- chmod 600 /root/.ssh/id_rsa
- ssh -o "StrictHostKeyChecking no" -i $SSH_PRIVATE_KEY_PATH $USER@$SERVER -p $PORT "cd $PROJECT_DIR $GIT_PRESAVE_COMMAND && git pull origin $BRANCH $GIT_POSTSAVE_COMMAND $CUSTOM_COMMAND $CUSTOM_COMMAND2 && exit"
## In The End We Exit From Server To Finish Our Updating Session
## End
Solution
You should remove the variable with private key from .gitlab-ci.yml and add it via UI: https://gitlab.com/help/ci/variables/README#create-a-custom-variable-in-the-ui. That way it won't be commited in the repository.
As for CI logs, you should move everything under script: to a separate *.sh file - then every line won't show separately in the logs.
Answered By - Konrad Botor