Monday, May 11, 2020

GitLab Deploy Keys and Deploy Tokens

GitLab is a web-based DevOps lifecycle tool developed by GitLab Inc. It provides a Git repository manager with wiki, issue-tracking and CI/CD pipeline features, released under an open-source license.

Both Deploy Keys and Deploy Tokens allow you to check out code without using your personal GitLab username/password. As their name indicates, they are best suited for deployments, usually automated or scripted. What are their features?

Deploy Keys
  • Utilize SSH keys (public and private)
  • Checkout via SSH (requires port 22 open)
  • GitLab stores the public SSH key
  • The server doing the checkout must hold the private SSH key
  • Allows read and/or write access to the repository
  • More steps to set up
Deploy Tokens
  • Use a generated-once password, i.e. a token
  • Checkout via HTTPS (requires port 443 open, which is more common)
  • Token can have an expiration date
  • Allows read-only access to the repository
  • Simpler setup

How to create and use Deploy Keys (SSH)

By default, SSH uses ~/.ssh/id_rsa as its identity, but that is your personal SSH key.

Create an SSH key for GitLab deployments, with a unique name
Log in to the server where you will clone/deploy your code
> ssh-keygen -t rsa -b 4096 -f ~/.ssh/gitlab_deploy_rsa

Tell SSH about the new GitLab key
> vim ~/.ssh/config
Host gitlab.yourdomain.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/gitlab_deploy_rsa

Note: for Host, use the hostname that GitLab itself references
GitLab: Repo: Clone button
git@gitlab.yourdomain.com:dir/repo.git

For security, and because SSH rejects a config file that other users can write to, make the config readable only by you
> chmod 600 ~/.ssh/config

So that GitLab knows about your new key, create a GitLab Deploy Key

GitLab: Repo: Settings -> Repository, scroll to Deploy Keys
Copy the contents of your public key ~/.ssh/gitlab_deploy_rsa.pub (the key generated above) into the Key field

Back on your server, test that SSH access works
> ssh -vT git@gitlab.yourdomain.com
-T disables pseudo-terminal allocation, i.e. just returns the result "as is"
-v verbose output

If SSH times out, try a public site to ensure outbound port 22 is open
> ssh -vT gitlab.com

If SSH to gitlab.com does not work, enable outbound port 22 on your server, most likely via its firewall.
If SSH to gitlab.com does work, then SSH is probably not enabled or not reachable on your GitLab server. Review the GitLab host's firewall (e.g. iptables), TCP wrappers (i.e. /etc/hosts.deny and /etc/hosts.allow) and the SSH daemon configuration (i.e. /etc/ssh/sshd_config)

Assuming
> ssh -vT git@gitlab.yourdomain.com
finally works

You should be able to check out your code over SSH, using
> git clone git@gitlab.yourdomain.com:dir/repo.git target_dir
which is a slight shorthand for
> git clone ssh://git@gitlab.yourdomain.com/dir/repo.git target_dir

Note: If you cannot get SSH working, try Deploy Tokens instead; they use HTTPS, which is more often accessible.

How to create and use Deploy Tokens (HTTPS)
Create a GitLab Deploy Token

GitLab: Repo: Settings -> Repository, scroll to Deploy Tokens

After creating the Deploy Token, make sure to copy and save the token

From your server, you can check out your code using
> git clone https://<username>:<token>@gitlab.yourdomain.com/dir/repo.git target_dir

After cloning, you can simply pull changes
> git pull
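Putting the token in the clone URL, as above, makes git save it in plain text in the clone's .git/config (and it lands in your shell history). The script below is an added example, not from the original post: it hands the Deploy Token to git through a credential helper that reads it from the environment, keeps the helper in the clone so `git pull` keeps working, and then checks that no credential was stored in .git/config. The GITLAB_DEPLOY_USER and GITLAB_DEPLOY_TOKEN variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): clone with a GitLab Deploy Token
# supplied through a git credential helper, so the token never becomes part of
# the clone URL (which git would otherwise save in plain text in .git/config).
# Assumed names: the GITLAB_DEPLOY_USER and GITLAB_DEPLOY_TOKEN environment variables.

# The helper is a one-line shell function that answers git's credential request
# with the values from the environment. Only this command text is stored in the
# repo config; the token itself is read from the environment each time git asks.
DEPLOY_TOKEN_HELPER='!f() { printf "username=%s\npassword=%s\n" "$GITLAB_DEPLOY_USER" "$GITLAB_DEPLOY_TOKEN"; }; f'

# Clone REPO_URL (plain https://host/dir/repo.git, with no user:token part) into
# TARGET_DIR, then keep the helper in the clone's config so later `git pull`
# calls work as long as the two variables are exported.
deploy_token_clone() {
    repo_url=$1
    target_dir=$2
    : "${GITLAB_DEPLOY_USER:?GITLAB_DEPLOY_USER must be set}"
    : "${GITLAB_DEPLOY_TOKEN:?GITLAB_DEPLOY_TOKEN must be set}"
    export GITLAB_DEPLOY_USER GITLAB_DEPLOY_TOKEN
    git -c credential.helper="$DEPLOY_TOKEN_HELPER" clone "$repo_url" "$target_dir" &&
    git -C "$target_dir" config credential.helper "$DEPLOY_TOKEN_HELPER"
}

# Post-clone check: return 0 if CONFIG_FILE (normally TARGET_DIR/.git/config)
# holds a URL of the form https://user:secret@host/..., 1 if it is clean.
# A host:port such as https://host:8443/... does not match, since no '@' follows.
git_config_has_embedded_credential() {
    grep -Eq 'https?://[^/:@[:space:]]+:[^/@[:space:]]+@' "$1"
}

# Stand-alone use:
#   GITLAB_DEPLOY_USER=... GITLAB_DEPLOY_TOKEN=... sh deploy_clone.sh \
#       https://gitlab.yourdomain.com/dir/repo.git target_dir
if [ "$#" -eq 2 ]; then
    deploy_token_clone "$1" "$2" || exit 1
    if git_config_has_embedded_credential "$2/.git/config"; then
        echo "warning: a credential is stored in $2/.git/config" >&2
        exit 1
    fi
    echo "clone ok; no credential stored in $2/.git/config"
fi
```

Run the same check against clones made the URL way to find tokens that are already sitting on disk.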

So, should you use SSH or HTTPS?
Ideally you should use SSH keys as they are a way to identify trusted computers, without involving passwords, but HTTPS is the easiest to set up on the widest range of networks and platforms.


-End of Document-
Thanks for reading