Reputation: 1983
I have a project on gitlab that must install two other gitlab projects as npm packages. When there was only one package, I had my .gitlab-ci.yml set up like this:

    stages:
      - lint

    variables:
      PROJECT_1_KEY: $PROJECT_1_KEY

    lint:
      stage: lint
      image: node-chrome:latest
      before_script:
        # install ssh-agent
        - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
        # run ssh-agent
        - eval $(ssh-agent -s)
        - ssh-add <(echo "$PROJECT_1_KEY")
        - mkdir -p ~/.ssh
        - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
        - cd app
        - npm install

This worked just fine.
However, trying to add in a second project, which requires its own deploy key, has been unsuccessful so far.
I've added a second env variable PROJECT_2_KEY to the variables section.

Things I've tried:

Using ssh-add to add both keys

    before_script:
      # install ssh-agent
      - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
      # run ssh-agent
      - eval $(ssh-agent -s)
      - ssh-add <(echo "$PROJECT_1_KEY")
      - ssh-add <(echo "$PROJECT_2_KEY")
      - mkdir -p ~/.ssh
      - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
      - cd app
      - npm install

Building separate files, one for each deploy key, and adding them to an .ssh/config file

    before_script:
      # install ssh-agent
      - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
      # run ssh-agent
      - eval $(ssh-agent -s)
      - mkdir -p ~/.ssh
      - echo "$PROJECT_1_KEY" > ~/.ssh/project_1
      - echo "$PROJECT_2_KEY" > ~/.ssh/project_2
      - echo -e "Host project_1\n\tHostName gitlab.com\n\tIdentityFile $HOME/.ssh/project_1" > ~/.ssh/config
      - echo -e "Host project_2\n\tHostName gitlab.com\n\tIdentityFile $HOME/.ssh/project_2" >> ~/.ssh/config
      - cd app
      - npm install

Adding both keys to the same id_rsa file and adding gitlab.com to known_hosts

    before_script:
      # install ssh-agent
      - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
      # run ssh-agent
      - eval $(ssh-agent -s)
      - mkdir -p ~/.ssh
      - echo "$PROJECT_1_KEY" >> ~/.ssh/id_rsa
      - echo "$PROJECT_2_KEY" >> ~/.ssh/id_rsa
      - chmod 600 ~/.ssh/id_rsa
      - touch ~/.ssh/known_hosts
      - ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
      - cd app
      - npm install

I'm flying a bit blind. Is there a correct technique for what I'm trying to do?
Upvotes: 2
Views: 215
Reputation: 4328
I fought a similar battle, just in a different context (PHP Composer requiring a private GitLab repo). I couldn't get the SSH-based example to work in a way I was satisfied with, so I opted to take advantage of a Composer setting that used a custom URL as the reference for a defined dependency.
In PHP it looked like this:

    "require": {
        "foo/bar": "dev-master",
        ...
    "repositories": [
        {
            "type": "vcs",
            "url": "https://gitlab+deploy-token-1234:[email protected]/path/to/repo.git"
        }
    ]

So given the npm context, can you use the dependencies keyword to define the projects using git urls that contain the token data to authenticate?

    "dependencies" : {
        "foo/bar" : "https://gitlab+deploy-token-1234:[email protected]/path/to/repo.git"
    }

If you don't like including auth data in the committed package.json you might try omitting that and just use the raw git URL. In some projects during the build I just do a straight git clone of another private project and it appears the build process has permission to clone without configuring anything. (I'm not entirely sure "who" the build process is authed as, but presumably the user who triggered the build?)
Upvotes: 2
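
One way to give each repository its own deploy key over SSH, as an added example that is not part of the question or the answer above: each key gets a Host alias that offers only that key, and a git URL rewrite sends each repository through its alias. The alias names, the `group/project-N.git` paths and the `GITLAB_KNOWN_HOSTS` variable (host keys verified out of band) are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Aliases, repository paths and GITLAB_KNOWN_HOSTS are assumed names.
set -eu

# add_deploy_key SSH_DIR ALIAS KEY: store KEY (mode 0600) and bind it to a
# Host alias that offers only this key and checks gitlab.com's pinned host key.
add_deploy_key() {
    local ssh_dir="$1" host_alias="$2" key="$3"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    ( umask 077; printf '%s\n' "$key" > "$ssh_dir/$host_alias" )
    cat >> "$ssh_dir/config" <<EOF
Host $host_alias
    HostName gitlab.com
    HostKeyAlias gitlab.com
    User git
    IdentityFile $ssh_dir/$host_alias
    IdentitiesOnly yes
    StrictHostKeyChecking yes
EOF
}

# route_repo GITCONFIG ALIAS REPO: rewrite both SSH URL spellings of REPO so
# git (and npm, which runs git for git dependencies) connects through ALIAS.
route_repo() {
    local cfg="$1" host_alias="$2" repo="$3"
    cat >> "$cfg" <<EOF
[url "git@$host_alias:$repo"]
    insteadOf = git@gitlab.com:$repo
    insteadOf = ssh://git@gitlab.com/$repo
EOF
}

# Runs only in a job where both key variables are set; with set -u it stops
# if GITLAB_KNOWN_HOSTS is missing instead of connecting unverified.
if [ -n "${PROJECT_1_KEY:-}" ] && [ -n "${PROJECT_2_KEY:-}" ]; then
    add_deploy_key "$HOME/.ssh" project_1 "$PROJECT_1_KEY"
    add_deploy_key "$HOME/.ssh" project_2 "$PROJECT_2_KEY"
    # Pinned host keys from a CI variable, instead of ssh-keyscan at job time.
    printf '%s\n' "$GITLAB_KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
    route_repo "$HOME/.gitconfig" project_1 group/project-1.git
    route_repo "$HOME/.gitconfig" project_2 group/project-2.git
fi
```

The dependencies in package.json keep their ordinary gitlab.com SSH URLs; the rewrite happens inside git when npm fetches them.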