How to authenticate with a certificate
You want to authenticate with a certificate (a private key stored in a pem file) rather than a password, which is highly recommended. You can do this with the identity_file option of ssh (-i; see the man page and search for identity_file). Here is what you need to do:
- Copy the pem file to the CI/CD environment: Since GitLab 11.11 this can be achieved with “File” variable types. When creating a File variable, GitLab will create a file with the contents of your variable and store the path to this file in an environment variable named after your CI/CD variable key.
- Set permissions on the pem file correctly (otherwise ssh will discard it, see this post). Add this to your deploy job’s script section, before running the ssh commands (it will remove all permissions on “group” and “others”):
  chmod og= "$SERVER_PASSWORD"
  (SERVER_PASSWORD being your CI/CD variable key that holds the contents of your pem file; in the job, $SERVER_PASSWORD expands to the path of the file GitLab created)
- Run ssh with the identity_file option:
  ssh -i "$SERVER_PASSWORD" -o StrictHostKeyChecking=no "$SERVER_USER@$SERVER_IP" "command to execute on remote"
Here’s an example .yml configuration for a deploy job:
deploy:
  stage: deploy
  script:
    # Refresh the package index first, then upgrade installed packages
    - apk update && apk upgrade
    - apk add openssh-client
    - ssh -i "$STAGING_SERVER_PASSWORD" -o StrictHostKeyChecking=no $STAGING_SERVER_USER@$STAGING_SERVER docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.com
  environment:
    name: staging
    url: https://mathflake.com
  only:
    - develop
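
With StrictHostKeyChecking=no, ssh accepts whatever host key the server presents, so the job cannot tell the real staging server from a machine answering in its place. The variant below is an added example, not part of the original post: it is the same deploy job with the host key pinned. STAGING_KNOWN_HOSTS is an assumed name for a second "File" variable that you create yourself; the other variable names are the ones used above.

```yaml
deploy:
  stage: deploy
  script:
    - apk update && apk add openssh-client
    # ssh ignores a private key file that group or others can access.
    - chmod og= "$STAGING_SERVER_PASSWORD"
    # STAGING_KNOWN_HOSTS (assumed name) is a File variable holding the
    # server's known_hosts line(s), e.g. the output of ssh-keyscan captured
    # once from a trusted machine and checked against the server's real
    # host key fingerprint.
    # StrictHostKeyChecking=yes: fail the job if the presented host key is
    #   not in that file, instead of silently trusting it.
    # IdentitiesOnly=yes: offer only the key given with -i.
    # BatchMode=yes: never wait for interactive input in a CI job.
    - >
      ssh -i "$STAGING_SERVER_PASSWORD"
      -o StrictHostKeyChecking=yes
      -o UserKnownHostsFile="$STAGING_KNOWN_HOSTS"
      -o IdentitiesOnly=yes
      -o BatchMode=yes
      "$STAGING_SERVER_USER@$STAGING_SERVER"
      docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.com
  environment:
    name: staging
    url: https://mathflake.com
  only:
    - develop
```

If the server's host key is ever rotated, the job fails at the ssh step until the File variable is updated with the new key.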