Gitlab CD Django app on DigitalOcean droplet return permission denied for SSH

Infrastructure as Code & Cloud Native
,
1

I’m trying to implement CD for my containerized(Docker, nginx) Django app using gitlab on DigitalOcean droplet.

I have created a pair of SSH keys and add the public key to DigitalOcean platform. I can login to my droplet using that SSH key.

Now, I have added the private key as the environment variable at gitlab as: $PRIVATE_KEY , so now when I run the deployment it return the permission denied error.

Here’s my : .gitlab-ci.yml:

image:
  name: docker/compose:1.29.2
  entrypoint: [""]

services:
  - docker:dind

stages:
  - build
  - deploy

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2

before_script:
  - export IMAGE=$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
  - export WEB_IMAGE=$IMAGE/web:web
  - export NGINX_IMAGE=$IMAGE/nginx:nginx
  - apk add --no-cache openssh-client bash
  - chmod +x ./setup_env.sh
  - bash ./setup_env.sh
  - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY

build:
  stage: build
  script:
    - docker pull $IMAGE/web:web || true
    - docker pull $IMAGE/nginx:nginx || true
    - docker-compose -f docker-compose.prod.yml build
    - docker push $IMAGE/web:web
    - docker push $IMAGE/nginx:nginx

deploy:
  stage: deploy
  script:
    - mkdir -p ~/.ssh
    - echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - cat ~/.ssh/id_ed25519
    - chmod 700 ~/.ssh/id_ed25519
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_ed25519
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - chmod +x ./deploy.sh
    - scp  -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/Pythonist.org
    - bash ./deploy.sh

The build stage is passed but the deploy is failed with the following error:

$ chmod +x ./setup_env.sh
$ bash ./setup_env.sh
$ docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ mkdir -p ~/.ssh
$ echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
$ cat ~/.ssh/id_ed25519
   <MY_PRIVATE_KEY>
$ chmod 700 ~/.ssh/id_ed25519
$ eval "$(ssh-agent -s)"
Agent pid 27
$ ssh-add ~/.ssh/id_ed25519
Identity added: /root/.ssh/id_ed25519 (<COMMENT>)
$ ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
$ chmod +x ./deploy.sh
$ scp  -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/app
Warning: Permanently added '143.198.103.99' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
root@143.198.103.99: Permission denied (publickey,password).
lost connection
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

Here’s my deploy.sh:

#!/bin/sh

ssh -o StrictHostKeyChecking=no root@$DO_PUBLIC_IP_ADDRESS << 'ENDSSH'
  cd /root/Pythonist.org
  export $(cat .env | xargs)
  docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
  docker pull $IMAGE/web:web
  docker pull $IMAGE/nginx:nginx
  docker-compose -f docker-compose.prod.yml up -d
ENDSSH