- Generate a new deploy key. You should not add a password (leave blank) since you would have to provide it every time, rendering the automation useless. Save the private part of the key to the file `my-key.key`.
- Add the generated key as deploy key to your GitHub repository. You should make sure to keep the key read-only (default).
- Add a secret to Now which can be used in the deployment:

```sh
$ now secret add example-deploy-key "$(cat my-key.key | base64)"
```

Encoding the file using base64 is not "security through obscurity" but instead ensures there are no encoding problems (e.g. newlines `\n` cause errors in the Now CLI). We trust Now to transmit and store the secret values in a secure manner.
- Reference the secret as a build-time environment variable (`--build-arg` in Docker).
Part of `now.json`:

```json
{
  "env": {
    "NODE_ENV": "production"
  },
  "build": {
    "env": {
      "EXAMPLE_DEPLOY_KEY": "@example-deploy-key"
    }
  }
}
```
Putting the `@` in front of an identifier tries to resolve the secret with the same name.
We can now access the value in the `Dockerfile`:

```dockerfile
# ARG exposes the build-time env var from now.json to this build stage
ARG EXAMPLE_DEPLOY_KEY
# demo only: this prints the (base64-encoded) key into the build log
RUN echo $EXAMPLE_DEPLOY_KEY
```
NOTE: You can only read secrets from the current scope, e.g. if you created the secret with a team scope (`now --team peerigon secret add some-secret-name some-secret-value`) you'll need to run the `now` command with the same scope.
I hope this helps someone!
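As an added example, not code from the post above: the `RUN echo` step only shows that the build-time variable arrives. What a build actually needs is the key back on disk, decoded, with permissions ssh accepts, and checked to be a private key before anything tries to use it. The function below does that for a base64-encoded value such as the `EXAMPLE_DEPLOY_KEY` secret; the variable name, the destination path and the `git clone` target in the usage comment are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): turn the base64-encoded deploy
# key passed in as a build-time environment variable back into a usable
# private key file. EXAMPLE_DEPLOY_KEY and the destination path are
# assumptions matching the thread; adjust them to your own names.
set -eu

# install_deploy_key ENCODED_VALUE DEST
# Decodes the base64 value, checks that it really is a private key, and
# writes it with mode 0600 (ssh refuses keys that are group/world readable).
# Returns non-zero on an empty value, a decode failure, or non-key content,
# and leaves no partial file behind in those cases.
install_deploy_key() {
    encoded="$1"
    dest="$2"

    if [ -z "$encoded" ]; then
        echo "install_deploy_key: empty key value (secret not resolved?)" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dest")"
    chmod 700 "$(dirname "$dest")"

    # umask 077 so the file is never world-readable, not even briefly.
    # GNU base64 -d tolerates the line breaks `base64` inserted when encoding.
    (umask 077 && printf '%s' "$encoded" | base64 -d > "$dest") || {
        echo "install_deploy_key: base64 decode failed" >&2
        rm -f "$dest"
        return 1
    }

    # A private key is PEM text whose first line is "-----BEGIN ... PRIVATE KEY-----";
    # anything else means the wrong secret (or a double-encoded one) was passed.
    if ! head -n 1 "$dest" | grep -q 'BEGIN .*PRIVATE KEY'; then
        echo "install_deploy_key: decoded content is not a private key" >&2
        rm -f "$dest"
        return 1
    fi
    chmod 600 "$dest"
}

# Typical use inside the Docker build, after COPYing this script into the
# image: decode, use and remove the key within one RUN so the key does not
# persist in any image layer. The repository URL is a placeholder.
#   RUN . /usr/local/lib/deploy-key.sh \
#       && install_deploy_key "$EXAMPLE_DEPLOY_KEY" /root/.ssh/id_deploy \
#       && git clone git@github.com:org/private-repo.git /app/vendor/private-repo \
#       && rm -f /root/.ssh/id_deploy
```

Decoding, using and deleting the key in a single `RUN` matters because every `RUN` produces a layer that stays in the image history; a key written in one step and removed in a later one is still recoverable from the earlier layer.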
@leomelzer Thanks for replying!
I've been struggling for a while with this trying to install from GitLab.
I noticed NOW has ssh and git installed by default on their machines, so I tried to add the necessary deploy SSH keys for GitLab in the preinstall script:

```sh
ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts && eval "$(ssh-agent -s)" && ssh-add .ssh/my_gitlab_repo_deploy_key
```
Everything ran smoothly in deploy until I got the Host key verification error:
I also tried removing the host with `ssh-keygen -R` but to no avail. I verified that `~/.ssh/known_hosts` is indeed being correctly created.
It seems like ssh on the NOW machine is reading a different `known_hosts` file from the one I created in preinstall, or they even run a separate machine during deployment that is using a different config; I wasn't able to figure that out.
Do you have any idea what could go wrong in this setup?
Thanks for the private npm token tip I will try this.
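An added example, not from either post in this thread: the preinstall command above relies on ssh finding `~/.ssh/known_hosts` through `HOME` and on an agent holding the key. Naming the known_hosts file and the key explicitly on the ssh command line removes both dependencies, and `StrictHostKeyChecking=yes` turns an unpinned host into a hard failure instead of a prompt. The paths are assumptions, and the host key line in the usage comment is a placeholder: take the real line from `ssh-keyscan gitlab.com` run on a machine you trust (or from GitLab's published fingerprints), never from an example.

```shell
#!/bin/sh
# Added example, not from the original thread: make git's ssh invocation
# independent of HOME, ssh-agent and ~/.ssh by naming the key and the
# known_hosts file explicitly. Paths and the host key line are assumptions.
set -eu

# pin_host_key FILE "host keytype base64key"
# Appends one known_hosts entry, refusing malformed lines and duplicates, so
# a typo or a truncated ssh-keyscan line does not silently weaken pinning.
pin_host_key() {
    file="$1"
    line="$2"
    host="${line%% *}"
    rest="${line#* }"
    keytype="${rest%% *}"
    keydata="${rest#* }"
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "pin_host_key: unsupported or missing key type in: $line" >&2; return 1 ;;
    esac
    # keydata equal to rest means there was no third field at all
    if [ -z "$host" ] || [ -z "$keydata" ] || [ "$keydata" = "$rest" ]; then
        echo "pin_host_key: malformed line: $line" >&2
        return 1
    fi
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# git_ssh_command KEY KNOWN_HOSTS
# Prints the value for GIT_SSH_COMMAND (honoured by git 2.3 and later):
# only our key is offered (IdentitiesOnly=yes ignores the agent and other
# keys), only our file is consulted for host keys, and a host that is not
# pinned there fails instead of prompting.
git_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1" "$2"
}

# Usage in a build step, with the host key line obtained out-of-band
# (placeholder key data below; the repository path is also a placeholder):
#   pin_host_key /opt/deploy/known_hosts "gitlab.com ssh-ed25519 AAAA...replace-me..."
#   GIT_SSH_COMMAND="$(git_ssh_command /opt/deploy/id_deploy /opt/deploy/known_hosts)" \
#       git clone git@gitlab.com:group/project.git
```

Because the file and key are passed on the command line, it no longer matters which user, `HOME` or `~/.ssh` the build actually runs under; the same two paths work in a preinstall script and inside a `RUN` step alike.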