Month: February 2019

Or: How my wife created The Small Batch Project, a company that’s importing award-winning chocolate into Switzerland.

Let’s start with some context. Seth Godin lays out a concept to revoluzionize school and education. If you care about the next generation, then Stop Stealing Dreams is a must read (or at least a must watch of the 20min long TED talk).

This idea, the fact that everyone can excel, and that the best education can happen online, anytime and independent of location made me and my wife discuss a lot. It was a time when she was looking to quit her day job and start an adventure on her own. And then we found the altMBA, an investment of roughly 4’000 USD and 1 month of intense workshops. Signed up. And it all happened in August 2018.

So, did it help? My wife started the year 2018 with a pipe dream of building a company which would have cost probably more than a million to start, and likely years to execute. Ideas we all have in our head, but never get to execute. Simply, it’s too big to even start. The coaching, the constant feedback of peers and the intense reading mainly simplified “mission impossible”. There are no guidelines, no instructions. Just feedback from peers, constant coaching pushing you to make a leap and convert your dream into an executable project. All of a sudden ideas like “start writing a blog” or “do workshops” were discussed. Zero or close to zero capital investment, easy to test, easy to pivot and also not a full crash in case of a failure.

With that, she started her idea to import award winning bean-to-bar chocolate from around the world to Switzerland, online available at The Small Batch Project. She started with visiting a chocolate fair in September 2018, got a company incorporated and a website based on Shopify up and running in October 2018, had an appearance in a market stand in November 2018, another one in December 2018, her first chocolate tasting event in January 2019, and well, a few month into starting the adventure learned a lot, made interesting connections, received broad support from her friends and got positive and re-inforcing feedback from all corners, including an alumni of the altMBA contacting her with some suggestions to improve her marketing strategy.

So all the altMBA did was simplifying a huge business idea into something actionable? Dare to jump? Dare to take action? Kind of. At least it did the most scary part. There was no point anymore of saying “that’s impossible”. Almost no point of going back. And most of that by following the philosophy of doing something good in this world and making it happen.

With all that, my new job title is “professional chocolate taster”.

The GitLab Runner defaults to having read access only to the current repository. Git pushes such as tagging a commit won’t work. There are some suggestion out there, such as issue #23894, but I didn’t find anything more straight forward than what I’m writing here.

GitLab Personal Access Tokens are one way of using git pushes. However, they are tied to a user and needs changes in case the user leaves the company or simply changes the team. And if you use a shared “service” user, it’ll consume a license in the Enterprise Licensing model.

GitLab deploy keys are an alternative. This article shows how to use the GitLab deploy keys to push tags to a git repository.

Create and configure deploy keys

The long anwer can be found on the GitLab and SSH keys documentation. The short answer is:

ssh-keygen -o -t rsa -b 4096 -C "me@example.com"

1	ssh-keygen -o -t rsa -b 4096 -C "me@example.com"

Copy the content of the public key (by default named id_rsa.pub) to your project. It’s located at GitLab Project -> Settings -> Repository -> Deploy Keys. Once added, the SSH keys fingerprint is displayed on the user interface. You can double check for a match by extracting the fingerprint from your private key locally via:

ssh-keygen -lf id_rsa

1	ssh-keygen -lf id_rsa

Encrypt deploy keys in your repository

I recommend encrypting the private key in your repository, and decrypt it at runtime. I’m using AWS Key Management Service (KMS), but there are many alternatives available, and also corresponding implementations at different cloud providers. Anyway, here’s how to get the private key encrypted:

aws kms encrypt --key-id &lt;guid of key from AWS KMS> --plaintext fileb://id_rsa --output text --query CiphertextBlob --region eu-west-1 | base64 --decode > gitlab-deploy-key-encrypted

1	aws kms encrypt --key-id <guid of key from AWS KMS> --plaintext fileb://id_rsa --output text --query CiphertextBlob --region eu-west-1 \| base64 --decode > gitlab-deploy-key-encrypted

Build file

The trick part of the build file, besides decrypting the private key, is configuring the git push URL and comment correctly. See inline comments of the following file:

#!/usr/bin/env bash

set -e
set -u

# decrypt the private key
aws kms decrypt --ciphertext-blob fileb://gitlab-deploy-key-encrypted --output text --query Plaintext --region eu-west-1 | base64 --decode > ./gitlab-deploy-key
chmod 400 ./gitlab-deploy-key

# set the git username/email to be able to perform git operations
echo git version: $(git --version)
git config --global user.name "${GITLAB_USER_NAME}"
git config --global user.email "${GITLAB_USER_EMAIL}"

# set the push URL differently to leverage SSH protocol
git remote set-url --push origin git@cimpress.githost.io:&lt;your-team>/&lt;your-project>.git
git remote -v

# set the git tag to the current version
VERSION=1.0.$CI_PIPELINE_ID
git tag -a $VERSION -m "Setting version as tag during build."

# push the git tag
# leverage GIT_SSH option to use a dedicated SSH key
# see https://git-scm.com/docs/git#git-codeGITSSHcode for documentation of this feature
echo 'ssh -i ./gitlab-deploy-key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $*' > ssh
chmod +x ssh
GIT_SSH='./ssh' git push origin $VERSION

#!/usr/bin/env bash

set -e

set -u

# decrypt the private key

aws kms decrypt --ciphertext-blob fileb://gitlab-deploy-key-encrypted --output text --query Plaintext --region eu-west-1 | base64 --decode > ./gitlab-deploy-key

chmod 400 ./gitlab-deploy-key

# set the git username/email to be able to perform git operations

echo git version: $(git --version)

git config --global user.name "${GITLAB_USER_NAME}"

git config --global user.email "${GITLAB_USER_EMAIL}"

# set the push URL differently to leverage SSH protocol

git remote set-url --push origin git@cimpress.githost.io:<your-team>/<your-project>.git

git remote -v

# set the git tag to the current version

VERSION=1.0.$CI_PIPELINE_ID

git tag -a $VERSION -m "Setting version as tag during build."

# push the git tag

# leverage GIT_SSH option to use a dedicated SSH key

# see https://git-scm.com/docs/git#git-codeGITSSHcode for documentation of this feature

echo 'ssh -i ./gitlab-deploy-key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $*' > ssh

chmod +x ssh

GIT_SSH='./ssh' git push origin $VERSION

.gitlab-ci.yml

Eventually, the script needs to be invoked on in the .gitlab-ci.yml file. Additionally, all other stages need to be excluded when tags are pushed to avoid an infinite loop of builds when each build pushes a tag and triggers a build (yes, I did it).

stages:
  - build
  - push_git_tag

build:
  stage: build
  script: ./build.sh
  except:
    - tags

push_git_tag:
  stage: push_git_tag
  only:
    refs:
      - master
  except:
    - tags
  script:
    - ./push_git_tag.sh
  dependencies:
    - build

stages:

- build

- push_git_tag

build:

stage: build

script: ./build.sh

except:

- tags

push_git_tag:

stage: push_git_tag

only:

refs:

- master

except:

- tags

script:

- ./push_git_tag.sh

dependencies:

- build

Once figured out, it’s straight forward to create an SSH key, encrypt it, store it in source code, update the git remote push URL and put those components together.

Month: February 2019

From pipe dream to a small company

Push Git Tag from GitLab Runner

Create and configure deploy keys

Encrypt deploy keys in your repository

Build file

.gitlab-ci.yml