Skip to main content
When your GitLab instance isn’t accessible from the internet, you can’t use Upsun’s standard GitLab integration. Instead, you can create a GitLab CI/CD pipeline that pushes code to Upsun and manages environments through API calls. This approach gives you full control over your deployment process while maintaining the security of your private GitLab instance.

Why the standard GitLab integration won’t work

The standard Upsun GitLab integration relies on a webhook-based architecture:
  1. GitLab sends webhooks - When you push code, create branches, or open Merge Requests, GitLab sends HTTP webhooks to Upsun’s servers
  2. Upsun pulls your code - Upon receiving the webhook, Upsun attempts to connect back to your GitLab instance to pull the repository
  3. The connection fails - Since your GitLab instance isn’t accessible from the internet, Upsun can’t reach it to pull the code
This webhook-pull pattern requires bidirectional connectivity between GitLab and Upsun. When your GitLab instance sits behind a firewall or on a private network, Upsun’s servers can’t establish the return connection needed to fetch your code.

The push-based solution

Instead of relying on Upsun pulling from GitLab, you can implement a push-based workflow where your GitLab CI/CD pipeline actively pushes code to Upsun. This approach works because:
  • Your GitLab runners can reach external services (including Upsun)
  • No inbound connections to your GitLab instance are required
  • You maintain full control over when and how deployments occur
  • Your GitLab instance remains completely isolated from the internet
This CI/CD pipeline approach effectively reverses the flow: instead of Upsun pulling from GitLab, your pipeline pushes to Upsun, bypassing the connectivity requirements of the standard integration. The pipeline will take care of pushing to the main production environment when the branch is updated and will create preview environments whenever a new merge request is created.

Prerequisites

Before setting up your pipeline, you’ll need:
  • A GitLab runner with internet access to reach Upsun
  • An Upsun project
  • An Upsun API token for environment management
  • SSH keys configured on Upsun for Git operations

Setting up authentication

Generate an SSH key pair

Create a dedicated SSH key for your GitLab CI/CD pipeline:
ssh-keygen -t ed25519 -C "gitlab-ci@example.com" -f upsun_deploy_key
Grab the content of the public key:
cat upsun_deploy_key.pub | pbcopy
In the Upsun interface, create a new SSH key for your user: Add SSH Key

Configure GitLab CI/CD variables

Add these variables to your GitLab project’s CI/CD settings:
  • UPSUN_PROJECT_ID: Your Upsun project ID (e.g., abcdefgh1234567)
  • UPSUN_API_TOKEN: Your Upsun API token (masked variable)
  • UPSUN_SSH_PRIVATE_KEY: Contents of your private SSH key (It unfortunately can’t be a masked variable due to the key format)
  • UPSUN_GIT_REMOTE: Your Upsun Git remote URL
  • UPSUN_REGION: The Upsun region the project is hosted on (us-3.platform.sh, fr-1.platform.sh, etc.)