You can run ssh-keygen from wherever you want as long as you use the appropriate keys on the appropriate server.

Here is what you need:

• Generate a key pair
• Copy the private key to a gitlab CI variable (let's call it SSH_PRIVATE_KEY)
• Copy the public key to the server gitlab will connect to and add it to your ~/.ssh/authorized_keys file
• Tell your CI pipeline to use the private key that is stored in the Gitlab CI variable

In order to do that last step, just add the following to your .gitlab-ci.yml in the script or before_script section of the job of interest:

- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
# Run ssh-agent (inside the build environment)
- eval $(ssh-agent -s)
# Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
- ssh-add <(echo "$SSH_PRIVATE_KEY")
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

Then do your SSH connections and voilà !

EDIT: I couldn't remember where I had found this info the first time but here it is : https://docs.gitlab.com/ee/ci/ssh_keys/README.html