If you’re a regular user of F5 NGINX Plus, it’s likely that you’re building containers to try out new features or functionality. And when building NGINX Plus containers, you often end up storing sensitive information like the NGINX repository certificate and key on your local file system. While it’s straightforward to add sensitive files to a repository’s `.gitignore` file, that process is neither ideal nor secure – in fact, there are many examples where engineers accidentally commit sensitive information to a repository.
A better method is to use a secrets management solution. Personally, I’m a longtime fan of 1Password and recently discovered their CLI tool. This tool makes it easier for developers and platform engineers to interact with secrets in their day-to-day workflow.
In this blog post, we outline how to use 1Password CLI to securely build an NGINX Plus container. This example assumes you have an NGINX Plus subscription, a 1Password subscription with the CLI tool installed, access to an environment with a shell (Bash or Zsh), and Docker installed.
Store Secrets in 1Password
The first step is to store your secrets in 1Password, which supports multiple secret types like API credentials, files, notes, and passwords. In this NGINX Plus use case, we leverage 1Password’s secure file feature.
You can obtain your NGINX repository certificate and key from the MyF5 portal. Follow the 1Password documentation to create a secure document for both the NGINX repository certificate and key. Once you have created the two secure documents, follow the steps to collect the 1Password secret reference for each.
Note: At the time of this writing, 1Password does not support multiple files on the same record.
Build the NGINX Plus Container
Now it’s time to build the NGINX Plus container that leverages your secure files and their secret reference Uniform Resource Identifiers (URIs). This step uses the example Dockerfile from the NGINX Plus Admin Guide.
The docker build Process
After saving the Dockerfile to a new directory, prepare the `docker build` process. To pass your 1Password secrets into the `docker build`, first store each secret reference URI in an environment variable. Then, open a new Bash terminal in the directory where you saved your Dockerfile.
Enter these commands into the Bash terminal:
export NGINX_CRT="op://Work/nginx-repo-crt/nginx-repo.crt"
export NGINX_KEY="op://Work/nginx-repo-key/nginx-repo.key"
Replace Secret Reference URIs
The `op run` command enables your 1Password CLI to replace secret reference URIs in environment variables with the secret’s value. You can leverage this in your `docker build` command to pass the NGINX repository certificate and key into the build container.
To finish building your container, run the following commands in the same terminal used in the previous step:
op run -- docker build --no-cache --secret id=nginx-key,env=NGINX_KEY --secret id=nginx-crt,env=NGINX_CRT -t nginxplus --load .
In this command, `op run` executes the `docker build` command and detects the two environment variables (`NGINX_CRT` and `NGINX_KEY`) that hold 1Password secret reference URIs. The `op` command replaces each URI with the secret’s actual value, so the certificate and key reach the build only through Docker’s `--secret` mechanism and are never written to the build context.
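The following script wraps the build step described above with the checks a practitioner would want before handing a build to `op run`. It is an added example and not code from the original post, F5, or 1Password: it verifies that `NGINX_CRT` and `NGINX_KEY` hold `op://` secret references rather than pasted secret material, that the Dockerfile mounts the same secret ids the command passes (`nginx-crt` and `nginx-key`), and that no certificate or key file has been left in the build context. The image tag, the `RUN_BUILD` switch and the use of `.pem` alongside `.crt`/`.key` in the context check are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): guarded wrapper around
# `op run -- docker build` for the NGINX Plus image. Functions are kept
# separate so the file can also be sourced and the checks reused.
set -eu

# A 1Password secret reference has the shape op://<vault>/<item>/<field>.
# Anything else (an empty value, a pasted PEM block, a partial path) fails.
is_secret_ref() {
  case "$1" in
    op://*/*/*) return 0 ;;
    *)          return 1 ;;
  esac
}

# The Dockerfile must mount a secret with the given id; otherwise the value
# that `op run` resolves is passed to BuildKit but never reaches a RUN step.
dockerfile_mounts_secret() {
  local dockerfile="$1" id="$2"
  grep -Eq -- "--mount=type=secret,id=${id}(,|[[:space:]]|$)" "$dockerfile"
}

# Refuse to build if certificate or key files sit in the build context: that
# on-disk copy is exactly what the secret reference workflow avoids.
context_is_clean() {
  local dir="$1"
  ! find "$dir" -type f \( -name '*.crt' -o -name '*.key' -o -name '*.pem' \) | grep -q .
}

# Run every check, report each failure, and return non-zero if any failed.
preflight() {
  local context="$1" ok=0
  is_secret_ref "${NGINX_CRT:-}" || { echo "NGINX_CRT is not an op:// secret reference" >&2; ok=1; }
  is_secret_ref "${NGINX_KEY:-}" || { echo "NGINX_KEY is not an op:// secret reference" >&2; ok=1; }
  dockerfile_mounts_secret "$context/Dockerfile" nginx-crt || { echo "Dockerfile does not mount secret id nginx-crt" >&2; ok=1; }
  dockerfile_mounts_secret "$context/Dockerfile" nginx-key || { echo "Dockerfile does not mount secret id nginx-key" >&2; ok=1; }
  context_is_clean "$context" || { echo "certificate/key files found in build context $context" >&2; ok=1; }
  return "$ok"
}

# The build itself runs only when RUN_BUILD=1 is set (assumed switch), so the
# checks can be exercised without Docker or the 1Password CLI present.
if [ "${RUN_BUILD:-0}" = "1" ]; then
  tag="${1:-nginxplus}"      # assumed default image tag
  context="${2:-.}"          # build context; defaults to the current directory
  preflight "$context"
  # Same command as in the post: op run resolves the references, BuildKit
  # exposes them to the Dockerfile as secrets, and nothing lands on disk.
  op run -- docker build --no-cache \
    --secret id=nginx-key,env=NGINX_KEY \
    --secret id=nginx-crt,env=NGINX_CRT \
    -t "$tag" --load "$context"
fi
```

With the two `export` lines from the previous step already in the shell, `RUN_BUILD=1 ./build.sh nginxplus .` runs the checks and then the build; without `RUN_BUILD` the file only defines the functions, which is convenient for sourcing it into another script or a CI step.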
Get Started Today
By following the simple steps and using 1Password CLI, you can build NGINX Plus containers against the NGINX Plus repository without storing the certificate and key on your local file system – creating an environment for better security.