How to Securely Build NGINX Plus Containers with 1Password CLI

As a user of NGINX Plus, I often build NGINX containers to try out new features or functionality. However, to build an NGINX Plus container, I must store sensitive information like the NGINX repository certificate and key on my local filesystem. While adding these sensitive files to my repository .gitignore file is straightforward, this is not ideal or secure; there are plenty of examples of engineers accidentally committing sensitive information to a repository. A better way is to store these secrets in a secrets management solution.

I have long been a fan of 1Password and recently discovered their CLI tool. This tool makes it easier for developers and platform engineers to interact with secrets in their day-to-day workflow. In this article, I will explain how to use 1Password to securely build an NGINX Plus container. This example assumes you have an NGINX Plus subscription, 1Password subscription, and access to an environment with a shell (bash or zsh) and Docker installed.

To start this process, we must first store our secrets in 1Password. 1Password supports multiple secret types, such as API credentials, files, notes, and passwords. We will leverage the secure file feature for our NGINX Plus use case. Note: For this step, you must obtain your NGINX repository certificate and key from the my.f5.com portal. Follow the 1Password documentation to create a secure document for both the NGINX repository certificate and key; currently, 1Password does not support multiple files on the same record. Once you have created the two secure files, follow the steps in the 1Password documentation to collect each file's secret reference.

We can now build the NGINX Plus container leveraging our secure files and their secret reference URIs. This step will use the example Dockerfile from the NGINX Plus Admin Guide. Once you have saved the Dockerfile to a new directory on your laptop, we can start preparing the Docker build process. To pass our 1Password secrets into the Docker build, we will first store each secret reference URI in an environment variable. Open a new bash terminal in the directory where you saved your Dockerfile and enter the following commands:

export NGINX_CRT="op://Work/nginx-repo-crt/nginx-repo.crt"
export NGINX_KEY="op://Work/nginx-repo-key/nginx-repo.key"

Using the op run command, the 1Password CLI can replace secret reference URIs in environment variables with the secret’s value. We will leverage this in our docker build command to pass the NGINX repository certificate and key into the build container.

To build our container, run the following command in the same terminal used in the previous step:

op run -- docker build --no-cache --secret id=nginx-key,env=NGINX_KEY --secret id=nginx-crt,env=NGINX_CRT -t nginxplus --load .

In this command, op run executes the docker build command for us and detects that two environment variables (NGINX_CRT and NGINX_KEY) contain 1Password secret reference URIs. The op command replaces each URI with the secret's actual value in the environment of the docker build process only, and docker build's --secret flags then expose those values to the build as BuildKit secrets rather than as image layers.
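The following wrapper script is an added example and is not part of the original post, the 1Password CLI, or the NGINX documentation. It performs the same build as above but first checks that NGINX_CRT and NGINX_KEY actually hold 1Password secret references of the form op://vault/item/field, so that a local file path or a pasted certificate body never reaches docker build by mistake; it also refuses to run when op or docker is missing. The script name build.sh, the build subcommand, and the default image tag nginxplus are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around the
# `op run -- docker build` step that validates the secret references before
# starting the build. Assumes the Dockerfile lives in the current directory.
set -eu

# 1Password secret references have the form op://<vault>/<item>/<field>.
# Returns 0 for a well-formed reference, 1 for anything else.
is_op_reference() {
  case "$1" in
    op://*/*/*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Inspect the two variables the build relies on. Prints one line per problem
# and returns 1 if either variable is unset or is not a secret reference.
check_build_secrets() {
  rc=0
  for pair in "NGINX_CRT=${NGINX_CRT:-}" "NGINX_KEY=${NGINX_KEY:-}"; do
    name=${pair%%=*}
    value=${pair#*=}
    if [ -z "$value" ]; then
      echo "$name is not set" >&2
      rc=1
    elif ! is_op_reference "$value"; then
      # Deliberately do not print the value: it may be the secret itself.
      echo "$name is not a 1Password secret reference (op://vault/item/field)" >&2
      rc=1
    fi
  done
  return $rc
}

# Run the build from the post through `op run`, which resolves the two
# references to their values only inside the child process's environment.
# The image tag defaults to `nginxplus`, as in the post (assumed default).
build_nginxplus() {
  tag=${1:-nginxplus}
  check_build_secrets
  command -v op >/dev/null 2>&1 || { echo "1Password CLI (op) not found" >&2; return 1; }
  command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
  op run -- docker build --no-cache \
    --secret id=nginx-key,env=NGINX_KEY \
    --secret id=nginx-crt,env=NGINX_CRT \
    -t "$tag" --load .
}

# Only start a build when explicitly asked, e.g.: ./build.sh build nginxplus
if [ "${1:-}" = "build" ]; then
  build_nginxplus "${2:-nginxplus}"
fi
```

After exporting NGINX_CRT and NGINX_KEY as shown earlier, running ./build.sh build performs the same op run invocation as the post; running it with a plain file path in either variable stops before docker build is ever executed, and the offending value is never echoed.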

With these steps, you can now securely build an NGINX Plus container against the NGINX Plus registry without storing the registry certificate and key on your local filesystem.
