If you’re a regular user of F5 NGINX Plus, it’s likely that you’re building containers to try out new features or functionality. And when building NGINX Plus containers, you often end up storing sensitive information like the NGINX repository certificate and key on your local file system. While it’s straightforward to add sensitive files to a repository’s .gitignore file, that process is neither ideal nor secure – in fact, there are many examples where engineers accidentally commit sensitive information to a repository.
A better method is to use a secrets management solution. Personally, I’m a longtime fan of 1Password and recently discovered their CLI tool. This tool makes it easier for developers and platform engineers to interact with secrets in their day-to-day workflow.
In this blog post, we outline how to use 1Password CLI to securely build an NGINX Plus container. This example assumes you have an NGINX Plus subscription, a 1Password subscription with the CLI tool installed, access to an environment with a shell (Bash or Zsh), and Docker installed.
The first step is to store your secrets in 1Password, which supports multiple secret types like API credentials, files, notes, and passwords. In this NGINX Plus use case, we leverage 1Password’s secure file feature.
You can obtain your NGINX repository certificate and key from the MyF5 portal. Follow the 1Password documentation to create a secure document for both the NGINX repository certificate and key. Once you have created the two secure documents, follow the steps to collect the 1Password secret reference.
Note: At the time of this writing, 1Password does not support multiple files on the same record.
Now it’s time to build the NGINX Plus container that leverages your secure files and their secret reference Uniform Resource Identifiers (URIs). This step uses the example Dockerfile from the NGINX Plus Admin Guide.
docker build Process
After saving the Dockerfile to a new directory, prepare the docker build process. To pass your 1Password secrets into the docker build, first store each secret reference URI in an environment variable. Then, open a new Bash terminal in the directory where you saved your Dockerfile.
Enter these commands into the Bash terminal:
export NGINX_CRT="op://Work/nginx-repo-crt/nginx-repo.crt"
export NGINX_KEY="op://Work/nginx-repo-key/nginx-repo.key"
The op run command enables your 1Password CLI to replace secret reference URIs in environment variables with the secret’s value. You can leverage this in your docker build command to pass the NGINX repository certificate and key into the build container.
To finish building your container, run the following commands in the same terminal used in the previous step:
op run -- docker build --no-cache --secret id=nginx-key,env=NGINX_KEY --secret id=nginx-crt,env=NGINX_CRT -t nginxplus --load .
In this command, op run executes the docker build command and detects two environment variable references (NGINX_CRT and NGINX_KEY) with the 1Password secret reference URIs. The op command replaces each URI with the secret’s actual value, and docker build receives the certificate and key through the --secret flags rather than through the build context.
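An added example, not code from the post or from the NGINX Plus Admin Guide: a small POSIX shell audit that checks a secret reference has the op://vault/item/file shape used above and flags a Dockerfile that would bake nginx-repo.crt or nginx-repo.key into an image layer (COPY/ADD, or ARG/ENV) instead of mounting them only for the RUN step with the BuildKit secret ids (nginx-crt, nginx-key) that the --secret flags above supply. Both Dockerfiles are constructed, abbreviated samples, not the Admin Guide's Dockerfile.

```shell
#!/bin/sh
# Constructed sample: the certificate and key are copied into the image, so
# they persist in a layer and show up in `docker history` / `docker save`.
BAD_DOCKERFILE='FROM debian:bookworm-slim
COPY nginx-repo.crt /etc/ssl/nginx/nginx-repo.crt
COPY nginx-repo.key /etc/ssl/nginx/nginx-repo.key
RUN apt-get update && apt-get install -y nginx-plus'

# Constructed sample: the files exist only while this RUN step executes.
# The ids match the --secret id=nginx-crt / id=nginx-key flags of the post.
GOOD_DOCKERFILE='FROM debian:bookworm-slim
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt \
    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key \
    apt-get update && apt-get install -y nginx-plus'

# check_secret_ref REF: succeed only for the three-part 1Password reference
# form op://<vault>/<item>/<field-or-file>, as used for NGINX_CRT/NGINX_KEY.
check_secret_ref() {
  printf '%s\n' "$1" | grep -Eq '^op://[^/]+/[^/]+/[^/]+$'
}

# audit_dockerfile CONTENT: print one finding per line; return 1 if the
# repository certificate or key would land in an image layer, else 0.
audit_dockerfile() {
  rc=0
  while IFS= read -r line; do
    case "$line" in
      COPY*nginx-repo.crt*|COPY*nginx-repo.key*|ADD*nginx-repo.crt*|ADD*nginx-repo.key*)
        printf 'FAIL: cert/key copied into an image layer: %s\n' "$line"; rc=1 ;;
      ARG*NGINX_CRT*|ARG*NGINX_KEY*|ENV*NGINX_CRT*|ENV*NGINX_KEY*)
        printf 'FAIL: secret passed via build ARG/ENV: %s\n' "$line"; rc=1 ;;
      *--mount=type=secret,id=nginx-crt*|*--mount=type=secret,id=nginx-key*)
        printf 'OK: secret mounted only for this RUN step: %s\n' "$line" ;;
    esac
  done <<EOF
$1
EOF
  return $rc
}

# Demo run over the two constructed samples and the post's reference URI.
check_secret_ref 'op://Work/nginx-repo-crt/nginx-repo.crt' && printf 'reference OK\n'
printf '== insecure Dockerfile ==\n'
audit_dockerfile "$BAD_DOCKERFILE" || printf 'verdict: do not build this image\n'
printf '== BuildKit-secret Dockerfile ==\n'
audit_dockerfile "$GOOD_DOCKERFILE" && printf 'verdict: safe for op run -- docker build --secret ...\n'
```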
By following these simple steps and using 1Password CLI, you can build NGINX Plus containers against the NGINX Plus repository without storing the certificate and key on your local file system – creating an environment for better security.
If you’re new to NGINX Plus, you can start your 30-day free trial today or contact us to discuss your use cases.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."