Nginx
Ilya Konstantinov, 2022-02-17 12:40:02

How to supply SSL certificates for the nginx Docker image in GitLab CI?

There is an option to add the certificates to the image during the build, and to store the certificates in CI variables in GitLab.
But they can't be masked, as a certificate is not just a string. Then you would have to make two certificates and duplicate the variables as protected.

But pushing certificates into the image is also not flexible, unless they are wildcard certificates.

(deliberately simplified configs for clarity)
Dockerfile:

FROM nginx AS web

COPY ./nginx/.cert /etc/ssl/


.gitlab-ci.yml:
build:
  stage: build
  script:
    - mkdir -p nginx/.cert
    - echo "$SSL_KEY" > nginx/.cert/ssl.key # write the variable's content to a file (quoted so the PEM line breaks survive; > rather than >> so a retried job does not append)
    - echo "$SSL_CERT" > nginx/.cert/ssl.crt
    - docker build -t "$IMAGE" .
    - rm -rf nginx/.cert/* # remove local certs


Or mount the certificates as volumes, but updating them later will be extra manual work.

docker-compose.yml:
version: "3.4"

services:
  app:
    image: nginx
    volumes:
      - "./nginx/.cert:/etc/ssl/:ro" # the ./ prefix is required, otherwise Compose treats the name as a named volume


Which option is better, or is there another one? There is an idea to eventually use Traefik, but this option has not been considered yet.

3 answers
Ilya Konstantinov, 2022-02-18
@Ilya95

As a result, on the advice of Alexander Karabanov, I will store masked variables in GitLab CI as base64 and decode them at the time of service deployment:
(examples are deliberately simplified)
Dockerfile:

FROM nginx:1.21

COPY nginx/bin/40-ssl-decoding.sh /docker-entrypoint.d/
RUN  chmod +x /docker-entrypoint.d/40-ssl-decoding.sh

40-ssl-decoding.sh:
#!/bin/sh
set -e

echo "Decoding SSL certs..."

# The variables hold base64-encoded PEM. Overwrite (>) instead of appending (>>):
# the entrypoint scripts run again on every container start, and appending
# would corrupt the files on the second run.
echo "$SSL_KEY" | base64 -d > /etc/ssl/ssl.key
echo "$SSL_CRT" | base64 -d > /etc/ssl/ssl.crt
chmod 600 /etc/ssl/ssl.key

echo "SSL certs decoded!"

Saboteur, 2022-02-17
@saboteur_kiev

Certificates should not be part of the Docker image and should be mounted externally. Then renewing the certificate will not require a new build of the product.
You can expose them from outside through a mount.
Then I update the certificate on the mount and restart the container.
If you live in Kubernetes / OpenShift, you can store the certificate in a Secret and mount it as a file.

Vadim, 2022-02-17
@Viji

Actually, another option is to save the certificates to some medium or to a cloud secret, to which only the nginx container can be given access. Create a bash script in the container that will run before nginx starts and pull the certificates from this medium.
For example...
Dockerfile:

.....................................
.....................................
ENTRYPOINT ["/bin/bash", "/usr/local/bin/entrypoint.sh"]
# entrypoint.sh fetches the certificates and then runs this command (exec "$@");
# a foreground nginx never returns, so a trailing "nginx -s reload" would never run
CMD ["nginx", "-g", "daemon off;"]
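
The following is an added example, not code from any of the answers above. It combines Ilya's follow-up answer (base64 in masked CI variables, decoded by a script that runs before nginx) with Vadim's entrypoint pattern (fetch the material, then hand over to nginx), and adds the checks a practitioner would want: the files are overwritten rather than appended to, the key is never world-readable, and the container refuses to start if a variable is missing, is not base64, or does not decode to PEM. The variable names SSL_KEY and SSL_CRT are taken from Ilya's answer; SSL_DIR, the function names and the test payloads are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread above. Assumed names: SSL_KEY / SSL_CRT
# (as in the follow-up answer); SSL_DIR and the function names are constructed here.
set -eu

# decode_pem_var NAME DEST MODE
# Decodes the base64 text held in the variable NAME into DEST, overwriting
# (never appending, so a container restart does not double the file), applies
# MODE, and rejects anything that is empty, not base64, or not PEM.
decode_pem_var() {
    name=$1
    dest=$2
    mode=$3
    value=$(eval "printf '%s' \"\${$name:-}\"")
    if [ -z "$value" ]; then
        echo "error: $name is unset or empty" >&2
        return 1
    fi
    # umask 077 so the file is never world-readable, not even briefly
    if ! (umask 077; printf '%s' "$value" | base64 -d > "$dest"); then
        echo "error: could not decode $name (not valid base64?)" >&2
        rm -f "$dest"
        return 1
    fi
    chmod "$mode" "$dest"
    if ! head -n 1 "$dest" | grep -q '^-----BEGIN '; then
        echo "error: decoded $name does not look like PEM" >&2
        rm -f "$dest"
        return 1
    fi
}

# install_tls_material DIR: write ssl.key (0600) and ssl.crt (0644) under DIR
install_tls_material() {
    dir=$1
    mkdir -p "$dir"
    decode_pem_var SSL_KEY "$dir/ssl.key" 600
    decode_pem_var SSL_CRT "$dir/ssl.crt" 644
}

# Entrypoint behaviour: when given a command (the image's CMD, e.g.
# nginx -g 'daemon off;'), install the material and exec into it so nginx is
# PID 1 and receives signals. With no arguments only the functions are defined,
# so the file can also be sourced or tested.
if [ "$#" -gt 0 ]; then
    install_tls_material "${SSL_DIR:-/etc/ssl}"
    exec "$@"
fi
```

To produce the variable values, encode each file as a single line (`base64 -w0 server.key`), since GitLab can only mask single-line values. Saboteur's point still applies: a mounted file or a Kubernetes Secret keeps the key out of environment variables altogether, and this script only makes the variable-based approach fail closed rather than silently starting nginx with a broken key file.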
