walex999/nginx-cert

Cert-Demo-Environment

The point of this repo is to make setting up demo environments for PKI solutions easy through IaC: Terraform provisions the resources, and Ansible will be used in the future to configure them. The goal is to cover as many use cases as possible over time.

Terraform

The AWS provider for Terraform is used to provision the environment (suggestions for architecture or code improvements are welcome). Here is the detailed diagram and some notes:

UI preview

This environment is deployed with the following commands:

terraform validate
terraform plan -var-file=values.tfvars -out tfplan
terraform apply -var-file=values.tfvars tfplan

NGINX use case

The first use case implemented in this demo environment is nginx. An Ubuntu VM is deployed through Terraform for it.

Script creating the webpage with the certificate information

To keep the static HTML page dependency-free and as simple as possible, the certificate is read on service start/restart. Since the service must be restarted anyway when the X.509 certificate changes, this is not a limitation and is easily done by modifying the service itself. Running the script once by hand before modifying the nginx service is the right starting point to verify permissions and so on.

The script is very straightforward.
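Below is an added example of such a script, written for this README and not the repository's own update_cert_info.sh. It assumes the certificate and page locations from the file tree further down (/etc/nginx/ssl/nginxcrt.crt and /var/www/html/cert.html), an openssl binary on the VM, and that the page is served as-is by nginx. Beyond extracting the fields, it does three things a practitioner would want from a script that runs as a service pre-step: it HTML-escapes every certificate field so a crafted subject or SAN cannot inject markup into the served page, it writes the page atomically so nginx never serves a half-written file, and it exits non-zero on an unreadable certificate so a failed ExecStartPre= blocks the start instead of leaving a stale page in place.

```shell
#!/bin/sh
# Added example, not the repository's update_cert_info.sh: render the X.509
# certificate nginx serves into a static HTML page. Default paths follow the
# file tree in this README; everything else here is an assumption.
set -eu

# Escape the characters that carry meaning in HTML so a certificate field
# (subject, issuer, SAN, ...) can never inject markup into the generated page.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print one field of `openssl x509` for the certificate at $1, passing the
# remaining arguments through (-subject, -issuer, -serial, -enddate,
# -fingerprint -sha256, ...) and stripping the "name=" prefix openssl adds.
cert_field() {
    _cert="$1"
    shift
    openssl x509 -in "$_cert" -noout "$@" | sed -e 's/^[^=]*= *//'
}

# Subject Alternative Names (second line of the -ext output), or "(none)".
cert_sans() {
    _sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | awk 'NR == 2 { sub(/^ */, ""); print }')
    printf '%s\n' "${_sans:-(none)}"
}

# Classify validity: "expired", "expiring soon" (under 30 days left) or "ok".
expiry_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "expiring soon"
    else
        echo "ok"
    fi
}

# Write the page for certificate $1 to $2. The page is built in a temporary
# file next to the target and renamed, so nginx never serves a partial page.
render_cert_page() {
    cert="$1"
    out="$2"
    # Fail fast on a missing or malformed certificate: with set -e the script
    # exits non-zero, and a failing ExecStartPre= keeps nginx from starting
    # with a page that no longer matches the certificate it serves.
    openssl x509 -in "$cert" -noout

    subject=$(cert_field "$cert" -subject | html_escape)
    issuer=$(cert_field "$cert" -issuer | html_escape)
    serial=$(cert_field "$cert" -serial | html_escape)
    not_before=$(cert_field "$cert" -startdate | html_escape)
    not_after=$(cert_field "$cert" -enddate | html_escape)
    fingerprint=$(cert_field "$cert" -fingerprint -sha256 | html_escape)
    sans=$(cert_sans "$cert" | html_escape)
    status=$(expiry_status "$cert")
    status_class=$(printf '%s' "$status" | tr ' ' '-')

    tmp=$(mktemp "${out}.XXXXXX")
    cat > "$tmp" <<EOF
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Certificate info</title>
<link rel="stylesheet" href="style.css"></head>
<body>
<h1>Certificate served by nginx</h1>
<table>
<tr><th>Subject</th><td>$subject</td></tr>
<tr><th>Issuer</th><td>$issuer</td></tr>
<tr><th>Serial</th><td>$serial</td></tr>
<tr><th>Subject Alternative Names</th><td>$sans</td></tr>
<tr><th>Not before</th><td>$not_before</td></tr>
<tr><th>Not after</th><td>$not_after</td></tr>
<tr><th>SHA-256 fingerprint</th><td>$fingerprint</td></tr>
<tr><th>Status</th><td class="status-$status_class">$status</td></tr>
</table>
</body>
</html>
EOF
    chmod 0644 "$tmp"
    mv "$tmp" "$out"
}

# When invoked as a script (for example from ExecStartPre=), the two arguments
# are the certificate path and the output page path.
if [ "$#" -eq 2 ]; then
    render_cert_page "$1" "$2"
fi
```

Run it by hand first, as the text above suggests, e.g. `update_cert_info.sh /etc/nginx/ssl/nginxcrt.crt /var/www/html/cert.html`, and confirm the user the service runs the pre-step as can read the certificate and write into /var/www/html; the `expiry_status` value also makes the page a cheap place to spot a certificate that is about to lapse.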

Modifying Nginx to actually display this page

The next step is adding a /cert endpoint that serves the new page with the certificate info.

Editing the nginx service

The most reliable way to ensure the static HTML page is regenerated with the new certificate info is to have the script run as a pre-start step of the service.

sudo EDITOR=vim systemctl edit nginx

[Service]
# Replace with the actual path of the script (the Ansible playbook installs it
# under /usr/local/bin). systemd does not support comments at the end of a
# directive line, so the comments are kept on their own lines.
ExecStartPre=/home/ubuntu/update_cert_info.sh
# systemd has no ExecReloadPre= directive. To regenerate the page on reload as
# well, prepend the script to the ExecReload= sequence: the empty assignment
# resets the distribution's ExecReload=, and the following lines run in order.
# Check `systemctl cat nginx` and reuse the distribution's own reload command
# if it differs from the one below.
ExecReload=
ExecReload=/home/ubuntu/update_cert_info.sh
ExecReload=/usr/sbin/nginx -s reload

This can then be tested with a restart of the service.

Customizing the webpage's UI

Asking an AI assistant for a basic CSS that highlights those elements does the trick. Here's the final result:

UI preview

Ansible

Here are the files impacted by the Ansible playbook for nginx:

/
├── etc
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── demo-https.conf
│   │   └── ssl
│   │       ├── nginxcrt.crt
│   │       └── nginxkey.key
│   └── systemd
│       └── system
│           └── nginx.service.d
│               └── override.conf
├── usr
│   └── local
│       └── bin
│           └── update_cert_info.sh
└── var
    └── www
        └── html
            ├── cert.html
            └── style.css

The first step is filling in the inventory.ini file so Ansible connects to the instance on the right port with the right user name. The connection is then tested with this command:

ansible nginx-vm --inventory inventory.ini -m ping --private-key <private_key_path>

The playbook is then dry-run (no changes applied) with verbose output to check it:

ansible-playbook nginx.yaml --check -vvv

Improvements

  • Ansible to configure the EC2 instances
  • Improvements to the Terraform for AWS
  • Terraform to reproduce AWS's environment on other cloud providers (GCP, Scaleway)
  • Demonstrating PKI capabilities for Ansible, Terraform and Kubernetes workloads

About

Reproducible demo environment for PKI solutions