Docker and the _cred file

I've been using this fantastic tutorial https://nodered.org/docs/getting-started/docker and I have been able to use a bindMount to update and persist my flows.json file. It works great - but I cannot get the credentials to stick.

I understand and use the environmental variable FLOWS, e.g. -e FLOWS=my_flows.json; however, I would like to have a CRED equivalent. I have not been able to find the environmental variable to match up my flows.json with my flows_cred.json. I thought that Node-Red would look for flows_cred.json in the same directory as flows.json, but my testing shows that to not be the case. I can have a flows file at /bindMount/flows.json but when I deploy, the flows_cred.json is created in the Node-Red root directory instead.

Perhaps I am missing the boat entirely and I am asking the wrong questions. What is the best way to persist and distribute credentials in Node-Red nodes such as the email node across docker deployments?

To anyone else that comes across this - I ended up just using environmental variables. I've come to the conclusion that using the _cred.json file across multiple docker containers is basically impossible; instead, pass in an environmental variable like so:

sudo docker run -d -p 1890:1880 -e NR_EMAIL_PW='xxxxxxxx' aw-node-red:latest

And then in Node-Red, in the password field of the email node for example, put:

${NR_EMAIL_PW}

For additional context, see:

https://stackoverflow.com/questions/74564175/how-to-pass-mysql-credentials-to-node-red-running-in-docker

or

https://nodered.org/docs/user-guide/environment-variables

Turns out that environmental variables are also not the answer - as entering something like

${NR_EMAIL_PW}

in the email node password field just encrypts that into the _cred file, which, when you move between dockers, doesn't track anyways.

Instead, I think the answer is to use the special configuration options in the settings.js file: Configuration : Node-RED

In my Dockerfile, I utilize the /data directory for storage, and the /bindMount folder to move flows files in and out of the container. So, for example, my Dockerfile is like:

FROM nodered/node-red
WORKDIR /usr/src/node-red
WORKDIR /data
WORKDIR /bindMount
COPY package.json /data/package.json
COPY settings.js /data/settings.js
USER root
RUN chown -R node-red:node-red /data
RUN chown -R node-red:node-red /bindMount
USER node-red
WORKDIR /data
RUN npm install --unsafe-perm --no-update-notifier --no-fund --only=production
WORKDIR /usr/src/node-red

but in my settings.js file I set two special fields:

userDir: '/bindMount/code/',

and

nodesDir: '/data/',

which allows Node-Red to search for my _cred file in the /bindMount directory.

In summary, this allows me to distribute pairs of Node-Red code files, the flows.json and the flows_cred.json, between different docker files via the /bindMount folder, as long as they are all using the same credential secret in the settings.js file that I've built into the /data directory.

Yup - turns out that updating the Node-Red settings file alone does not solve this, because the official docker build has this line in the ENTRYPOINT file:

/usr/local/bin/node $NODE_OPTIONS node_modules/node-red/red.js --userDir /data $FLOWS &

Well, that special flag, --userDir /data, basically overwrites whatever you put in the settings.js file. So even though you can specify where to keep your flows via the FLOWS environmental variable, the _cred.json file is always placed into the /data folder inside the docker container.

The solution was to overwrite the entrypoint.sh with my own, by adding an entrypoint.sh file to my docker folder and this line to my Dockerfile:

COPY entrypoint.sh /usr/src/node-red/entrypoint.sh

So this was a bit of a journey but it's working now and I learned a lot!
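
Added example (not part of the original posts and not Node-RED's own code): a preflight check that a flows_cred.json copied into a container decrypts under that container's credential secret, which is the condition the summary above depends on. It assumes the on-disk layout is a `$` field holding a 32-hex-character IV followed by base64 AES-256-CTR ciphertext keyed with SHA-256 of the secret; the function names and all sample values are constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumed key derivation: AES-256 key = SHA-256(credentialSecret).
function deriveKey(secret) {
  return crypto.createHash('sha256').update(secret).digest();
}

// Builds a constructed sample file in the assumed layout:
// {"$": "<32 hex chars of IV><base64 ciphertext>"}.
function encryptCredentials(secret, creds, iv = crypto.randomBytes(16)) {
  const cipher = crypto.createCipheriv('aes-256-ctr', deriveKey(secret), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(creds), 'utf8'), cipher.final()]);
  return { $: iv.toString('hex') + ct.toString('base64') };
}

// Reports whether a parsed flows_cred.json decrypts under `secret`.
// Returns node ids only, never the credential values.
function checkCredentialFile(fileObj, secret) {
  const blob = fileObj && fileObj.$;
  if (typeof blob !== 'string' || !/^[0-9a-f]{32}/i.test(blob)) {
    return { ok: false, reason: 'not-encrypted-format' };
  }
  const iv = Buffer.from(blob.slice(0, 32), 'hex');
  const decipher = crypto.createDecipheriv('aes-256-ctr', deriveKey(secret), iv);
  const plain = Buffer.concat([
    decipher.update(blob.slice(32), 'base64'),
    decipher.final(),
  ]).toString('utf8');
  try {
    // CTR has no integrity tag, so a wrong secret shows up as unparseable JSON.
    const creds = JSON.parse(plain);
    if (creds === null || typeof creds !== 'object') throw new Error('not an object');
    return { ok: true, nodeIds: Object.keys(creds) };
  } catch {
    return { ok: false, reason: 'wrong-secret-or-corrupt' };
  }
}

// Constructed sample: one email node's credentials, sealed in "container A".
const sampleFile = encryptCredentials('constructed-secret-A', {
  'a1b2c3d4.e5f6a7': { userid: 'user@example.invalid', password: 'constructed-pw' },
});
console.log(checkCredentialFile(sampleFile, 'constructed-secret-A')); // same secret
console.log(checkCredentialFile(sampleFile, 'constructed-secret-B')); // different secret
```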