How best to create node-red docker applications having flow credentials?

I would like to build a docker application that consists of a node-red application using nodes having credentials (which are stored in the flows_cred.json).

I am especially struggling with the credentials aspect.

  1. I would like to share my docker application without sharing my credentials.
  2. When deploying the docker application it should be possible somehow to specify the credentials.
  3. When deploying the docker application the actual credentials might also be different than the ones used when developing the application.

Just brainstorming, but deploying through ansible playbooks where you have different sets for example for development and production, where the playbook manages which parts of the /data, where different sets of credentials for the flow are prepared beforehand and the value for the credentials key in settings.js encoded through the Ansible Vault, and substituted in place?

https://docs.ansible.com/ansible/latest/user_guide/playbooks.html
https://docs.ansible.com/ansible/latest/user_guide/vault.html?highlight=vault
https://docs.ansible.com/ansible/latest/modules/docker_container_module.html

1 Like

I just discovered that instead of specifying the actual credentials (tokens/passwords) when configuring nodes I can specify environment variables (e.g. ${MQTT_PASSWORD}).

So in that case the actual credentials are not stored in the credential flow but just the environment variable names. This means that there is also no longer a need to encrypt the credentials flow.

The only thing I must ensure is that the environment variables are properly set when starting node-red.

1 Like
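The start-up check mentioned in the post above (every variable a flow references must be set before Node-RED launches), sketched as an added example that is not part of the thread or Node-RED's own code. It assumes references take the whole-property `${NAME}` form shown in the post; `collectEnvRefs`, `missingEnvVars` and the sample flow are hypothetical names and constructed data.

```javascript
// Added example: find ${ENV_VAR} references in a Node-RED flow and report
// which ones the environment does not define.
// Assumption: a reference occupies the whole property value, e.g.
// "${MQTT_PASSWORD}"; a partial string like "CLIENT-${HOST_IP}" is ignored.
const ENV_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;

// Recursively collect every ${NAME} reference with the JSON path it sits at.
function collectEnvRefs(value, path = '', found = []) {
  if (typeof value === 'string') {
    const m = ENV_REF.exec(value.trim());
    if (m) found.push({ name: m[1], path });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => collectEnvRefs(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      collectEnvRefs(v, path ? `${path}.${k}` : k, found);
    }
  }
  return found;
}

// Names referenced by the flow that are unset or empty in `env`.
// Only names are returned, never values, so the result is safe to log.
function missingEnvVars(flows, env) {
  const names = new Set(collectEnvRefs(flows).map((r) => r.name));
  return [...names].filter((n) => !env[n]).sort();
}

// Constructed sample data (property names are illustrative only).
const sampleFlows = [
  { id: 'b1', type: 'example-broker-config', broker: '${MQTT_HOST}', port: '1883',
    credentials: { user: '${MQTT_USER}', password: '${MQTT_PASSWORD}' } },
  { id: 'n1', type: 'example-input', topic: 'sensors/#', broker: 'b1' },
];

// Constructed environment with the password left out.
const sampleEnv = { MQTT_HOST: 'broker.example', MQTT_USER: 'svc' };
console.log('missing:', missingEnvVars(sampleFlows, sampleEnv));
```

In a container entrypoint, pass it the parsed flow file and `process.env`, and refuse to start when the returned list is non-empty.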

Does that mean they have to be stored in plain text on the machine somewhere?

It means that the environment variables should be set with passwords / tokens before the node-red application is launched.

In case of a docker application you can specify those environment variables as options of your docker run command (see How do I pass environment variables to Docker containers?)

I am not directly using the docker commands, instead I am using balena.io for deploying my docker applications. balena.io allows you to set environment variables in your personal balena dashboard.

... but yes, in case someone can open a shell script on your docker application, then by typing env he will be able to see all the environment variable values in clear.

@afelix I need to do exactly that (using Ansible to manipulate NodeRed configuration) but have two issues:

  1. Credentials can stay the same; if possible to change that would be great, but I can't see how I can generate new credentials without using the UI. Is there a way to do that?
  2. Since I am making a duplicate of the nodered instance and all the servers that it connects to, I also need to change the URL/IP address of a few things. All of these are in flows.json, so I can't template it since I would also mess up the flows every time I use the template, e.g. I will revert changes in it. So is there a way to pull that information out to something separate?

I need to be able to do this both for production and development environments. Essentially the best thing would be if I can create a file with the servers where IP/URL and credentials are correct, then NodeRed would use that on startup.

As my post before was just brainstorming rather than actually trying it out, I’m afraid I can’t really help you. I do know that @Colin is working with ansible and node-red, he might be of help here.

@afelix thx, maybe @Colin knows more how he uses ansible with nodered and if there are any ways to solve my issues.

I do use Ansible to set up systems, including installing node-red. I don't use the projects feature, I found it too restrictive in what I could do. I do use git for project control and include the credentials file in the repository so when I clone a repository I get the complete setup, and just need to npm install to get all the extra nodes installed.

Each of my systems is unique so I don't have the problem of setting anything in flows.json to personalise each system. If I did need anything like that I would look at Environment variables or possibly a configuration file that would be read in by settings.js. That may not be sufficient for credentials though.