Is it possible to include credentials (env variables) in a flow json?

Hi everybody!

I'm trying to package a subflow as a module. This subflow should transparently subscribe to an MQTT topic and change its output accordingly.

It will be deployed on a Kubernetes cluster, and the goal is to have the MQTT broker configuration node retrieve its credentials from environment variables. The MQTT settings of this node are implementation details, and ideally I'd like to hide all of them, including the credentials, to avoid users breaking anything.

I searched a bit, and found somewhere (maybe on this forum, but I can't find the post anymore. Found it again: https://groups.google.com/g/node-red/c/Dfhkiu9X8r0/m/vz2URAdsBgAJ) that it may be possible to just include them on the node in the flows.json file like so:

[
    // previous nodes...
    {
      "id": "338acaed95291164",
      "type": "mqtt-broker",
      "name": "Semi-public broker",
      "broker": "my-mqtt-broker.com",
      "port": "8883",
      "tls": "e422096c3f00881b",
      "clientid": "",
      "autoConnect": true,
      "usetls": true,
      "protocolVersion": "5",
      "keepalive": 60,
      "cleansession": true,
      "autoUnsubscribe": true,
      "birthTopic": "",
      "birthQos": "0",
      "birthRetain": "false",
      "birthPayload": "",
      "birthMsg": {},
      "closeTopic": "",
      "closeQos": "0",
      "closeRetain": "false",
      "closePayload": "",
      "closeMsg": {},
      "willTopic": "",
      "willQos": "0",
      "willRetain": "false",
      "willPayload": "",
      "willMsg": {},
      "userProps": "",
      "sessionExpiry": "",
      "credentials": {
        "user": "${MQTT_BROKER_USERNAME}",
        "password": "${MQTT_BROKER_PASSWORD}"
      }
    },
    // next nodes ...
],

And by extension, maybe I could do the same in my subflow json. This would be perfect for my use case as the credentials are just references to environment variables so there is no sensitive data stored in the subflow json file, and the subflow would be self-contained.

When I tried, at first it seemed like everything would be working fine as the credentials were picked up by the editor before packaging it.

However, at runtime, it cannot connect to the broker, and it seems like the credentials are undefined. Setting the same credentials in flows_cred.json works as expected.

Only official documentation I could find about inline credentials in a flow is for the POST /flows endpoint (POST /flows : Node-RED), which I guess is kinda unrelated to the way the runtime reads the flows.json file and the packaged subflows.

So my question is, is that use case supported? Has anyone done that?
Or was it not supposed to be picked up by the editor, which is why it confuses me?

Thanks for your help!

Edit 1
I'm running Node-RED v4.1.4

Edit 2
I found a few related posts including

When considering exported flows, the answer makes sense, but in my case this is about flows/subflows which are edited manually to include the env variables to use when imported

Edit 3
Found again the post where @knolleary mentioned flows can include credentials

Completely forgot, but during my research I also ended up on this issue where @knolleary seems to imply that my use case should be supported?

The runtime APIs support the flow including credentials as that is what the editor uses to set them in the first place.

So the question now is, is that not supported anymore ? Or is it a bug ?
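Whatever the runtime ends up doing with an inline "credentials" block, two things are worth checking before a subflow is packaged and deployed: that no credential field holds a literal secret (it would ship in plaintext inside the module, unlike values kept in flows_cred.json), and that every ${ENV_VAR} the flow references is actually set in the deployment, since the symptom of a missing one is exactly the "credentials are undefined" failure at connect time. The following is an added example of such a pre-packaging check; it is not code from the post or from Node-RED, and the sample flow it runs over is constructed here (the node shape from the post plus a second broker node with a literal password).

```javascript
// Added example (not from the forum post or the Node-RED project): lint a
// flow/subflow JSON export before packaging it as a module.

// A credential value is acceptable only if it is exactly one ${NAME} reference.
const ENV_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;

// Returns {id, type, key} for every credential field that holds a literal
// value instead of an environment-variable reference.
function findInlineSecrets(flow) {
  const findings = [];
  for (const node of flow) {
    if (!node || typeof node !== "object" || !node.credentials) continue;
    for (const [key, value] of Object.entries(node.credentials)) {
      if (typeof value !== "string" || value === "") continue; // unset field
      if (!ENV_REF.test(value)) findings.push({ id: node.id, type: node.type, key });
    }
  }
  return findings;
}

// Sorted, de-duplicated names of the environment variables referenced from
// credential fields anywhere in the flow.
function referencedEnvVars(flow) {
  const names = new Set();
  for (const node of flow) {
    if (!node || typeof node !== "object" || !node.credentials) continue;
    for (const value of Object.values(node.credentials)) {
      const m = typeof value === "string" ? value.match(ENV_REF) : null;
      if (m) names.add(m[1]);
    }
  }
  return [...names].sort();
}

// Combined report against a given environment (defaults to process.env):
// literal secrets found, and referenced variables that are unset or empty.
function lintFlow(flow, env = process.env) {
  const inlineSecrets = findInlineSecrets(flow);
  const missingEnv = referencedEnvVars(flow).filter((name) => !env[name]);
  return {
    inlineSecrets,
    missingEnv,
    ok: inlineSecrets.length === 0 && missingEnv.length === 0,
  };
}

// Constructed sample (not a real export): the mqtt-broker node from the post,
// trimmed to the relevant properties, plus a second broker node whose password
// was left as a literal. Note that flows.json must be strict JSON; the "//"
// markers in the post stand for elided nodes.
const sampleFlow = [
  {
    id: "338acaed95291164",
    type: "mqtt-broker",
    name: "Semi-public broker",
    broker: "my-mqtt-broker.com",
    port: "8883",
    usetls: true,
    credentials: { user: "${MQTT_BROKER_USERNAME}", password: "${MQTT_BROKER_PASSWORD}" },
  },
  {
    id: "example-literal",
    type: "mqtt-broker",
    name: "Leaky broker (constructed)",
    broker: "other-broker.example",
    port: "1883",
    credentials: { user: "${OTHER_USER}", password: "not-a-real-password" },
  },
];

// Stand-alone run: report against an environment that defines nothing, so
// both the literal password and the three unset variables are reported.
console.log(JSON.stringify(lintFlow(sampleFlow, {}), null, 2));
```

Run this in the build step that packages the subflow, and again in the container entrypoint against the real environment (with `lintFlow(flow)` so it uses `process.env`) before starting Node-RED; a non-`ok` report fails fast with the variable names, rather than leaving the broker node to retry a connection with undefined credentials.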

Welcome to the forum @mattjcj

Have you looked at combining environment variables with dynamic subscription for the mqtt nodes?

Perhaps set the variables in the flow tab where they will be in plain text but unobtrusive.


Use a function node to retrieve them and connect/disconnect/publish/etc dynamically.


Hey, thanks!

Thank you for the suggestion. I was actually planning on using dynamic subscription as a workaround.

I'll pre-configure these environment variables probably in settings.js or in the entrypoint of the container, so that they're fetched automatically from a secret manager with all the different credentials the users might need.

But I still wanted to figure out if the behavior I encountered was expected or a possible bug. Fortunately the MQTT nodes are quite flexible and can be configured dynamically, but I'm not sure it'll be the case with all the nodes I'll end up working with later in my subflows.
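The workaround discussed in the two replies above (environment variables read in a function node, then fed to an MQTT node in dynamic-connection mode) is shown below as an added example; it is not code from the thread or from Node-RED. It assumes the MQTT nodes' dynamic control contract of `msg.action = "connect"` with the connection details in `msg.broker` (`broker`, `port`, `usetls`, `username`, `password`, `protocolVersion`; check the MQTT node's help text for your version for the exact field list), and that the variable names `MQTT_BROKER_HOST`, `MQTT_BROKER_PORT`, `MQTT_BROKER_TLS`, `MQTT_BROKER_USERNAME` and `MQTT_BROKER_PASSWORD` are the ones the deployment provides. The point it adds to the replies is the failure mode from the original post: a missing variable produces an explicit error instead of a connect attempt with undefined credentials, and the message is redacted before it is logged.

```javascript
// Added example (not from the thread or from Node-RED): build the dynamic
// "connect" message for an MQTT node from environment variables.
// Inside a function node, pass env.get as the lookup; stand-alone, the
// fallback below reads process.env so the file runs outside Node-RED.

// Variables without which connecting makes no sense (assumed names).
const REQUIRED = ["MQTT_BROKER_HOST", "MQTT_BROKER_USERNAME", "MQTT_BROKER_PASSWORD"];

// Returns { msg } with the connect message, or { error } describing what is
// missing or invalid. Never returns a message with undefined credentials.
function buildConnectMessage(lookup) {
  const missing = REQUIRED.filter((name) => {
    const v = lookup(name);
    return v === undefined || v === null || v === "";
  });
  if (missing.length > 0) {
    return { error: `missing environment variables: ${missing.join(", ")}` };
  }

  const rawPort = lookup("MQTT_BROKER_PORT");
  const port = rawPort === undefined || rawPort === "" ? 8883 : Number(rawPort);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    return { error: `invalid MQTT_BROKER_PORT: ${rawPort}` };
  }

  // TLS stays on unless explicitly switched off; a plaintext broker should be
  // a deliberate choice, not the result of an unset variable.
  const usetls = String(lookup("MQTT_BROKER_TLS") ?? "true").toLowerCase() !== "false";

  return {
    msg: {
      action: "connect",
      broker: {
        broker: lookup("MQTT_BROKER_HOST"),
        port,
        usetls,
        username: lookup("MQTT_BROKER_USERNAME"),
        password: lookup("MQTT_BROKER_PASSWORD"),
        protocolVersion: 5,
      },
    },
  };
}

// Copy of a connect message safe to write to the debug sidebar or node.log.
function redact(msg) {
  const broker = { ...msg.broker, password: "***" };
  return { ...msg, broker };
}

// Body of the function node (env, node and return are provided by Node-RED):
//   const result = buildConnectMessage((name) => env.get(name));
//   if (result.error) { node.error(result.error); return null; }
//   node.log("MQTT connect: " + JSON.stringify(redact(result.msg)));
//   return result.msg;

// Stand-alone run against the real process environment.
const standalone = buildConnectMessage((name) => process.env[name]);
console.log(standalone.error ? standalone.error : JSON.stringify(redact(standalone.msg)));
```

On Kubernetes the values themselves belong in a Secret referenced through `env.valueFrom.secretKeyRef` on the container, or written by the entrypoint from the secret manager, so the packaged subflow carries only the variable names and the function node above fails clearly when one is absent.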