Kubernetes and Node-RED credentials security

I'm imagining running a Kubernetes cluster containing pods where the pods are running Node-RED. My sniff tests show this to work just fine. What is puzzling me is this story and its relationship with credentials security.

Imagine my Node-RED flow is calling outbound to some external services that need authentication. I am imagining creating some Node-RED credentials that contain a userid/password pair that are then used by Node-RED during run-time execution. For this to work, I think I need to edit my settings.js such that there is a value for credentialsSecret which can decode the credentials JSON file. And it is here I am getting nervous.

It seems that if I have a container that contains both my credentialsSecret and my credentials.json then we have a path to someone obtaining my 3rd party super secret userid/password (which I wish to prevent).

If I don't have a value for credentialsSecret in my settings.json, then the credentials are worthless and my solution won't run as Node-RED won't have the info it needs to perform a remote connection at run-time.

Are there any recipes or thinking on creating containers for execution under Kubernetes where credentials are required to access remote 3rd party APIs?

This isn't specific to Node-RED - any application deployed in k8s that requires credentials needs to be able to access them securely.

The k8s docs cover this in great detail - https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/

That covers how to get the credentials available either as files on the pod's local filesystem, or via environment variables. Pick whichever approach you want (env var is probably a bit easier), and then edit your settings file to pick up the value of credentialSecret from the corresponding place.

1 Like

Thank you sir. Super excellent response speed to the community (as always). Your link makes sense and I am now going to study it in depth. However, I have what I think is a Node-RED oriented query:

If I understand correctly, the key that Node-RED uses to encrypt/decrypt the credentials is contained in the settings.js file under the key credentialsSecret. If I do not wish to supply this in a hard-coded form in pre-supplied settings.js file, is there an alternate way of telling Node-RED (at run-time) my credentialsSecret? For example, is there a run-time flag used when starting Node-RED or an existing environment variable that Node-RED looks at? Failing this, my resort is to create a "wrapper" that performs some form of text substitution in the settings.js before starting Node-RED itself.

The key thing to remember is that settings.js is a JavaScript file - not a static JSON file. So you can have code in settings.js that does whatever work it needs to generate the settings.

The most simple thing to do would be:

   credentialSecret: process.env.MY_CREDENTIAL_SECRET

And that will use the environment variable MY_CREDENTIAL_SECRET.

1 Like
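
The two injection routes mentioned in this thread (a Secret mounted as a file, or exposed as an environment variable) can be handled in settings.js by one small loader that refuses to start without a key. This is an added example, not code from the posts above or from Node-RED itself; MY_CREDENTIAL_SECRET_FILE and the mount path are hypothetical names chosen here, and the key values are constructed.

```javascript
// Added example: resolve Node-RED's credentialSecret at start-up from a
// Kubernetes Secret, delivered either as a mounted file or as an env var.
// MY_CREDENTIAL_SECRET is the variable name used in the thread;
// MY_CREDENTIAL_SECRET_FILE is a hypothetical name chosen for this example.

function defaultReadFile(path) {
    // Loaded lazily so callers can inject their own reader instead.
    return require('fs').readFileSync(path, 'utf8');
}

function loadCredentialSecret(env = process.env, readFile = defaultReadFile) {
    const filePath = env.MY_CREDENTIAL_SECRET_FILE;
    let secret;
    if (filePath) {
        // Secret mounted as a volume: only the path is in the environment,
        // the key itself is read from the pod's filesystem.
        secret = readFile(filePath);
    } else {
        // Secret exposed directly as an environment variable.
        secret = env.MY_CREDENTIAL_SECRET;
    }
    // A value read from a file commonly ends in a newline; strip it so
    // both delivery routes yield the same key.
    secret = typeof secret === 'string' ? secret.replace(/[\r\n]+$/, '') : '';
    if (secret === '') {
        // Fail closed: stop at start-up instead of running without a key.
        throw new Error(
            'credentialSecret not provided: set MY_CREDENTIAL_SECRET_FILE or MY_CREDENTIAL_SECRET'
        );
    }
    return secret;
}

// In settings.js (shown as a comment, not executed here):
//   module.exports = { credentialSecret: loadCredentialSecret(), /* other settings */ };

// Constructed inputs, for illustration only.
const fromEnv = loadCredentialSecret({ MY_CREDENTIAL_SECRET: 'constructed-key-1' });
const fromFile = loadCredentialSecret(
    { MY_CREDENTIAL_SECRET_FILE: '/etc/node-red-secret/key' }, // hypothetical mount path
    () => 'constructed-key-2\n'                                // stands in for the mounted file
);
console.log(fromEnv === 'constructed-key-1', fromFile === 'constructed-key-2');
```
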

Oh dear goodness I are dumb!!! And miss the wood for the trees. Thank you again kind sir!!!

1 Like