I'm imagining running a Kubernetes cluster containing pods where the pods are running Node-RED. My sniff tests show this to work just fine. What is puzzling me is this story and its relationship with credentials security.
Imagine my Node-RED flow is calling outbound to some external services that need authentication. I am imagining creating some Node-RED credentials that contain a userid/password pair that are then used by Node-RED during run-time execution. For this to work, I think I need to edit my settings.js such that there is a value for credentialsSecret which can decode the credentials JSON file. And it is here I am getting nervous.
It seems that if I have a container that contains both my credentialsSecret and my credentials.json then we have a path to someone obtaining my 3rd party super secret userid/password (which I wish to prevent).
If I don't have a value for credentialsSecret in my settings.json, then the credentials are worthless and my solution won't run as Node-RED won't have the info it needs to perform a remote connection at run-time.
Are there any recipes or thinking on creating containers for execution under Kubernetes where credentials are required to access remote 3rd party APIs?