I'm imagining running a Kubernetes cluster containing pods where the pods are running Node-RED. My sniff tests show this to work just fine. What is puzzling me is this story and its relationship with credentials security.
Imagine my Node-RED flow is calling outbound to some external services that need authentication. I am imagining creating some Node-RED credentials that contain a userid/password pair that are then used by Node-RED during run-time execution. For this to work, I think I need to edit my settings.js such that there is a value for credentialsSecret which can decode the credentials JSON file. And it is here I am getting nervous.
It seems that if I have a container that contains both my credentialsSecret and my credentials.json then we have a path to someone obtaining my 3rd party super secret userid/password (which I wish to prevent).
If I don't have a value for credentialsSecret in my settings.json, then the credentials are worthless and my solution won't run as Node-RED won't have the info it needs to perform a remote connection at run-time.
Are there any recipes or thinking on creating containers for execution under Kubernetes where credentials are required to access remote 3rd party APIs?
This isn't specific to Node-RED - any application deployed in k8s that requires credentials needs to be able to access them securely.
The k8s docs cover this in great detail - https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
That covers how to get the credentials available either as files on the pod's local filesystem, or via environment variables. Pick whichever approach you want (env var is probably a bit easier), and then edit your settings file to pick up the value of credentialSecret from the corresponding place.
Thank you sir. Super excellent response speed to the community (as always). Your link makes sense and I am now going to study it in depth. However, I have what I think is a Node-RED oriented query:
If I understand correctly, the key that Node-RED uses to encrypt/decrypt the credentials is contained in the settings.js file under the key credentialsSecret. If I do not wish to supply this in a hard-coded form in a pre-supplied settings.js file, is there an alternate way of telling Node-RED (at run-time) my credentialsSecret? For example, is there a run-time flag used when starting Node-RED or an existing environment variable that Node-RED looks at? Failing this, my resort is to create a "wrapper" that performs some form of text substitution in the settings.js before starting Node-RED itself.
The key thing to remember is that settings.js is a JavaScript file - not a static JSON file. So you can have code in settings.js that does whatever work it needs to generate the settings.
The most simple thing to do would be:
    credentialSecret: process.env.MY_CREDENTIAL_SECRET
And that will use the environment variable MY_CREDENTIAL_SECRET.
Oh dear goodness I are dumb!!! And miss the wood for the trees. Thank you again kind sir!!!