Kubernetes and Node-RED credentials security

I'm imagining running a Kubernetes cluster containing pods where the pods are running Node-RED. My sniff tests show this to work just fine. What is puzzling me is this story and its relationship with credentials security.

Imagine my Node-RED flow is calling outbound to some external services that need authentication. I am imagining creating some Node-RED credentials that contain a userid/password pair that are then used by Node-RED during run-time execution. For this to work, I think I need to edit my settings.js such that there is a value for credentialsSecret which can decode the credentials JSON file. And it is here I am getting nervous.

It seems that if I have a container that contains both my credentialsSecret and my credentials.json then we have a path to someone obtaining my 3rd party super secret userid/password (which I wish to prevent).

If I don't have a value for credentialsSecret in my settings.json, then the credentials are worthless and my solution won't run as Node-RED won't have the info it needs to perform a remote connection at run-time.

Are there any recipes or thinking on creating containers for execution under Kubernetes where credentials are required to access remote 3rd party APIs?

This isn't specific to Node-RED - any application deployed in k8s that requires credentials needs to be able to access them securely.

The k8s docs cover this in great detail - https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/

That covers how to get the credentials available either as files on the pod's local filesystem, or via environment variables. Pick whichever approach you want (env var is probably a bit easier), and then edit your settings file to pick up the value of credentialSecret from the corresponding place.

Thank you sir. Super excellent response speed to the community (as always). Your link makes sense and I am now going to study it in depth. However, I have what I think is a Node-RED oriented query:

If I understand correctly, the key that Node-RED uses to encrypt/decrypt the credentials is contained in the settings.js file under the key credentialsSecret. If I do not wish to supply this in a hard-coded form in pre-supplied settings.js file, is there an alternate way of telling Node-RED (at run-time) my credentialsSecret? For example, is there a run-time flag used when starting Node-RED or an existing environment variable that Node-RED looks at? Failing this, my resort is to create a "wrapper" that performs some form of text substitution in the settings.js before starting Node-RED itself.

The key thing to remember is that settings.js is a JavaScript file - not a static JSON file. So you can have code in settings.js that does whatever work it needs to generate the settings.

The most simple thing to do would be:

   credentialSecret: process.env.MY_CREDENTIAL_SECRET

And that will use the environment variable MY_CREDENTIAL_SECRET.

Oh dear goodness I are dumb!!! And miss the wood for the trees. Thank you again kind sir!!!