This is related to "node-red-contrib-mssql-plus" node.
While i have opened a FR request for the same , i wanted to check with the forum as well.
I have a situation where i cannot change the node credentials while deploying to prod env. And we need to put the DB credentials using env variables in settings.js so that the same deployment can work across envs.
(Its a docker env).
The challenge is - if we put the DB password in settings.js - its in plainview - leading to security risk.
Is there any way to pass the password as an encrypted value (the env variable value) and then the node will decrypt it ?
can't you use environment variables for the password property - ${My_password} etc - see Using environment variables : Node-RED and then pass them into your docker via the command line -E option ?
No there is not. Nor is there a standard mechanism or agreed method (AFAIK) for passing encrypted credentials to a config node. However, if you store the details in the config node they are encrypted in the flow.creds.json file.
My challenge is whether i pass it with -E or as an entry in settings.js - it would be in plain text and anyone can see it . Causing security challenge. So i want to pass an encrypted via. and some way for the node to decrypt it.
I am already exploring with the teams if this can work.
In absence of their agreement, wanted to explore if the password can be passed as encrypted value and maybe some way to decrypt it.
I have added it as a FR for future. Let me go to my team and see if i can convince them.
Coming back to this.
We implemented the env variables for MSSQL config node. But what i see is even in case of mustache format the user and password (which are now env variables) are not exported .
I would have assumed that since we have now env variables there - the placeholders would be exported.
Challenge is - when moving this configuration from 1 env to other - it means the user still needs to connect to the front end set up the config node. Is my understanding correct ?
I want to achieve the following
Export flows from 1 env to other - which is connected to a different DB instance.
In the SQL nodes - i define the configuration using env variables.
Post deployment to new env it picks up the env variables.
But if i need to again login and type out the user password - then I cannot achieve 100% automation.
Please correct if my understanding on this is incorrect.
If I understand you. You have used (something like) ${user} and ${pass} as the username and password but when you export / import, these are lost?
That is (unfortunately) the designed behaviour.
I suspect a feature request with a concrete proposal is required.
EDIT...
This is by design to prevent the editor being able to expose credentials. Again though, if you can raise a good argument / Feature Request, please do so in #development:feature-requests
This is right. This is indeed i want to achieve. I have 10 environments and increasing.
Keeping same user / password in every env - both prod and non prod is a security risk.
What i want to do is once Development is finished - the flow is exported to prod environment and without having to open the flow and changing user/pass ( even it means setting it to {{{user}}} / {{{pass}}} ) it should work since these are already exported in the env.
Currently a manual intervention step is needed in every environment i export the flow to - which negates automation.
I will open a FR on the link.
If you are wanting to automate the deployment, can you not do so using the flow/credential files directly, rather than manually copy/pasting via the editors?
This works if the same credential is used across env - which will not be the case for prod and non prod. Even in non prod - depending on env - the credential varies. So today what happens is :
We deploy the flows in automated manner across multiple environments. No human internvention in the deployment process. This is done by putting our flows as a file in our storage repository which deployment folks take it via. their automations.
We will be setting all parameters of MSSQL as env variables including user and pass are part of deployment process. These would be specific to that environment . Example DB/Server is different per env.
What happens is post this automated deployment, specifically for user/pass - someone needs to open the editor and manually set it . Even if we copy the credential files directly to the target env - the source and target do not have the same credentials.
I was hoping that when we send the final flows post our tests for deployment the placeholders for user and pass also get deployed as placeholders and pick up values from that specific env.
Is that done by taking the flows.json and flow_creds.json files from the backend? Or by exporting them from the editor?
If you can do that via the files themselves and not through the editor, then all of the issues can be solved. The flow_creds.json will contain the credential properties - which can be ${FOO} style env var references.