
Using node secrets within an application

Overview

In a Barbara Edge Node, secrets refer to sensitive data, such as API keys, passwords, certificates, or encryption keys, that need to be securely stored and accessed by applications running on the node.


Video tutorial

See also...

Watch this tutorial on Using Node Secrets in an Application.


How Secrets Work in a Barbara Edge Node

  1. Secure Storage:

    • Secrets are stored in an encrypted and secure way to prevent unauthorized access.
    • They are managed within Barbara Panel, in the Docker Secrets card.
  2. Controlled Access:

    • Applications running on the node can retrieve secrets at runtime but cannot read them directly from the file system.
    • Access to secrets is managed through policies, ensuring only specific containers or services can use them.
  3. Separation from Images:

    • Secrets are not hardcoded in container images to improve security.
    • This ensures that images remain portable and do not expose sensitive data if shared.

Configuring Secrets in docker-compose.yaml

Secrets defined for a node within its "Docker Secrets" configuration are automatically made available to its applications. No specific tags are required in the docker-compose.yaml file; the application's source code reads the secrets at runtime as environment variables, as shown in Step 2 below.


Hands-on Practice: Using Secrets in the MQTT Client application

Let's use the same MQTT Client example from the last section. This time, we'll set the connection parameters using the node's secrets. Here are the parameters:

  • BROKER = "mqttbbr" (Broker address)
  • PORT = 8883 (Broker port; 8883 is the standard port for MQTT over TLS)
  • TOPIC = "test/topic" (Topic to subscribe to)
  • USERNAME = "bbruser" (Username for broker connection)
  • PASSWORD = "bbrpassword" (Password for broker connection)

Step 1: Define the secrets in the Docker Secrets card

Go to your node's Docker Secrets card and define the necessary secrets:

BROKER="mqttbbr"
PORT=8883
TOPIC="test/topic"
USERNAME="bbruser"
PASSWORD="bbrpassword"

Step 2: Change the application source code to read the secrets from the environment variables

Change the "test.py" code in the following way:

import os

# MQTT Broker Configuration (set default values in case they are not defined)
BROKER = os.getenv("BROKER", "mqttbbr") # Change to your broker's address
PORT = int(os.getenv("PORT", "8883")) # Broker port (8883 is MQTT over TLS)
TOPIC = os.getenv("TOPIC", "test/topic") # Change to your topic
USERNAME = os.getenv("USERNAME", "bbruser") # Replace with your username
PASSWORD = os.getenv("PASSWORD", "bbrpassword") # Replace with your password

Step 3: Upload a new version to the library

Zip your source code and create a new version of the application in your Panel's library.

Step 4: Deploy the app to your node

Deploy the application to your edge node and check it connects successfully to the MQTT Broker.
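
A stricter variant of the Step 2 lookup, added here as an example (it is not Barbara's code or part of the original tutorial): it reads the same variable names but refuses to start when BROKER, USERNAME or PASSWORD is missing instead of falling back to values built into the source, and it keeps the password out of the object's printed form. The names MqttSettings, load_mqtt_settings and MissingSecretError are hypothetical.

```python
import os
from dataclasses import dataclass, field


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


@dataclass(frozen=True)
class MqttSettings:
    broker: str
    port: int
    topic: str
    username: str
    password: str = field(repr=False)  # keep the password out of logs and tracebacks


def load_mqtt_settings(env=os.environ):
    """Build MQTT settings from the variables defined in Step 1 (names from this page)."""

    def required(name):
        value = env.get(name, "").strip()
        if not value:
            # Fail closed: no credential is built into the source to fall back on.
            raise MissingSecretError(f"secret {name} is not defined for this node")
        return value

    raw_port = env.get("PORT", "8883").strip()
    if not raw_port.isdigit() or not 1 <= int(raw_port) <= 65535:
        raise ValueError("PORT must be an integer between 1 and 65535")

    return MqttSettings(
        broker=required("BROKER"),
        port=int(raw_port),
        topic=env.get("TOPIC", "test/topic"),  # not sensitive, a default is fine
        username=required("USERNAME"),
        password=required("PASSWORD"),
    )


if __name__ == "__main__":
    # Constructed sample environment mirroring the values defined in Step 1.
    sample = {"BROKER": "mqttbbr", "PORT": "8883", "TOPIC": "test/topic",
              "USERNAME": "bbruser", "PASSWORD": "bbrpassword"}
    print(load_mqtt_settings(sample))  # the password field is omitted from the repr
```

With this variant, a node whose Docker Secrets card lacks one of the required entries fails at startup with the name of the missing secret, rather than attempting the connection with a credential that ships inside the application archive.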


Summary

We've explained how to securely manage and use secrets, such as API keys and passwords, within applications running on a Node. Secrets are stored securely within Barbara Panel and can be accessed by applications during runtime without exposing sensitive data in container images.