I am building a relatively complex distributed Node system. Let's say there are two processes (node apps), A and B. They are defined in separate projects.
In addition, there are a couple of custom made node modules, being used in both A and B. Let's call them M and N. In addition, M is using N.
How should I correctly handle environment vars?
I guess I should define .env for both main processes (A and B), handle all ENV vars from there and simply pass the needed env vars from there, down to M and N. This way, M and N (and other internal modules) will receive their own ENV vars passed as parameters on creation.
Is this approach correct?
Having modules getting direct access to process.env is not a good idea, and modules having their own .env file is an even worse idea.
.env files should not be added to source control (ie git) because they change with the environment (dev, prod, pre-prod) and sometimes contains sensitive information (like AWS secret keys). So that would require you to paste a .env file each time you install your node_modules making your deployment process more complex.
The .env file loaded inside your module could merge in unexpected ways with the .env of your root app (remember there is only one process.env).
Imagine a case where your module would need to behave differently in two parts of your application. How would you override the data loaded via the .env file only in one place?
So in my opinion, your guess is correct: don't put .env in node_modules.
// This is better...
nModule.someMethod(process.env.PARAM1, process.env.PARAM2);
// ...than this
process.env.PARAM1 = '';
process.env.PARAM2 = '';
nModule.someMethod();
I feel strongly that environment variables are reserved for, well, the environment. This to me implies a few things:
Inside the code, these variables should be global, i.e., accessed only via process.env.
They are not passed down to other modules. Certainly it's a good idea to make dependencies customizable with parameters you can pass to the functions they export. But the environment should not be used for that.
How you load values into process.env is really a question of how you start your programs A and B. I personally prefer systemd services for that which have excellent support for defining the runtime environment. The dotenv package seems more like a crutch, but it's fine from the program's perspective.
Your approach sounds correct and it should work. When you define .env file and use dotenv package, you will be able to access all the variables inside .env in your code. That means that custom made node modules will also be able to access it, and you don't have to pass them anything (you can access them directly with process.env.NAME_OF_ENVIRONMENT_VARIABLE).
SUMERIZE: Create .env file in both A and B, use dotenv package, and then you can access environment variables directly inside the code with process.env.NAME_OF_ENVIRONMENT_VARIABLE (in custom node modules also). You can create constructor (for custom modules) in modules A and B, and just pass process.env.ENV_WHATEVER as a parameters. That is even better approach since your custom module's logic will be independent from the rest of the app (it will depend only on the input).
NOTE: Don't commit your .env to Git since .env usually have some confidential information. The best practice is to create a .gitignore file and add .env in it.
RECOMMENDATION You can keep all your .env files in one centralized place for better management. You can check some password management tools like https://www.dashlane.com/ or https://www.lastpass.com/.
You mentioned complex distributed system. Distribution can also be associated with a hub / centralized key/variable management system. I'm assuming there are many env variables that are shared across your multiple apps.
Isn't it a plus if you create a centralized node that contain all your required variables and protected them with authentication?
All nodes (regardless of app) to maintain only a single password string in order to authenticated with the centralized node, and load all required variables from a single .env file.
Alternatively you can use a system like vault
Related
I'm new to NodeJS and trying to understand the internal working of the system. Normally we create a .env file or some other configuration file to keep and manage secrets. The same environment values can be kept at the system level like using "export" command on mac.
what I'm trying to understand is how NodeJS loads and reads these value when we start the program either from a configuration file or from system itself.
You can dig through the NodeJS source code to actually see how the environment is provided to NodeJS, e.g. here through the RealEnvStore class. As you can see uv_os_getenv abstracts access to the env depending on the actual operation system.
At least on unix systems uv_os_getenv uses the environ variable which basically references all the environment variables that are made available to the node process as you can see here.
Is it possible to inject/change the current enviroment variables in an already loaded and started NodeJS process?
Exposing an Interface within the application is not an option, restarting is also not a valid option.
The process is running inside a docker container, requiring a specific NodeJS Version is possible.
EDIT: The change must be done from outside the application source so doing process.env.ENV_VAR = "new env" is not possible.
It isn't possible to modify the env vars of a running process. This isn't unique to NodeJS processes. It's just how env vars work on UNIX like operating systems. The vars live within the address space of the process. And while they are, typically, initially placed at a well known location near the top of the stack the current vars are likely to be at an arbitrary address in the heap. Env vars are intentionally private to each process. So unless the program provides an API for changing its env vars you can't modify them once the program is running.
You should use a redis store shared between containers that has stored the env.
redis node repo - redis listen for changes
I am looking to bind a PCF (Pivotal Cloud Foundry) Service to allow us to set certain api endpoints used by our UI within PCF environment. I want to use the values in this service to overwrite the values in the root directory file, 'config.json'. Are there any examples out there that accomplish this sort of thing?
The primary way to tackle this is to have your application do this parsing. Most (all?) programming languages give you the ability to load environment variables and to parse JSON. Using these capabilities, what you'd want to do is to read the VCAP_SERVICES environment variable and parse the JSON. This is where the platform will insert the information from your bound services. From there you, you have the configuration information so you can configure your app using the values from your bound service.
Manual Ex:
var vcap_services = JSON.parse(process.env.VCAP_SERVICES)
or you can use a library. There's a handy Node.js library called cfenv. You can read more about both of these options in the docs.
https://docs.cloudfoundry.org/buildpacks/node/node-service-bindings.html
If you cannot read the configuration inside of your application, perhaps there's a timing problem and you need the information before your app starts, you can use the platform's pre-runtime hooks.
https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile
The runtime hooks allow your application to include a file called .profile which will execute before your application. The .profile file is a simple bash script which can do anything needed to ready your application to be run. The only catch is that this needs to happen very quickly because it must complete before your application is able to start up and your application has a finite amount of time to start (usually 60s).
In your case, you could use jq to parse you values and insert them info your config file, perhaps using sed to overwrite a template value. Another option would be to run a small Node.js script, since your app is using Node.js it should be available on the path when this script runs, to read the environment variables and generate your config file.
Hope that helps!
Context:
As my Node.js project grows larger, the need for configuration increases. This project is the first project where I have switched from a 'legacy configuration file' (say, a config.js or config.json) to a dotenv (.env) file to configure the product.
However, the sheer amount of environment variables used raises a question. These environment variables are all related to OS and networking configuration, so it seems justified to configure the application with the dotenv technique.
Question:
Say there is one environment variable already set; that would mess up the configuration. A practical example of this would be when you upload a project to some of the bigger (cloud) hosts: the PORT environment variable of the machine is set, and may therefore override a default value (see example below), or a value that you might expect. For a system administrator, these errors would be hard to debug.
const PORT = process.env.PORT || 3000
How does one deal with these pitfalls?
Current situation:
I am currently using [name of product]_[name of variable] as template for my environment variables. It feels like a hack (remember private members in JS?) and there is most likely a better solution available.
The second option I have in mind is to be very explicit in the .env files by settings all variables used in the product. However, reliability seems to be a weak spot here: if someone were to remove one setting, the entire "defense mechanism" is gone and the product is vulnerable to these bugs again.
I have written two node scripts running on Mac/Unix which invoke rest services. Each script requires some configuration information like endpoints, keys, secrets, passwords etc. Not sure how this information should be stored or passed to the node scripts? I'm new to node and not sure where this type of information is typically stored for a node application. Its really just a bunch of scripts that I intend to call periodically, so these are not services but scripts that invoke services.
Looks like node-config module is the way to go:
https://github.com/lorenwest/node-config