new: add configuration of node service communication encryption

ludomikula · ludomikula · commit 08ba3338595f · 2025-05-24T11:55:45.000+02:00
diff --git a/deploy/docker/README.md b/deploy/docker/README.md
@@ -44,6 +44,8 @@ Image can be configured by setting environment variables.
 | `LOWCODER_API_RATE_LIMIT`           | Number of max Request per Second                                        | `100`                                                 |
 | `LOWCODER_API_SERVICE_URL`          | Lowcoder API service URL                                                | `http://localhost:8080`                               |
 | `LOWCODER_NODE_SERVICE_URL`         | Lowcoder Node service (js executor) URL                                 | `http://localhost:6060`                               |
+| `LOWCODER_NODE_SERVICE_SECRET`      | Secret used for encrypting communication between API service and Node service - CHANGE IT! |                                    |
+| `LOWCODER_NODE_SERVICE_SALT`        | Salt used for encrypting communication between API service and Node service   - CHANGE IT! |                                    |
 | `LOWCODER_MAX_ORGS_PER_USER`        | Default maximum organizations per user                                  | `100`                                                 |
 | `LOWCODER_MAX_MEMBERS_PER_ORG`      | Default maximum members per organization                                | `1000`                                                |
 | `LOWCODER_MAX_GROUPS_PER_ORG`       | Default maximum groups per organization                                 | `100`                                                 |
@@ -128,6 +130,8 @@ Image can be configured by setting environment variables.
 | `LOWCODER_COOKIE_NAME`              | Name of the lowcoder application cookie                                 | `LOWCODER_CE_SELFHOST_TOKEN`                          |
 | `LOWCODER_COOKIE_MAX_AGE`           | Lowcoder application cookie max age in hours                            | `24`                                                  |
 | `LOWCODER_APP_SNAPSHOT_RETENTIONTIME` | Application snapshots retention time in days                          | `30`                                                  |
+| `LOWCODER_NODE_SERVICE_SECRET`      | Secret used for encrypting communication between API service and Node service - CHANGE IT! |                                    |
+| `LOWCODER_NODE_SERVICE_SALT`        | Salt used for encrypting communication between API service and Node service   - CHANGE IT! |                                    |
 
 Also you should set the API-KEY secret, whcih should be a string of at least 32 random characters. (from Lowcoder v2.3.x on)
 On linux/mac, generate one eg. with: head /dev/urandom | head -c 30 | shasum -a 256
@@ -172,6 +176,8 @@ Image can be configured by setting environment variables.
 | `LOWCODER_PUID`                 | ID of user running services. It will own all created logs and data. | `9001`                                                  |
 | `LOWCODER_PGID`                 | ID of group of the user running services.                           | `9001`                                                  |
 | `LOWCODER_API_SERVICE_URL`      | Lowcoder API service URL                                            | `http://localhost:8080`                                 |
+| `LOWCODER_NODE_SERVICE_SECRET`      | Secret used for encrypting communication between API service and Node service - CHANGE IT! |                                    |
+| `LOWCODER_NODE_SERVICE_SALT`        | Salt used for encrypting communication between API service and Node service   - CHANGE IT! |                                    |
 
 ## Building web frontend image
 
diff --git a/deploy/docker/default.env b/deploy/docker/default.env
@@ -105,6 +105,14 @@ LOWCODER_API_SERVICE_URL="http://localhost:8080"
 # Lowcoder Node service URL
 LOWCODER_NODE_SERVICE_URL="http://localhost:6060"
 
+#
+# ! PLEASE CHANGE THESE TO SOMETHING UNIQUE !
+# 
+#   Secret and salt used for encrypting comunication between API service and NODE service
+#
+LOWCODER_NODE_SERVICE_SECRET="62e348319ab9f5c43c3b5a380b4d82525cdb68740f21140e767989b509ab0aa2"
+LOWCODER_NODE_SERVICE_SECRET_SALT="lowcoder.org"
+
 ##
 ## Frontend parameters
 ##
diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml
@@ -4,10 +4,10 @@ description: A Helm chart for Kubernetes for installing lowcoder
 
 type: application
 # Chart version (change every time you make changes to the chart)
-version: 2.6.6
+version: 2.7.0
 
 # Lowcoder version
-appVersion: "2.6.6"
+appVersion: "2.7.0"
 
 # Dependencies needed for Lowcoder deployment
 dependencies:
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -61,6 +61,8 @@ $ helm delete -n lowcoder my-lowcoder
 | `global.config.snapshotRetentionTime`   | Lowcoder application snapshot retention time (in days)                            | `30`           |
 | `global.config.marketplacePrivateMode`  | Controls whether to show Apps on the local Marketplace to anonymous users         | `true`         |
 | `global.config.nodeServiceUrl`          | URL to node-service server if using external one (disabled by default)            |                |
+| `global.config.nodeServiceSecret`       | Secret used for encrypting traffic between API service and Node service - CHANGE IT! |                |
+| `global.config.nodeServiceSalt`         | Salt used for encrypting traffic between API service and Node service   - CHANGE IT! |                |
 | `global.config.apiServiceUrl`           | URL to api-service server if using external one (disabled by default)             |                |
 | `global.cookie.name`                    | Name of the lowcoder application cookie                                           | `LOWCODER_CE_SELFHOST_TOKEN` |
 | `global.cookie.maxAge`                  | Lowcoder application cookie max age in hours                                      | `24`           |
diff --git a/deploy/helm/templates/api-service/secrets.yaml b/deploy/helm/templates/api-service/secrets.yaml
@@ -31,3 +31,6 @@ stringData:
   LOWCODER_API_KEY_SECRET: "{{ .Values.global.config.apiKeySecret }}"
   LOWCODER_SUPERUSER_USERNAME: {{ .Values.global.config.superuser.username | default "admin@localhost" | quote }}
   LOWCODER_SUPERUSER_PASSWORD: {{ .Values.global.config.superuser.password | default "" | quote }}
+  LOWCODER_NODE_SERVICE_SECRET: {{ .values.global.config.nodeServiceSecret | default "62e348319ab9f5c43c3b5a380b4d82525cdb68740f21140e767989b509ab0aa2" | quote }}
+  LOWCODER_NODE_SERVICE_SECRET_SALT: {{ .values.global.config.nodeServiceSalt | default "lowcoder.org" | quote }}
+
diff --git a/deploy/helm/templates/node-service/deployment.yaml b/deploy/helm/templates/node-service/deployment.yaml
@@ -36,6 +36,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "lowcoder.fullname" . }}-node-service
+            - secretRef:
+                name: {{ include "lowcoder.fullname" . }}-node-service
           ports:
             - name: lowcoder-node
               containerPort: 6060
diff --git a/deploy/helm/templates/node-service/secrets.yaml b/deploy/helm/templates/node-service/secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "lowcoder.fullname" . }}-node-service
+  labels:
+    {{- include "lowcoder.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+stringData:
+  LOWCODER_NODE_SERVICE_SECRET: {{ .values.global.config.nodeServiceSecret | default "62e348319ab9f5c43c3b5a380b4d82525cdb68740f21140e767989b509ab0aa2" | quote }}
+  LOWCODER_NODE_SERVICE_SECRET_SALT: {{ .values.global.config.nodeServiceSalt | default "lowcoder.org" | quote }}
+
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -31,6 +31,8 @@ global:
     #nodeServiceUrl: 
     #apiServiceUrl: 
     apiKeySecret: "5a41b090758b39b226603177ef48d73ae9839dd458ccb7e66f7e7cc028d5a50b"
+    nodeServiceSecret: "62e348319ab9f5c43c3b5a380b4d82525cdb68740f21140e767989b509ab0aa2"
+    nodeServiceSalt: "lowcoder.org"
     maxQueryTimeout: 120
     maxRequestSize: "20m"
     snapshotRetentionTime: 30
