Avoid magic edits of the config

[chevdor]

Describe the bug

I am not using Umbrel and such but k8s.

Currenlty, using RTL in the context of K8S is rather clunky for a few reasons:

• config is being re-written (ie multiPassHashed)
• mix of config and ENV (the config is being generated from the ENV but it does not work properly)

K8S actually helps doing things clean and a config(Map) is considered ReadOnly.
Since RTL tries to patch the config after the fact, it fails. The config should be and remain untouched by RTL.
If some data need to change, the /database folder (or whatever location is configured) could be used to create/update a persistence file. That also could be done in a new persistence folder but that should not be mixed with the config.

My first attempt consisted in using a K8S ConfigMap to prepare the ENV and let RTL create the config. Some config file was indeed generated with the default password password but that did not allow logging in with the right password. That was very confusing...

The only options that remain for k8s are rather sub optimal:

• do prepare the final config as ConfigMap (ie hash the password yourself). This mean more work but this is not a bad option. But it fails when RTL tries writting into the file (since it is R/O)
• put the config into a R/W volume so RTL can path the config after starting up. This is a rather ugly option and requires mounting the default config somewhere, mounting a persistence volume and then copying the default config into this persistence volume.

At least the above should be documented but ideally that should be changed. My 2 cents:

• no password in the config, hashed or not
• if a default pass is passed as ENV, it can be stored into a R/W persistence file outside the config
• the config should be minimal and only allow starting RTL, anything that RTL wants to edit/change, should not land into the config but into the R/W persistence file

To Reproduce
A deploy similar to:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: rtl
  namespace: bitcoin
  labels:
    app: rtl
spec:
  selector:
    matchLabels:
      app: rtl
  strategy:
    type: RollingUpdate
  template:
    metadata:
      namespace: bitcoin
      labels:
        app: rtl
    spec:
      containers:
        - name: rtl
          image: shahanafarooqui/rtl:0.14.1
          securityContext:
            # runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ "ALL" ]
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "250m"
          ports:
            - name: ui
              containerPort: 3000
          envFrom:
            - configMapRef:
                name: rtl-config-env

          volumeMounts:
            - name: rtl-db
              mountPath: /database
            - name: rtl-backup
              mountPath: /backup
            - name: lnd-data
              mountPath: /shared
              readOnly: true
            - name: rtl-config
              mountPath: /config/RTL-Config.json
              subPath: RTL-Config.json

      volumes:
        - name: rtl-db
          persistentVolumeClaim:
            claimName: pvc-rtl-db
        - name: rtl-backup
          persistentVolumeClaim:
            claimName: pvc-rtl-backup
        - name: lnd-data
          persistentVolumeClaim:
            claimName: pvc-lnd-data
        - name: rtl-config
          configMap:
            name: rtl-config

Screenshots
n/a
Your environment

• Version of RTL: shahanafarooqui/rtl:0.14.1
• Version of lnd/core lightning/eclair
• Version of btcd, bitcoind, or other backend
• Browser & browser version
• Operating system (uname -a on *Nix): k8s
• any other relevant environment details

Additional context
Add any other context about the problem here.