The command gnoland secrets init generates a file named priv_validator_state.json, which is saved in the secrets directory. This file is the only one that is modified at runtime, as the validator/node writes its state to it.
It is common industry practice that once secrets are mounted to containers, applications cannot mutate them throughout their entire lifecycle. The entire k8s ecosystem follows this best practice to ensure that no attacker can potentially compromise secrets.
For example, Kubernetes Secret objects are mounted into Deployments or StatefulSets in read-only mode, prohibiting any modifications to these secrets.
Currently, it is not possible to mount a Kubernetes secret during the bootstrap of an application like the following:
Mounting a secret this way causes gnoland to fail at startup because the secret is mounted in a non-writable directory by design.
There are ways to overcome this issue. One possible solution:
Check at initialization whether the secret priv_validator_state.json exists. If it does not exist, create it in a directory other than gnoland-data/secrets so that it can be written to while the gnoland chain runs, and change the path in config.toml so that gnoland looks up the file correctly.
However, this solution implies that priv_validator_state.json is mounted in a directory that is writable, which defeats the purpose of having immutable secrets.
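One way to implement the workaround sketched in the issue, as an added example that is not code from the gno project: an entrypoint wrapper that leaves the Kubernetes Secret volume read-only (the key file stays immutable), seeds a writable copy of priv_validator_state.json from it on the first start only, and points config.toml at that copy. Assumptions, all hypothetical and to be checked against your gnoland version: the config key is priv_validator_state_file, the mount paths used as env-var defaults, the initial-state JSON shape, and the helper names (is_writable, set_state_path, prepare_state).

```shell
#!/bin/sh
# Added example (not gno project code): entrypoint wrapper for a gnoland validator
# whose secrets are mounted read-only from a Kubernetes Secret.
# Assumptions (hypothetical names, adjust for your deployment):
#   SECRETS_RO  read-only Secret mount holding priv_validator_key.json, node_key.json
#               and the initial priv_validator_state.json written by `gnoland secrets init`
#   STATE_DIR   writable, pod-private persistent volume for the live state file
#   CONFIG      the node's config.toml, assumed to carry the key priv_validator_state_file
set -eu

# is_writable DIR: succeed only if a file can actually be created in DIR.
# A probe write is used rather than `-w` so read-only mounts are detected reliably.
is_writable() {
  probe="$1/.write-probe.$$"
  if ( : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# set_state_path CONFIG PATH [KEY]: rewrite the existing `KEY = "..."` line in config.toml.
# Refuses to append a missing key, because a TOML key appended at the end of the file would
# land in whatever [section] comes last instead of the section the node reads it from.
set_state_path() {
  cfg="$1"; newpath="$2"; key="${3:-priv_validator_state_file}"
  if ! grep -q "^[[:space:]]*${key}[[:space:]]*=" "$cfg"; then
    echo "set_state_path: key ${key} not found in ${cfg}" >&2
    return 1
  fi
  sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = \"${newpath}\"|" "$cfg"
}

# prepare_state SECRETS_RO STATE_DIR CONFIG: make sure a writable state file exists and
# that config.toml points at it. The Secret copy is used only to seed the file on the very
# first start; a state file already present in STATE_DIR is never overwritten, since it
# records the last signed height/round/step and rolling it back would allow double-signing.
prepare_state() {
  secrets_ro="$1"; state_dir="$2"; cfg="$3"
  target="$state_dir/priv_validator_state.json"
  mkdir -p "$state_dir" 2>/dev/null || true
  if ! is_writable "$state_dir"; then
    echo "prepare_state: ${state_dir} is not writable" >&2
    return 1
  fi
  if [ ! -f "$target" ]; then
    if [ -f "$secrets_ro/priv_validator_state.json" ]; then
      cp "$secrets_ro/priv_validator_state.json" "$target"
    else
      # Assumed shape of the initial state file (height/round/step at zero).
      printf '{"height":"0","round":"0","step":0}\n' > "$target"
    fi
    chmod 600 "$target"
  fi
  set_state_path "$cfg" "$target"
}

# Container entrypoint use: set GNO_STATE_WRAPPER=1 so the script prepares the state and
# then execs the node; off by default so the functions above can be sourced on their own.
if [ "${GNO_STATE_WRAPPER:-0}" = "1" ]; then
  prepare_state "${SECRETS_RO:-/gnoland-data/secrets}" \
                "${STATE_DIR:-/gnoland-state}" \
                "${CONFIG:-/gnoland-data/config/config.toml}"
  exec gnoland start "$@"
fi
```

Two points a practitioner should keep in mind with this pattern. First, only the state file leaves the read-only Secret; priv_validator_key.json and node_key.json are still served from the immutable mount, so the immutability argument is preserved for the material that actually matters to an attacker. Second, priv_validator_state.json is the node's double-sign guard: if the writable directory is an emptyDir that is discarded when the pod is rescheduled, the state resets to the stale copy from the Secret and the validator can sign a height it has already signed. Back STATE_DIR with a persistent volume that belongs to exactly one replica, and never let the wrapper overwrite an existing state file.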