
[feature]: Support config via ENV to better protect secrets #8295

Closed
chevdor opened this issue Dec 19, 2023 · 9 comments · Fixed by #8310
Labels: bitcoind (Bitcoin Core backend), config (Parameters/arguments/config file related issues/PRs), enhancement (Improvements to existing features / behaviour), good first issue (Issues suitable for first time contributors to LND), security (General label for issues/PRs related to the security of the software)

Comments

@chevdor

chevdor commented Dec 19, 2023

Is your feature request related to a problem? Please describe.
bitcoind allows defining its config using ENV.
For instance:

    rpcuser=${BTC_RPCUSER:-btc}

That avoids having BTC_RPCUSER and BTC_RPCPASSWORD in clear text in the config.
At runtime, bitcoind resolves those env variables.
lnd does not do this, forcing the secrets to be passed in clear text in the config file.

Describe the solution you'd like

Just like bitcoind, it would be great if lnd could resolve variables, at least for secrets.

Describe alternatives you've considered

An alternative would be to add envsubst to the Docker image but this is rather clunky...

@chevdor chevdor added the enhancement Improvements to existing features / behaviour label Dec 19, 2023
@Roasbeef Roasbeef added config Parameters/arguments/config file related issues/PRs security General label for issues/PRs related to the security of the software good first issue Issues suitable for first time contributors to LND bitcoind Bitcoin Core backend labels Dec 20, 2023
@mohamedawnallah
Contributor

I'd like to work on this issue. I will keep you updated on my progress :)

@mohamedawnallah
Contributor

Hey @guggero @chevdor @Roasbeef, I've just submitted a PR for this issue. I'd love to receive any feedback from you. Thanks!

@chevdor
Author

chevdor commented Dec 29, 2023

#8310

@saubyk saubyk added this to the v0.18.0 milestone Jan 2, 2024
@ronballesteros

@chevdor Interested in finding out more information on how you set env variables for rpcuser and rpcpassword in the bitcoin.conf file. I can't find anything related to this in the docs.

@chevdor
Author

chevdor commented Feb 22, 2024

@ronballesteros I spotted this in some sample config. If you consider rpcuser for example, it seems that bitcoin.conf is parsed in order to resolve variables such as rpcuser=${BTC_RPCUSER:-btc}.
This is actually nice because it allows using the ENV BTC_RPCUSER if set, or default to btc otherwise.
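The `${NAME:-default}` resolution described in the opening post and in the comment above, as an added example that is not lnd's or Bitcoin Core's code and not the implementation in #8310: a small Go expander for config text that uses the variable when set, falls back to the default when one is given, and refuses to start when a reference has no default and the variable is unset. The function names and the sample config are constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// envRef matches ${NAME} and ${NAME:-default} (the default may be empty).
var envRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}`)

// ExpandConfig resolves ${NAME} / ${NAME:-default} references in config text.
// lookup is injected so callers can pass os.LookupEnv or a test map.
// A reference with no default whose variable is unset is reported as an error
// rather than replaced with "", so a missing secret fails at startup instead
// of producing an empty rpcpassword that silently weakens RPC auth.
func ExpandConfig(text string, lookup func(string) (string, bool)) (string, error) {
	var firstErr error
	out := envRef.ReplaceAllStringFunc(text, func(ref string) string {
		m := envRef.FindStringSubmatch(ref)
		name, def := m[1], m[2]
		if v, ok := lookup(name); ok {
			return v
		}
		if strings.Contains(ref, ":-") { // an explicit default is present
			return def
		}
		if firstErr == nil {
			firstErr = fmt.Errorf("config references unset variable %s", name)
		}
		return ref // leave the reference untouched so the failure is visible
	})
	return out, firstErr
}

func main() {
	// Constructed sample mirroring the bitcoin.conf style shown in this issue.
	const sample = "server=1\nrpcuser=${BTC_RPCUSER:-btc}\n" +
		"rpcpassword=${BTC_RPCPASSWORD}\nrpcport=${BTC_RPCPORT:-8332}\n"
	out, err := ExpandConfig(sample, os.LookupEnv)
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	fmt.Print(out)
}
```

Run with BTC_RPCPASSWORD exported to see the expanded config; without it the program exits with the unset-variable error instead of writing an empty password.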

@ronballesteros

Thanks @chevdor. Interesting. I can't seem to get it to work in my lab. I have this set in my bitcoin.conf:

bitcoin.conf:

    ...
    rpcuser=${BTC_RPCUSER}
    rpcpassword=${BTC_RPCPASSWORD}

env:

    bash-5.0# env | grep -i rpc
    BTC_RPCPASSWORD=password
    BTC_RPCUSER=admin

When I curl from another pod, I get that failed password attempt:

    2024-02-22T17:43:42Z ThreadRPCServer incorrect password attempt

Am I missing something?

@chevdor
Author

chevdor commented Feb 23, 2024

I am using k8s as well. I have a configmap for the config and a secret for.. well the secrets :)

There are a few other options that come to play with RPC and this issue is likely not the place to troubleshoot bitcoin.conf issues but here are a few hints, you can refer to the doc for more details about those:

    server=1
    rpcclienttimeout=${BTC_RPCCLIENTTIMEOUT:-30}
    rpcport=${BTC_RPCPORT:-8332}
    rpcbind=${BTC_RPCBIND:-127.0.0.1}

@Roasbeef
Member

Roasbeef commented Feb 28, 2024

If you're using k8s, you might want to check out this tool: https://github.com/lightninglabs/lndinit

We use it in our infra to handle provision+init of all our lnd nodes via config maps and secrets: https://github.com/lightninglabs/lndinit?tab=readme-ov-file#example-use-case-2-kubernetes

@chevdor
Author

chevdor commented Feb 28, 2024

Interesting, thanks for the link @Roasbeef
