kiln-fired / kiln-operator


Seed mnemonic and passphrase should come from a secret #28

Open davgordo opened 1 year ago

davgordo commented 1 year ago

In the future it would be better for the mnemonic phrase and passphrase in a Seed spec to come from a secret name and key, since it is a security risk for those strings to be visible in the resource itself. Though k8s secrets are not very safe, common RBAC conventions could at least prevent low-privileged cluster users from seeing the strings (which is basically the same as seeing the master private key).

Immediately some basic HashiCorp Vault integration would be possible, and potentially direct Vault integration with Bitcoin and Lightning nodes could be a long-term consideration. Vault integration is out-of-scope for this particular issue.
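
An added illustration of the request in the comment above (not kiln-operator's code or its actual CRD schema): a Seed that references a Secret by name and key, plus a Role that lets low-privileged users read Seed objects but not Secrets. The API group `kiln.example.invalid`, the `mnemonicSecretRef` and `passphraseSecretRef` fields, and all object names are hypothetical.

```yaml
# Constructed example. API group, field names and object names are hypothetical.
# The sensitive strings live only in the Secret.
apiVersion: v1
kind: Secret
metadata:
  name: wallet-seed
  namespace: bitcoin
type: Opaque
stringData:
  mnemonic: "<mnemonic placeholder>"
  passphrase: "<passphrase placeholder>"
---
# The Seed carries references only, so reading it reveals no key material.
apiVersion: kiln.example.invalid/v1alpha1   # placeholder group/version
kind: Seed
metadata:
  name: wallet-seed
  namespace: bitcoin
spec:
  mnemonicSecretRef:        # hypothetical field
    name: wallet-seed
    key: mnemonic
  passphraseSecretRef:      # hypothetical field
    name: wallet-seed
    key: passphrase
---
# Role for low-privileged users. RBAC rules are additive, so with no rule
# for "secrets" this Role grants no access to the Secret above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: seed-viewer
  namespace: bitcoin
rules:
  - apiGroups: ["kiln.example.invalid"]
    resources: ["seeds"]
    verbs: ["get", "list", "watch"]
```

Running `kubectl auth can-i get secrets -n bitcoin --as <user>` for a user bound only to this Role should answer `no`; any other binding that grants `secrets` access in the namespace would still expose the strings.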

davgordo commented 1 year ago

Adding a note to visit lndinit for inspiration.