[feature]: Support config via ENV to better protect secrets

lightningnetwork / lnd

Lightning Network Daemon ⚡️

MIT License

7.67k stars 2.07k forks source link

[feature]: Support config via ENV to better protect secrets #8295

Closed chevdor closed 7 months ago

chevdor commented 10 months ago

Is your feature request related to a problem? Please describe. bitcoind allows definining its config using ENV. For instance:

rpcuser=${BTC_RPCUSER:-btc}

That allows not having the BTC_RPCUSER and BTC_RPCPASSWORD in clear text in the config. At runtime, bitcoind is resolving those env. lnd does not do this, forcing to pass the secrets in clear text in the config file.

Describe the solution you'd like

Just like bitcoind, it would be great if lnd could resolve variables, at least for secrets.

Describe alternatives you've considered

An alternative would be to add envsubst to the Docker image but this is rather clunky...

mohamedawnallah commented 10 months ago

I'd like to work on this issue. I will keep you updated on my progress :)

mohamedawnallah commented 10 months ago

Hey @guggero @chevdor @Roasbeef, I've just submitted a PR for this issue. I'd love to receive any feedback from you. Thanks!

chevdor commented 9 months ago

https://github.com/lightningnetwork/lnd/pull/8310

ronballesteros commented 8 months ago

@chevdor Interested in finding out more information on how you set env variables for rpcuser and rpcpassword in the bitcoin.conf fle. I can't find anything related to this in the docs.

chevdor commented 8 months ago

@ronballesteros I spotted this in some sample config. If you consider rpcuser for example, it seems that bitcoin.conf is parsed in order to resolve variables such as rpcuser=${BTC_RPCUSER:-btc}. This is actually nice because it allows using the ENV BTC_RPCUSER if set, or default to btc otherwise.

ronballesteros commented 8 months ago

Thanks @chevdor. Interesting. I can't seem to get it to work in my lab. I have this set in my bitcoin.conf:

bitcoin.conf

...
rpcuser=${BTC_RPCUSER}
rpcpassword=${BTC_RPCPASSWORD}

env

bash-5.0# env | grep -i rpc
BTC_RPCPASSWORD=password
BTC_RPCUSER=admin

When I curl from another pod, I get that failed password attempt:

2024-02-22T17:43:42Z ThreadRPCServer incorrect password attempt

Am I missing something?

chevdor commented 8 months ago

I am using k8s as well. I have a configmap for the config and a secret for.. well the secrets :)

There are a few other options that come to play with RPC and this issue is likely not the place to troubleshoot bitcoin.conf issues but here are a few hints, you can refer to the doc for more details about those:

    server=1
    rpcclienttimeout=${BTC_RPCCLIENTTIMEOUT:-30}
    rpcport=${BTC_RPCPORT:-8332}
    rpcbind=${BTC_RPCBIND:-127.0.0.1}

Roasbeef commented 7 months ago

If you're using k8s, you might want to check out this tool: https://github.com/lightninglabs/lndinit

We use it in our infra to handle provision+init of all our lnd nodes via config maps and secrets: https://github.com/lightninglabs/lndinit?tab=readme-ov-file#example-use-case-2-kubernetes

chevdor commented 7 months ago

Interesting, thanks for the link @Roasbeef