lightninglabs / lndinit Goto Github PK

It appears that when using the --k8s.base64 flag, secrets are encoded in base64 twice. This causes issues with decoding.

Kubernetes Verison 1.22 / 1.23

To Reproduce

From a pod within a k8s context (has role to create secrets). Create two secrets, one with base64 flag and one without..

# create secret using base64 flag
$ lndinit gen-password \
  | lndinit -v store-secret \
  --target=k8s \
  --k8s.base64 \
  --k8s.namespace="default" \
  --k8s.secret-name="lnd-wallet-secret-b64" \
  --k8s.secret-key-name=walletpassword

# create secret without base64 flag
$ lndinit gen-password \
  | lndinit -v store-secret \
  --target=k8s \
  --k8s.namespace="default" \
  --k8s.secret-name="lnd-wallet-secret" \
  --k8s.secret-key-name=walletpassword

Then from your host, decode secrets, you will see the base64 flagged one requires double decoding..

# decode base64 flagged secret
$ k get secret lnd-wallet-secret-b64 -o json | jq -r .data.walletpassword | base64 -d
bWF6ZS1wb3J0aW9uLWlkZWEtc29kYS1uZXN0LXJhaW4tZm9vZC1wb3B1bGFy

# double decode base64 flagged secret
$ k get secret lnd-wallet-secret-b64 -o json | jq -r .data.walletpassword | base64 -d | base64 -d
maze-portion-idea-soda-nest-rain-food-popular

# decode non base64 flagged secret
$ k get secret lnd-wallet-secret -o json | jq -r .data.walletpassword | base64 -d
slice-random-school-energy-cart-proof-notice-nest

Expected behavior

Using --k8s.base64 flag would not require double decoding. This makes unlocking the wallet fail, as you would imagine.

Hello, I love your products, thanks for it and sorry that I have to ask here in lack of other places.
I really like that you seem to support K8s indicated by this:
https://github.com/lightninglabs/lndinit#example-use-case-2-kubernetes
What would be great is a helm chart with which I can deploy an lnd stack on an existing cluster.
Are you planning something like this?
BG

This cmd fetches your key via its fingerprint:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F4FC70F07310028424EFC20A8E4256593F177720

It's is only slightly longer than the current

curl https://keybase.io/guggero/pgp_keys.asc | gpg --import

... but it removes keybase as a trusted party.

I can generate wallets in an automated flow. There are three files generated - seed, password and wallet.db.
What is the type of database used for wallet.db? Is this something I can decode and see having seed and password?

The asJSON function is pretty-printing JSON, resulting in multiple log lines. It would be preferable to output JSON in a compact single-line format, then the log consumer can apply formatting if needed.

in this line, I think main should be used instead of master as that's the actual branch name and, when I try to build this Dockerfile "out of the box", I get the error below:

#7 7.310 error: pathspec 'master' did not match any file(s) known to git

It would be really great if this app could allow you to input an aezeed and respond with the node pubkey, as a way of checking a seed on an offline machine and matching to a node.

It's not an issue, but just to get a better understanding.
For some reason I thought lndinit works via running requests to an lnd node but then ran without having a node and it still worked.
So I suppose lndinit just needs some data from me like macaroons and cert and then does everything internally?

Thanks!