ln: same macaroon and cert for all nodes

Author: pinheadmz

resources/charts/bitcoincore/charts/lnd/templates/configmap.yaml

@@ -17,6 +17,27 @@ data:
     alias={{ include "lnd.fullname" . }}
     externalhosts={{ include "lnd.fullname" . }}
     tlsextradomain={{ include "lnd.fullname" . }}
+  tls.cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIB8TCCAZagAwIBAgIUJDsR6mmY+TaO9pCfjtotlbOkzJMwCgYIKoZIzj0EAwIw
+    MjEfMB0GA1UECgwWbG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2Fy
+    bmV0MB4XDTI0MTExMTE2NTM1MFoXDTM0MTEwOTE2NTM1MFowMjEfMB0GA1UECgwW
+    bG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2FybmV0MFkwEwYHKoZI
+    zj0CAQYIKoZIzj0DAQcDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLP
+    tp0fxE7hmteSt6gjQriy90fP8j9OJXBNAjt915kLY4zVvqOBiTCBhjAOBgNVHQ8B
+    Af8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAd
+    BgNVHQ4EFgQU5d8QMrwhLgTkDjWA+eXZGz+dybUwLwYDVR0RBCgwJoIJbG9jYWxo
+    b3N0ggEqhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA0kAMEYC
+    IQDPofN0fEl5gTwCYhk3nZbjMqJhZ8BsSJ6K8XRhxr7zbwIhAPsgQCFOqUWg632O
+    NEO53OQ6CIqnpxSskjsFNH4ZBQOE
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIIcFtWTLQv5JaRRxdkPKkO98OrvgeztbZ7h8Ev/4UbE4oAoGCCqGSM49
+    AwEHoUQDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLPtp0fxE7hmteS
+    t6gjQriy90fP8j9OJXBNAjt915kLY4zVvg==
+    -----END EC PRIVATE KEY-----
+
 ---
 apiVersion: v1
 kind: ConfigMap

resources/charts/bitcoincore/charts/lnd/templates/pod.yaml

@@ -32,10 +32,15 @@ spec:
         - name: p2p
           containerPort: {{ .Values.P2PPort }}
           protocol: TCP
+        - name: rest
+          containerPort: {{ .Values.RestPort }}
+          protocol: TCP
       livenessProbe:
         {{- toYaml .Values.livenessProbe | nindent 8 }}
       readinessProbe:
         {{- toYaml .Values.readinessProbe | nindent 8 }}
+      startupProbe:
+        {{- toYaml .Values.startupProbe | nindent 8 }}
       resources:
         {{- toYaml .Values.resources | nindent 8 }}
       volumeMounts:
@@ -45,6 +50,12 @@ spec:
         - mountPath: /root/.lnd/lnd.conf
           name: config
           subPath: lnd.conf
+        - mountPath: /root/.lnd/tls.key
+          name: tlskey
+          subPath: tls.key
+        - mountPath: /root/.lnd/tls.cert
+          name: tlscert
+          subPath: tls.cert
     {{- if .Values.circuitBreaker }}
     - name: circuitbreaker
       image: pinheadmz/circuitbreaker:278737d
@@ -57,6 +68,12 @@ spec:
     - configMap:
         name: {{ include "lnd.fullname" . }}
       name: config
+    - configMap:
+        name: {{ include "lnd.fullname" . }}
+      name: tlskey
+    - configMap:
+        name: {{ include "lnd.fullname" . }}
+      name: tlscert
   {{- with .Values.nodeSelector }}
   nodeSelector:
     {{- toYaml . | nindent 4 }}

resources/charts/bitcoincore/charts/lnd/values.yaml

@@ -33,6 +33,7 @@ service:
 
 RPCPort: 10009
 P2PPort: 9735
+RestPort: 8080
 
 ingress:
   enabled: false
@@ -80,7 +81,18 @@ readinessProbe:
   tcpSocket:
     port: 10009
   timeoutSeconds: 1
-
+startupProbe:
+  failureThreshold: 10
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 10
+  exec:
+    command:
+      - /bin/sh
+      - -c
+      - |
+        PHRASE=`curl --silent --insecure https://localhost:8080/v1/genseed | grep -o '\[[^]]*\]'`
+        curl --insecure https://localhost:8080/v1/initwallet --data "{\"macaroon_root_key\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\", \"wallet_password\":\"AAAAAAAAAAA=\", \"cipher_seed_mnemonic\": $PHRASE}"
 
 # Additional volumes on the output Deployment definition.
 volumes: []
@@ -102,8 +114,7 @@ tolerations: []
 affinity: {}
 
 baseConfig: |
-  noseedbackup=true
-  norest=true
+  norest=false
   debuglevel=debug
   accept-keysend=true
   bitcoin.active=true

resources/scripts/ssl/cert-gen.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Generate the private key using the P-256 curve
+openssl ecparam -name prime256v1 -genkey -noout -out tls.key
+
+# Generate the self-signed certificate using the configuration file
+# Expires in ten years, 2034
+openssl req -x509 -new -nodes -key tls.key -days 3650 -out tls.cert -config openssl-config.cnf

resources/scripts/ssl/openssl-config.cnf

@@ -0,0 +1,28 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+x509_extensions    = v3_ca
+prompt             = no
+
+[ req_distinguished_name ]
+O = lnd autogenerated cert
+CN = warnet
+
+[ req_ext ]
+keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
+extendedKeyUsage = serverAuth
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+
+[ v3_ca ]
+keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
+extendedKeyUsage = serverAuth
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = *
+IP.1 = 127.0.0.1
+IP.2 = ::1

resources/scripts/ssl/tls.cert

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8TCCAZagAwIBAgIUJDsR6mmY+TaO9pCfjtotlbOkzJMwCgYIKoZIzj0EAwIw
+MjEfMB0GA1UECgwWbG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2Fy
+bmV0MB4XDTI0MTExMTE2NTM1MFoXDTM0MTEwOTE2NTM1MFowMjEfMB0GA1UECgwW
+bG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2FybmV0MFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLP
+tp0fxE7hmteSt6gjQriy90fP8j9OJXBNAjt915kLY4zVvqOBiTCBhjAOBgNVHQ8B
+Af8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAd
+BgNVHQ4EFgQU5d8QMrwhLgTkDjWA+eXZGz+dybUwLwYDVR0RBCgwJoIJbG9jYWxo
+b3N0ggEqhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA0kAMEYC
+IQDPofN0fEl5gTwCYhk3nZbjMqJhZ8BsSJ6K8XRhxr7zbwIhAPsgQCFOqUWg632O
+NEO53OQ6CIqnpxSskjsFNH4ZBQOE
+-----END CERTIFICATE-----

resources/scripts/ssl/tls.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIcFtWTLQv5JaRRxdkPKkO98OrvgeztbZ7h8Ev/4UbE4oAoGCCqGSM49
+AwEHoUQDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLPtp0fxE7hmteS
+t6gjQriy90fP8j9OJXBNAjt915kLY4zVvg==
+-----END EC PRIVATE KEY-----