26 changes: 14 additions & 12 deletions resources/charts/bitcoincore/charts/lnd/templates/configmap.yaml
Expand Up @@ -20,25 +20,27 @@ data:
tlsextradomain={{ include "lnd.fullname" . }}
tls.cert: |
-----BEGIN CERTIFICATE-----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BgNVHQ4EFgQUNhDWW7rajlA9sNGI/1Q5BDLH/rMwNwYDVR0RBDAwLoIJbG9jYWxo
b3N0ggkqLmRlZmF1bHSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0E
AwIDSAAwRQIhAOFm85wvwPZMJg0+16Sh0FkKqAuGVmllHnriWHQJ1NhuAiAfoxzE
9ooZuDwKy0Y3dP4DfJCrOlFNTHfp3abG7VQ+VQ==
-----END CERTIFICATE-----

tls.key: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIcFtWTLQv5JaRRxdkPKkO98OrvgeztbZ7h8Ev/4UbE4oAoGCCqGSM49
AwEHoUQDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLPtp0fxE7hmteS
t6gjQriy90fP8j9OJXBNAjt915kLY4zVvg==
MHcCAQEEIEKlsxGkakClpHqXbr6tqEey634Xc364DgGMJxLdiLHIoAoGCCqGSM49
AwEHoUQDQgAENIGvS4bQr/zzUQnIqgJIYrPEdPMXVkv3yEyJRCFgPyZTvxWUJy7A
I3VKb7ubIXawYcnPBe7K1sgBAbTPz1c8sg==
-----END EC PRIVATE KEY-----
MACAROON_HEX: 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

MACAROON_HEX: {{ .Values.adminMacaroon }}
---
apiVersion: v1
kind: ConfigMap
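Review bot: The `tls.key` entry keeps an EC private key in a ConfigMap, and `MACAROON_HEX` now places the admin macaroon in the same object, so any principal that can read ConfigMaps in the namespace holds both credentials (the key is also readable by anyone with the repository). If this is intended only for a disposable test network, a template comment should say so; otherwise both entries belong in a `kind: Secret`. The macaroon is also rendered unquoted, so an unset `adminMacaroon` becomes YAML null rather than a string; `MACAROON_HEX: {{ .Values.adminMacaroon | quote }}` avoids that. The ConfigMap definition starts above the hunk.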
16 changes: 14 additions & 2 deletions resources/charts/bitcoincore/charts/lnd/templates/pod.yaml
Expand Up @@ -14,6 +14,7 @@ metadata:
chain: {{ .Values.global.chain }}
annotations:
kubectl.kubernetes.io/default-container: "lnd"
adminMacaroon: {{ .Values.adminMacaroon }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
Expand All @@ -40,9 +41,20 @@ spec:
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 8 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 8 }}
{{- toYaml .Values.readinessProbe | nindent 8 }}
startupProbe:
{{- toYaml .Values.startupProbe | nindent 8 }}
failureThreshold: 10
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 60
exec:
command:
- /bin/sh
- -c
- |
PHRASE=`curl --silent --insecure https://localhost:8080/v1/genseed | grep -o '\[[^]]*\]'`
curl --insecure https://localhost:8080/v1/initwallet --data "{\"macaroon_root_key\":\"{{ .Values.macaroonRootKey }}\", \"wallet_password\":\"AAAAAAAAAAA=\", \"cipher_seed_mnemonic\": $PHRASE}"

resources:
{{- toYaml .Values.resources | nindent 8 }}
volumeMounts:
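Review bot: The new `adminMacaroon` annotation publishes an admin-level bearer credential in pod metadata, where it is visible to every principal allowed to `get` or `list` pods, usually a wider group than those allowed to read Secrets. It is rendered unquoted, so an unset value becomes YAML null instead of a string, and the `pod.metadata.annotations["adminMacaroon"]` lookup in commander.py then has nothing usable; `adminMacaroon: {{ .Values.adminMacaroon | quote }}` keeps it a string. In the startupProbe hunk, `{{ .Values.macaroonRootKey }}` is pasted into a double-quoted shell string, so a value containing `"`, `$` or a backtick changes the command that runs; the template should reject anything that is not base64 before rendering it. Both hunks sit inside a pod spec that starts and ends outside the view.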
15 changes: 3 additions & 12 deletions resources/charts/bitcoincore/charts/lnd/values.yaml
Expand Up @@ -81,18 +81,6 @@ readinessProbe:
tcpSocket:
port: 10009
timeoutSeconds: 1
startupProbe:
failureThreshold: 10
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 60
exec:
command:
- /bin/sh
- -c
- |
PHRASE=`curl --silent --insecure https://localhost:8080/v1/genseed | grep -o '\[[^]]*\]'`
curl --insecure https://localhost:8080/v1/initwallet --data "{\"macaroon_root_key\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\", \"wallet_password\":\"AAAAAAAAAAA=\", \"cipher_seed_mnemonic\": $PHRASE}"

# Additional volumes on the output Deployment definition.
volumes: []
Expand All @@ -113,6 +101,9 @@ tolerations: []

affinity: {}

macaroonRootKey: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
adminMacaroon: 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

baseConfig: |
norest=false
restlisten=0.0.0.0:8080
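Review bot: `macaroonRootKey` and `adminMacaroon` are added without a comment, although the second is only valid when baked from the first and the default root key is a fixed, publicly known constant shared by every node that does not override it. A comment above the pair would stop someone from overriding one value and not the other: `# Test-only defaults, identical on every node. adminMacaroon must be baked from macaroonRootKey (lncli bakemacaroon --root_key=...); override both together.` Quoting both values would also keep them strings regardless of the parser. The `baseConfig` block that follows continues outside the hunk.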
17 changes: 9 additions & 8 deletions resources/plugins/simln/charts/simln/templates/configmap.yaml
Expand Up @@ -5,18 +5,19 @@ metadata:
data:
tls.cert: |
-----BEGIN CERTIFICATE-----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BgNVHQ4EFgQUNhDWW7rajlA9sNGI/1Q5BDLH/rMwNwYDVR0RBDAwLoIJbG9jYWxo
b3N0ggkqLmRlZmF1bHSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0E
AwIDSAAwRQIhAOFm85wvwPZMJg0+16Sh0FkKqAuGVmllHnriWHQJ1NhuAiAfoxzE
9ooZuDwKy0Y3dP4DfJCrOlFNTHfp3abG7VQ+VQ==
-----END CERTIFICATE-----

{{- $configMaps := lookup "v1" "ConfigMap" .Release.Namespace "" }}
{{- range $configMaps.items }}
{{- if and .metadata.labels (hasKey .metadata.labels "role") (eq (index .metadata.labels "role") "macaroon-ref") }}
6 changes: 5 additions & 1 deletion resources/scenarios/commander.py
Expand Up @@ -70,9 +70,13 @@
)

if pod.metadata.labels["mission"] == "lightning":
lnnode = LND(pod.metadata.name, pod.status.pod_ip)
if "lnd" in pod.metadata.labels["app.kubernetes.io/name"]:
lnnode = LND(
pod.metadata.name, pod.status.pod_ip, pod.metadata.annotations["adminMacaroon"]
)
if "cln" in pod.metadata.labels["app.kubernetes.io/name"]:
lnnode = CLN(pod.metadata.name, pod.status.pod_ip)
assert lnnode
WARNET["lightning"].append(lnnode)

for cm in cmaps.items:
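Review bot: `lnnode` is not initialised in the visible lines, so a lightning pod whose `app.kubernetes.io/name` contains neither `lnd` nor `cln` reaches `assert lnnode` with an unbound name or, if this runs in a loop as it appears to, with the node left over from the previous pod. Setting `lnnode = None` before the two checks and raising an explicit error instead of the `assert` (which is removed under `python -O`) makes that case fail reliably. `pod.metadata.annotations["adminMacaroon"]` also raises `KeyError`, or `TypeError` when the pod has no annotations, for an lnd pod deployed without the annotation; `(pod.metadata.annotations or {}).get("adminMacaroon")` followed by an error naming the pod would be easier to diagnose. The enclosing block starts and ends outside the hunk.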
7 changes: 3 additions & 4 deletions resources/scenarios/ln_framework/ln.py
Expand Up @@ -8,8 +8,6 @@

import requests

# hard-coded deterministic lnd credentials
ADMIN_MACAROON_HEX = "0201036c6e6402f801030a1062beabbf2a614b112128afa0c0b4fdd61201301a160a0761646472657373120472656164120577726974651a130a04696e666f120472656164120577726974651a170a08696e766f69636573120472656164120577726974651a210a086d616361726f6f6e120867656e6572617465120472656164120577726974651a160a076d657373616765120472656164120577726974651a170a086f6666636861696e120472656164120577726974651a160a076f6e636861696e120472656164120577726974651a140a057065657273120472656164120577726974651a180a067369676e6572120867656e657261746512047265616400000620b17be53e367290871681055d0de15587f6d1cd47d1248fe2662ae27f62cfbdc6"
# Don't worry about lnd's self-signed certificates
INSECURE_CONTEXT = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
INSECURE_CONTEXT.check_hostname = False
Expand Down Expand Up @@ -286,13 +284,14 @@ def update(self, txid_hex: str, policy: dict, capacity: int) -> dict:


class LND(LNNode):
def __init__(self, pod_name, ip_address):
def __init__(self, pod_name, ip_address, admin_macaroon_hex):
super().__init__(pod_name, ip_address)
self.conn = http.client.HTTPSConnection(
host=pod_name, port=8080, timeout=5, context=INSECURE_CONTEXT
)
self.admin_macaroon_hex = admin_macaroon_hex
self.headers = {
"Grpc-Metadata-macaroon": ADMIN_MACAROON_HEX,
"Grpc-Metadata-macaroon": admin_macaroon_hex,
"Connection": "close",
}
self.impl = "lnd"
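Review bot: `admin_macaroon_hex` is stored and placed in the `Grpc-Metadata-macaroon` header without any check, so a missing or malformed value only surfaces later as a failed request. Failing at construction is cheap: `if not admin_macaroon_hex: raise ValueError("admin macaroon missing")` followed by `bytes.fromhex(admin_macaroon_hex)` rejects anything that is not a non-empty hex string. The new required positional parameter will also break any other `LND(pod_name, ip_address)` caller not shown on this page. The constructor has no docstring; it should state that the argument is the hex-encoded admin macaroon sent as a bearer credential on every request. `__init__` continues past the end of the hunk.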
2 changes: 1 addition & 1 deletion resources/scripts/ssl/openssl-config.cnf
Expand Up @@ -23,6 +23,6 @@ subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = *
DNS.2 = *.default
IP.1 = 127.0.0.1
IP.2 = ::1
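Review bot: `DNS.2 = *.default` ties the certificate to names of the form `<name>.default`, so hostname verification succeeds only for nodes addressed through the `default` namespace and will fail for a deployment into any other namespace. A comment above the entry would record that constraint, e.g. `# matches <service>.default only; regenerate tls.cert/tls.key and the chart ConfigMaps if the namespace changes`. The `[ alt_names ]` entries are all visible here, but the rest of the file is outside the hunk.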
16 changes: 8 additions & 8 deletions resources/scripts/ssl/tls.cert
@@ -1,13 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB8TCCAZagAwIBAgIUJDsR6mmY+TaO9pCfjtotlbOkzJMwCgYIKoZIzj0EAwIw
MIIB+DCCAZ6gAwIBAgIUSbyK/9viFWS3cLoPkmxZsW8fcH8wCgYIKoZIzj0EAwIw
MjEfMB0GA1UECgwWbG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2Fy
bmV0MB4XDTI0MTExMTE2NTM1MFoXDTM0MTEwOTE2NTM1MFowMjEfMB0GA1UECgwW
bmV0MB4XDTI1MDkwMzE1NDgzNFoXDTM1MDkwMTE1NDgzNFowMjEfMB0GA1UECgwW
bG5kIGF1dG9nZW5lcmF0ZWQgY2VydDEPMA0GA1UEAwwGd2FybmV0MFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLP
tp0fxE7hmteSt6gjQriy90fP8j9OJXBNAjt915kLY4zVvqOBiTCBhjAOBgNVHQ8B
zj0CAQYIKoZIzj0DAQcDQgAENIGvS4bQr/zzUQnIqgJIYrPEdPMXVkv3yEyJRCFg
PyZTvxWUJy7AI3VKb7ubIXawYcnPBe7K1sgBAbTPz1c8sqOBkTCBjjAOBgNVHQ8B
Af8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQU5d8QMrwhLgTkDjWA+eXZGz+dybUwLwYDVR0RBCgwJoIJbG9jYWxo
b3N0ggEqhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA0kAMEYC
IQDPofN0fEl5gTwCYhk3nZbjMqJhZ8BsSJ6K8XRhxr7zbwIhAPsgQCFOqUWg632O
NEO53OQ6CIqnpxSskjsFNH4ZBQOE
BgNVHQ4EFgQUNhDWW7rajlA9sNGI/1Q5BDLH/rMwNwYDVR0RBDAwLoIJbG9jYWxo
b3N0ggkqLmRlZmF1bHSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0E
AwIDSAAwRQIhAOFm85wvwPZMJg0+16Sh0FkKqAuGVmllHnriWHQJ1NhuAiAfoxzE
9ooZuDwKy0Y3dP4DfJCrOlFNTHfp3abG7VQ+VQ==
-----END CERTIFICATE-----
6 changes: 3 additions & 3 deletions resources/scripts/ssl/tls.key
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIcFtWTLQv5JaRRxdkPKkO98OrvgeztbZ7h8Ev/4UbE4oAoGCCqGSM49
AwEHoUQDQgAEBVltIvaTlAQI/3FFatTqVflZuZdRJ0SmRMSJrFLPtp0fxE7hmteS
t6gjQriy90fP8j9OJXBNAjt915kLY4zVvg==
MHcCAQEEIEKlsxGkakClpHqXbr6tqEey634Xc364DgGMJxLdiLHIoAoGCCqGSM49
AwEHoUQDQgAENIGvS4bQr/zzUQnIqgJIYrPEdPMXVkv3yEyJRCFgPyZTvxWUJy7A
I3VKb7ubIXawYcnPBe7K1sgBAbTPz1c8sg==
-----END EC PRIVATE KEY-----
9 changes: 9 additions & 0 deletions test/data/ln/network.yaml
Expand Up @@ -24,6 +24,10 @@ nodes:
circuitbreaker:
enabled: true
httpPort: 9235
# Just 32 bytes of entropy encoded in base64
macaroonRootKey: nmPScpcYkBBUXvEryzpYfjgY27j8hO9SiXO9qNQAJFs=
# Derived from root key with `lncli bakemacaroon --root_key=...`
adminMacaroon: 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

- name: tank-0004
addnode:
Expand All @@ -36,6 +40,11 @@ nodes:
target: tank-0005-ln
capacity: 50000
push_amt: 25000
# Just 32 bytes of entropy encoded in base64
macaroonRootKey: FmEMD2X1hKzxR5yAWgbAT5CbQWPOW+OdyztMMCTBThU=
# Derived from root key with `lncli bakemacaroon --root_key=...`
adminMacaroon: 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

- name: tank-0005
addnode:
- tank-0000
39 changes: 39 additions & 0 deletions test/ln_basic_test.py
Expand Up @@ -34,6 +34,9 @@ def run_test(self):
# Wait for all nodes to wake up. ln_init will start automatically
self.setup_network()

# Test manually configured macroons
self.test_admin_macaroons()

# Test circuit breaker API
self.test_circuit_breaker_api()

Expand All @@ -53,6 +56,42 @@ def setup_network(self):
self.log.info("Setting up network")
stream_command(f"warnet deploy {self.network_dir}")

def test_admin_macaroons(self):
self.log.info("Testing lnd nodes with same macaroon root key can query each other")
# These tanks all use the same default macaroon root key, meaning the macaroons
# generated at ~/.lnd/.../admin.macaroon in each lnd container are authorized
# to make requests to each other.
info = json.loads(
self.warnet("ln rpc tank-0000-ln --rpcserver=tank-0001-ln.default:10009 getinfo")
)
info["alias"] = "tank-0001-ln"
info = json.loads(
self.warnet("ln rpc tank-0001-ln --rpcserver=tank-0002-ln.default:10009 getinfo")
)
info["alias"] = "tank-0002-ln"
info = json.loads(
self.warnet("ln rpc tank-0002-ln --rpcserver=tank-0005-ln.default:10009 getinfo")
)
info["alias"] = "tank-0005-ln"

self.log.info("Testing lnd nodes with unique macaroon root key can NOT query each other")
# These tanks are configured with unique macaroon root keys
try:
self.warnet("ln rpc tank-0000-ln --rpcserver=tank-0003-ln.default:10009 getinfo")
raise AssertionError("That should not have worked!")
except Exception as e:
assert "verification failed: signature mismatch after caveat verification" in str(e)
try:
self.warnet("ln rpc tank-0000-ln --rpcserver=tank-0004-ln.default:10009 getinfo")
raise AssertionError("That should not have worked!")
except Exception as e:
assert "verification failed: signature mismatch after caveat verification" in str(e)
try:
self.warnet("ln rpc tank-0003-ln --rpcserver=tank-0004-ln.default:10009 getinfo")
raise AssertionError("That should not have worked!")
except Exception as e:
assert "verification failed: signature mismatch after caveat verification" in str(e)

def fund_wallets(self):
for ln in self.lns:
addr = json.loads(self.warnet(f"ln rpc {ln} newaddress p2wkh"))["address"]
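Review bot: The three `info["alias"] = "tank-000N-ln"` lines in `test_admin_macaroons` assign instead of checking, so the positive half of the test passes whichever node answered; the first should be `assert info["alias"] == "tank-0001-ln"`, and likewise for `tank-0002-ln` and `tank-0005-ln`. In the negative half, `raise AssertionError("That should not have worked!")` sits inside the `try`, so `except Exception` catches it and the failure is reported as a message mismatch; moving the raise into an `else:` clause keeps the intended message. The comment added in `run_test` misspells "macaroons" as "macroons". `fund_wallets` below is context and continues outside the hunk.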