Payment processors
Use spec.paymentBackend.grpcProcessor when the mint should talk to a gRPC payment processor instead of LND, CLN, LNBits, or fakeWallet.
This is the right place for Spark/Breez, Stripe, or custom payment integrations.
How the operator wires CDK
When spec.paymentBackend.grpcProcessor is set, the operator:
- sets CDK's Lightning backend to grpcprocessor
- renders the [grpc_processor] section in the generated config.toml
- mounts client TLS materials when tlsSecretRef is provided
- optionally injects a sidecar container named grpc-processor into the mint pod
That means you only describe the processor endpoint once in CashuMint; the operator handles the pod wiring and config file generation.
External gRPC processor
Use this when the payment processor already runs as its own Deployment or Service.
spec:
  paymentBackend:
    grpcProcessor:
      address: https://payments.cashu.svc.cluster.local
      port: 50051
      supportedUnits:
        - sat
      tlsSecretRef:
        name: grpc-processor-client
        key: client.crt
Important details
- address should include the scheme you want CDK to use. Use https://... for TLS and http://... for plaintext.
- port defaults to 50051.
- supportedUnits defaults to ["sat"].
- The Secret named in tlsSecretRef.name should contain the full client bundle expected by CDK:
  - client.crt
  - client.key
  - ca.crt
The key field is still required because the CRD uses SecretKeySelector, but the operator mounts the entire Secret by name.
See the full example: mint_v1alpha1_cashumint_grpc_processor_external.yaml
Sidecar gRPC processor
Use a sidecar when the payment processor should live inside the same pod as mintd.
spec:
  paymentBackend:
    grpcProcessor:
      port: 50051
      supportedUnits:
        - sat
      sidecarProcessor:
        enabled: true
        image: ghcr.io/acme/cdk-custom-processor:1.0.0
        imagePullPolicy: IfNotPresent
        workingDir: /data/processor
        env:
          - name: SERVER_ADDR
            value: "0.0.0.0"
          - name: SERVER_PORT
            value: "50051"
What the sidecar gives you
- a second container named grpc-processor
- the same pod lifecycle as the mint
- a shared data volume when workingDir is set
- optional sidecar TLS Secret mounts
When workingDir is set, the operator mounts the mint's data volume into that directory using the sidecar-processor subpath. This is a convenient place to keep processor state separate from the rest of /data.
Address defaults
If sidecarProcessor.enabled=true and you do not set address, the operator writes:
[grpc_processor]
addr = "http://127.0.0.1"
port = 50051
That is correct for plaintext loopback traffic inside the pod.
If you enable sidecar TLS, override the address explicitly:
spec:
  paymentBackend:
    grpcProcessor:
      address: https://127.0.0.1
      port: 50051
      sidecarProcessor:
        enabled: true
        enableTLS: true
        tlsSecretRef:
          name: grpc-sidecar-server
          key: tls.crt
Without that override, the default remains http://127.0.0.1.
Sidecar TLS expectations
When enableTLS=true, sidecarProcessor.tlsSecretRef is required. The operator mounts the named Secret at /secrets/sidecar-tls. Your sidecar image is responsible for reading the mounted files and serving TLS correctly.
CDK + payment processor patterns in this repository
| Pattern | Sample |
|---|---|
| External gRPC processor with client TLS | mint_v1alpha1_cashumint_grpc_processor_external.yaml |
| Spark/Breez sidecar | mint_v1alpha1_cashumint_spark_breez.yaml |
| Spark/Breez sidecar with example Secrets | mint_v1alpha1_cashumint_spark_processor.yaml |
| Stripe sidecar | mint_v1alpha1_cashumint_stripe_processor.yaml |
| Production-style external gRPC processor | mint_v1alpha1_cashumint_production.yaml |
Troubleshooting checklist
- Make sure only one backend is set under spec.paymentBackend.
- If you are not using a sidecar, spec.paymentBackend.grpcProcessor.address must be set.
- If you are using a sidecar, sidecarProcessor.image is required.
- If you enable sidecar TLS, set both sidecarProcessor.enableTLS=true and sidecarProcessor.tlsSecretRef.
- If the mint should connect over TLS, make sure the address starts with https://.
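
The checklist above written as a pre-apply lint over a CashuMint spec held as a Python dict. This is an added example, not the operator's own validation code; the function name, the backend key spellings other than grpcProcessor and fakeWallet, the extra client-TLS mismatch check, and the sample spec are assumptions.

```python
# Added example: lint spec.paymentBackend against the troubleshooting checklist.
# BACKEND_KEYS spellings (other than grpcProcessor/fakeWallet) are assumed.
BACKEND_KEYS = ("lnd", "cln", "lnbits", "fakeWallet", "grpcProcessor")

def lint_payment_backend(spec):
    """Return a list of findings for spec.paymentBackend; empty means clean."""
    findings = []
    backend = spec.get("paymentBackend") or {}
    configured = [k for k in BACKEND_KEYS if backend.get(k) is not None]
    if len(configured) != 1:
        findings.append(f"expected exactly one backend, found {configured}")
    grpc = backend.get("grpcProcessor")
    if grpc is None:
        return findings
    sidecar = grpc.get("sidecarProcessor") or {}
    uses_sidecar = bool(sidecar.get("enabled"))
    address = grpc.get("address") or ""
    if not uses_sidecar and not address:
        findings.append("grpcProcessor.address must be set without a sidecar")
    if uses_sidecar and not sidecar.get("image"):
        findings.append("sidecarProcessor.image is required")
    if uses_sidecar and sidecar.get("enableTLS"):
        if not sidecar.get("tlsSecretRef"):
            findings.append("enableTLS=true requires sidecarProcessor.tlsSecretRef")
        # Without an explicit override the operator writes http://127.0.0.1,
        # so the mint would speak plaintext to a TLS-only sidecar.
        if not address.startswith("https://"):
            findings.append("sidecar TLS enabled but address is not https://")
    # Client TLS material mounted while the address selects plaintext.
    if address and grpc.get("tlsSecretRef") and not address.startswith("https://"):
        findings.append("client tlsSecretRef set but address is not https://")
    return findings

# Constructed sample: sidecar TLS on, address left at the operator default.
SAMPLE = {"paymentBackend": {"grpcProcessor": {
    "port": 50051,
    "sidecarProcessor": {
        "enabled": True, "enableTLS": True,
        "image": "ghcr.io/acme/cdk-custom-processor:1.0.0",
        "tlsSecretRef": {"name": "grpc-sidecar-server", "key": "tls.crt"}},
}}}

if __name__ == "__main__":
    for finding in lint_payment_backend(SAMPLE):
        print("FINDING:", finding)
```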