Allow secrets to be read from file.
Some docker images, such as postgres and MySQL, in combination with docker-compose, allow the use of secrets in files. This is supported because the secret file is mounted as a volume /run/secret/<secretfilename>. See docker compose using fine grained secrets.
To use such a secret, the image/container must understand that it needs to read the secret from a file, not the environment.
The way it is supported in e.g. postgres is that the environment variable POSTGRES_PASSWORD_FILE is understood and can be used to point the container to the mounted secret file, e.g. POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password, which could then be a documented environment variable:
```yaml
services:
  db:
    ...
    environment:
      - DB_SERVER=db-c
      - POSTGRES_DB=todos
      - POSTGRES_USER=postgres
      # following info read from secret file
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      #                        ^-----------------------------^ is how it is exposed inside the container,
      #                                                        as a mounted volume.
      # it would be nice if we could use a secret file here too.
      - AUTHENTICATOR_PW=${AUTHENTICATOR_PW:-secret}
    secrets:
      - postgres_password
    ....
# top level
secrets:
  postgres_password:
    file: .secrets/postgres_password.txt
...
```
For consistency, we can use secret files for all containers.
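The following is an added example, not code from the original issue or from the project it is filed against. It shows the mechanism the postgres image uses for `POSTGRES_PASSWORD_FILE`, written as a small POSIX sh helper (`file_env`, a hypothetical name) that a container entrypoint could call for `AUTHENTICATOR_PW`: if `AUTHENTICATOR_PW_FILE` is set, the secret is read from that mounted file and exported as `AUTHENTICATOR_PW`; setting both the variable and the `_FILE` variant is rejected as ambiguous, and the path used in the demo is a constructed throwaway file standing in for `/run/secrets/...`.

```shell
#!/bin/sh
# Added example (not the project's code): resolve a secret from VAR or VAR_FILE,
# mirroring the convention the official postgres image uses for POSTGRES_PASSWORD_FILE.
#
# file_env VAR [DEFAULT]
#   - if VAR_FILE is set, read VAR's value from that file (the mounted compose secret)
#   - if both VAR and VAR_FILE are set, fail: two sources of truth for a password is a bug
#   - otherwise keep VAR, or fall back to DEFAULT if given
# The secret value itself is never echoed.
file_env() {
    var="$1"
    default="${2:-}"
    file_var="${var}_FILE"
    # indirect expansion in portable sh: val=${VAR:-}, file=${VAR_FILE:-}
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (exactly one allowed)" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            # the compose secret was not mounted (or mounted with the wrong name)
            echo "error: $file_var=$file is not readable" >&2
            return 1
        fi
        # $(cat ...) drops trailing newlines, so a secret file saved by an editor
        # that appends a newline yields the same value as the raw secret
        val="$(cat "$file")"
    fi
    [ -n "$val" ] || val="$default"
    export "$var=$val"
    # drop the _FILE hint so child processes only see the resolved variable
    unset "$file_var"
}

# Constructed demo: a throwaway file standing in for /run/secrets/authenticator_pw
demo_dir="$(mktemp -d)"
printf 'example-secret\n' > "$demo_dir/authenticator_pw"
chmod 0400 "$demo_dir/authenticator_pw"

AUTHENTICATOR_PW_FILE="$demo_dir/authenticator_pw"
export AUTHENTICATOR_PW_FILE
file_env AUTHENTICATOR_PW
# report only the length, never the secret itself
echo "AUTHENTICATOR_PW resolved from file (${#AUTHENTICATOR_PW} bytes); AUTHENTICATOR_PW_FILE cleared"
```

With this in place the compose entry in the issue could become `AUTHENTICATOR_PW_FILE=/run/secrets/authenticator_pw` plus a matching top-level secret, and the password would no longer appear in `docker inspect` output or in the shell history of whoever set `AUTHENTICATOR_PW`. The helper deliberately refuses the case where both forms are set rather than silently preferring one, so a stale plaintext variable cannot override the mounted secret.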