Support docker file-based secrets natively

[sweatybridge]

Feature request

Is your feature request related to a problem? Please describe.

It would be great if gotrue supported Docker Secrets, and *_FILE versions of the variables that hold secrets, so that we can pass a secrets file vs. the raw value:

services:
  gotrue:
    image: supabase/gotrue:v2.40.1
    restart: unless-stopped
    environment:
      GOTRUE_JWT_SECRET: ${JWT_SECRET}
      GOTRUE_JWT_SECRET_FILE: /run/secrets/jwt_secret
    secrets:
      - jwt_secret

The current GOTRUE_JWT_SECRET variable could still be supported alongside GOTRUE_JWT_SECRET_FILE, and the same for all other secrets. This would let current code continue to work, but migrate to a more secure method of injecting secrets.

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

entrypoint approach was rejected https://github.com/supabase/gotrue/pull/642

Additional context

upstream issue https://github.com/supabase/supabase/issues/6014

[hf]

GoTrue has just too many secrets, it doesn't make sense to do this for each one.

I'm considering adding a GOTRUE_ENV_SECRETS_FILE in which you can specify secrets as environment variables:

GOTRUE_JWT_SECRET=abcdef

Does that make sense?

[sweatybridge]

For secrets only used by gotrue, I think it's ok to store them in a single file. Since JWT_SECRET may be used by other services to decode auth token independently, it might be more useful to put it into a separate file. Also for secret rotation, it will be quite helpful to have them defined separately.

If there are too many secrets, I think it's ok to have one file for a start, then move specific ones out when the use case comes up.

[wolfspyre]

any progress on, or plan to implement this?

db creds are (imo) the biggest upside as far as toil-reduction/security exposure.