Support env vars with _FILE suffix pointing to file with secret value

[makukha]

Many Docker images allow setting env vars pointing to specific secret file.

For example, official PostgreSQL docker image, in addition to env var POSTGRES_PASSWORD, allows setting POSTGRES_PASSWORD_FILE, which, if set, must point to a file containing secret value.

All env vars in official PostgreSQL image, that allow _FILE override, are

• POSTGRES_INITDB_ARGS -> POSTGRES_INITDB_ARGS_FILE
• POSTGRES_PASSWORD -> POSTGRES_PASSWORD_FILE
• POSTGRES_USER -> POSTGRES_USER_FILE
• POSTGRES_DB -> POSTGRES_DB_FILE

This feature makes sense for secrets other than regular settings, that's why it might be a good idea to add it to this package.

[FichteFoll]

Would providing an explicit option for this functionality be an advantage over the already possible instantiation arguments?

In my current code, I use something like the following and I doubt that either hard-coding an environment variable and/or adding another argument to a config dict would be worth it, unless there is a commonly used standard for this that could be pushed that way.

    secrets_dir = os.getenv("SECRETS_BASEPATH")
    env_file = os.getenv("ENV_FILE", ENV_FILE) or None
    settings = AppSettings(
        _secrets_dir=secrets_dir,
        _env_file=env_file,
    )

[makukha]

@FichteFoll sorry, the original issue had no description, I was keeping in mind a different thing (description added). In addition, I made issue title more clear. Do you think this would be useful?

[FichteFoll]

I see. This is a different usage pattern than what I had assumed.

Since I'm using pydantic-file-secrets in applications whose life cycle I control, I can generally also specify where the files are mounted into a container and make those conform to the names defined by the base Settings model and how pydantic-file-secrets interprets them. Thus, I wouldn't need another way to achieve this.

I'm not sure if others may have a use case for this.