Add option to pass secrets as files

[bryopsida]

Expected Behavior

I'd like an option to pass secret values as files when appending _FILE after the current environment variable used for the value.

This behavior is consistent with other images such as MySQL, PostgreSQL (see the docker secrets section in the readme files for both).

Related to: https://github.com/apache/couchdb-helm/issues/140

Current Behavior

Currently, the secret values can only be passed through environment variables which can be problematic when benchmark/scanner tools are used, see: https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/ or bind mounts.

Enabling the _FILE option would allow for a cleaner implementation in the chart and is consistent with other official docker image behavior.

Possible Solution

The docker entry point could be updated to use COUCHDB_ADMIN_USER_FILE, COUCHDB_SECRET_FILE etc environment variables which have the path to a file holding the actual secret value.

[MichaelBrunn3r]

An alternative could be a URI-like format like authentik uses (https://docs.goauthentik.io/docs/installation/configuration#about-authentik-configurations).

services:
  couchdb:
    environment:
      # Original solution 
      COUCHDB_SECRET_FILE: /run/secrets/COUCHDB_SECRET
      # Solution like Authentik
      COUCHDB_SECRET: file:///run/secrets/COUCHDB_SECRET

I have seen your solution more often and it should be easier to implement, so I would prefer it. Just wanted to show a possible alternative.

[janl]

I’d look at a PR for this, if you’d make one :)

[axodentally]

Why did https://github.com/apache/couchdb-docker/pull/205 not get merged?

[bryopsida]

I created a draft PR here: #276 and am curious if this approach would be acceptable before I go further with it. Also I'm currently hitting some issues testing it due to the image build process breaking on my m1 laptop but should be able to move over to a x86 box to wrap the PR.