Support _FILE based configuration values (#264)

* Replace envconfig with env

* Adjust config options and processing

* Added _FILE variant for all password vars.

* Try pathenvconfig

* Revert everything so far

* Use our fork of envconfig with custom lookup

* Use our fork of envconfig with custom lookup

* Test compose timeout option

* Remove secret resolving and specific _FILE config

* Fix timing issue in swarm tests

* Revert "Test compose timeout option"

This reverts commit ab50b21748, reversing
changes made to 0282514b2b.

Revert "Test compose timeout option"

This reverts commit 0282514b2b.

* Use offen/envconfig v1.5.0

* Add info about _FILE in README

* Value > File. Panic on file error. Panic on duplicate presence.

* Test panic on duplicate vars and panic on file error.

cmd/backup/config.go

@@ -24,9 +24,7 @@ type Config struct {
 	AwsEndpointCACert             CertDecoder     `envconfig:"AWS_ENDPOINT_CA_CERT"`
 	AwsStorageClass               string          `split_words:"true"`
 	AwsAccessKeyID                string          `envconfig:"AWS_ACCESS_KEY_ID"`
-	AwsAccessKeyIDFile            string          `envconfig:"AWS_ACCESS_KEY_ID_FILE"`
 	AwsSecretAccessKey            string          `split_words:"true"`
-	AwsSecretAccessKeyFile        string          `split_words:"true"`
 	AwsIamRoleEndpoint            string          `split_words:"true"`
 	AwsPartSize                   int64           `split_words:"true"`
 	BackupCompression             CompressionType `split_words:"true" default:"gz"`
@@ -80,17 +78,6 @@ type Config struct {
 	DropboxConcurrencyLevel       NaturalNumber   `split_words:"true" default:"6"`
 }
 
-func (c *Config) resolveSecret(envVar string, secretPath string) (string, error) {
-	if secretPath == "" {
-		return envVar, nil
-	}
-	data, err := os.ReadFile(secretPath)
-	if err != nil {
-		return "", fmt.Errorf("resolveSecret: error reading secret path: %w", err)
-	}
-	return string(data), nil
-}
-
 type CompressionType string
 
 func (c *CompressionType) Decode(v string) error {

cmd/backup/script.go

@@ -35,8 +35,8 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
-	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
+	"github.com/offen/envconfig"
 	"github.com/otiai10/copy"
 	"golang.org/x/sync/errgroup"
 )
@@ -89,6 +89,28 @@ func newScript() (*script, error) {
 		return nil
 	})
 
+	envconfig.Lookup = func(key string) (string, bool) {
+		value, okValue := os.LookupEnv(key)
+		location, okFile := os.LookupEnv(key + "_FILE")
+
+		switch {
+		case okValue && !okFile: // only value
+			return value, true
+		case !okValue && okFile: // only file
+			contents, err := os.ReadFile(location)
+			if err != nil {
+				s.must(fmt.Errorf("newScript: failed to read %s! Error: %s", location, err))
+				return "", false
+			}
+			return string(contents), true
+		case okValue && okFile: // both
+			s.must(fmt.Errorf("newScript: both %s and %s are set!", key, key+"_FILE"))
+			return "", false
+		default: // neither, ignore
+			return "", false
+		}
+	}
+
 	if err := envconfig.Process("", s.c); err != nil {
 		return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
 	}
@@ -137,18 +159,10 @@ func newScript() (*script, error) {
 	}
 
 	if s.c.AwsS3BucketName != "" {
-		accessKeyID, err := s.c.resolveSecret(s.c.AwsAccessKeyID, s.c.AwsAccessKeyIDFile)
-		if err != nil {
-			return nil, fmt.Errorf("newScript: error resolving AwsAccessKeyID: %w", err)
-		}
-		secretAccessKey, err := s.c.resolveSecret(s.c.AwsSecretAccessKey, s.c.AwsSecretAccessKeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("newScript: error resolving AwsSecretAccessKey: %w", err)
-		}
 		s3Config := s3.Config{
 			Endpoint:         s.c.AwsEndpoint,
-			AccessKeyID:      accessKeyID,
-			SecretAccessKey:  secretAccessKey,
+			AccessKeyID:      s.c.AwsAccessKeyID,
+			SecretAccessKey:  s.c.AwsSecretAccessKey,
 			IamRoleEndpoint:  s.c.AwsIamRoleEndpoint,
 			EndpointProto:    s.c.AwsEndpointProto,
 			EndpointInsecure: s.c.AwsEndpointInsecure,