feat: Support _FILE suffix for environment variables

Author: ivov

docs/setup.md

@@ -63,6 +63,8 @@ For an example, refer to the [config file](https://github.com/n8n-io/n8n/blob/ma
 
 It is required to pass `N8N_RUNNERS_AUTH_TOKEN` to the launcher and to the n8n instance. This token will allow the launcher to authenticate with the n8n instance and to obtain a grant tokens for every runner it manages. All other env vars are optional and are listed in the [n8n docs](https://docs.n8n.io/hosting/configuration/environment-variables/task-runners).
 
+For any environment variable, you can append `_FILE` to specify a file path to read a value from. For example: `N8N_RUNNERS_AUTH_TOKEN_FILE=/path/to/auth-token.txt`
+
 The launcher can pass env vars to task runners in two ways, as specified in the [config file](#config-file):
 
 | Source | Description | Purpose |

internal/config/config.go

@@ -94,13 +94,13 @@ type RunnerConfig struct {
 
 // LoadLauncherConfig loads the launcher's base config from the launcher's environment and
 // loads runner configs from the config file specified by N8N_RUNNERS_CONFIG_PATH.
-func LoadLauncherConfig(runnerTypes []string, lookuper envconfig.Lookuper) (*LauncherConfig, error) {
+func LoadLauncherConfig(runnerTypes []string, baseLookuper envconfig.Lookuper) (*LauncherConfig, error) {
 	ctx := context.Background()
 
 	var baseConfig BaseConfig
 	if err := envconfig.ProcessWith(ctx, &envconfig.Config{
 		Target:   &baseConfig,
-		Lookuper: lookuper,
+		Lookuper: NewLauncherLookuper(baseLookuper),
 	}); err != nil {
 		return nil, err
 	}

internal/config/lookuper.go

@@ -0,0 +1,31 @@
+package config
+
+import (
+	"os"
+	"strings"
+
+	"github.com/sethvargo/go-envconfig"
+)
+
+type LauncherLookuper struct {
+	baseLookuper envconfig.Lookuper
+}
+
+func NewLauncherLookuper(baseLookuper envconfig.Lookuper) *LauncherLookuper {
+	return &LauncherLookuper{baseLookuper: baseLookuper}
+}
+
+func (f *LauncherLookuper) Lookup(key string) (string, bool) {
+	fileKey := key + "_FILE"
+	if filePath, ok := f.baseLookuper.Lookup(fileKey); ok {
+		// #nosec G304 -- filePath is controlled by system administrator via environment variable
+		content, err := os.ReadFile(filePath)
+		if err != nil {
+			return "", false
+		}
+
+		return strings.TrimRight(string(content), "\n\r"), true
+	}
+
+	return f.baseLookuper.Lookup(key)
+}

internal/config/lookuper_test.go

@@ -0,0 +1,153 @@
+package config
+
+import (
+	"maps"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/sethvargo/go-envconfig"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFileLookuper(t *testing.T) {
+	tests := []struct {
+		name          string
+		envVars       map[string]string
+		fileContent   map[string]string // filename -> content
+		lookupKey     string
+		expectedValue string
+		expectedFound bool
+	}{
+		{
+			name: "reads from _FILE when it exists",
+			envVars: map[string]string{
+				"AUTH_TOKEN_FILE": "/tmp/secret.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/secret.txt": "my-secret-token",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "my-secret-token",
+			expectedFound: true,
+		},
+		{
+			name: "trims trailing newlines from file content",
+			envVars: map[string]string{
+				"AUTH_TOKEN_FILE": "/tmp/secret.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/secret.txt": "my-secret-token\n",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "my-secret-token",
+			expectedFound: true,
+		},
+		{
+			name: "trims multiple trailing newlines",
+			envVars: map[string]string{
+				"AUTH_TOKEN_FILE": "/tmp/secret.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/secret.txt": "my-secret-token\n\n\r\n",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "my-secret-token",
+			expectedFound: true,
+		},
+		{
+			name: "preserves internal newlines",
+			envVars: map[string]string{
+				"MULTI_LINE_FILE": "/tmp/multi.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/multi.txt": "line1\nline2\nline3\n",
+			},
+			lookupKey:     "MULTI_LINE",
+			expectedValue: "line1\nline2\nline3",
+			expectedFound: true,
+		},
+		{
+			name: "falls back to direct env var when _FILE doesn't exist",
+			envVars: map[string]string{
+				"AUTH_TOKEN": "direct-value",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "direct-value",
+			expectedFound: true,
+		},
+		{
+			name: "_FILE takes precedence over direct env var",
+			envVars: map[string]string{
+				"AUTH_TOKEN":      "direct-value",
+				"AUTH_TOKEN_FILE": "/tmp/secret.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/secret.txt": "file-value",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "file-value",
+			expectedFound: true,
+		},
+		{
+			name:          "returns not found when neither exists",
+			envVars:       map[string]string{},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "",
+			expectedFound: false,
+		},
+		{
+			name: "returns not found when file doesn't exist",
+			envVars: map[string]string{
+				"AUTH_TOKEN_FILE": "/tmp/nonexistent.txt",
+			},
+			lookupKey:     "AUTH_TOKEN",
+			expectedValue: "",
+			expectedFound: false,
+		},
+		{
+			name: "handles empty file content",
+			envVars: map[string]string{
+				"EMPTY_FILE": "/tmp/empty.txt",
+			},
+			fileContent: map[string]string{
+				"/tmp/empty.txt": "",
+			},
+			lookupKey:     "EMPTY",
+			expectedValue: "",
+			expectedFound: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+
+			updatedEnvVars := make(map[string]string)
+			maps.Copy(updatedEnvVars, tt.envVars)
+
+			for filePath, content := range tt.fileContent {
+				tempFile := filepath.Join(tempDir, filepath.Base(filePath))
+				err := os.WriteFile(tempFile, []byte(content), 0600)
+				require.NoError(t, err)
+
+				for key, path := range updatedEnvVars {
+					if path == filePath {
+						updatedEnvVars[key] = tempFile
+					}
+				}
+			}
+
+			baseLookuper := envconfig.MapLookuper(updatedEnvVars)
+			lancherLookuper := NewLauncherLookuper(baseLookuper)
+
+			value, found := lancherLookuper.Lookup(tt.lookupKey)
+
+			assert.Equal(t, tt.expectedFound, found, "found mismatch")
+			if tt.expectedFound {
+				assert.Equal(t, tt.expectedValue, value, "value mismatch")
+			}
+		})
+	}
+}