Description
What would you like to be added:
Support for META_PASSWORD_FILE as an alternative to META_PASSWORD. When set, META_PASSWORD_FILE should point to a file containing the password for the metadata engine. It should work exactly as META_PASSWORD does today, but just file oriented instead of environment variable oriented.
Why is this needed:
Currently, JuiceFS supports passing the metadata engine password via environment variable. In the context of Kubernetes, this typically means storing the password in a Kubernetes secret and then injecting it into a pod via an environment variable.
However, many organizations discourage the use of Kubernetes secrets (due to lack of encryption, no native rotation capability, limited auditing, etc.) and instead use an external secrets system such as HashiCorp Vault.
Moreover, some organizations use systems like consul-template, which only expose secrets as files.
The purpose of META_PASSWORD_FILE is to expose the secret as a file, to support systems that expose secrets as files instead of environment variables, such as consul-template.
Implementation
I put together a draft PR for how this could work. #6438