Support use of a path for auth_token in teleport.yaml #2515

Closed
webvictim opened this issue Jan 22, 2019 · 3 comments · Fixed by #2864

@webvictim (Contributor)

What happened:
Using a file path in the auth_token section of teleport.yaml doesn't read the token from the file - the string seems to be interpreted literally as being the token itself.

What you expected to happen:
Given that we support using a path in the tokens section under auth_service (https://gravitational.com/teleport/docs/admin-guide/#static-tokens), I would expect that providing a path to auth_token would read the token from the file in the same way.

How to reproduce it (as minimally and precisely as possible):
teleport.yaml (node) - token is not read from the file:

teleport:
  auth_token: /var/lib/tokens/node/join-token

teleport.yaml (proxy/auth) - token is read from the file:

auth_service:
  enabled: true
  tokens:
    - "node:/var/lib/tokens/node/join-token"

Environment:

  • Teleport version (use teleport version): Teleport Enterprise v3.1.1git:v3.1.1-0-g8c506f47 go1.11.4
  • OS (e.g. from /etc/os-release): Ubuntu 18.10
@webvictim webvictim changed the title Support use of a path for supplying a static join token in teleport.yaml Support use of a path for auth_token in teleport.yaml Jan 22, 2019
@kontsevoy (Contributor) commented Jan 22, 2019

I would treat this as a lower priority thing for now. TBH the tokens config section is screaming for improvement, i.e. we've made a mistake of overloading it, i.e. if I were to touch this code again I would propose to move to an easier and cleaner YAML (while accepting the old format), i.e.

# server side:
auth_service:
  tokens:
    node: "file:///path/to/file"
    auth: "https://host/path/to/file"
    proxy: "in-place secret"

# one secret for all:
auth_service:
  tokens:
    "node,auth,proxy": "file://path/to/file"

# client side:
auth_token: "file:///path/to/file"
# or...
auth_token: "in-place secret"

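The thread above describes two places where a token value can be a path (the node-side auth_token in the issue body, and the server-side tokens list in the "roles:token" shape) plus a proposed explicit "file://" scheme. The following Go snippet is an added example written for this page, not Teleport's own code; the function names (IsTokenPath, ResolveToken, ParseStaticToken), the acceptance of a bare absolute path as a fallback, and the permission check on the token file are all assumptions of this example. It resolves a configured value to the actual secret, reading from disk when the value is a path, and refuses a token file that is group- or world-readable.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeTokenFile is returned when a token file is readable by group or
// others; a join token is a credential and should be mode 0600.
var ErrUnsafeTokenFile = errors.New("token file is readable by group or others")

// IsTokenPath reports whether a configured value names a file rather than being
// the secret itself, returning the path when it does. It accepts the explicit
// "file://" scheme proposed in this thread and, as a fallback (an assumption of
// this example), a bare absolute path as written in the issue. Anything else is
// an in-place secret, so a literal token containing slashes is never misread.
func IsTokenPath(value string) (string, bool) {
	v := strings.TrimSpace(value)
	if strings.HasPrefix(v, "file://") {
		return strings.TrimPrefix(v, "file://"), true
	}
	if filepath.IsAbs(v) {
		return v, true
	}
	return "", false
}

// ResolveToken returns the secret for a configured token value, reading it from
// disk when the value is a path. Surrounding whitespace (for example the newline
// left by `echo secret > file`) is stripped, an empty file is an error, and the
// file must not be group- or world-readable.
func ResolveToken(value string) (string, error) {
	path, isPath := IsTokenPath(value)
	if !isPath {
		return strings.TrimSpace(value), nil
	}
	info, err := os.Stat(path)
	if err != nil {
		return "", fmt.Errorf("token file %q: %w", path, err)
	}
	if info.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("token file %q: %w", path, ErrUnsafeTokenFile)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("token file %q: %w", path, err)
	}
	token := strings.TrimSpace(string(data))
	if token == "" {
		return "", fmt.Errorf("token file %q is empty", path)
	}
	return token, nil
}

// ParseStaticToken handles one entry of the server-side tokens list in the
// "role1,role2:token" shape shown in the issue. Only the first colon separates
// roles from token, so a "file://" URI or a secret containing ':' survives.
// The token part is resolved exactly like the client-side auth_token.
func ParseStaticToken(entry string) (roles []string, token string, err error) {
	rolesPart, tokenPart, found := strings.Cut(entry, ":")
	if !found || strings.TrimSpace(rolesPart) == "" {
		return nil, "", fmt.Errorf("static token %q: expected \"roles:token\"", entry)
	}
	for _, r := range strings.Split(rolesPart, ",") {
		if r = strings.TrimSpace(r); r != "" {
			roles = append(roles, r)
		}
	}
	token, err = ResolveToken(tokenPart)
	if err != nil {
		return nil, "", err
	}
	return roles, token, nil
}

func main() {
	// Constructed demo: write a token file with restrictive permissions, then
	// resolve it as a node-side auth_token and as a server-side tokens entry.
	dir, err := os.MkdirTemp("", "join-token")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "join-token")
	if err := os.WriteFile(path, []byte("s3cr3t-join-token\n"), 0o600); err != nil {
		panic(err)
	}
	tok, err := ResolveToken("file://" + path)
	fmt.Println("client auth_token:", tok, err)
	roles, tok, err := ParseStaticToken("node,proxy:" + path)
	fmt.Println("server tokens entry:", roles, tok, err)
	lit, _ := ResolveToken("in-place secret")
	fmt.Println("literal:", lit)
}
```

The explicit "file://" scheme is the safer signal: a bare absolute path cannot be distinguished from a secret that happens to start with "/", which is why this example treats the path fallback as a compatibility concession rather than the primary form. Note that a value written as "file://path/to/file" (two slashes, as in the proposal's second block) resolves to the relative path "path/to/file", while "file:///path/to/file" resolves to the absolute one. The permission check matters for the Kubernetes-secret case mentioned later in the thread: a mounted secret is only as private as the mode it is projected with.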
@aaronmell commented Apr 12, 2019

This is a pretty big blocker if you want to run your auth nodes in kubernetes and use kubernetes secrets to store your token. Makes it challenging to rotate the secrets as well.

@kontsevoy (Contributor)

@aaronmell agreed, we'll get to this eventually!
