Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: implement GPG Public Key encryption support #118

Merged
merged 1 commit into from
Nov 25, 2024
Merged

feat: implement GPG Public Key encryption support #118

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ sudo dokku plugin:install https://github.com/dokku/dokku-nats.git nats

```
nats:app-links <app> # list all nats service links for a given app
nats:backup-set-public-key-encryption <service> <public-key-id> # set GPG Public Key encryption for all future backups of nats service
nats:backup-unset-public-key-encryption <service> # unset GPG Public Key encryption for future backups of the nats service
nats:create <service> [--create-flags...] # create a nats service
nats:destroy <service> [-f|--force] # delete the nats service/data/container if there are no links left
nats:enter <service> # enter or run a command in a running nats service container
Expand Down Expand Up @@ -496,6 +498,39 @@ List all apps linked to the `lollipop` nats service.
```shell
dokku nats:links lollipop
```
### Backups

Datastore backups are supported via AWS S3 and S3 compatible services like [minio](https://github.com/minio/minio).

You may skip the `backup-auth` step if your dokku install is running within EC2 and has access to the bucket via an IAM profile. In that case, use the `--use-iam` option with the `backup` command.

Backups can be performed using the backup commands:

### set GPG Public Key encryption for all future backups of nats service

```shell
# usage
dokku nats:backup-set-public-key-encryption <service> <public-key-id>
```

Set the `GPG` Public Key for encrypting backups:

```shell
dokku nats:backup-set-public-key-encryption lollipop
```

### unset GPG Public Key encryption for future backups of the nats service

```shell
# usage
dokku nats:backup-unset-public-key-encryption <service>
```

Unset the `GPG` Public Key encryption for backups:

```shell
dokku nats:backup-unset-public-key-encryption lollipop
```

### Disabling `docker image pull` calls

Expand Down
2 changes: 2 additions & 0 deletions bin/generate
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,9 @@ def usage_backup(
"backup-deauth",
"backup",
"backup-set-encryption",
"backup-set-public-key-encryption",
"backup-unset-encryption",
"backup-unset-public-key-encryption",
"backup-schedule",
"backup-schedule-cat",
"backup-unschedule",
Expand Down
23 changes: 23 additions & 0 deletions common-functions
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,10 @@ service_backup() {
BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")"
fi

if [[ -f "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID" ]]; then
BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPT_WITH_PUBLIC_KEY_ID=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID")"
fi

# shellcheck disable=SC2086
"$DOCKER_BIN" container run --rm $BACKUP_PARAMETERS "$PLUGIN_S3BACKUP_IMAGE"
}
Expand Down Expand Up @@ -433,6 +437,16 @@ service_backup_set_encryption() {
echo "$ENCRYPTION_KEY" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"
}

service_backup_set_public_key_encryption() {
declare desc="set up backup GPG Public Key encryption"
declare SERVICE="$1" ENCRYPT_WITH_PUBLIC_KEY_ID="$2"
local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"

mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT"
echo "$ENCRYPT_WITH_PUBLIC_KEY_ID" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPT_WITH_PUBLIC_KEY_ID"
}

service_backup_unschedule() {
declare desc="unschedule the backup of the service"
declare SERVICE="$1"
Expand All @@ -450,6 +464,15 @@ service_backup_unset_encryption() {
rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
}

service_backup_unset_encryption() {
declare desc="remove backup encryption"
declare SERVICE="$1"
local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"

rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
}

service_container_rm() {
declare desc="stop a service and remove the running container"
declare SERVICE="$1"
Expand Down
25 changes: 25 additions & 0 deletions subcommands/backup-set-public-key-encryption
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
#!/usr/bin/env bash
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"

service-backup-set-public-key-encryption-cmd() {
#E set the GPG Public Key for encrypting backups
#E dokku $PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption lollipop
#A service, service to run command against
#A public-key-id, a GPG Public Key ID (or fingerprint) to use for encryption. Must be uploaded to the GPG keyserver beforehand.
declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service"
local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption" argv=("$@")
[[ ${argv[0]} == "$cmd" ]] && shift 1
declare SERVICE="$1" PUBLIC_KEY_ID="$2"
is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented"

[[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
[[ -z "$PUBLIC_KEY_ID" ]] && dokku_log_fail "Please specify a valid GPG Public Key ID (or fingerprint)"
verify_service_name "$SERVICE"
service_backup_set_public_key_encryption "$SERVICE" "$PUBLIC_KEY_ID"
}

service-backup-set-public-key-encryption-cmd "$@"
23 changes: 23 additions & 0 deletions subcommands/backup-unset-public-key-encryption
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"

service-backup-unset-public-key-encryption-cmd() {
#E unset the GPG Public Key encryption for backups
#E dokku $PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption lollipop
#A service, service to run command against
declare desc="unset GPG Public Key encryption for future backups of the $PLUGIN_SERVICE service"
local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption" argv=("$@")
[[ ${argv[0]} == "$cmd" ]] && shift 1
declare SERVICE="$1"
is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented" # TODO: [22.03.2024 by Mykola]

[[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
verify_service_name "$SERVICE"
service_backup_unset_public_key_encryption "$SERVICE" # TODO: [22.03.2024 by Mykola]
}

service-backup-unset-encryption-cmd "$@"