这是indexloc提供的服务,不要输入任何密码
Skip to content

feat: implement GPG Public Key encryption support #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 25, 2024
Merged

feat: implement GPG Public Key encryption support #83

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ sudo dokku plugin:install https://github.com/dokku/dokku-rethinkdb.git rethinkdb

```
rethinkdb:app-links <app> # list all rethinkdb service links for a given app
rethinkdb:backup-set-public-key-encryption <service> <public-key-id> # set GPG Public Key encryption for all future backups of rethinkdb service
rethinkdb:backup-unset-public-key-encryption <service> # unset GPG Public Key encryption for future backups of the rethinkdb service
rethinkdb:connect <service> # connect to the service via the rethinkdb connection tool
rethinkdb:create <service> [--create-flags...] # create a rethinkdb service
rethinkdb:destroy <service> [-f|--force] # delete the rethinkdb service/data/container if there are no links left
Expand Down Expand Up @@ -512,6 +514,39 @@ List all apps linked to the `lollipop` rethinkdb service.
```shell
dokku rethinkdb:links lollipop
```
### Backups

Datastore backups are supported via AWS S3 and S3 compatible services like [minio](https://github.com/minio/minio).

You may skip the `backup-auth` step if your dokku install is running within EC2 and has access to the bucket via an IAM profile. In that case, use the `--use-iam` option with the `backup` command.

Backups can be performed using the backup commands:

### set GPG Public Key encryption for all future backups of rethinkdb service

```shell
# usage
dokku rethinkdb:backup-set-public-key-encryption <service> <public-key-id>
```

Set the `GPG` Public Key for encrypting backups:

```shell
dokku rethinkdb:backup-set-public-key-encryption lollipop
```

### unset GPG Public Key encryption for future backups of the rethinkdb service

```shell
# usage
dokku rethinkdb:backup-unset-public-key-encryption <service>
```

Unset the `GPG` Public Key encryption for backups:

```shell
dokku rethinkdb:backup-unset-public-key-encryption lollipop
```

### Disabling `docker image pull` calls

Expand Down
2 changes: 2 additions & 0 deletions bin/generate
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,9 @@ def usage_backup(
"backup-deauth",
"backup",
"backup-set-encryption",
"backup-set-public-key-encryption",
"backup-unset-encryption",
"backup-unset-public-key-encryption",
"backup-schedule",
"backup-schedule-cat",
"backup-unschedule",
Expand Down
23 changes: 23 additions & 0 deletions common-functions
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,10 @@ service_backup() {
BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")"
fi

if [[ -f "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID" ]]; then
BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPT_WITH_PUBLIC_KEY_ID=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID")"
fi

# shellcheck disable=SC2086
"$DOCKER_BIN" container run --rm $BACKUP_PARAMETERS "$PLUGIN_S3BACKUP_IMAGE"
}
Expand Down Expand Up @@ -433,6 +437,16 @@ service_backup_set_encryption() {
echo "$ENCRYPTION_KEY" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"
}

service_backup_set_public_key_encryption() {
declare desc="set up backup GPG Public Key encryption"
declare SERVICE="$1" ENCRYPT_WITH_PUBLIC_KEY_ID="$2"
local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"

mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT"
echo "$ENCRYPT_WITH_PUBLIC_KEY_ID" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPT_WITH_PUBLIC_KEY_ID"
}

service_backup_unschedule() {
declare desc="unschedule the backup of the service"
declare SERVICE="$1"
Expand All @@ -450,6 +464,15 @@ service_backup_unset_encryption() {
rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
}

service_backup_unset_encryption() {
declare desc="remove backup encryption"
declare SERVICE="$1"
local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"

rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
}

service_container_rm() {
declare desc="stop a service and remove the running container"
declare SERVICE="$1"
Expand Down
25 changes: 25 additions & 0 deletions subcommands/backup-set-public-key-encryption
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
#!/usr/bin/env bash
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"

service-backup-set-public-key-encryption-cmd() {
#E set the GPG Public Key for encrypting backups
#E dokku $PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption lollipop
#A service, service to run command against
#A public-key-id, a GPG Public Key ID (or fingerprint) to use for encryption. Must be uploaded to the GPG keyserver beforehand.
declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service"
local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption" argv=("$@")
[[ ${argv[0]} == "$cmd" ]] && shift 1
declare SERVICE="$1" PUBLIC_KEY_ID="$2"
is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented"

[[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
[[ -z "$PUBLIC_KEY_ID" ]] && dokku_log_fail "Please specify a valid GPG Public Key ID (or fingerprint)"
verify_service_name "$SERVICE"
service_backup_set_public_key_encryption "$SERVICE" "$PUBLIC_KEY_ID"
}

service-backup-set-public-key-encryption-cmd "$@"
23 changes: 23 additions & 0 deletions subcommands/backup-unset-public-key-encryption
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/usr/bin/env bash
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"

service-backup-unset-public-key-encryption-cmd() {
#E unset the GPG Public Key encryption for backups
#E dokku $PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption lollipop
#A service, service to run command against
declare desc="unset GPG Public Key encryption for future backups of the $PLUGIN_SERVICE service"
local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption" argv=("$@")
[[ ${argv[0]} == "$cmd" ]] && shift 1
declare SERVICE="$1"
is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented" # TODO: [22.03.2024 by Mykola]

[[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
verify_service_name "$SERVICE"
service_backup_unset_public_key_encryption "$SERVICE" # TODO: [22.03.2024 by Mykola]
}

service-backup-unset-encryption-cmd "$@"