diff --git a/README.md b/README.md index 431300d..50f617f 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,9 @@ postgres:backup (--use-iam) Create a backup of the postgres serv postgres:backup-auth () () () Sets up authentication for backups on the postgres service postgres:backup-deauth Removes backup authentication for the postgres service postgres:backup-schedule Schedules a backup of the postgres service +postgres:backup-set-encryption , Sets up GPG encryption for future backups of the postgres service postgres:backup-unschedule Unschedules the backup of the postgres service +postgres:backup-unset-encryption , Removes backup encryption for future backups of the postgres service postgres:clone Create container then copy data from into postgres:connect Connect via psql to a postgres service postgres:create Create a postgres service with environment variables diff --git a/commands b/commands index db01b53..5568100 100755 --- a/commands +++ b/commands @@ -27,10 +27,18 @@ case "$1" in "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/subcommands/backup-schedule" "$@" ;; + $PLUGIN_COMMAND_PREFIX:backup-set-encryption) + "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/subcommands/backup-set-encryption" "$@" + ;; + $PLUGIN_COMMAND_PREFIX:backup-unschedule) "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/subcommands/backup-unschedule" "$@" ;; + $PLUGIN_COMMAND_PREFIX:backup-unset-encryption) + "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/subcommands/backup-unset-encryption" "$@" + ;; + $PLUGIN_COMMAND_PREFIX:clone) "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/subcommands/clone" "$@" ;; 
@@ -108,7 +116,9 @@ case "$1" in $PLUGIN_COMMAND_PREFIX:backup-auth () () (), Sets up authentication for backups on the $PLUGIN_COMMAND_PREFIX service $PLUGIN_COMMAND_PREFIX:backup-deauth , Removes backup authentication for the $PLUGIN_COMMAND_PREFIX service $PLUGIN_COMMAND_PREFIX:backup-schedule , Schedules a backup of the $PLUGIN_COMMAND_PREFIX service + $PLUGIN_COMMAND_PREFIX:backup-set-encryption , Sets up GPG encryption for future backups of the $PLUGIN_COMMAND_PREFIX service $PLUGIN_COMMAND_PREFIX:backup-unschedule , Unschedules the backup of the $PLUGIN_COMMAND_PREFIX service + $PLUGIN_COMMAND_PREFIX:backup-unset-encryption , Removes backup encryption for future backups of the $PLUGIN_COMMAND_PREFIX service $PLUGIN_COMMAND_PREFIX:clone , Create container then copy data from into $PLUGIN_COMMAND_PREFIX:connect , Connect via psql to a $PLUGIN_SERVICE service $PLUGIN_COMMAND_PREFIX:create , Create a $PLUGIN_SERVICE service diff --git a/common-functions b/common-functions index 3c9f411..e96e658 100755 --- a/common-functions +++ b/common-functions 
@@ -105,17 +105,18 @@ service_alternative_alias() { service_backup() { declare desc="Creates a backup of a service to an existing s3 bucket" - declare SERVICE="$1" BUCKET_NAME="$2" S3_FLAG="$3" + declare SERVICE="$1" BUCKET_NAME="$2" USE_IAM_OPTIONAL_FLAG="$3" local BACKUP_CONFIG_ROOT="$PLUGIN_DATA_ROOT/$SERVICE/backup" + local BACKUP_ENCRYPTION_CONFIG_ROOT="$PLUGIN_DATA_ROOT/$SERVICE/backup-encryption" local AWS_ACCESS_KEY_ID_FILE="$BACKUP_CONFIG_ROOT/AWS_ACCESS_KEY_ID" local AWS_SECRET_ACCESS_KEY_FILE="$BACKUP_CONFIG_ROOT/AWS_SECRET_ACCESS_KEY" local BACKUP_PARAMETERS="" - if [[ -z "$S3_FLAG" ]]; then + if [[ -z "$USE_IAM_OPTIONAL_FLAG" ]]; then [[ ! -f "$AWS_ACCESS_KEY_ID_FILE" ]] && dokku_log_fail "Missing AWS_ACCESS_KEY_ID file" [[ ! -f "$AWS_SECRET_ACCESS_KEY_FILE" ]] && dokku_log_fail "Missing AWS_SECRET_ACCESS_KEY file" BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e AWS_ACCESS_KEY_ID=$(cat "$AWS_ACCESS_KEY_ID_FILE") -e AWS_SECRET_ACCESS_KEY=$(cat "$AWS_SECRET_ACCESS_KEY_FILE")" - elif [[ $S3_FLAG != "--use-iam" ]]; then + elif [[ $USE_IAM_OPTIONAL_FLAG != "--use-iam" ]]; then dokku_log_fail "Provide AWS credentials or use the --use-iam flag" fi @@ -141,8 +142,12 @@ service_backup() { BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENDPOINT_URL=$(cat "$BACKUP_CONFIG_ROOT/ENDPOINT_URL")" fi + if [[ -f "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY" ]]; then + BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")" + fi + # shellcheck disable=SC2086 - docker run $BACKUP_PARAMETERS dokkupaas/s3backup:0.7.0 + docker run $BACKUP_PARAMETERS dokkupaas/s3backup:0.8.0 } service_backup_auth() { 
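Review bot: The new `ENCRYPTION_KEY` block in service_backup (second hunk) appends the key's value to `$BACKUP_PARAMETERS`, which the `docker run` line expands unquoted with SC2086 disabled. A key containing whitespace or glob characters is therefore split into extra docker arguments, and the secret ends up in docker's argument list. Docker copies a variable from the caller's environment when `-e` is given a bare name, so the block can read the file into an exported variable, `ENCRYPTION_KEY="$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")"; export ENCRYPTION_KEY`, and append only `BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY"`. The AWS credential line shown as context in the first hunk has the same shape. service_backup's body continues outside both hunks.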
@@ -198,6 +203,25 @@ service_backup_unschedule() { sudo /bin/rm -f "$CRON_FILE" } +service_backup_set_encryption() { + declare desc="Sets up backup encryption" + declare SERVICE="$1" ENCRYPTION_KEY="$2" + local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}" + local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/" + + mkdir -p "$SERVICE_BACKUP_ENCRYPTION_ROOT" + echo "$ENCRYPTION_KEY" > "${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY" +} + +service_backup_unset_encryption() { + declare desc="Removes backup encryption" + declare SERVICE="$1" + local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}" + local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/" + + rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT" +} + service_enter() { declare desc="enters running app container of specified proc type" declare SERVICE="$1" && shift 1 diff --git a/install b/install index 60f5315..baced9a 100755 --- a/install +++ b/install @@ -13,7 +13,7 @@ plugin-install() { pull-docker-image "${PLUGIN_IMAGE}:${PLUGIN_IMAGE_VERSION}" pull-docker-image "svendowideit/ambassador:latest" pull-docker-image "dokkupaas/wait:0.2" - pull-docker-image "dokkupaas/s3backup:0.7.0" + pull-docker-image "dokkupaas/s3backup:0.8.0" pull-docker-image "busybox:latest" mkdir -p "$PLUGIN_DATA_ROOT" || echo "Failed to create $PLUGIN_SERVICE directory" diff --git a/subcommands/backup b/subcommands/backup index 4eae166..364cf08 100755 --- a/subcommands/backup +++ b/subcommands/backup 
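Review bot: service_backup_set_encryption creates the `backup-encryption` directory and writes the key with `echo "$ENCRYPTION_KEY" > ...` without restricting permissions, so both get whatever the caller's umask allows. For a secret, the write should run under a tight umask, e.g. `(umask 077; mkdir -p "$SERVICE_BACKUP_ENCRYPTION_ROOT"; printf '%s\n' "$ENCRYPTION_KEY" > "${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY")`. Using `printf` also avoids `echo` treating a key such as `-n` as an option. `SERVICE_BACKUP_ENCRYPTION_ROOT` ends in `/` and is then joined with another `/`; this is harmless but differs from `BACKUP_ENCRYPTION_CONFIG_ROOT` in service_backup, and a comment tying the two paths together would help.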
@@ -7,12 +7,12 @@ source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" postgres-backup-cmd() { declare desc="creates a backup of the $PLUGIN_SERVICE service to an existing s3 bucket" local cmd="$PLUGIN_COMMAND_PREFIX:backup" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1 - declare SERVICE="$1" BUCKET_NAME="$2" S3_FLAG="$3" + declare SERVICE="$1" BUCKET_NAME="$2" USE_IAM_OPTIONAL_FLAG="$3" [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service" [[ -z "$BUCKET_NAME" ]] && dokku_log_fail "Please specify an aws bucket for the backup" verify_service_name "$SERVICE" - service_backup "$SERVICE" "$BUCKET_NAME" "$S3_FLAG" + service_backup "$SERVICE" "$BUCKET_NAME" "$USE_IAM_OPTIONAL_FLAG" } postgres-backup-cmd "$@" diff --git a/subcommands/backup-auth b/subcommands/backup-auth index a633dbe..bf6ba92 100755 --- a/subcommands/backup-auth +++ b/subcommands/backup-auth 
@@ -7,16 +7,14 @@ source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" postgres-backup-auth-cmd() { declare desc="sets up authentication for backups on the $PLUGIN_SERVICE service" local cmd="$PLUGIN_COMMAND_PREFIX:backup-auth" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1 - declare SERVICE="$1" AWS_ACCESS_KEY_ID="$2" AWS_SECRET_ACCESS_KEY="$3" - shift 3 - declare OPTIONAL_PARAMETERS="$@" + declare SERVICE="$1" AWS_ACCESS_KEY_ID="$2" AWS_SECRET_ACCESS_KEY="$3" AWS_DEFAULT_REGION="$4" AWS_SIGNATURE_VERSION="$5" ENDPOINT_URL="$6" [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service" [[ -z "$AWS_ACCESS_KEY_ID" ]] && dokku_log_fail "Please specify an aws access key id" [[ -z "$AWS_SECRET_ACCESS_KEY" ]] && dokku_log_fail "Please specify an aws secret access key" verify_service_name "$SERVICE" - service_backup_auth "$SERVICE" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" $OPTIONAL_PARAMETERS + service_backup_auth "$SERVICE" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_DEFAULT_REGION" "$AWS_SIGNATURE_VERSION" "$ENDPOINT_URL" } postgres-backup-auth-cmd "$@" diff --git a/subcommands/backup-set-encryption b/subcommands/backup-set-encryption new file mode 100755 index 0000000..6958a0d --- /dev/null +++ b/subcommands/backup-set-encryption 
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_BASE_PATH/common/functions"
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"
+
+postgres-backup-set-encryption-cmd() {
+ declare desc="sets encryption for all future backups of $PLUGIN_SERVICE service"
+ local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-encryption" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1
+ declare SERVICE="$1" ENCRYPTION_KEY="$2"
+
+ [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service"
+ [[ -z "$ENCRYPTION_KEY" ]] && dokku_log_fail "Please specify a GPG encryption key"
+ verify_service_name "$SERVICE"
+ service_backup_set_encryption "$SERVICE" "$ENCRYPTION_KEY"
+}
+
+postgres-backup-set-encryption-cmd "$@"
diff --git a/subcommands/backup-unset-encryption b/subcommands/backup-unset-encryption
new file mode 100755
index 0000000..338bfdb
--- /dev/null
+++ b/subcommands/backup-unset-encryption
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_BASE_PATH/common/functions"
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"
+
+postgres-backup-unset-encryption-cmd() {
+ declare desc="unsets encryption for future backups of the $PLUGIN_SERVICE service"
+ local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-encryption" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1
+ declare SERVICE="$1"
+
+ [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service"
+ verify_service_name "$SERVICE"
+ service_backup_unset_encryption "$SERVICE"
+}
+
+postgres-backup-unset-encryption-cmd "$@"
diff --git a/subcommands/expose b/subcommands/expose
index fe2566d..e2e0f62 100755
--- a/subcommands/expose
+++ b/subcommands/expose
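Review bot: subcommands/backup-set-encryption takes the key as positional argument `$2`, so it lands in the caller's shell history and process arguments. The script also enables `set -x` whenever `DOKKU_TRACE` is set, so the `argv=("$@")` line, the `declare SERVICE="$1" ENCRYPTION_KEY="$2"` line and the call to service_backup_set_encryption would all print the key in the trace. I would put `set +x` at the top of postgres-backup-set-encryption-cmd with a comment such as `# never trace the encryption key`. The `desc` string should also say that the key is read from the command line. The error text "Please specify a GPG encryption key" does not say whether a passphrase or a key id is expected; the visible lines do not settle that, so the wording is worth confirming against the s3backup image.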
@@ -7,7 +7,7 @@ source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" postgres-expose-cmd() { declare desc="expose a $PLUGIN_SERVICE service on custom port if provided (random port otherwise)" local cmd="$PLUGIN_COMMAND_PREFIX:expose" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1 - declare SERVICE="$1" + declare SERVICE="$1" PORTS="${@:2}" [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service" verify_service_name "$SERVICE" diff --git a/subcommands/logs b/subcommands/logs index 7c746a3..e0abe21 100755 --- a/subcommands/logs +++ b/subcommands/logs @@ -7,11 +7,11 @@ source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" postgres-logs-cmd() { declare desc="print the most recent log(s) for this service" local cmd="$PLUGIN_COMMAND_PREFIX:logs" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1 - declare SERVICE="$1" TAIL="$2" + declare SERVICE="$1" TAIL_FLAG="$2" [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a name for the service" verify_service_name "$SERVICE" - service_logs "$SERVICE" "$TAIL" + service_logs "$SERVICE" "$TAIL_FLAG" } postgres-logs-cmd "$@" diff --git a/subcommands/promote b/subcommands/promote index e13eb99..84bdf15 100755 --- a/subcommands/promote +++ b/subcommands/promote @@ -5,7 +5,7 @@ source "$PLUGIN_BASE_PATH/common/functions" source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" postgres-promote-cmd() { - declare desc="promote service as ${PLUGIN_DEFAULT_ALIAS}_URL in " + declare desc="promote service as ${PLUGIN_DEFAULT_ALIAS}_URL in " local cmd="$PLUGIN_COMMAND_PREFIX:promote" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1 declare SERVICE="$1" APP="$2" APP=${APP:="$DOKKU_APP_NAME"}
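Review bot: In the subcommands/expose hunk, `PORTS="${@:2}"` assigns an argument slice to a scalar, which joins the remaining arguments into one space-separated string (ShellCheck SC2124), and no line visible in the hunk reads `PORTS`. If the variable only documents the arguments, `PORTS="${*:2}"` makes the joining explicit. If a later line is meant to consume it, `PORTS=("${@:2}")` keeps each port a separate word. The body of postgres-expose-cmd continues outside the hunk, so whether the ports are still taken from `"$@"` further down cannot be checked here.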