feat: implement GPG Public Key encryption support

Author: josegonzalez

README.md

@@ -1,6 +1,6 @@
 # dokku mysql [![Build Status](https://img.shields.io/github/actions/workflow/status/dokku/dokku-mysql/ci.yml?branch=master&style=flat-square "Build Status")](https://github.com/dokku/dokku-mysql/actions/workflows/ci.yml?query=branch%3Amaster) [![IRC Network](https://img.shields.io/badge/irc-libera-blue.svg?style=flat-square "IRC Libera")](https://webchat.libera.chat/?channels=dokku)
 
-Official mysql plugin for dokku. Currently defaults to installing [mysql 9.0.1](https://hub.docker.com/_/mysql/).
+Official mysql plugin for dokku. Currently defaults to installing [mysql 9.1.0](https://hub.docker.com/_/mysql/).
 
 ## Requirements
 
@@ -24,8 +24,10 @@ mysql:backup-deauth <service>                      # remove backup authenticatio
 mysql:backup-schedule <service> <schedule> <bucket-name> [--use-iam] # schedule a backup of the mysql service
 mysql:backup-schedule-cat <service>                # cat the contents of the configured backup cronfile for the service
 mysql:backup-set-encryption <service> <passphrase> # set encryption for all future backups of mysql service
+mysql:backup-set-public-key-encryption <service> <public-key-id> # set GPG Public Key encryption for all future backups of mysql service
 mysql:backup-unschedule <service>                  # unschedule the backup of the mysql service
 mysql:backup-unset-encryption <service>            # unset encryption for future backups of the mysql service
+mysql:backup-unset-public-key-encryption <service> # unset GPG Public Key encryption for future backups of the mysql service
 mysql:clone <service> <new-service> [--clone-flags...] # create container <new-name> then copy data from <name> into <new-name>
 mysql:connect <service>                            # connect to the service via the mysql connection tool
 mysql:create <service> [--create-flags...]         # create a mysql service
@@ -675,6 +677,19 @@ Set the GPG-compatible passphrase for encrypting backups for backups:
 dokku mysql:backup-set-encryption lollipop
 ```
 
+### set GPG Public Key encryption for all future backups of mysql service
+
+```shell
+# usage
+dokku mysql:backup-set-public-key-encryption <service> <public-key-id>
+```
+
+Set the `GPG` Public Key for encrypting backups:
+
+```shell
+dokku mysql:backup-set-public-key-encryption lollipop
+```
+
 ### unset encryption for future backups of the mysql service
 
 ```shell
@@ -688,6 +703,19 @@ Unset the `GPG` encryption passphrase for backups:
 dokku mysql:backup-unset-encryption lollipop
 ```
 
+### unset GPG Public Key encryption for future backups of the mysql service
+
+```shell
+# usage
+dokku mysql:backup-unset-public-key-encryption <service>
+```
+
+Unset the `GPG` Public Key encryption for backups:
+
+```shell
+dokku mysql:backup-unset-public-key-encryption lollipop
+```
+
 ### schedule a backup of the mysql service
 
 ```shell

bin/generate

@@ -290,7 +290,9 @@ def usage_backup(
         "backup-deauth",
         "backup",
         "backup-set-encryption",
+        "backup-set-public-key-encryption",
         "backup-unset-encryption",
+        "backup-unset-public-key-encryption",
         "backup-schedule",
         "backup-schedule-cat",
         "backup-unschedule",

common-functions

@@ -308,6 +308,10 @@ service_backup() {
     BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")"
   fi
 
+  if [[ -f "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID" ]]; then
+    BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPT_WITH_PUBLIC_KEY_ID=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID")"
+  fi
+
   # shellcheck disable=SC2086
   "$DOCKER_BIN" container run --rm $BACKUP_PARAMETERS "$PLUGIN_S3BACKUP_IMAGE"
 }
@@ -433,6 +437,16 @@ service_backup_set_encryption() {
   echo "$ENCRYPTION_KEY" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"
 }
 
+service_backup_set_public_key_encryption() {
+  declare desc="set up backup GPG Public Key encryption"
+  declare SERVICE="$1" ENCRYPT_WITH_PUBLIC_KEY_ID="$2"
+  local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
+  local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
+
+  mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+  echo "$ENCRYPT_WITH_PUBLIC_KEY_ID" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPT_WITH_PUBLIC_KEY_ID"
+}
+
 service_backup_unschedule() {
   declare desc="unschedule the backup of the service"
   declare SERVICE="$1"
@@ -450,6 +464,15 @@ service_backup_unset_encryption() {
   rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
 }
 
+service_backup_unset_encryption() {
+  declare desc="remove backup encryption"
+  declare SERVICE="$1"
+  local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
+  local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
+
+  rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+}
+
 service_container_rm() {
   declare desc="stop a service and remove the running container"
   declare SERVICE="$1"

subcommands/backup-set-public-key-encryption

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"
+
+service-backup-set-public-key-encryption-cmd() {
+  #E set the GPG Public Key for encrypting backups
+  #E dokku $PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption lollipop
+  #A service, service to run command against
+  #A public-key-id, a GPG Public Key ID (or fingerprint) to use for encryption. Must be uploaded to the GPG keyserver beforehand.
+  declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service"
+  local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption" argv=("$@")
+  [[ ${argv[0]} == "$cmd" ]] && shift 1
+  declare SERVICE="$1" PUBLIC_KEY_ID="$2"
+  is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented"
+
+  [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
+  [[ -z "$PUBLIC_KEY_ID" ]] && dokku_log_fail "Please specify a valid GPG Public Key ID (or fingerprint)"
+  verify_service_name "$SERVICE"
+  service_backup_set_public_key_encryption "$SERVICE" "$PUBLIC_KEY_ID"
+}
+
+service-backup-set-public-key-encryption-cmd "$@"

subcommands/backup-unset-public-key-encryption

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config"
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions"
+
+service-backup-unset-public-key-encryption-cmd() {
+  #E unset the GPG Public Key encryption for backups
+  #E dokku $PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption lollipop
+  #A service, service to run command against
+  declare desc="unset GPG Public Key encryption for future backups of the $PLUGIN_SERVICE service"
+  local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption" argv=("$@")
+  [[ ${argv[0]} == "$cmd" ]] && shift 1
+  declare SERVICE="$1"
+  is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented"  # TODO: [22.03.2024 by Mykola]
+
+  [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
+  verify_service_name "$SERVICE"
+  service_backup_unset_public_key_encryption "$SERVICE"  # TODO: [22.03.2024 by Mykola]
+}
+
+service-backup-unset-encryption-cmd "$@"