#!/bin/bash # Vault集群初始化和解封脚本 set -e echo "===== Vault集群初始化 =====" # 颜色定义 GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m' # No Color # 函数定义 log_info() { echo -e "${GREEN}[INFO]${NC} $1" } log_warn() { echo -e "${YELLOW}[WARN]${NC} $1" } log_error() { echo -e "${RED}[ERROR]${NC} $1" } # 检查Vault命令是否存在 if ! command -v vault &> /dev/null; then log_error "Vault命令未找到,请先安装Vault" exit 1 fi # 设置Vault地址为master节点 export VAULT_ADDR='http://100.117.106.136:8200' # 等待Vault启动 log_info "等待Vault启动..." for i in {1..30}; do if curl -s "$VAULT_ADDR/v1/sys/health" > /dev/null; then break fi echo -n "." sleep 2 done echo "" # 检查Vault是否已初始化 init_status=$(curl -s "$VAULT_ADDR/v1/sys/health" | grep -o '"initialized":[^,}]*' | cut -d ':' -f2) if [ "$init_status" = "false" ]; then log_info "Vault未初始化,正在初始化..." # 初始化Vault并保存密钥到安全目录 vault operator init -key-shares=5 -key-threshold=3 -format=json > /root/mgmt/security/secrets/vault/init_keys.json if [ $? -eq 0 ]; then log_info "Vault初始化成功" log_warn "重要:请立即将以下文件安全备份并分发给不同管理员" log_warn "密钥文件位置: /root/mgmt/security/secrets/vault/init_keys.json" # 显示关键信息但不显示完整密钥 unseal_keys_count=$(cat /root/mgmt/security/secrets/vault/init_keys.json | grep -o '"unseal_keys_b64":\[\([^]]*\)' | sed 's/"unseal_keys_b64":\[//g' | tr ',' '\n' | wc -l) root_token=$(cat /root/mgmt/security/secrets/vault/init_keys.json | grep -o '"root_token":"[^"]*"' | cut -d '"' -f4) log_info "生成了 $unseal_keys_count 个解封密钥,需要其中任意 3 个来解封Vault" log_info "根令牌已生成(请安全保管)" # 提取解封密钥用于自动解封 unseal_key1=$(cat /root/mgmt/security/secrets/vault/init_keys.json | grep -o '"unseal_keys_b64":\[\([^]]*\)' | sed 's/"unseal_keys_b64":\[//g' | tr ',' '\n' | sed 's/"//g' | head -1) unseal_key2=$(cat /root/mgmt/security/secrets/vault/init_keys.json | grep -o '"unseal_keys_b64":\[\([^]]*\)' | sed 's/"unseal_keys_b64":\[//g' | tr ',' '\n' | sed 's/"//g' | head -2 | tail -1) unseal_key3=$(cat /root/mgmt/security/secrets/vault/init_keys.json | grep -o '"unseal_keys_b64":\[\([^]]*\)' | sed 's/"unseal_keys_b64":\[//g' | tr ',' '\n' | sed 's/"//g' | head -3 | tail -1) # 解封所有节点 log_info "正在解封所有Vault节点..." # 解封master节点 export VAULT_ADDR='http://100.117.106.136:8200' vault operator unseal "$unseal_key1" vault operator unseal "$unseal_key2" vault operator unseal "$unseal_key3" # 解封ash3c节点 export VAULT_ADDR='http://100.116.80.94:8200' vault operator unseal "$unseal_key1" vault operator unseal "$unseal_key2" vault operator unseal "$unseal_key3" # 解封warden节点 export VAULT_ADDR='http://100.122.197.112:8200' vault operator unseal "$unseal_key1" vault operator unseal "$unseal_key2" vault operator unseal "$unseal_key3" log_info "所有Vault节点已成功解封" log_warn "请确保将密钥文件安全备份到多个位置,并按照安全策略分发给不同管理员" log_info "根令牌: $root_token" # 显示Vault状态 log_info "Vault集群状态:" export VAULT_ADDR='http://100.117.106.136:8200' vault status else log_error "Vault初始化失败" exit 1 fi else log_info "Vault已初始化" # 检查Vault是否已解封 sealed_status=$(curl -s "$VAULT_ADDR/v1/sys/health" | grep -o '"sealed":[^,}]*' | cut -d ':' -f2) if [ "$sealed_status" = "true" ]; then log_warn "Vault已初始化但仍处于密封状态,请手动解封" log_info "使用以下命令解封Vault:" log_info "export VAULT_ADDR='http://<节点IP>:8200'" log_info "vault operator unseal <解封密钥1>" log_info "vault operator unseal <解封密钥2>" log_info "vault operator unseal <解封密钥3>" else log_info "Vault已初始化且已解封,可以正常使用" fi fi log_info "===== Vault集群初始化和解封完成 ====="