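#!/bin/bash
# Consul secret management script
# Stores and retrieves the Oracle Cloud (OCI) configuration for one
# environment in the Consul KV store, and renders it into a Terraform
# variables file.
#
# Usage:        see show_help (run with "help")
# Environment:  CONSUL_ADDR, CONSUL_TOKEN, ENVIRONMENT, OCI_REGION (all optional)
set -euo pipefail

# --- Configuration (overridable through the environment) ---
CONSUL_ADDR="${CONSUL_ADDR:-http://localhost:8500}"
CONSUL_TOKEN="${CONSUL_TOKEN:-}"
ENVIRONMENT="${ENVIRONMENT:-dev}"
# Region written into the generated tfvars (previously hard-coded).
OCI_REGION="${OCI_REGION:-ap-seoul-1}"
# Prefix of the temporary private-key files created by generate_terraform_vars
# and removed by cleanup_temp_files (that function globs over this prefix).
readonly TEMP_KEY_PREFIX="/tmp/oci_private_key_"

# --- Colour output: real escape bytes, so they can be emitted with printf '%s' ---
readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly BLUE=$'\033[0;34m'
readonly NC=$'\033[0m' # No Color

# --- Logging helpers ---
# The message is printed verbatim: unlike `echo -e`, no escape sequences in
# the message itself are interpreted. Errors go to stderr.
log_info()    { printf '%s[INFO]%s %s\n' "$BLUE" "$NC" "$*"; }
log_success() { printf '%s[SUCCESS]%s %s\n' "$GREEN" "$NC" "$*"; }
log_warning() { printf '%s[WARNING]%s %s\n' "$YELLOW" "$NC" "$*"; }
log_error()   { printf '%s[ERROR]%s %s\n' "$RED" "$NC" "$*" >&2; }

#######################################
# Run curl against Consul with the shared options.
# Globals:   CONSUL_TOKEN (read)
# Arguments: passed through to curl
# Returns:   curl's status; -f turns HTTP errors (e.g. 404) into non-zero
#######################################
consul_curl() {
  if [[ -n "$CONSUL_TOKEN" ]]; then
    # The ACL token is handed to curl through a config file on a pipe instead
    # of an argv header, so it does not show up in `ps` output.
    curl -sS -f -K <(printf 'header = "X-Consul-Token: %s"\n' "$CONSUL_TOKEN") "$@"
  else
    curl -sS -f "$@"
  fi
}

# Print the KV URL for key path $1 (no trailing newline).
consul_kv_url() {
  printf '%s/v1/kv/%s' "$CONSUL_ADDR" "$1"
}

# Print the raw value stored at key $1; silent and non-zero when absent.
consul_get() {
  consul_curl "$(consul_kv_url "$1")?raw" 2>/dev/null
}

# Store stdin verbatim at key $1. Reading the body from stdin keeps secrets
# off the command line and preserves newlines in multi-line values.
consul_put() {
  consul_curl -X PUT --data-binary @- "$(consul_kv_url "$1")" >/dev/null
}

# Print the KV base path of this environment's Oracle configuration.
oracle_base_path() {
  printf 'config/%s/oracle' "$ENVIRONMENT"
}

# True when $1 is a safe environment name: it is interpolated into KV keys
# and file system paths, so slashes, "..", and whitespace are rejected.
validate_environment() {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

#######################################
# Abort unless Consul answers the leader endpoint.
# Globals:   CONSUL_ADDR (read)
#######################################
check_consul() {
  log_info "检查 Consul 连接..."
  if ! consul_curl "${CONSUL_ADDR}/v1/status/leader" >/dev/null 2>&1; then
    log_error "无法连接到 Consul: ${CONSUL_ADDR}"
    exit 1
  fi
  log_success "Consul 连接正常"
}

#######################################
# Prompt for the OCI settings and store them under the environment's base path.
# Globals:   ENVIRONMENT (read)
# Inputs:    interactive (stdin)
#######################################
set_oracle_config() {
  local tenancy_ocid user_ocid fingerprint private_key_path compartment_ocid
  local base_path
  log_info "设置 Oracle Cloud 配置..."
  echo "请输入 Oracle Cloud 配置信息:"
  read -r -p "租户 OCID: " tenancy_ocid
  read -r -p "用户 OCID: " user_ocid
  read -r -p "API 密钥指纹: " fingerprint
  read -r -p "私钥文件路径: " private_key_path
  read -r -p "区间 OCID: " compartment_ocid

  if [[ ! -f "$private_key_path" ]]; then
    log_error "私钥文件不存在: $private_key_path"
    exit 1
  fi

  base_path=$(oracle_base_path)
  printf '%s' "$tenancy_ocid" | consul_put "${base_path}/tenancy_ocid"
  printf '%s' "$user_ocid" | consul_put "${base_path}/user_ocid"
  printf '%s' "$fingerprint" | consul_put "${base_path}/fingerprint"
  # The key file is streamed straight into the request: it never lands in a
  # shell variable or on curl's argv, and its newlines are kept intact.
  consul_put "${base_path}/private_key" < "$private_key_path"
  printf '%s' "$compartment_ocid" | consul_put "${base_path}/compartment_ocid"
  log_success "Oracle Cloud 配置已存储到 Consul"
}

#######################################
# Print the stored OCI settings; only the first line of the private key
# (its PEM header) is shown.
# Globals:   ENVIRONMENT (read)
#######################################
get_oracle_config() {
  local base_path private_key
  log_info "从 Consul 获取 Oracle Cloud 配置..."
  base_path=$(oracle_base_path)
  echo "Oracle Cloud 配置:"
  echo "租户 OCID: $(consul_get "${base_path}/tenancy_ocid" || echo "未设置")"
  echo "用户 OCID: $(consul_get "${base_path}/user_ocid" || echo "未设置")"
  echo "指纹: $(consul_get "${base_path}/fingerprint" || echo "未设置")"
  echo "区间 OCID: $(consul_get "${base_path}/compartment_ocid" || echo "未设置")"
  if private_key=$(consul_get "${base_path}/private_key"); then
    echo "私钥: ${private_key%%$'\n'*}"
  else
    echo "私钥: 未设置"
  fi
}

#######################################
# Recursively delete the environment's OCI settings after confirmation.
# Globals:   ENVIRONMENT (read)
#######################################
delete_oracle_config() {
  local confirm base_path
  log_warning "删除 Oracle Cloud 配置..."
  read -r -p "确定要删除所有 Oracle Cloud 配置吗?(y/N): " confirm
  if [[ "$confirm" != [yY] ]]; then
    log_info "操作已取消"
    return
  fi
  base_path=$(oracle_base_path)
  consul_curl -X DELETE "$(consul_kv_url "$base_path")?recurse" >/dev/null
  log_success "Oracle Cloud 配置已删除"
}

#######################################
# Render the stored settings into terraform.tfvars.consul and write the
# private key to a mode-0600 temporary file referenced from it.
# Globals:   ENVIRONMENT, OCI_REGION, TEMP_KEY_PREFIX (read)
# Outputs:   infrastructure/environments/${ENVIRONMENT}/terraform.tfvars.consul
#######################################
generate_terraform_vars() {
  local base_path output_file output_dir temp_key_file
  local tenancy_ocid user_ocid fingerprint compartment_ocid
  log_info "生成 Terraform 变量文件..."
  base_path=$(oracle_base_path)
  output_file="infrastructure/environments/${ENVIRONMENT}/terraform.tfvars.consul"
  output_dir="${output_file%/*}"

  # Missing keys become empty strings; only tenancy_ocid is mandatory.
  tenancy_ocid=$(consul_get "${base_path}/tenancy_ocid") || tenancy_ocid=""
  user_ocid=$(consul_get "${base_path}/user_ocid") || user_ocid=""
  fingerprint=$(consul_get "${base_path}/fingerprint") || fingerprint=""
  compartment_ocid=$(consul_get "${base_path}/compartment_ocid") || compartment_ocid=""
  if [[ -z "$tenancy_ocid" ]]; then
    log_error "Consul 中没有找到 Oracle Cloud 配置"
    exit 1
  fi
  if [[ ! -d "$output_dir" ]]; then
    log_error "输出目录不存在: $output_dir"
    exit 1
  fi

  # mktemp creates the file with mode 0600 and an unpredictable name, so
  # another local user cannot pre-create or symlink the path before the
  # key is written into it.
  if ! temp_key_file=$(mktemp "${TEMP_KEY_PREFIX}${ENVIRONMENT}.XXXXXX"); then
    log_error "无法创建临时私钥文件"
    exit 1
  fi
  if ! consul_get "${base_path}/private_key" > "$temp_key_file"; then
    rm -f -- "$temp_key_file"
    log_error "Consul 中没有找到 Oracle Cloud 私钥"
    exit 1
  fi
  chmod 600 "$temp_key_file"

  cat > "$output_file" << EOF
# 从 Consul 生成的 Oracle Cloud 配置
# 生成时间: $(date)
# 环境: ${ENVIRONMENT}
oci_config = {
  tenancy_ocid     = "$tenancy_ocid"
  user_ocid        = "$user_ocid"
  fingerprint      = "$fingerprint"
  private_key_path = "$temp_key_file"
  region           = "$OCI_REGION"
  compartment_ocid = "$compartment_ocid"
}
EOF
  log_success "Terraform 变量文件已生成: $output_file"
  log_warning "私钥文件位置: $temp_key_file"
  log_warning "请在使用完毕后删除临时私钥文件"
}

#######################################
# Remove temporary key files and generated tfvars files.
# Globals:   TEMP_KEY_PREFIX (read)
#######################################
cleanup_temp_files() {
  log_info "清理临时文件..."
  # Globbing over the prefix also catches files left by earlier versions that
  # used a fixed ".pem" name.
  rm -f -- "${TEMP_KEY_PREFIX}"*
  rm -f -- infrastructure/environments/*/terraform.tfvars.consul
  log_success "临时文件已清理"
}

# Print usage to stdout.
show_help() {
  cat << EOF
Consul 密钥管理脚本

用法: $0 [选项]

选项:
  set-oracle      设置 Oracle Cloud 配置到 Consul
  get-oracle      从 Consul 获取 Oracle Cloud 配置
  delete-oracle   从 Consul 删除 Oracle Cloud 配置
  generate-vars   从 Consul 生成 Terraform 变量文件
  cleanup         清理临时文件
  help            显示此帮助信息

环境变量:
  CONSUL_ADDR     Consul 地址 (默认: http://localhost:8500)
  CONSUL_TOKEN    Consul ACL Token (可选)
  ENVIRONMENT     环境名称 (默认: dev)
  OCI_REGION      写入 Terraform 变量文件的 OCI 区域 (默认: ap-seoul-1)

示例:
  # 设置 Oracle Cloud 配置
  $0 set-oracle

  # 生成 Terraform 变量文件
  $0 generate-vars

  # 查看配置
  $0 get-oracle

  # 清理临时文件
  $0 cleanup
EOF
}

#######################################
# Entry point: validate the environment name and Consul reachability for
# the commands that need them, then dispatch.
# Arguments: $1 - command (defaults to "help")
#######################################
main() {
  local command="${1:-help}"
  case "$command" in
    set-oracle|get-oracle|delete-oracle|generate-vars)
      if ! validate_environment "$ENVIRONMENT"; then
        log_error "无效的环境名称: ${ENVIRONMENT}"
        exit 1
      fi
      check_consul
      ;;
  esac
  case "$command" in
    set-oracle)    set_oracle_config ;;
    get-oracle)    get_oracle_config ;;
    delete-oracle) delete_oracle_config ;;
    generate-vars) generate_terraform_vars ;;
    cleanup)       cleanup_temp_files ;;
    help|*)        show_help ;;
  esac
}

main "$@"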