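#!/bin/bash
# Initialise a Vault *development* cluster purely over the HTTP API (no local
# `vault` binary required):
#   1. wait until the master node answers on /v1/sys/health,
#   2. if the cluster is uninitialised, initialise it with 1 key share /
#      threshold 1 and unseal every node with that share,
#   3. persist the raw init response and a VAULT_ADDR/VAULT_TOKEN env file
#      under SECRETS_DIR, mode 0600, without echoing either secret.
# Required tools: bash 4+, curl, jq.
set -euo pipefail

# Everything this script creates holds secret material; restrict it to the
# owner before any file is touched (umask applies to newly created files).
umask 077

# 颜色定义 (real escape bytes via $'..', so printf '%s' can emit them)
GREEN=$'\033[0;32m'
YELLOW=$'\033[1;33m'
RED=$'\033[0;31m'
NC=$'\033[0m' # No Color

# 设置主节点地址
readonly VAULT_MASTER_ADDR='http://100.117.106.136:8200'
# Other cluster members that receive the same single share (dev cluster).
VAULT_PEER_ADDRS=(
  'http://100.116.80.94:8200'    # ash3c
  'http://100.122.197.112:8200'  # warden
)
readonly VAULT_PEER_ADDRS
readonly SECRETS_DIR='/root/mgmt/security/secrets/vault/dev'
readonly INIT_KEYS_FILE="${SECRETS_DIR}/init_keys.json"
readonly VAULT_ENV_FILE="${SECRETS_DIR}/vault_env.sh"
readonly CURL_CONNECT_TIMEOUT=5  # seconds; keeps an unreachable node from hanging the run
readonly WAIT_ATTEMPTS=30
readonly WAIT_INTERVAL=2         # seconds between health probes

# 函数定义
log_info()  { printf '%s[INFO]%s %s\n'  "$GREEN"  "$NC" "$*"; }
log_warn()  { printf '%s[WARN]%s %s\n'  "$YELLOW" "$NC" "$*" >&2; }
log_error() { printf '%s[ERROR]%s %s\n' "$RED"    "$NC" "$*" >&2; }
die()       { log_error "$@"; exit 1; }

#######################################
# GET /v1/sys/health from one node and print the JSON body.
# Vault reports uninitialised/sealed/standby state through non-2xx codes on
# this endpoint, so HTTP status is deliberately NOT treated as failure here;
# only a transport error or a non-JSON body is.
# Arguments: $1 - node base URL
# Returns:   0 with the JSON on stdout, 1 if the node is unreachable
#######################################
vault_health() {
  local body
  body=$(curl -s --connect-timeout "$CURL_CONNECT_TIMEOUT" "$1/v1/sys/health") || return 1
  jq -e . <<<"$body" >/dev/null 2>&1 || return 1
  printf '%s\n' "$body"
}

#######################################
# POST a JSON document to a Vault API path and print the response body.
# Arguments: $1 - node base URL
#            $2 - API path, e.g. /v1/sys/init
#            $3 - JSON request body
# Returns:   0 on a 2xx response, 1 otherwise (the body is still printed so
#            the caller can log Vault's error message)
#######################################
vault_post() {
  local out code
  local nl=$'\n'
  # -w appends the status code on its own line after the body.
  out=$(curl -s --connect-timeout "$CURL_CONNECT_TIMEOUT" -X POST \
          -H 'Content-Type: application/json' \
          -d "$3" -w '\n%{http_code}' "$1$2") || return 1
  code=${out##*"$nl"}
  printf '%s\n' "${out%"$nl"*}"
  [[ "$code" == 2* ]]
}

#######################################
# Submit one unseal share to a node and verify it reports sealed=false.
# Arguments: $1 - node base URL
#            $2 - base64 unseal key
# Returns:   0 when the node is unsealed afterwards, 1 otherwise
#######################################
unseal_node() {
  local addr=$1 key=$2
  local body resp
  # Build the body with jq so the key is JSON-encoded, not string-spliced.
  body=$(jq -cn --arg key "$key" '{key: $key}')
  resp=$(vault_post "$addr" /v1/sys/unseal "$body") || {
    log_error "解封 $addr 失败: $resp"
    return 1
  }
  [[ "$(jq -r '.sealed' <<<"$resp")" == "false" ]]
}

#######################################
# Poll the master node until it answers /v1/sys/health.
# Outputs:   one '.' per failed probe on stdout, then a newline
# Returns:   0 once reachable, 1 after WAIT_ATTEMPTS failures
#######################################
wait_for_vault() {
  local i
  for ((i = 1; i <= WAIT_ATTEMPTS; i++)); do
    if vault_health "$VAULT_MASTER_ADDR" >/dev/null; then
      printf '\n'
      return 0
    fi
    printf '.'
    sleep "$WAIT_INTERVAL"
  done
  printf '\n'
  return 1
}

#######################################
# Initialise the cluster (1 share / threshold 1), persist the response,
# unseal every node and write the env file.
# Globals:   VAULT_MASTER_ADDR, VAULT_PEER_ADDRS, SECRETS_DIR,
#            INIT_KEYS_FILE, VAULT_ENV_FILE (read)
# Returns:   0 on success; exits 1 on any failure
#######################################
initialize_cluster() {
  local init_body init_response unseal_key root_token addr
  local failed=0

  # Make sure the destination is usable BEFORE calling /sys/init: if the
  # write failed afterwards, the only copy of the unseal share and root
  # token would be lost while Vault stayed initialised.
  mkdir -p -- "$SECRETS_DIR" || die "无法创建目录: $SECRETS_DIR"
  [[ -w "$SECRETS_DIR" ]] || die "目录不可写: $SECRETS_DIR"

  log_info "Vault未初始化,正在通过API初始化..."
  # 通过API初始化Vault(1个密钥,阈值1)
  init_body='{ "secret_shares": 1, "secret_threshold": 1 }'
  if ! init_response=$(vault_post "$VAULT_MASTER_ADDR" /v1/sys/init "$init_body"); then
    log_error "Vault初始化失败"
    log_error "响应: $init_response"
    exit 1
  fi

  # Persist the raw response immediately: it is the only copy of the
  # share and the root token. chmod covers a pre-existing file, which
  # umask alone would not re-mode.
  printf '%s\n' "$init_response" > "$INIT_KEYS_FILE"
  chmod 600 -- "$INIT_KEYS_FILE"

  # 提取密钥和令牌 (jq failures are mapped to "empty" so the error path
  # below logs the response instead of dying on a jq message)
  unseal_key=$(jq -r '.keys_base64[0] // empty' <<<"$init_response" 2>/dev/null || true)
  root_token=$(jq -r '.root_token // empty' <<<"$init_response" 2>/dev/null || true)
  if [[ -z "$unseal_key" || -z "$root_token" ]]; then
    log_error "Vault初始化失败"
    log_error "响应: $init_response"
    exit 1
  fi

  log_info "Vault初始化成功(开发模式)"
  log_warn "注意:这是开发模式,仅使用1个解封密钥"
  log_warn "生产环境请使用5个密钥中的3个阈值"
  # The share and token are deliberately not printed: terminal scrollback
  # and captured logs are not a place for them.
  log_info "解封密钥和根令牌已保存到: $INIT_KEYS_FILE"

  # 自动解封所有节点 (each node is checked; a failure no longer goes unnoticed)
  log_info "正在自动解封所有Vault节点..."
  for addr in "$VAULT_MASTER_ADDR" "${VAULT_PEER_ADDRS[@]}"; do
    if unseal_node "$addr" "$unseal_key"; then
      log_info "已解封: $addr"
    else
      log_error "节点仍处于密封状态: $addr"
      failed=1
    fi
  done
  (( failed == 0 )) || die "部分节点解封失败,请检查上述错误"
  log_info "所有Vault节点已成功解封"

  # 显示Vault状态 (fresh fetch, after the unseal)
  log_info "Vault集群状态:"
  vault_health "$VAULT_MASTER_ADDR" | jq .

  # 保存环境变量以便后续使用 — VAULT_TOKEN is a credential; file is 0600.
  {
    printf "export VAULT_ADDR='%s'\n" "$VAULT_MASTER_ADDR"
    printf "export VAULT_TOKEN='%s'\n" "$root_token"
  } > "$VAULT_ENV_FILE"
  chmod 600 -- "$VAULT_ENV_FILE"
  log_info "环境变量已保存到: $VAULT_ENV_FILE"

  log_warn "开发环境提示:"
  log_warn "1. 请勿在生产环境中使用此配置"
  log_warn "2. 生产环境应使用5个密钥中的3个阈值"
  log_warn "3. 密钥应分发给不同管理员保管"
}

#######################################
# Entry point: wait for the master, then initialise or report state.
#######################################
main() {
  local health init_status sealed_status
  printf '%s\n' "===== 通过API初始化Vault开发环境 ====="
  command -v curl >/dev/null || die "需要 curl"
  command -v jq   >/dev/null || die "需要 jq"

  # 等待Vault启动 — an unreachable master is an error, not "already initialised".
  log_info "等待Vault启动..."
  wait_for_vault || die "等待Vault超时: $VAULT_MASTER_ADDR 不可达"

  # 检查Vault是否已初始化 (one fetch, parsed with jq rather than grep/cut)
  health=$(vault_health "$VAULT_MASTER_ADDR") || die "无法获取Vault健康状态"
  init_status=$(jq -r '.initialized' <<<"$health")
  if [[ "$init_status" == "false" ]]; then
    initialize_cluster
  elif [[ "$init_status" == "true" ]]; then
    log_info "Vault已初始化"
    # 检查Vault是否已解封
    sealed_status=$(jq -r '.sealed' <<<"$health")
    if [[ "$sealed_status" == "true" ]]; then
      log_warn "Vault已初始化但仍处于密封状态"
      log_info "请使用API解封:"
      log_info "curl -X POST -d '{\"key\": \"<解封密钥>\"}' $VAULT_MASTER_ADDR/v1/sys/unseal"
    else
      log_info "Vault已初始化且已解封,可以正常使用"
      # 显示Vault状态
      log_info "Vault集群状态:"
      vault_health "$VAULT_MASTER_ADDR" | jq .
    fi
  else
    die "无法解析Vault健康状态: $health"
  fi

  log_info "===== Vault开发环境初始化完成 ====="
}

main "$@"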