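#!/bin/bash
# Vault / Consul integration management script.
#
# Usage: $0 {status|verify|backup|restore|monitor [interval]|health|help}
#
# Optional environment:
#   CONSUL_HTTP_ADDR  Consul HTTP API base used by the curl calls
#                     (default: http://100.117.106.136:8500, as in the original script)
#   VAULT_ADDR        Vault API base used by the curl health probe
#                     (default: http://100.117.106.136:8200)
#   VAULT_ENV_FILE    file sourced before `vault status`
#   BACKUP_DIR        directory that receives Consul/Vault backups
#
# The defaults talk plain HTTP to a fixed address; point the two *_ADDR variables
# at https endpoints where TLS is enabled on the cluster.

set -o pipefail

readonly CONSUL_API="${CONSUL_HTTP_ADDR:-http://100.117.106.136:8500}"
readonly VAULT_API="${VAULT_ADDR:-http://100.117.106.136:8200}"
readonly VAULT_ENV_FILE="${VAULT_ENV_FILE:-/root/mgmt/security/secrets/vault/dev/vault_env.sh}"
readonly BACKUP_DIR="${BACKUP_DIR:-/root/mgmt/security/secrets/vault/backups}"
readonly VERIFY_SCRIPT="/root/mgmt/deployment/scripts/verify_vault_consul_integration.sh"

# Colour definitions (escape sequences pre-expanded so printf '%s' can emit them).
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly RED=$'\033[0;31m'
readonly NC=$'\033[0m' # No Color

# Logging helpers. printf is used instead of `echo -e` so a message is printed
# literally (no backslash interpretation, no `-n`/`-e` surprises).
# Arguments: message words, joined by a space
log_info() { printf '%s[INFO]%s %s\n' "$GREEN" "$NC" "$*"; }
log_warn() { printf '%s[WARN]%s %s\n' "$YELLOW" "$NC" "$*"; }
# Errors go to stderr so they are not mixed into captured stdout.
log_error() { printf '%s[ERROR]%s %s\n' "$RED" "$NC" "$*" >&2; }

# Section banner used by remote_management_demo (it was called but never
# defined in the original script).
# Arguments: banner text
echo_section() { printf '\n==== %s ====\n' "$*"; }

# Print usage to stdout.
show_help() {
  printf '%s\n' \
    "用法: $0 [选项]" \
    "选项:" \
    " status 显示Vault和Consul状态" \
    " verify 验证集成状态" \
    " backup 备份Consul中的Vault数据" \
    " restore 从备份恢复Consul中的Vault数据" \
    " monitor 监控Vault和Consul运行状态" \
    " health 检查健康状态" \
    " help 显示此帮助信息"
}

# Show Vault status, Consul members and the number of Vault keys stored in Consul.
# Globals: VAULT_ENV_FILE (sourced if readable), CONSUL_API
show_status() {
  log_info "Vault状态:"
  if [[ -r "$VAULT_ENV_FILE" ]]; then
    # shellcheck disable=SC1090
    source "$VAULT_ENV_FILE"
  else
    log_warn "无法读取 Vault 环境文件: $VAULT_ENV_FILE"
  fi
  vault status
  echo ""
  log_info "Consul成员状态:"
  consul members
  echo ""
  log_info "Consul中的Vault数据键数量:"
  # URL quoted: the original left `?keys` unquoted, so a matching file in the
  # current directory could have been expanded as a glob.
  curl -sS "$CONSUL_API/v1/kv/vault/?keys" | jq length
}

# Run the external integration verification script.
# Returns: the script's status, or 1 if it is missing / not executable
verify_integration() {
  if [[ -x "$VERIFY_SCRIPT" ]]; then
    "$VERIFY_SCRIPT"
  else
    log_error "验证脚本不存在或不可执行: $VERIFY_SCRIPT"
    return 1
  fi
}

# Back up every key under vault/ in Consul's KV store into one JSON file.
# The dump is Vault's storage backend (seal config, barrier keyring and secret
# ciphertext) exactly as Consul holds it, so the file is created owner-only
# (umask 077) and the directory is restricted to the owner.
# Globals: BACKUP_DIR, CONSUL_API
# Outputs: path of the backup file via log_info
# Returns: 0 on success, 1 when the key list cannot be fetched or the directory
#          cannot be created
backup_vault_data() {
  log_info "开始备份Consul中的Vault数据..."
  local timestamp backup_file keys key value old_umask
  timestamp=$(date +%Y%m%d_%H%M%S)
  backup_file="$BACKUP_DIR/vault_consul_backup_$timestamp.json"

  if ! mkdir -p "$BACKUP_DIR"; then
    log_error "✗ 无法创建备份目录: $BACKUP_DIR"
    return 1
  fi
  chmod 700 "$BACKUP_DIR"

  # List all Vault-related keys.
  keys=$(curl -sS "$CONSUL_API/v1/kv/vault/?recurse" | jq -r '.[].Key')
  if [[ -z "$keys" ]]; then
    log_error "✗ 无法获取Consul中的Vault数据"
    return 1
  fi

  old_umask=$(umask)
  umask 077
  # Build the backup skeleton with jq so the timestamp is JSON-escaped.
  jq -n --arg ts "$(date -Iseconds)" '{backup_timestamp: $ts, vault_data: []}' > "$backup_file"

  # Append each key's value. Consul already returns Value base64-encoded, so it
  # is stored as-is; the original decoded and re-encoded it, which only
  # re-wrapped the base64 lines. Folder keys have a null Value and become "".
  while IFS= read -r key; do
    [[ -n "$key" ]] || continue
    value=$(curl -sS "$CONSUL_API/v1/kv/$key" | jq -r '.[0].Value // empty')
    jq --arg key "$key" --arg value "$value" \
      '.vault_data += [{"key": $key, "value": $value}]' "$backup_file" > "$backup_file.tmp" \
      && mv "$backup_file.tmp" "$backup_file"
  done <<< "$keys"
  umask "$old_umask"

  log_info "✓ Vault数据已备份到: $backup_file"
  log_warn "注意:这是未加密的备份,请确保安全存储"
}

# Demonstration of remote management via the consul/vault CLIs.
# NOTE: not wired to any CLI option; it writes test keys (demo/test/value and
# secret/demo/test) to the live cluster when invoked.
remote_management_demo() {
  echo_section "HashiCorp 产品远程管理能力演示"

  log_info "1. Consul 远程管理演示"
  # Consul cluster members
  log_info "查看 Consul 集群成员:"
  consul members || log_warn "无法获取集群成员信息"
  # Consul datacenter information
  log_info "查看 Consul 数据中心信息:"
  consul info | grep -E "(datacenter|server|client)" || log_warn "无法获取数据中心信息"
  # Store and read a KV pair in Consul
  log_info "在 Consul 中存储测试键值:"
  echo "测试值" | consul kv put demo/test/value -
  log_info "从 Consul 读取测试键值:"
  consul kv get demo/test/value || log_warn "无法读取键值"

  log_info "2. Vault 远程管理演示"
  # Vault status
  log_info "检查 Vault 状态:"
  vault status || log_warn "无法连接到 Vault 或 Vault 未初始化"
  # Vault secrets engines
  log_info "列出 Vault 密钥引擎:"
  vault secrets list || log_warn "无法列出密钥引擎"
  # Write and read a secret in Vault
  log_info "在 Vault 中存储测试密钥:"
  echo "测试数据" | vault kv put secret/demo/test value=-
  log_info "从 Vault 读取测试密钥:"
  vault kv get secret/demo/test || log_warn "无法读取密钥"
  # Vault cluster information
  log_info "查看 Vault 集群信息:"
  vault operator raft list-peers || log_warn "无法列出 Raft 集群节点"

  log_info "远程管理功能演示完成"
  log_info "请根据实际环境配置正确的地址和认证凭据"
}

# Decide whether a Consul /v1/status/leader response body names a leader.
# Consul answers that endpoint with "" (two quote characters) when the cluster
# has no leader, so a merely non-empty body is not enough -- the original check
# reported a leader in that case.
# Arguments: $1 - raw response body
# Returns: 0 when a leader address is present, 1 otherwise
consul_leader_present() {
  local body=$1
  [[ -n "$body" && "$body" != '""' && "$body" != "null" ]]
}

# Probe Vault and Consul and report initialisation, seal, leader and core data.
# Globals: VAULT_API, CONSUL_API
health_check() {
  log_info "执行健康检查..."
  local vault_health consul_leader vault_data_check

  # Vault: /v1/sys/health returns a JSON body even on the non-200 statuses it
  # uses for sealed/standby, so parse the body with jq rather than grep.
  vault_health=$(curl -sS "$VAULT_API/v1/sys/health")
  if jq -e '.initialized == true' >/dev/null 2>&1 <<< "$vault_health"; then
    log_info "✓ Vault已初始化"
  else
    log_error "✗ Vault未初始化"
  fi
  if jq -e '.sealed == false' >/dev/null 2>&1 <<< "$vault_health"; then
    log_info "✓ Vault未密封"
  else
    log_error "✗ Vault已密封"
  fi

  # Consul leader
  consul_leader=$(curl -sS "$CONSUL_API/v1/status/leader")
  if consul_leader_present "$consul_leader"; then
    log_info "✓ Consul集群有领导者"
  else
    log_error "✗ Consul集群无领导者"
  fi

  # Vault core data in Consul (missing key -> empty body -> empty length)
  vault_data_check=$(curl -s "$CONSUL_API/v1/kv/vault/core/seal-config" 2>/dev/null | jq length 2>/dev/null)
  if [[ -n "$vault_data_check" && "$vault_data_check" -gt 0 ]]; then
    log_info "✓ Vault核心数据存在"
  else
    log_error "✗ Vault核心数据缺失"
  fi

  log_info "健康检查完成"
}

# Minimal monitor (the `monitor` option called an undefined function in the
# original): repeat health_check every INTERVAL seconds until interrupted.
# Arguments: $1 - interval in seconds (default 30)
monitor_status() {
  local interval=${1:-30}
  while true; do
    health_check
    sleep "$interval"
  done
}

# Dispatch on the first argument.
main() {
  local cmd=${1:-}
  case "$cmd" in
    status) show_status ;;
    verify) verify_integration ;;
    backup) backup_vault_data ;;
    restore)
      # Listed in the help text but never implemented; fail explicitly instead
      # of reporting an unknown option.
      log_error "restore 功能尚未实现"
      exit 1
      ;;
    monitor) monitor_status "${2:-30}" ;;
    health) health_check ;;
    help|--help|-h|"") show_help ;;
    *)
      log_error "未知选项: $cmd"
      show_help
      exit 1
      ;;
  esac
}

main "$@"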