122 lines
3.9 KiB
Bash
Executable File
122 lines
3.9 KiB
Bash
Executable File
#!/bin/bash
|
||
# Vault开发环境初始化脚本
|
||
|
||
set -e
|
||
|
||
echo "===== Vault开发环境初始化 ====="
|
||
|
||
# 颜色定义
|
||
GREEN='\033[0;32m'
|
||
YELLOW='\033[1;33m'
|
||
RED='\033[0;31m'
|
||
NC='\033[0m' # No Color
|
||
|
||
# 函数定义
|
||
log_info() {
|
||
echo -e "${GREEN}[INFO]${NC} $1"
|
||
}
|
||
|
||
log_warn() {
|
||
echo -e "${YELLOW}[WARN]${NC} $1"
|
||
}
|
||
|
||
log_error() {
|
||
echo -e "${RED}[ERROR]${NC} $1"
|
||
}
|
||
|
||
# 检查Vault命令是否存在
|
||
if ! command -v vault &> /dev/null; then
|
||
log_error "Vault命令未找到,请先安装Vault"
|
||
exit 1
|
||
fi
|
||
|
||
# 设置Vault地址为master节点
|
||
export VAULT_ADDR='http://100.117.106.136:8200'
|
||
|
||
# 等待Vault启动
|
||
log_info "等待Vault启动..."
|
||
for i in {1..30}; do
|
||
if curl -s "$VAULT_ADDR/v1/sys/health" > /dev/null; then
|
||
break
|
||
fi
|
||
echo -n "."
|
||
sleep 2
|
||
done
|
||
echo ""
|
||
|
||
# 检查Vault是否已初始化
|
||
init_status=$(curl -s "$VAULT_ADDR/v1/sys/health" | grep -o '"initialized":[^,}]*' | cut -d ':' -f2)
|
||
if [ "$init_status" = "false" ]; then
|
||
log_info "Vault未初始化,正在初始化..."
|
||
|
||
# 初始化Vault并保存密钥到开发目录
|
||
vault operator init -key-shares=1 -key-threshold=1 -format=json > /root/mgmt/security/secrets/vault/dev/init_keys.json
|
||
|
||
if [ $? -eq 0 ]; then
|
||
log_info "Vault初始化成功(开发模式)"
|
||
log_warn "注意:这是开发模式,仅使用1个解封密钥"
|
||
log_warn "生产环境请使用5个密钥中的3个阈值"
|
||
|
||
# 显示密钥信息
|
||
unseal_key=$(cat /root/mgmt/security/secrets/vault/dev/init_keys.json | grep -o '"unseal_keys_b64":\["[^"]*"' | cut -d '"' -f4)
|
||
root_token=$(cat /root/mgmt/security/secrets/vault/dev/init_keys.json | grep -o '"root_token":"[^"]*"' | cut -d '"' -f4)
|
||
|
||
log_info "解封密钥: $unseal_key"
|
||
log_info "根令牌: $root_token"
|
||
|
||
# 自动解封所有节点
|
||
log_info "正在自动解封所有Vault节点..."
|
||
|
||
# 解封master节点
|
||
export VAULT_ADDR='http://100.117.106.136:8200'
|
||
vault operator unseal "$unseal_key"
|
||
|
||
# 解封ash3c节点
|
||
export VAULT_ADDR='http://100.116.80.94:8200'
|
||
vault operator unseal "$unseal_key"
|
||
|
||
# 解封warden节点
|
||
export VAULT_ADDR='http://100.122.197.112:8200'
|
||
vault operator unseal "$unseal_key"
|
||
|
||
log_info "所有Vault节点已成功解封"
|
||
|
||
# 显示Vault状态
|
||
log_info "Vault集群状态:"
|
||
export VAULT_ADDR='http://100.117.106.136:8200'
|
||
vault status
|
||
|
||
# 保存环境变量以便后续使用
|
||
echo "export VAULT_ADDR='http://100.117.106.136:8200'" > /root/mgmt/security/secrets/vault/dev/vault_env.sh
|
||
echo "export VAULT_TOKEN='$root_token'" >> /root/mgmt/security/secrets/vault/dev/vault_env.sh
|
||
log_info "环境变量已保存到: /root/mgmt/security/secrets/vault/dev/vault_env.sh"
|
||
|
||
log_warn "开发环境提示:"
|
||
log_warn "1. 请勿在生产环境中使用此配置"
|
||
log_warn "2. 生产环境应使用5个密钥中的3个阈值"
|
||
log_warn "3. 密钥应分发给不同管理员保管"
|
||
else
|
||
log_error "Vault初始化失败"
|
||
exit 1
|
||
fi
|
||
else
|
||
log_info "Vault已初始化"
|
||
|
||
# 检查Vault是否已解封
|
||
sealed_status=$(curl -s "$VAULT_ADDR/v1/sys/health" | grep -o '"sealed":[^,}]*' | cut -d ':' -f2)
|
||
if [ "$sealed_status" = "true" ]; then
|
||
log_warn "Vault已初始化但仍处于密封状态"
|
||
log_info "请使用以下命令解封:"
|
||
log_info "export VAULT_ADDR='http://<节点IP>:8200'"
|
||
log_info "vault operator unseal <解封密钥>"
|
||
else
|
||
log_info "Vault已初始化且已解封,可以正常使用"
|
||
|
||
# 显示Vault状态
|
||
log_info "Vault集群状态:"
|
||
export VAULT_ADDR='http://100.117.106.136:8200'
|
||
vault status
|
||
fi
|
||
fi
|
||
|
||
log_info "===== Vault开发环境初始化完成 =====" |