#!/bin/bash
# Vault集群初始化和解封脚本
# Initialises the Vault cluster on the master node (if it is not initialised
# yet), stores the `vault operator init` output under
# /root/mgmt/security/secrets/vault/, and unseals every node with the first
# three key shares. Requires the vault CLI and curl; the init output holds all
# key shares and the root token, so run it only on a trusted host.
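# Abort on the first failing command and on any reference to an unset
# variable, so a failed step (e.g. a key that could not be parsed out of
# init_keys.json) cannot silently fall through into the unseal commands.
set -eu

echo "===== Vault集群初始化 ====="

# ANSI colour escapes consumed by the log_* helpers through `echo -e`.
GREEN='\033[0;32m'   # log_info
YELLOW='\033[1;33m'  # log_warn
RED='\033[0;31m'     # log_error
NC='\033[0m'         # reset to the terminal default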
# 函数定义
#######################################
# Print an informational message with a green [INFO] tag.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text; backslash escapes in it are interpreted,
#            exactly as `echo -e` would
# Outputs:   one line on stdout
#######################################
log_info() {
  local message=$1
  printf '%b\n' "${GREEN}[INFO]${NC} ${message}"
}
#######################################
# Print a warning message with a yellow [WARN] tag.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text; backslash escapes in it are interpreted,
#            exactly as `echo -e` would
# Outputs:   one line on stdout
#######################################
log_warn() {
  local message=$1
  printf '%b\n' "${YELLOW}[WARN]${NC} ${message}"
}
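#######################################
# Print an error message with a red [ERROR] tag.
# Errors go to stderr so they are not swallowed when the script's stdout is
# captured or piped (the original wrote them to stdout like the other levels).
# Globals:   RED, NC (read)
# Arguments: $1 - message text; backslash escapes in it are interpreted,
#            exactly as `echo -e` would
# Outputs:   one line on stderr
#######################################
log_error() {
  local message=$1
  printf '%b\n' "${RED}[ERROR]${NC} ${message}" >&2
}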
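# Both tools are required: vault for init/unseal, curl for the health probes.
# Previously only vault was checked; a missing curl made the wait loop below
# print dots for 60 s and then fall through with empty status values.
for tool in vault curl; do
  if ! command -v "$tool" > /dev/null 2>&1; then
    log_error "${tool}命令未找到,请先安装${tool}"
    exit 1
  fi
done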
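# Talk to the master node first: initialisation happens there and the key
# shares it returns are used for every node.
# NOTE(review): this is plain http://, so key shares and the root token cross
# the network unencrypted unless these 100.x addresses sit on an encrypted
# overlay (nothing in this script shows that) — confirm, or enable TLS on the
# listener and use https://.
export VAULT_ADDR='http://100.117.106.136:8200'

# Wait for the API to answer. `curl -s` without `-f` is intentional: an
# uninitialised (501) or sealed (503) Vault still counts as "up" here, and
# those are exactly the states handled later. --max-time bounds each probe so
# a black-holed address cannot stall a single attempt for minutes.
log_info "等待Vault启动..."
vault_reachable=0
for _ in {1..30}; do
  if curl -s --max-time 5 "$VAULT_ADDR/v1/sys/health" > /dev/null; then
    vault_reachable=1
    break
  fi
  echo -n "."
  sleep 2
done
echo ""

# Without this check an unreachable Vault yielded empty status strings and
# the script went on to report "initialised and unsealed" for a node it had
# never talked to.
if [ "$vault_reachable" -ne 1 ]; then
  log_error "Vault在 $VAULT_ADDR 上未响应,请检查服务是否已启动"
  exit 1
fi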
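# ---------------------------------------------------------------------------
# Cluster bootstrap: initialise on the master if needed, then unseal all nodes.
# ---------------------------------------------------------------------------

# Where the `vault operator init` output (every key share AND the root token)
# is written. Anyone who can read this file can unseal Vault and act as root:
# the 3-of-5 threshold protects nothing until the shares are split between
# custodians and the file is removed from this host.
key_file='/root/mgmt/security/secrets/vault/init_keys.json'
key_shares=5
key_threshold=3

# Every cluster member, master first; each is unsealed with the same shares.
# They are plain http:// — confirm the links are encrypted (see VAULT_ADDR).
cluster_nodes=(
  'http://100.117.106.136:8200'  # master
  'http://100.116.80.94:8200'    # ash3c
  'http://100.122.197.112:8200'  # warden
)
master_addr=${cluster_nodes[0]}

#######################################
# Read one boolean field of sys/health from the current VAULT_ADDR.
# `-s` without `-f` is deliberate: Vault answers 501 (uninitialised) and
# 503 (sealed) with the JSON body we need.
# Globals:   VAULT_ADDR (read)
# Arguments: $1 - field name, e.g. initialized or sealed
# Outputs:   the raw value (true/false) on stdout; empty when unreachable or
#            the body is not the expected JSON
#######################################
health_field() {
  local field=$1
  curl -s --max-time 5 "$VAULT_ADDR/v1/sys/health" \
    | grep -o "\"${field}\":[^,}]*" \
    | cut -d ':' -f2
}

#######################################
# Print the base64 unseal key shares from an init output file, one per line.
# `vault operator init -format=json` pretty-prints its output (multi-line,
# `"key": value`), which the original per-line grep could not match; all
# whitespace is stripped first so one pattern works for compact and indented
# JSON alike (shares and tokens never contain whitespace).
# Arguments: $1 - path to the init output file
# Outputs:   one share per line on stdout; nothing if none are found
#######################################
extract_unseal_keys() {
  local file=$1
  tr -d ' \t\n\r' < "$file" \
    | grep -o '"unseal_keys_b64":\[[^]]*' \
    | sed -e 's/^"unseal_keys_b64":\[//' -e 's/"//g' \
    | tr ',' '\n' \
    | sed -e '/^$/d'
}

#######################################
# Feed key shares to one node until it unseals.
# Globals:   VAULT_ADDR (written)
# Arguments: $1 - node address; $2.. - key shares (threshold many)
# Note: the share is passed on argv, as before, so it is visible in `ps` and
# in `set -x` traces for the duration of the call; do not trace this script.
#######################################
unseal_node() {
  local node=$1
  shift
  local key
  export VAULT_ADDR=$node
  log_info "正在解封节点 $node ..."
  for key in "$@"; do
    if ! vault operator unseal "$key"; then
      log_error "节点 $node 解封失败"
      exit 1
    fi
  done
}

export VAULT_ADDR=$master_addr
init_status=$(health_field initialized)

if [ "$init_status" = "false" ]; then
  log_info "Vault未初始化,正在初始化..."

  # Refuse to clobber an existing key file: it may hold the only copy of the
  # shares for a previous incarnation of this cluster.
  if [ -s "$key_file" ]; then
    log_error "密钥文件已存在,拒绝覆盖: $key_file"
    exit 1
  fi

  # Create the file owner-readable only from the first byte (umask in a
  # subshell so the rest of the script is unaffected). Previously it was
  # created under the default umask, i.e. usually world-readable. -m applies
  # only to the leaf directory, and only when mkdir creates it.
  mkdir -p -m 700 "${key_file%/*}"
  if ! ( umask 077 && vault operator init \
           -key-shares="$key_shares" -key-threshold="$key_threshold" \
           -format=json > "$key_file" ); then
    # Under set -e the old `if [ $? -eq 0 ]` could never take its else branch;
    # this check does run. If Vault did initialise but the output was lost,
    # the data is unrecoverable and the storage has to be reset.
    log_error "Vault初始化失败"
    log_warn "若Vault此时已初始化但密钥未写入 $key_file,可能需要重置存储后重新初始化"
    exit 1
  fi

  log_info "Vault初始化成功"
  log_warn "重要:请立即将以下文件安全备份并分发给不同管理员"
  log_warn "密钥文件位置: $key_file"

  mapfile -t unseal_keys < <(extract_unseal_keys "$key_file")
  unseal_keys_count=${#unseal_keys[@]}
  # Fail here rather than handing empty strings to `vault operator unseal`,
  # which would fall back to an interactive prompt and hang the script.
  if [ "$unseal_keys_count" -lt "$key_threshold" ]; then
    log_error "从 $key_file 中只解析到 $unseal_keys_count 个解封密钥(需要 $key_threshold 个),请检查该文件"
    exit 1
  fi
  if ! grep -q '"root_token"' "$key_file"; then
    log_warn "密钥文件中未找到根令牌字段,请检查 $key_file"
  fi

  log_info "生成了 $unseal_keys_count 个解封密钥,需要其中任意 $key_threshold 个来解封Vault"
  log_info "根令牌已生成(请安全保管)"

  # Unseal every member with the first $key_threshold shares. Doing this from
  # one file on one host is a bootstrap convenience and is exactly the
  # "one party holds enough shares" situation the threshold exists to prevent
  # — hence the warnings about distributing the shares and deleting the file.
  log_info "正在解封所有Vault节点..."
  for node in "${cluster_nodes[@]}"; do
    unseal_node "$node" "${unseal_keys[@]:0:$key_threshold}"
  done

  log_info "所有Vault节点已成功解封"
  log_warn "请确保将密钥文件安全备份到多个位置,并按照安全策略分发给不同管理员"
  # The root token is deliberately NOT echoed any more: stdout lands in
  # terminal scrollback, CI logs and session recordings. It is in $key_file;
  # use it once to set up auth methods and policies, then revoke it.
  log_warn "根令牌保存在 $key_file 中,不会在终端显示;完成初始配置后请尽快撤销"

  log_info "Vault集群状态:"
  export VAULT_ADDR=$master_addr
  # `vault status` exits non-zero while sealed; report that instead of letting
  # set -e abort the script after the unseal already succeeded or failed.
  if ! vault status; then
    log_warn "master节点状态异常(可能仍处于密封状态),请检查上面的输出"
  fi

elif [ "$init_status" = "true" ]; then
  log_info "Vault已初始化"

  sealed_status=$(health_field sealed)
  if [ "$sealed_status" = "true" ]; then
    log_warn "Vault已初始化但仍处于密封状态,请手动解封"
    log_info "使用以下命令解封Vault:"
    log_info "export VAULT_ADDR='http://<节点IP>:8200'"
    log_info "vault operator unseal <解封密钥1>"
    log_info "vault operator unseal <解封密钥2>"
    log_info "vault operator unseal <解封密钥3>"
  elif [ "$sealed_status" = "false" ]; then
    log_info "Vault已初始化且已解封,可以正常使用"
  else
    log_error "无法从 $VAULT_ADDR 读取密封状态"
    exit 1
  fi

else
  # Empty or unexpected value: the health endpoint did not answer with the
  # expected JSON. Previously this fell into the "already initialised" branch
  # and reported a healthy cluster that was never contacted.
  log_error "无法从 $VAULT_ADDR 读取初始化状态,请确认Vault正在运行"
  exit 1
fi

log_info "===== Vault集群初始化和解封完成 ====="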