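#!/bin/bash
# Initialize the Vault dev environment through the HTTP API (no local vault CLI needed).
#
# Required tools: curl, jq.
# The script writes the init response (unseal key + root token) and a
# vault_env.sh under /root/mgmt/security/secrets/vault/dev; both files are secrets.

# -e: stop at the first failing command; -u: unset variables are errors;
# pipefail: a failing stage (curl, grep, jq) fails the whole pipeline instead
# of silently yielding an empty status string.
set -euo pipefail
# Every file created below holds secrets; default new files to owner-only.
umask 077

echo "===== 通过API初始化Vault开发环境 ====="

# ANSI colour escapes for the log helpers (rendered by echo -e / printf %b).
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly NC='\033[0m' # No Color

# Function definitions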
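#######################################
# Print an informational line to stdout.
# Globals:   GREEN, NC (read) - colour escapes, rendered with %b
# Arguments: $* - message; printed via %s so a message such as "-n" or one
#            containing backslashes is shown verbatim (echo -e would not)
#######################################
log_info() {
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"
}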
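#######################################
# Print a warning line. Diagnostics go to stderr so they do not mix with
# data a caller may capture from stdout.
# Globals:   YELLOW, NC (read) - colour escapes, rendered with %b
# Arguments: $* - message, printed verbatim via %s
#######################################
log_warn() {
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2
}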
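#######################################
# Print an error line. Diagnostics go to stderr so they do not mix with
# data a caller may capture from stdout.
# Globals:   RED, NC (read) - colour escapes, rendered with %b
# Arguments: $* - message, printed verbatim via %s
#######################################
log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2
}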
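# Master node address. May be overridden from the environment; the default is
# the value the script has always used.
VAULT_MASTER_ADDR=${VAULT_MASTER_ADDR:-http://100.117.106.136:8200}
# Peer nodes that receive the same unseal key after a fresh init.
VAULT_PEER_ADDRS=(
  'http://100.116.80.94:8200'   # ash3c
  'http://100.122.197.112:8200' # warden
)
# Directory for init_keys.json and vault_env.sh; both files contain secrets.
VAULT_DEV_DIR=${VAULT_DEV_DIR:-/root/mgmt/security/secrets/vault/dev}
# Start-up wait: 30 attempts, 2 s apart (unchanged from the original loop).
VAULT_WAIT_RETRIES=30
VAULT_WAIT_DELAY=2

#######################################
# Fetch a node's health document.
# Arguments: $1 - node base URL
# Outputs:   raw JSON on stdout
# Returns:   curl's status. Deliberately no --fail: /sys/health answers
#            501/503 for an uninitialized/sealed node and that body is wanted.
#######################################
vault_health() {
  curl -s --max-time 5 "$1/v1/sys/health"
}

#######################################
# Read one top-level field of the master node's health document.
# Arguments: $1 - field name (initialized, sealed, ...)
# Outputs:   "true"/"false"/"null", or empty when the request or parse fails
# Returns:   always 0 so callers test the value, not the status
#######################################
health_field() {
  vault_health "$VAULT_MASTER_ADDR" 2>/dev/null \
    | jq -r --arg f "$1" '.[$f]' 2>/dev/null || true
}

#######################################
# Poll the master node until /sys/health answers.
# Outputs:   one dot per failed attempt, then a newline
# Returns:   0 when reachable, 1 after VAULT_WAIT_RETRIES attempts
#######################################
wait_for_vault() {
  local attempt
  for ((attempt = 1; attempt <= VAULT_WAIT_RETRIES; attempt++)); do
    if vault_health "$VAULT_MASTER_ADDR" > /dev/null 2>&1; then
      printf '\n'
      return 0
    fi
    printf '.'
    sleep "$VAULT_WAIT_DELAY"
  done
  printf '\n'
  return 1
}

#######################################
# Submit the unseal key to one node.
# Arguments: $1 - node base URL, $2 - unseal key
# Returns:   0 when the node reports sealed=false afterwards, 1 otherwise
#######################################
unseal_node() {
  local addr=$1 key=$2 response
  # jq builds the body so the key is never spliced into JSON by hand.
  response=$(jq -cn --arg key "$key" '{key: $key}' \
    | curl -s --max-time 10 -X POST \
        -H 'Content-Type: application/json' \
        -d @- "$addr/v1/sys/unseal") || return 1
  [[ "$(jq -r '.sealed' <<<"$response" 2>/dev/null)" == "false" ]]
}

#######################################
# Pretty-print the master node's health document.
#######################################
show_cluster_status() {
  log_info "Vault集群状态:"
  vault_health "$VAULT_MASTER_ADDR" | jq . || log_warn "无法解析Vault状态响应"
}

# Wait for Vault to come up; the original loop fell through after 30 tries
# and carried on with an empty status, so now it is an error.
log_info "等待Vault启动..."
if ! wait_for_vault; then
  log_error "Vault ($VAULT_MASTER_ADDR) 在 $((VAULT_WAIT_RETRIES * VAULT_WAIT_DELAY)) 秒内未响应"
  exit 1
fi

# Check whether Vault is already initialized.
init_status=$(health_field initialized)
case "$init_status" in
  false)
    log_info "Vault未初始化,正在通过API初始化..."

    # Everything written below holds secrets: owner-only directory and files.
    umask 077
    mkdir -p -m 700 -- "$VAULT_DEV_DIR"
    keys_file="$VAULT_DEV_DIR/init_keys.json"
    env_file="$VAULT_DEV_DIR/vault_env.sh"

    # Initialize via the API (1 share, threshold 1 - dev mode only).
    init_response=$(curl -s --max-time 10 -X POST \
      -H 'Content-Type: application/json' \
      -d '{"secret_shares": 1, "secret_threshold": 1}' \
      "$VAULT_MASTER_ADDR/v1/sys/init") || {
      log_error "Vault初始化请求失败(无法连接 $VAULT_MASTER_ADDR)"
      exit 1
    }

    # Save the raw response first so the key is never lost if a later step fails.
    printf '%s\n' "$init_response" > "$keys_file"
    chmod 600 -- "$keys_file"

    # Extract key and token with jq instead of grep/cut on the JSON text.
    unseal_key=$(jq -r '.keys_base64[0] // empty' <<<"$init_response" 2>/dev/null || true)
    root_token=$(jq -r '.root_token // empty' <<<"$init_response" 2>/dev/null || true)

    if [[ -z "$unseal_key" || -z "$root_token" ]]; then
      log_error "Vault初始化失败"
      log_error "响应: $init_response"
      exit 1
    fi

    log_info "Vault初始化成功(开发模式)"
    log_warn "注意:这是开发模式,仅使用1个解封密钥"
    log_warn "生产环境请使用5个密钥中的3个阈值"
    # The key and token are not echoed: terminal scrollback and captured logs
    # are not a place for them. They are in $keys_file (mode 600).
    log_info "解封密钥和根令牌已保存到: $keys_file"

    # Unseal every node and report per node instead of assuming success.
    log_info "正在自动解封所有Vault节点..."
    unseal_failed=0
    for node in "$VAULT_MASTER_ADDR" "${VAULT_PEER_ADDRS[@]}"; do
      if unseal_node "$node" "$unseal_key"; then
        log_info "已解封: $node"
      else
        log_warn "解封失败或仍处于密封状态: $node"
        unseal_failed=1
      fi
    done
    if (( unseal_failed )); then
      log_warn "部分Vault节点未能解封,请检查上述节点"
    else
      log_info "所有Vault节点已成功解封"
    fi

    show_cluster_status

    # Save environment variables for later use; %q keeps the values
    # shell-safe no matter what characters they contain.
    {
      printf 'export VAULT_ADDR=%q\n' "$VAULT_MASTER_ADDR"
      printf 'export VAULT_TOKEN=%q\n' "$root_token"
    } > "$env_file"
    chmod 600 -- "$env_file"
    log_info "环境变量已保存到: $env_file"

    log_warn "开发环境提示:"
    log_warn "1. 请勿在生产环境中使用此配置"
    log_warn "2. 生产环境应使用5个密钥中的3个阈值"
    log_warn "3. 密钥应分发给不同管理员保管"
    ;;
  true)
    log_info "Vault已初始化"

    # Check whether Vault is still sealed.
    sealed_status=$(health_field sealed)
    if [[ "$sealed_status" == "true" ]]; then
      log_warn "Vault已初始化但仍处于密封状态"
      log_info "请使用API解封:"
      log_info "curl -X POST -d '{\"key\": \"<解封密钥>\"}' $VAULT_MASTER_ADDR/v1/sys/unseal"
    else
      log_info "Vault已初始化且已解封,可以正常使用"
      show_cluster_status
    fi
    ;;
  *)
    # Empty or "null": the health document could not be read or parsed.
    log_error "无法从 $VAULT_MASTER_ADDR 读取Vault初始化状态(得到: '${init_status}')"
    exit 1
    ;;
esac

log_info "===== Vault开发环境初始化完成 ====="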