#!/bin/bash
# Vault与Consul集成管理脚本
# ANSI colour escape sequences used by the log_* helpers. They are stored as
# literal backslash sequences and only turned into real escapes at print time
# (echo -e / printf %b).
GREEN='\033[0;32m'   # informational messages
YELLOW='\033[1;33m'  # warnings
RED='\033[0;31m'     # errors
NC='\033[0m'         # reset: No Color
# Logging helpers.

#######################################
# Print an informational line to stdout with a green [INFO] tag.
# Arguments: $1 - message text; backslash escapes in it are interpreted,
#            exactly as echo -e would do
# Outputs:   the tagged message on stdout
#######################################
log_info() {
  printf '%b\n' "${GREEN}[INFO]${NC} $1"
}
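#######################################
# Print a warning line with a yellow [WARN] tag.
# Diagnostics go to stderr so they do not pollute stdout when the script's
# output is captured or piped; all arguments are joined so multi-word messages
# need not be quoted by the caller.
# Arguments: $@ - message text (backslash escapes interpreted, as with echo -e)
# Outputs:   the tagged message on stderr
#######################################
log_warn() {
  printf '%b\n' "${YELLOW}[WARN]${NC} $*" >&2
}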
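#######################################
# Print an error line with a red [ERROR] tag.
# Errors belong on stderr; sending them to stdout (as the original did) hides
# them from anything that only watches the error stream and mixes them into
# captured output. All arguments are joined into the message.
# Arguments: $@ - message text (backslash escapes interpreted, as with echo -e)
# Outputs:   the tagged message on stderr
#######################################
log_error() {
  printf '%b\n' "${RED}[ERROR]${NC} $*" >&2
}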
#######################################
# Print the usage text for this script.
# Arguments: none ($0 is expanded into the usage line)
# Outputs:   usage and the list of sub-commands on stdout
#######################################
show_help() {
  cat <<EOF
用法: $0 [选项]
选项:
 status 显示Vault和Consul状态
 verify 验证集成状态
 backup 备份Consul中的Vault数据
 restore 从备份恢复Consul中的Vault数据
 monitor 监控Vault和Consul运行状态
 health 检查健康状态
 help 显示此帮助信息
EOF
}
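#######################################
# Show Vault status, Consul cluster membership and the number of Vault keys
# stored in Consul KV.
# Globals:   CONSUL_HTTP_ADDR (read, optional) - Consul HTTP address; when unset
#            the address hard-coded below is used. A value without a scheme
#            (host:port) is accepted by curl as well.
# Outputs:   status reports on stdout, errors via log_error
# Returns:   1 when the Vault environment file is missing, otherwise the
#            status of the last command run
#######################################
show_status() {
  local vault_env=/root/mgmt/security/secrets/vault/dev/vault_env.sh
  local consul_addr=${CONSUL_HTTP_ADDR:-http://100.117.106.136:8500}
  local keys

  log_info "Vault状态:"
  # vault_env.sh is expected to export the Vault CLI environment (VAULT_ADDR
  # etc.) — its content is not visible here, verify. Without it `vault status`
  # would silently query the CLI's default address, so fail loudly instead.
  if [ ! -r "$vault_env" ]; then
    log_error "无法读取 Vault 环境文件: $vault_env"
    return 1
  fi
  # shellcheck source=/dev/null
  source "$vault_env"
  vault status

  echo ""
  log_info "Consul成员状态:"
  consul members

  echo ""
  log_info "Consul中的Vault数据键数量:"
  # -f turns HTTP errors into a non-zero exit instead of feeding an error body
  # to jq; --max-time keeps an unreachable Consul from hanging the script.
  if keys=$(curl -sf --max-time 10 "${consul_addr}/v1/kv/vault/?keys"); then
    jq length <<< "$keys"
  else
    log_error "无法从 Consul 获取 Vault 键列表: $consul_addr"
  fi
}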
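#######################################
# Run the external Vault/Consul integration verification script.
# The script path is fixed; a missing or non-executable file used to surface
# only as a bare "No such file" from bash, so check it explicitly.
# Outputs:   whatever the verification script prints; an error via log_error
#            when the script cannot be run
# Returns:   1 when the script is missing/not executable, otherwise the
#            script's own exit status
#######################################
verify_integration() {
  local script=/root/mgmt/deployment/scripts/verify_vault_consul_integration.sh
  if [ ! -x "$script" ]; then
    log_error "验证脚本不存在或不可执行: $script"
    return 1
  fi
  "$script"
}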
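#######################################
# Back up every key under vault/ in Consul KV to a timestamped JSON file.
# The Consul KV "?recurse" response already carries each entry's Key and its
# base64-encoded Value, so one request replaces the former per-key fetch loop
# (which also decoded and re-encoded each value for no effect and failed on
# entries with a null Value). The output schema is unchanged:
#   {"backup_timestamp": "<ISO-8601>",
#    "vault_data": [{"key": "<Key>", "value": "<base64 Value>"}, ...]}
# Globals:   CONSUL_HTTP_ADDR (read, optional) - Consul HTTP address; falls
#            back to the address hard-coded below
# Outputs:   backup path via log_info; failures via log_error
# Returns:   1 when the data cannot be fetched or the file cannot be written
#######################################
backup_vault_data() {
  local backup_dir=/root/mgmt/security/secrets/vault/backups
  local consul_addr=${CONSUL_HTTP_ADDR:-http://100.117.106.136:8500}
  local timestamp backup_file tmp_file raw

  log_info "开始备份Consul中的Vault数据..."

  timestamp=$(date +%Y%m%d_%H%M%S)
  backup_file="$backup_dir/vault_consul_backup_$timestamp.json"
  if ! mkdir -p "$backup_dir"; then
    log_error "无法创建备份目录: $backup_dir"
    return 1
  fi

  # -f makes HTTP errors (e.g. 404 when the prefix is empty) fail the request
  # instead of handing an error body to jq.
  if ! raw=$(curl -sf --max-time 30 "${consul_addr}/v1/kv/vault/?recurse") \
     || [ -z "$raw" ]; then
    log_error "✗ 无法获取Consul中的Vault数据"
    return 1
  fi

  # Build the file under a temporary name and move it into place so a partial
  # backup never appears under the final name. The file is plaintext JSON, so
  # restrict it to the owner before any data is written.
  if ! tmp_file=$(mktemp "$backup_dir/.vault_consul_backup.XXXXXX"); then
    log_error "无法创建临时备份文件"
    return 1
  fi
  chmod 600 "$tmp_file"
  # `.Value // ""` keeps "directory" entries (null Value) from breaking the
  # backup; the value stays base64 exactly as Consul returned it.
  if jq --arg ts "$(date -Iseconds)" \
        '{backup_timestamp: $ts, vault_data: map({key: .Key, value: (.Value // "")})}' \
        <<< "$raw" > "$tmp_file"; then
    mv "$tmp_file" "$backup_file"
    log_info "✓ Vault数据已备份到: $backup_file"
    log_warn "注意:这是未加密的备份,请确保安全存储"
  else
    rm -f -- "$tmp_file"
    log_error "✗ 无法写入备份文件: $backup_file"
    return 1
  fi
}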
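#######################################
# Walk through basic remote-management commands against Consul and Vault.
# This writes demo entries (Consul key demo/test/value, Vault path
# secret/demo/test), so it is only meant for a non-production environment.
# NOTE(review): no arm of the command dispatch at the bottom of this file
# calls this function, so it is currently unreachable from the CLI.
# The original called echo_section, which is not defined anywhere in this
# file; a plain banner is printed when no such function is available.
# Outputs:   command output on stdout; failures degrade to log_warn
#######################################
remote_management_demo() {
  local title="HashiCorp 产品远程管理能力演示"
  if declare -F echo_section >/dev/null 2>&1; then
    echo_section "$title"
  else
    printf '=== %s ===\n' "$title"
  fi

  log_info "1. Consul 远程管理演示"

  # Cluster membership
  log_info "查看 Consul 集群成员:"
  consul members || log_warn "无法获取集群成员信息"

  # Datacenter / role information
  log_info "查看 Consul 数据中心信息:"
  consul info | grep -E "(datacenter|server|client)" || log_warn "无法获取数据中心信息"

  # KV write and read-back; the write now reports failure like the read does
  log_info "在 Consul 中存储测试键值:"
  echo "测试值" | consul kv put demo/test/value - || log_warn "无法写入测试键值"
  log_info "从 Consul 读取测试键值:"
  consul kv get demo/test/value || log_warn "无法读取键值"

  log_info "2. Vault 远程管理演示"

  # Seal / init status
  log_info "检查 Vault 状态:"
  vault status || log_warn "无法连接到 Vault 或 Vault 未初始化"

  # Mounted secrets engines
  log_info "列出 Vault 密钥引擎:"
  vault secrets list || log_warn "无法列出密钥引擎"

  # KV v2 write (value read from stdin via "value=-") and read-back
  log_info "在 Vault 中存储测试密钥:"
  echo "测试数据" | vault kv put secret/demo/test value=- || log_warn "无法写入测试密钥"
  log_info "从 Vault 读取测试密钥:"
  vault kv get secret/demo/test || log_warn "无法读取密钥"

  # Raft peers only exist with Vault's integrated storage; with the Consul
  # backend this script targets, this presumably always takes the warning path.
  log_info "查看 Vault 集群信息:"
  vault operator raft list-peers || log_warn "无法列出 Raft 集群节点"

  log_info "远程管理功能演示完成"
  log_info "请根据实际环境配置正确的地址和认证凭据"
}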
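#######################################
# Run a quick health check of Vault (init/seal state), the Consul cluster
# (leader present) and the presence of Vault's seal-config key in Consul KV.
# Globals:   VAULT_ADDR (read, optional) - Vault address, falls back to the
#            address hard-coded below
#            CONSUL_HTTP_ADDR (read, optional) - Consul HTTP address, same
#            fallback scheme
# Outputs:   one ✓/✗ line per check via log_info / log_error
# Returns:   0 (results are reported, not signalled through the exit status,
#            matching the original behaviour)
#######################################
health_check() {
  local vault_addr=${VAULT_ADDR:-http://100.117.106.136:8200}
  local consul_addr=${CONSUL_HTTP_ADDR:-http://100.117.106.136:8500}
  local vault_health consul_leader seal_config_count

  log_info "执行健康检查..."

  # Vault: sys/health can answer with a non-2xx status for sealed/standby
  # nodes while still returning the JSON we need, so no -f here. An empty
  # body means the request itself failed; report that instead of claiming
  # "not initialised".
  vault_health=$(curl -s --max-time 10 "${vault_addr}/v1/sys/health")
  if [ -z "$vault_health" ]; then
    log_error "✗ 无法连接到 Vault: $vault_addr"
  else
    # Parse the fields with jq rather than grepping the raw text.
    if [ "$(jq -r '.initialized' <<< "$vault_health" 2>/dev/null)" = "true" ]; then
      log_info "✓ Vault已初始化"
    else
      log_error "✗ Vault未初始化"
    fi

    if [ "$(jq -r '.sealed' <<< "$vault_health" 2>/dev/null)" = "false" ]; then
      log_info "✓ Vault未密封"
    else
      log_error "✗ Vault已密封"
    fi
  fi

  # Consul: /v1/status/leader returns the leader as a quoted "host:port"
  # string, and an empty quoted string ("") when there is no leader — the
  # old -n/"null" test accepted that empty string as a leader.
  consul_leader=$(curl -sf --max-time 10 "${consul_addr}/v1/status/leader")
  if [ -n "$consul_leader" ] && [ "$consul_leader" != '""' ] && [ "$consul_leader" != "null" ]; then
    log_info "✓ Consul集群有领导者"
  else
    log_error "✗ Consul集群无领导者"
  fi

  # Vault data in Consul: the KV read 404s (curl -f -> empty output) when the
  # key is absent; only a positive numeric length counts as present.
  seal_config_count=$(curl -sf --max-time 10 "${consul_addr}/v1/kv/vault/core/seal-config" \
    | jq length 2>/dev/null)
  if [[ "$seal_config_count" =~ ^[0-9]+$ ]] && (( seal_config_count > 0 )); then
    log_info "✓ Vault核心数据存在"
  else
    log_error "✗ Vault核心数据缺失"
  fi

  log_info "健康检查完成"
}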
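# Main program: dispatch on the first argument.
# "monitor" and "restore" are advertised by show_help, but monitor_status is
# not defined anywhere in this file and there is no restore function at all;
# both now fail with a clear message instead of "command not found" /
# "unknown option".
action=${1:-}
case "$action" in
  status)
    show_status
    ;;
  verify)
    verify_integration
    ;;
  backup)
    backup_vault_data
    ;;
  monitor)
    if declare -F monitor_status >/dev/null 2>&1; then
      monitor_status
    else
      log_error "monitor 功能尚未实现 (monitor_status 未定义)"
      exit 1
    fi
    ;;
  restore)
    log_error "restore 功能尚未实现"
    exit 1
    ;;
  health)
    health_check
    ;;
  help|--help|-h)
    show_help
    ;;
  "")
    # No argument at all: print usage without treating it as an error.
    show_help
    ;;
  *)
    log_error "未知选项: $1"
    show_help
    exit 1
    ;;
esac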