sh Bash shell script that checks the seal status of the local Vault server and attempts to unseal it with the key shares stored in a Vault secret store. Supports HA Va

Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It presents a Bash shell script that checks the seal status of the local Vault server and attempts to unseal it with the key shares stored in a Vault secret store (supports HA Va…); we hope it is of some reference value to you.

#!/bin/bash
# VaultSealManager: check whether the local Vault instance is sealed and, if it
# is, fetch the unseal key shares from an already-unsealed member of the same HA
# cluster (discovered through Consul DNS) and submit three of them to unseal it.
#
# Caveats to weigh before running this anywhere that matters:
#   * The key shares are stored in Vault itself (secret/vault/keys/1..5) and are
#     read with the token in /root/.vault-token. Whoever can read that file can
#     read every share, which removes the protection that splitting the master
#     key was meant to provide; a separately secured store or auto-unseal is safer.
#   * `vault unseal` receives each share as a command-line argument, so the
#     shares are briefly visible in the process list on this host.
#   * Leader discovery assumes the legacy text output of `vault status` (a
#     "Leader: https://host:8200" line), not the table printed by newer releases.

export vault=/usr/local/bin/vault
export VAULT_TOKEN=$(cat /root/.vault-token)
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"

# Consul's DNS interface only returns healthy, i.e. unsealed, Vault nodes.
# Take the last address and map it back to a hostname so that it matches the
# server certificate. The raw IP is kept so that an empty answer can be detected.
unsealed_ip=$(dig +short vault.service.consul | tail -n 1)
unsealed_host=$(getent hosts "$unsealed_ip" | awk '{ print $2 }')
unsealed_vault="-address=https://${unsealed_host}:8200"

# Ask that node for the cluster leader. The scheme and the port are stripped
# from the "Leader:" value before ":8200" is appended; appending to the raw
# URL would yield an address of the form host:8200:8200.
leader_host=$($vault status $vault_cacert $unsealed_vault 2> /dev/null \
    | awk '$1 == "Leader:" { print $2; exit }' \
    | sed -e 's#^https\{0,1\}://##' -e 's#:[0-9]*$##')
leader_vault="-address=https://${leader_host}:8200"

vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"


function log(){
    echo "VaultSealManager-[$(date +'%X %x')]-[$1]: $2"
}

function check_unsealed(){
    # `vault status` exits 0 when unsealed, 2 when sealed and 1 on error.
    if ! $vault_status &> /dev/null
    then
        log ERROR "Local Vault instance is still sealed after the unseal attempt."
        exit 1
    fi
}

function get_keys(){
    vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
    vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
    vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
    vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
    vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
    if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]
    then
        log ERROR "Error retrieving unseal keys from Vault secret store!"
        exit 1
    fi
}

function unseal_vault(){
    # The seal threshold is 3 of 5 shares, so only three are submitted; shares
    # 4 and 5 are fetched but kept in reserve. Each submission is checked.
    $vault_unseal "$vault_key_1" &> /dev/null; status_1=$?
    $vault_unseal "$vault_key_2" &> /dev/null; status_2=$?
    $vault_unseal "$vault_key_3" &> /dev/null; status_3=$?
    if (( status_1 != 0 || status_2 != 0 || status_3 != 0 ))
    then
        log ERROR "Error unsealing local Vault instance!"
        exit 1
    fi
}

function main(){
    local rc
    $vault_status &> /dev/null
    rc=$?
    if (( rc == 0 ))
    then
        log INFO "Local Vault instance is already unsealed!"
        exit 0
    elif (( rc != 2 ))
    then
        # Anything other than "sealed" means the local instance could not be
        # queried at all; unsealing would be pointless.
        log ERROR "Could not query the local Vault instance (vault status exited $rc)."
        exit 1
    fi
    if [[ -z "$unsealed_ip" ]] || [[ -z "$unsealed_host" ]]
    then
        log ERROR "Consul service returned no unsealed Vault instances!"
        exit 1
    fi
    if [[ -z "$leader_host" ]]
    then
        log ERROR "Could not determine the cluster leader from $unsealed_host!"
        exit 1
    fi
    log INFO "Consul service returned unsealed Vault instance $unsealed_host (leader: $leader_host)..."
    log INFO "Attempting to get secured keys from Vault secret store..."
    get_keys
    log INFO "Got unseal keys successfully..."
    log INFO "Attempting to unseal local Vault instance with acquired unseal keys..."
    unseal_vault
    log INFO "Checking local seal status..."
    check_unsealed
    log INFO "Local Vault instance is now unsealed!"
}

main
exit 0
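The leader lookup and the seal check in the script above are a grep/awk/sed pipeline over `vault status` text, which is awkward to verify without a running cluster. The following is an added example, not part of the original gist, that isolates that parsing into shell functions and runs them over constructed sample output in the legacy key/value layout the script assumes (the hostnames, IP addresses, cluster name and version number are made up). Newer Vault releases print a different table, and `vault status -format=json` is the robust way to read the same fields there.

```shell
#!/usr/bin/env bash
# Added example: parse the legacy `vault status` text the script above relies
# on, with constructed samples so it runs offline. Not part of the original gist.

# Constructed sample: a standby member of an HA cluster (legacy text layout).
SAMPLE_STANDBY='Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Version: 0.6.5
Cluster Name: vault-cluster-example
Cluster ID: 00000000-0000-0000-0000-000000000000

High-Availability Enabled: true
	Mode: standby
	Leader: https://10.0.0.11:8200'

# Constructed sample: a sealed member; no leader information is printed.
SAMPLE_SEALED='Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Version: 0.6.5

High-Availability Enabled: true
	Mode: sealed'

# leader_host STATUS_TEXT
# Prints the bare leader host (scheme and port stripped) from the "Leader:"
# line, or nothing when there is no such line. Stripping the port is what
# prevents the "host:8200:8200" address that appending ":8200" to the raw URL
# would produce.
leader_host() {
    printf '%s\n' "$1" \
        | awk '$1 == "Leader:" { print $2; exit }' \
        | sed -e 's#^https\{0,1\}://##' -e 's#:[0-9]*$##'
}

# is_sealed STATUS_TEXT
# Exit status 0 when the "Sealed:" line says true, 1 when it says false, and 2
# when the text carries no "Sealed:" line at all (unknown state; a caller
# should treat that as a failure rather than as "unsealed").
is_sealed() {
    local value
    value=$(printf '%s\n' "$1" | awk '$1 == "Sealed:" { print $2; exit }')
    case "$value" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     return 2 ;;
    esac
}

# unseal_progress STATUS_TEXT
# Prints "submitted/threshold", e.g. 0/3, so a caller can tell how many more
# shares are needed; a missing field is shown as "?".
unseal_progress() {
    local progress threshold
    progress=$(printf '%s\n' "$1" | awk '$1 == "Unseal" && $2 == "Progress:" { print $3; exit }')
    threshold=$(printf '%s\n' "$1" | awk '$1 == "Key" && $2 == "Threshold:" { print $3; exit }')
    printf '%s/%s\n' "${progress:-?}" "${threshold:-?}"
}

# Stand-alone demonstration over the constructed samples.
echo "standby leader: $(leader_host "$SAMPLE_STANDBY")"
echo "standby progress: $(unseal_progress "$SAMPLE_STANDBY")"
if is_sealed "$SAMPLE_SEALED"; then echo "sealed sample: sealed"; fi
```

The functions take the status text as an argument rather than running `vault` themselves, so the same parsing can be exercised on captured output from a real node by passing `"$(vault status ...)"`.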
