Deploy a Service Fabric cluster in Azure Stack Hub

Use the Service Fabric Cluster item from the Azure Marketplace to deploy a secured Service Fabric cluster in Azure Stack Hub.

For more information about working with Service Fabric, see Overview of Azure Service Fabric and Service Fabric cluster security scenarios in the Azure documentation.

The Service Fabric cluster in Azure Stack Hub doesn't use the resource provider Microsoft.ServiceFabric. Instead, in Azure Stack Hub, the Service Fabric cluster is a virtual machine scale set with preinstalled software that is configured using Desired State Configuration (DSC).

Prerequisites

The following are required to deploy the Service Fabric cluster:

  1. Cluster certificate
    This is the X.509 server certificate you add to Key Vault when deploying Service Fabric.

    • The CN on this cert must match the Fully Qualified Domain Name (FQDN) of the Service Fabric cluster you create.

    • The certificate format must be PFX, as both the public and private keys are required. See requirements for creating this server-side cert.

      Note

      You can use a self-signed certificate in place of the X.509 server certificate for test purposes. Self-signed certificates do not need to match the FQDN of the cluster.

  2. Admin Client certificate
    This is the certificate that the client uses to authenticate to the Service Fabric cluster; it can be self-signed. See requirements for creating this client cert.

  3. The following items must be available in the Azure Stack Hub Marketplace:

    • Windows Server 2016 - The template uses the Windows Server 2016 image to create the cluster.
    • Custom Script Extension - Virtual Machine Extension from Microsoft.
    • PowerShell Desired State Configuration - Virtual Machine Extension from Microsoft.

Add a secret to Key Vault

To deploy a Service Fabric cluster, you must specify the correct Key Vault Secret Identifier or URL for the Service Fabric cluster. The Azure Resource Manager template takes a Key Vault as input. The template then retrieves the Cluster certificate from that vault when installing the Service Fabric cluster.

Important

You must use PowerShell to add a secret to Key Vault for use with Service Fabric. Do not use the portal.

Use the following script to create the Key Vault and add the cluster certificate to it. (See the prerequisites.) Before you run the script, review the sample script and update the indicated parameters to match your environment. This script will also output the values you need to provide to the Azure Resource Manager template.

Tip

Before the script can succeed, there must be a public offer that includes the services for Compute, Network, Storage, and Key Vault.

  function Get-ThumbprintFromPfx($PfxFilePath, $Password)
  {
      # Despite the name, this returns the X509Certificate2 object loaded from the PFX;
      # the caller reads .Thumbprint from it.
      return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFilePath, $Password)
  }

  function Publish-SecretToKeyVault ($PfxFilePath, $Password, $KeyVaultName)
  {
      $keyVaultSecretName = "ClusterCertificate"
      $certContentInBytes = [io.file]::ReadAllBytes($PfxFilePath)
      $pfxAsBase64EncodedString = [System.Convert]::ToBase64String($certContentInBytes)

      # The secret is a base64-encoded JSON envelope carrying the PFX bytes and the PFX password.
      $jsonObject = ConvertTo-Json -Depth 10 ([pscustomobject]@{
          data     = $pfxAsBase64EncodedString
          dataType = 'pfx'
          password = $Password
      })

      $jsonObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
      $jsonEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)
      $secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
      $keyVaultSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $keyVaultSecretName -SecretValue $secret

      $pfxCertObject = Get-ThumbprintFromPfx -PfxFilePath $PfxFilePath -Password $Password

      # These three values are the ones the Azure Resource Manager template asks for.
      Write-Host "KeyVault id: " -ForegroundColor Green
      (Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId

      Write-Host "Secret Id: " -ForegroundColor Green
      (Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $keyVaultSecretName).id

      Write-Host "Cluster Certificate Thumbprint: " -ForegroundColor Green
      $pfxCertObject.Thumbprint
  }

  #========================== CHANGE THESE VALUES ===============================
  $armEndpoint = "https://management.local.azurestack.external"
  $tenantId = "your_tenant_ID"
  $location = "local"
  $clusterCertPfxPath = "Your_path_to_ClusterCert.pfx"
  $clusterCertPfxPassword = "Your_password_for_ClusterCert.pfx"
  #==============================================================================

  Add-AzureRmEnvironment -Name AzureStack -ARMEndpoint $armEndpoint
  Login-AzureRmAccount -Environment AzureStack -TenantId $tenantId

  $rgName = "sfvaultrg"
  Write-Host "Creating Resource Group..." -ForegroundColor Yellow
  New-AzureRmResourceGroup -Name $rgName -Location $location

  Write-Host "Creating Key Vault..." -ForegroundColor Yellow
  $Vault = New-AzureRmKeyVault -VaultName sfvault -ResourceGroupName $rgName -Location $location -EnabledForTemplateDeployment -EnabledForDeployment -EnabledForDiskEncryption

  Write-Host "Publishing certificate to Vault..." -ForegroundColor Yellow
  Publish-SecretToKeyVault -PfxFilePath $clusterCertPfxPath -Password $clusterCertPfxPassword -KeyVaultName $Vault.VaultName

For more information, see Manage Key Vault on Azure Stack Hub with PowerShell.
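The script above stores the PFX in Key Vault as a base64-encoded JSON envelope (data, dataType, password), and the template later unpacks it to obtain the cluster certificate. The following is an added example, not part of the original article: it rebuilds that envelope locally, decodes it again, and checks the embedded certificate against the prerequisites (private key present, CN equal to the cluster FQDN, currently valid) before anything is published to a vault. It assumes Windows PowerShell 5.1 with the PKI module (New-SelfSignedCertificate); the FQDN, password and file path are constructed sample values, and the function names are this example's own.

```powershell
# Added example (not from the original article). Round-trips the Key Vault PFX envelope
# and validates the cluster certificate against the article's prerequisites.
# Assumes Windows PowerShell 5.1 with the PKI module (New-SelfSignedCertificate).

$clusterFqdn = "sfcluster.local.cloudapp.azurestack.external"   # constructed sample value
$pfxPassword = "Constructed-Sample-Passw0rd"                     # constructed sample value
$pfxPath     = Join-Path $env:TEMP "ClusterCert-sample.pfx"      # constructed sample path

# Create a throwaway self-signed test certificate whose CN is the cluster FQDN
# (the article permits self-signed certificates for test deployments).
$testCert  = New-SelfSignedCertificate -DnsName $clusterFqdn -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable
$securePwd = ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $testCert -FilePath $pfxPath -Password $securePwd | Out-Null

function ConvertTo-KeyVaultPfxSecret ($PfxFilePath, $Password) {
    # Same shape as the article's Publish-SecretToKeyVault:
    # base64( JSON { data = <base64 PFX>, dataType = 'pfx', password = <PFX password> } )
    $pfxBase64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($PfxFilePath))
    $json = ConvertTo-Json -Depth 10 ([pscustomobject]@{
        data     = $pfxBase64
        dataType = 'pfx'
        password = $Password
    })
    return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($json))
}

function ConvertFrom-KeyVaultPfxSecret ($SecretValue) {
    # Reverse the envelope and return an X509Certificate2 that carries the private key.
    $json     = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SecretValue))
    $envelope = $json | ConvertFrom-Json
    if ($envelope.dataType -ne 'pfx') { throw "Unexpected dataType '$($envelope.dataType)' in secret" }
    $pfxBytes = [System.Convert]::FromBase64String($envelope.data)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, $envelope.password)
}

function Test-ClusterCertificate ($Certificate, $ExpectedFqdn) {
    # Returns the list of prerequisite violations; an empty list means the certificate is usable.
    $findings = @()
    if (-not $Certificate.HasPrivateKey) {
        $findings += "PFX does not contain the private key (both keys are required)"
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) {
        $findings += "CN '$cn' does not match the cluster FQDN '$ExpectedFqdn'"
    }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $findings += "Certificate is outside its validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }
    return ,$findings   # leading comma keeps an empty array from unrolling to $null
}

$secretValue = ConvertTo-KeyVaultPfxSecret -PfxFilePath $pfxPath -Password $pfxPassword
$decoded     = ConvertFrom-KeyVaultPfxSecret -SecretValue $secretValue
$original    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)

if ($decoded.Thumbprint -ne $original.Thumbprint) { throw "Envelope round trip changed the certificate" }
Write-Host "Cluster Certificate Thumbprint: $($decoded.Thumbprint)" -ForegroundColor Green

$problems = Test-ClusterCertificate -Certificate $decoded -ExpectedFqdn $clusterFqdn
if ($problems.Count -eq 0) {
    Write-Host "Certificate meets the cluster certificate prerequisites" -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}

# Remove the throwaway test material.
Remove-Item -Path $pfxPath -Force
Remove-Item -Path "Cert:\CurrentUser\My\$($testCert.Thumbprint)"
```

Running Test-ClusterCertificate against your real PFX (swap the constructed path and password, and skip the self-signed creation) surfaces a CN/FQDN mismatch or a public-key-only export before the deployment fails for the same reason.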

Deploy the Marketplace item

  1. In the user portal, go to + Create a resource > Compute > Service Fabric Cluster.

  2. For each page, like Basics, fill out the deployment form. Use the defaults if you're not sure of a value.

    For deployments to a disconnected Azure Stack Hub, or to deploy another version of Service Fabric, download the Service Fabric deployment package and its corresponding runtime package and host them on an Azure Stack Hub blob. Provide these values to the Service Fabric deployment package URL and Service Fabric runtime package URL fields.

    Note

    There are compatibility issues between the latest release of Service Fabric and its corresponding SDK. Until that issue is addressed, provide the following parameters to the deployment package URL and runtime package URL. Your deployments will fail otherwise.

    For disconnected deployments, download these packages from the specified location and host them locally on an Azure Stack Hub blob.

  3. On the Network Settings page, you can specify the particular ports to open for your applications.

  4. On the Security page, add the values that you got from creating the Azure Key Vault and uploading the secret.

    For the Admin Client Certificate Thumbprint, enter the thumbprint of the Admin Client certificate. (See the prerequisites.)

    • Source Key Vault: Specify the entire KeyVault id string from the script results.
    • Cluster Certificate URL: Specify the entire URL from the Secret Id in the script results.
    • Cluster Certificate thumbprint: Specify the Cluster Certificate Thumbprint from the script results.
    • Server Certificate URL: If you wish to use a certificate separate from the Cluster certificate, upload that certificate to a key vault and provide the full URL to the secret.
    • Server Certificate thumbprint: Specify the thumbprint for the Server Certificate.
    • Admin Client Certificate Thumbprints: Specify the Admin Client Certificate Thumbprint created in the prerequisites.


  5. Complete the wizard, and then select Create to deploy the Service Fabric Cluster.

Access the Service Fabric Cluster

You can access the Service Fabric cluster by using either Service Fabric Explorer or Service Fabric PowerShell.

Use Service Fabric Explorer

  1. Ensure that the browser has access to your Admin Client certificate and can authenticate to your Service Fabric cluster.

    a. Open Internet Explorer and go to Internet Options > Content > Certificates.

    b. On Certificates, select Import to start the Certificate Import Wizard, and then click Next. On the File to Import page, click Browse and select the Admin Client certificate you provided to the Azure Resource Manager template.

    Note

    This certificate is not the Cluster certificate that was previously added to Key Vault.

    c. Ensure that "Personal Information Exchange" is selected in the extension dropdown of the File Explorer window.

    d. On the Certificate Store page, select Personal, and then complete the wizard.

  2. To find the FQDN of your Service Fabric cluster:

    a. Go to the resource group that is associated with your Service Fabric cluster and locate the Public IP address resource. Select the object associated with the Public IP address to open the Public IP address blade.

    b. On the Public IP address blade, the FQDN is displayed as DNS name.

  3. To find the URL for Service Fabric Explorer and the Client connection endpoint, review the results of the Template deployment.

  4. In your browser, go to https://FQDN:19080, replacing FQDN with the FQDN of your Service Fabric cluster from step 2.
    If you've used a self-signed certificate, you'll get a warning that the connection isn't secure. To continue to the web site, select More Information, and then Go on to the webpage.

  5. To authenticate to the site, you must select a certificate to use. Select More choices, pick the appropriate certificate, and then click OK to connect to Service Fabric Explorer.

Use Service Fabric PowerShell

  1. Install the Azure Service Fabric SDK from Prepare your development environment on Windows in the Azure Service Fabric documentation.

  2. After the installation is complete, configure the system environment variables to ensure that the Service Fabric cmdlets are accessible from PowerShell.

    a. Go to Control Panel > System and Security > System, and then select Advanced system settings.

    b. On the Advanced tab of System Properties, select Environment Variables.

    c. Under System variables, edit Path and make sure that C:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code is at the top of the list of entries.

  3. After changing the order of the environment variables, restart PowerShell and then run the following PowerShell script to gain access to the Service Fabric cluster:

     Connect-ServiceFabricCluster -ConnectionEndpoint "[Service Fabric CLUSTER FQDN]:19000" `
         -X509Credential -ServerCertThumbprint 761A0D17B030723A37AA2E08225CD7EA8BE9F86A `
         -FindType FindByThumbprint -FindValue 0272251171BA32CEC7938A65B8A6A553AA2D3283 `
         -StoreLocation CurrentUser -StoreName My -Verbose


    Note

    There is no https:// before the name of the cluster in the script. Port 19000 is required.
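The connection call fails in non-obvious ways when the admin client certificate is missing from the CurrentUser\My store, when the Fabric.Code directory is not first on PATH, or when the endpoint carries a scheme. The following is an added example, not part of the original article: it runs those three checks and then issues the same Connect-ServiceFabricCluster call as the step above, pinning the server certificate to the cluster certificate thumbprint. It assumes Windows PowerShell 5.1 with the Service Fabric SDK installed; the FQDN is a constructed sample value, the two thumbprints are the article's sample thumbprints, and the helper function names are this example's own.

```powershell
# Added example (not from the original article). Preflight checks for the Service Fabric
# PowerShell connection, followed by the connect call from the step above.
# Assumes Windows PowerShell 5.1 with the Service Fabric SDK installed.

$clusterFqdn          = "sfcluster.local.cloudapp.azurestack.external"   # constructed sample value
$serverCertThumbprint = "761A0D17B030723A37AA2E08225CD7EA8BE9F86A"        # cluster cert thumbprint (article's sample)
$clientCertThumbprint = "0272251171BA32CEC7938A65B8A6A553AA2D3283"        # admin client cert thumbprint (article's sample)
$fabricCodePath       = "C:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code"

function Test-FabricCodeOnPath ($ExpectedPath) {
    # Step 2c: Fabric.Code must be the first PATH entry so the SDK's native binaries are
    # the ones resolved. Checks the PATH of the current process.
    $entries = @(($env:Path -split ';') | Where-Object { $_ -ne '' })
    return ($entries.Count -gt 0 -and $entries[0].TrimEnd('\') -ieq $ExpectedPath.TrimEnd('\'))
}

function Get-ConnectionEndpoint ($Fqdn) {
    # The note above: no https:// in front of the cluster name, and port 19000 is required.
    $hostName = $Fqdn -replace '^https?://', ''
    return "${hostName}:19000"
}

function Get-AdminClientCertificate ($Thumbprint) {
    # Connect-ServiceFabricCluster looks the client certificate up in CurrentUser\My
    # (-StoreLocation CurrentUser -StoreName My); confirm it is there with its private key.
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object { $_.Thumbprint -ieq $Thumbprint }
    if (-not $cert) { throw "Admin client certificate $Thumbprint not found in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Admin client certificate $Thumbprint has no private key; re-import the PFX" }
    return $cert
}

if (-not (Test-FabricCodeOnPath -ExpectedPath $fabricCodePath)) {
    Write-Warning "Fabric.Code is not the first PATH entry; fix step 2c and restart PowerShell."
}
if (-not (Get-Command Connect-ServiceFabricCluster -ErrorAction SilentlyContinue)) {
    throw "Service Fabric cmdlets are not available; install the SDK (step 1)."
}

$clientCert = Get-AdminClientCertificate -Thumbprint $clientCertThumbprint
$endpoint   = Get-ConnectionEndpoint -Fqdn $clusterFqdn

# Same call as the article's step, with the server certificate pinned to the cluster
# certificate thumbprint and the client certificate selected by thumbprint.
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
    -X509Credential -ServerCertThumbprint $serverCertThumbprint `
    -FindType FindByThumbprint -FindValue $clientCert.Thumbprint `
    -StoreLocation CurrentUser -StoreName My -Verbose

# A successful mutual-TLS connection is confirmed by being able to read cluster health.
Get-ServiceFabricClusterHealth | Select-Object AggregatedHealthState
```

Keeping -ServerCertThumbprint set to the cluster certificate's thumbprint is what stops the client from completing a connection to an endpoint that presents a different certificate, which matters most for test clusters deployed with self-signed certificates.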

Next steps

Deploy Kubernetes to Azure Stack Hub