Configure repository credentials for your application to download container images

Configure container registry authentication by adding RepositoryCredentials to the ContainerHostPolicies section of your application manifest. Add the account and password for your container registry (myregistry.azurecr.cn in the example below), which allows the service to download the container image from the repository.

<ServiceManifestImport>
    ...
    <Policies>
        <ContainerHostPolicies CodePackageRef="Code">
            <RepositoryCredentials AccountName="myregistry" Password="=P==/==/=8=/=+u4lyOB=+=nWzEeRfF=" PasswordEncrypted="false"/>
            <PortBinding ContainerPort="80" EndpointRef="Guest1TypeEndpoint"/>
        </ContainerHostPolicies>
    </Policies>
    ...
</ServiceManifestImport>

It is recommended that you encrypt the repository password by using an encipherment certificate that is deployed to all nodes of the cluster. When Service Fabric deploys the service package to the cluster, the encipherment certificate is used to decrypt the cipher text. The Invoke-ServiceFabricEncryptText cmdlet is used to create the cipher text for the password, which is then added to the ApplicationManifest.xml file. See Secret Management for more on certificates and encryption semantics.

Configure cluster-wide credentials

Service Fabric allows you to configure cluster-wide credentials, which applications can use as their default repository credentials.

This feature can be enabled or disabled by adding the UseDefaultRepositoryCredentials attribute to ContainerHostPolicies in ApplicationManifest.xml with a value of true or false.

<ServiceManifestImport>
    ...
    <Policies>
        <ContainerHostPolicies CodePackageRef="Code" UseDefaultRepositoryCredentials="true">
            <PortBinding ContainerPort="80" EndpointRef="Guest1TypeEndpoint"/>
        </ContainerHostPolicies>
    </Policies>
    ...
</ServiceManifestImport>

Service Fabric then uses the default repository credentials, which can be specified in the ClusterManifest under the Hosting section. If UseDefaultRepositoryCredentials is true, Service Fabric reads the following values from the ClusterManifest:

  • DefaultContainerRepositoryAccountName (string)
  • DefaultContainerRepositoryPassword (string)
  • IsDefaultContainerRepositoryPasswordEncrypted (bool)
  • DefaultContainerRepositoryPasswordType (string)

Here is an example of what can be added inside the Hosting section of the ClusterManifestTemplate.json file. The Hosting section can be added at cluster creation or later in a configuration upgrade. For more information, see Change Azure Service Fabric cluster settings and Manage Azure Service Fabric application secrets.

"fabricSettings": [
    ...,
    {
        "name": "Hosting",
        "parameters": [
            {
                "name": "EndpointProviderEnabled",
                "value": "true"
            },
            {
                "name": "DefaultContainerRepositoryAccountName",
                "value": "someusername"
            },
            {
                "name": "DefaultContainerRepositoryPassword",
                "value": "somepassword"
            },
            {
                "name": "IsDefaultContainerRepositoryPasswordEncrypted",
                "value": "false"
            },
            {
                "name": "DefaultContainerRepositoryPasswordType",
                "value": "PlainText"
            }
        ]
    }
]

Use tokens as registry credentials

Service Fabric supports using tokens as credentials to download images for your containers. This feature leverages the managed identity of the underlying virtual machine scale set to authenticate to the registry, eliminating the need to manage user credentials. See Managed identities for Azure resources for more information. Using this feature requires the following steps:

  1. Ensure that System Assigned Managed Identity is enabled for the VM.

    (Screenshot: Azure portal, the Identity option when creating a virtual machine scale set)

Note

For a user-assigned managed identity, skip this step. The remaining steps below work the same, as long as the scale set is associated with only a single user-assigned managed identity.

  2. Grant the virtual machine scale set permission to pull/read images from the registry. From the Access Control (IAM) blade of your Azure Container Registry in the Azure portal, add a role assignment for your virtual machine:

    (Screenshot: adding the VM principal to the ACR)

  3. Next, modify your application manifest. In the ContainerHostPolicies section, add the attribute UseTokenAuthenticationCredentials="true".

      <ServiceManifestImport>
          <ServiceManifestRef ServiceManifestName="NodeServicePackage" ServiceManifestVersion="1.0"/>
          <Policies>
              <ContainerHostPolicies CodePackageRef="NodeService.Code" Isolation="process" UseTokenAuthenticationCredentials="true">
                  <PortBinding ContainerPort="8905" EndpointRef="Endpoint1"/>
              </ContainerHostPolicies>
              <ResourceGovernancePolicy CodePackageRef="NodeService.Code" MemoryInMB="256"/>
          </Policies>
      </ServiceManifestImport>


    Note

    Setting the flag UseDefaultRepositoryCredentials to true while UseTokenAuthenticationCredentials is also true causes an error during deployment.
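As an added example that is not part of the original article or of the Service Fabric tooling, the following Python script lints the credential settings discussed in this article before a deployment: it flags a RepositoryCredentials password left in plain text (the article recommends encrypting it with the cluster's encipherment certificate), a Hosting section whose DefaultContainerRepositoryPassword is plain text, and the UseDefaultRepositoryCredentials/UseTokenAuthenticationCredentials conflict that causes a deployment error. The sample manifest fragments and cluster settings are constructed inline with dummy values; the element, attribute and parameter names are the ones on this page, and the parser ignores any XML namespace so it works on fragments with or without an xmlns declaration. Findings report account names only, never the password value itself.

```python
"""Lint Service Fabric container registry credential settings.

Added example, not part of the Service Fabric SDK. Checks an
ApplicationManifest.xml (or ServiceManifestImport fragment) and a
ClusterManifestTemplate.json-style fabricSettings document.
"""
import json
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace ('{ns}Name' -> 'Name') so the checks work
    whether or not the manifest declares the Service Fabric namespace."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    """Service Fabric manifest booleans are the strings 'true' / 'false'."""
    return (value or "").strip().lower() == "true"


def lint_application_manifest(xml_text):
    """Return a list of (level, message) findings for every
    ContainerHostPolicies element in the manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    for policies in root.iter():
        if _local(policies.tag) != "ContainerHostPolicies":
            continue
        code_pkg = policies.get("CodePackageRef", "?")
        use_default = _is_true(policies.get("UseDefaultRepositoryCredentials"))
        use_token = _is_true(policies.get("UseTokenAuthenticationCredentials"))
        # The article states this combination fails at deployment time.
        if use_default and use_token:
            findings.append(("ERROR", f"{code_pkg}: UseDefaultRepositoryCredentials and "
                             "UseTokenAuthenticationCredentials are both true; "
                             "deployment will fail"))
        for child in policies:
            if _local(child.tag) != "RepositoryCredentials":
                continue
            account = child.get("AccountName", "?")
            # A password with PasswordEncrypted absent or not 'true' is stored in clear.
            if child.get("Password") and not _is_true(child.get("PasswordEncrypted")):
                findings.append(("WARN", f"{code_pkg}: repository password for account "
                                 f"'{account}' is plain text; encrypt it with the "
                                 "cluster's encipherment certificate"))
    return findings


def lint_cluster_settings(json_text):
    """Check the Hosting section of a fabricSettings array for a plain-text
    default repository password."""
    findings = []
    settings = json.loads(json_text)
    for section in settings.get("fabricSettings", []):
        if section.get("name") != "Hosting":
            continue
        params = {p["name"]: p.get("value") for p in section.get("parameters", [])}
        if not params.get("DefaultContainerRepositoryPassword"):
            continue
        encrypted = _is_true(params.get("IsDefaultContainerRepositoryPasswordEncrypted"))
        pw_type = params.get("DefaultContainerRepositoryPasswordType", "PlainText")
        if not encrypted or pw_type == "PlainText":
            account = params.get("DefaultContainerRepositoryAccountName", "?")
            findings.append(("WARN", "Hosting: DefaultContainerRepositoryPassword for "
                             f"account '{account}' is plain text"))
    return findings


# Constructed sample inputs (dummy values, not real credentials).
APP_MANIFEST_PLAINTEXT = """<ServiceManifestImport>
  <Policies>
    <ContainerHostPolicies CodePackageRef="Code">
      <RepositoryCredentials AccountName="myregistry" Password="dummy-password" PasswordEncrypted="false"/>
      <PortBinding ContainerPort="80" EndpointRef="Guest1TypeEndpoint"/>
    </ContainerHostPolicies>
  </Policies>
</ServiceManifestImport>"""

APP_MANIFEST_CONFLICT = """<ServiceManifestImport>
  <Policies>
    <ContainerHostPolicies CodePackageRef="NodeService.Code"
                           UseDefaultRepositoryCredentials="true"
                           UseTokenAuthenticationCredentials="true">
      <PortBinding ContainerPort="8905" EndpointRef="Endpoint1"/>
    </ContainerHostPolicies>
  </Policies>
</ServiceManifestImport>"""

APP_MANIFEST_TOKEN = """<ServiceManifestImport>
  <Policies>
    <ContainerHostPolicies CodePackageRef="NodeService.Code" UseTokenAuthenticationCredentials="true">
      <PortBinding ContainerPort="8905" EndpointRef="Endpoint1"/>
    </ContainerHostPolicies>
  </Policies>
</ServiceManifestImport>"""

CLUSTER_SETTINGS = """{
  "fabricSettings": [
    {
      "name": "Hosting",
      "parameters": [
        {"name": "EndpointProviderEnabled", "value": "true"},
        {"name": "DefaultContainerRepositoryAccountName", "value": "someusername"},
        {"name": "DefaultContainerRepositoryPassword", "value": "somepassword"},
        {"name": "IsDefaultContainerRepositoryPasswordEncrypted", "value": "false"},
        {"name": "DefaultContainerRepositoryPasswordType", "value": "PlainText"}
      ]
    }
  ]
}"""

if __name__ == "__main__":
    for label, fn, text in [
        ("plaintext manifest", lint_application_manifest, APP_MANIFEST_PLAINTEXT),
        ("conflicting manifest", lint_application_manifest, APP_MANIFEST_CONFLICT),
        ("token-auth manifest", lint_application_manifest, APP_MANIFEST_TOKEN),
        ("cluster settings", lint_cluster_settings, CLUSTER_SETTINGS),
    ]:
        for level, msg in fn(text) or [("OK", "no findings")]:
            print(f"[{level}] {label}: {msg}")
```

Run it against your own ApplicationManifest.xml and cluster template in a pre-deployment pipeline step; treating any ERROR as a failed build catches the flag conflict before Service Fabric rejects the package, and the WARN findings point at secrets that should go through Invoke-ServiceFabricEncryptText first.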

Next steps