Configure an existing Azure Service Fabric cluster to enable Managed Identity support (preview)

In order to access the managed identity feature for Azure Service Fabric applications, you must first enable the Managed Identity Token Service on the cluster. This system service authenticates Service Fabric applications using their managed identities and obtains Azure AD access tokens on their behalf. Once the service is enabled, you can see it in Service Fabric Explorer under the System section in the left pane, running under the name fabric:/System/ManagedIdentityTokenService.

Note

Service Fabric runtime version 6.5.658.9590 or higher is required to enable the Managed Identity Token Service.

You can find the Service Fabric version of a cluster in the Azure portal by opening the cluster resource and checking the Service Fabric version property in the Essentials section.

If the cluster uses Manual upgrade mode, you will need to upgrade it to 6.5.658.9590 or later first.

Enable the Managed Identity Token Service in an existing cluster

To enable the Managed Identity Token Service in an existing cluster, you will need to initiate a cluster upgrade that specifies two changes: enabling the Managed Identity Token Service, and requesting a restart of each node. To do so, add the following two snippets to the properties of the cluster resource (Microsoft.ServiceFabric/clusters) in the Azure Resource Manager template. If the template already contains a fabricSettings array, add the ManagedIdentityTokenService section to that array rather than introducing a second one:

"fabricSettings": [
    {
        "name": "ManagedIdentityTokenService",
        "parameters": [
            {
                "name": "IsEnabled",
                "value": "true"
            }
        ]
    }
]

In order for the changes to take effect, you will also need to change the upgrade policy to specify a forceful restart of the Service Fabric runtime on each node as the upgrade progresses through the cluster. This restart ensures that the newly enabled system service is started and running on each node. In the snippet below, forceRestart is the essential setting; keep your existing values for the remaining settings.

"upgradeDescription": {
    "forceRestart": true,
    "healthCheckRetryTimeout": "00:45:00",
    "healthCheckStableDuration": "00:05:00",
    "healthCheckWaitDuration": "00:05:00",
    "upgradeDomainTimeout": "02:00:00",
    "upgradeReplicaSetCheckTimeout": "1.00:00:00",
    "upgradeTimeout": "12:00:00"
}

Note

Upon the successful completion of the upgrade, do not forget to set forceRestart back to false. Left at true, every subsequent configuration upgrade would restart the runtime on every node, which is unnecessary disruption once the service is running.

Errors and troubleshooting

If the deployment fails with the following message, the cluster is not running a Service Fabric version that is high enough, and the runtime must be upgraded before the section is accepted:

{
    "code": "ParameterNotAllowed",
    "message": "Section 'ManagedIdentityTokenService' and Parameter 'IsEnabled' is not allowed."
}
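The procedure above (add the ManagedIdentityTokenService section, set forceRestart, roll forceRestart back after the upgrade) and the version error in this section can be scripted against the template before it is deployed. The following is an added example and not code from the original page or from Service Fabric itself: it patches an ARM template in memory, merging into any fabricSettings and upgradeDescription already present rather than overwriting them, checks whether a runtime version meets the 6.5.658.9590 minimum, and recognizes the ParameterNotAllowed error body. The function names and the sample template (cluster name, apiVersion, the existing Security section) are constructed for illustration.

```python
"""Patch a Service Fabric cluster ARM template to enable the Managed Identity
Token Service. Added example; helper names and SAMPLE_TEMPLATE are constructed."""
import copy
import json

MIN_RUNTIME = "6.5.658.9590"          # lowest runtime that accepts the section
CLUSTER_TYPE = "Microsoft.ServiceFabric/clusters"

# Constructed sample: a cluster resource that already carries a fabricSettings
# section and an upgradeDescription, as a real template normally does.
SAMPLE_TEMPLATE = {
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": CLUSTER_TYPE,
        "apiVersion": "2018-02-01",
        "name": "mycluster",
        "properties": {
            "upgradeMode": "Manual",
            "clusterCodeVersion": "6.5.658.9590",
            "fabricSettings": [
                {"name": "Security",
                 "parameters": [{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}
            ],
            "upgradeDescription": {
                "forceRestart": False,
                "healthCheckRetryTimeout": "00:45:00",
                "healthCheckStableDuration": "00:05:00",
                "healthCheckWaitDuration": "00:05:00",
                "upgradeDomainTimeout": "02:00:00",
                "upgradeReplicaSetCheckTimeout": "1.00:00:00",
                "upgradeTimeout": "12:00:00",
            },
        },
    }],
}


def parse_version(version):
    """Turn '6.5.658.9590' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def runtime_supports_mits(version):
    """True if this runtime version accepts the ManagedIdentityTokenService section."""
    return parse_version(version) >= parse_version(MIN_RUNTIME)


def _cluster_resources(template):
    return [r for r in template.get("resources", []) if r.get("type") == CLUSTER_TYPE]


def _find(items, name):
    """First element of a Service Fabric settings/parameters list with this name."""
    return next((i for i in items if i.get("name") == name), None)


def enable_managed_identity_token_service(template):
    """Return a copy with IsEnabled=true under ManagedIdentityTokenService and
    forceRestart=true, merging into existing fabricSettings/upgradeDescription."""
    patched = copy.deepcopy(template)
    for resource in _cluster_resources(patched):
        props = resource.setdefault("properties", {})
        settings = props.setdefault("fabricSettings", [])
        section = _find(settings, "ManagedIdentityTokenService")
        if section is None:
            section = {"name": "ManagedIdentityTokenService", "parameters": []}
            settings.append(section)
        params = section.setdefault("parameters", [])
        param = _find(params, "IsEnabled")
        if param is None:
            params.append({"name": "IsEnabled", "value": "true"})
        else:
            param["value"] = "true"
        # The new system service only starts on a node once the runtime restarts.
        props.setdefault("upgradeDescription", {})["forceRestart"] = True
    return patched


def rollback_force_restart(template):
    """After the upgrade succeeds, turn forceRestart off again so later
    configuration upgrades do not restart every node."""
    patched = copy.deepcopy(template)
    for resource in _cluster_resources(patched):
        upgrade = resource.get("properties", {}).get("upgradeDescription")
        if upgrade is not None:
            upgrade["forceRestart"] = False
    return patched


def mits_enabled(template):
    """True if every cluster resource in the template enables the token service."""
    resources = _cluster_resources(template)
    for resource in resources:
        settings = resource.get("properties", {}).get("fabricSettings", [])
        section = _find(settings, "ManagedIdentityTokenService")
        param = _find(section.get("parameters", []), "IsEnabled") if section else None
        if param is None or str(param.get("value")).lower() != "true":
            return False
    return bool(resources)


def is_runtime_too_old_error(error):
    """Recognize the deployment error body shown in the troubleshooting section."""
    return (error.get("code") == "ParameterNotAllowed"
            and "ManagedIdentityTokenService" in error.get("message", ""))


if __name__ == "__main__":
    print(json.dumps(enable_managed_identity_token_service(SAMPLE_TEMPLATE), indent=2))
```

Run the script to see the patched template; deploy that output for the enabling upgrade, then deploy the result of rollback_force_restart on the same template once the upgrade has completed. Gate the deployment on runtime_supports_mits with the version read from the portal so the ParameterNotAllowed failure is caught before the template is submitted.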

Next steps