Add an application certificate to a Service Fabric cluster

This sample script walks through how to create a certificate in Key Vault and then deploy it to one of the virtual machine scale sets your cluster runs on. The scenario does not use Service Fabric directly; it depends only on Key Vault and on virtual machine scale sets, and the certificate lands in the node's local machine certificate store where an application hosted on that node type can read it.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If needed, install Azure PowerShell using the instructions in the Azure PowerShell guide, then run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure (the -Environment parameter targets the Azure China cloud; omit it for the global Azure cloud).

Create a certificate in Key Vault

Connect-AzAccount -Environment AzureChinaCloud

$VaultName = ""          # name of an existing Key Vault you can write certificates to
$CertName = ""           # name the certificate will have inside the vault
$SubjectName = "CN="     # for example "CN=myapp.contoso.com"; must be a valid X.500 name

# Self-signed, valid for one year. For a production certificate replace
# -IssuerName Self with an issuer configured in the vault.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy

Or upload an existing certificate into Key Vault

$VaultName= ""
$CertName= ""
$CertPassword= ""        # password protecting the private key in the PFX
$PathToPFX= ""           # local path to the .pfx file

# Loading the PFX first fails fast if the path or password is wrong, before anything is uploaded
$Cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $PathToPFX, $CertPassword

# The scale set expects the secret value to be a base64-encoded JSON document
# containing the base64 PFX, its type and its password.
$bytes = [System.IO.File]::ReadAllBytes($PathToPFX)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
   data = $base64
   dataType = 'pfx'
   password = $CertPassword
   } | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)

$SecretValue = ConvertTo-SecureString -String $content -AsPlainText -Force

# Upload the certificate to the key vault as a secret. Note that the PFX password is
# stored inside the secret value, so anyone with secret read access to the vault
# can recover the private key.
$Secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -SecretValue $SecretValue
# $Secret.Id is the versioned secret URL used in the next section

Update the virtual machine scale set profile with the certificate

$ResourceGroupName = ""
$VMSSName = ""
$CertStore = "My" # Update this with the store you want your certificate placed in, this is LocalMachine\My

# .SecretId is the versioned secret URL behind a certificate created with Add-AzKeyVaultCertificate.
# If you uploaded a PFX as a plain secret in the previous section, there is no certificate object to query;
# use (Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName).Id instead.
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).SecretId -CertificateStore $CertStore
$VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName

# If this Key Vault is already known by the virtual machine scale set, for example if the cluster certificate is deployed
# from this vault, append to that vault's entry. Index 0 is only correct if the first entry really is this vault; confirm with
# $VMSS.VirtualMachineProfile.OsProfile.Secrets[0].SourceVault.Id before adding.
$VMSS.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($CertConfig)

# Otherwise add a new vault entry (Add-AzVmssSecret returns the updated in-memory model)
$VMSS = Add-AzVmssSecret -VirtualMachineScaleSet $VMSS -SourceVaultId (Get-AzKeyVault -VaultName $VaultName).ResourceId  -VaultCertificate $CertConfig

Update the virtual machine scale set

Update-AzVmss -ResourceGroupName $ResourceGroupName -VirtualMachineScaleSet $VMSS -VMScaleSetName $VMSSName

Note

If you would like the certificate placed on multiple node types in your cluster, repeat the second and third parts of this script (updating the profile and updating the scale set) for each node type that should have the certificate, since each node type is backed by its own virtual machine scale set.
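The following is an added example that is not part of the original article or of the Service Fabric samples. It carries the whole procedure above to its end for several node types at once: it resolves the secret URL whether the certificate was created in the vault or uploaded as a PFX secret, attaches the certificate to an existing vault entry by matching the vault resource ID rather than assuming index 0, skips node types that already carry the certificate, and checks the deployed model after each update. The resource group, vault, certificate and scale set names are placeholders.

```powershell
# Added example (not from the original article). All names below are placeholders.
$ResourceGroupName = "sf-rg"
$VaultName         = "sf-kv"
$CertName          = "myapp-cert"
$CertStore         = "My"                 # LocalMachine\My on Windows nodes
$NodeTypeVmss      = @("nt0", "nt1")      # one scale set per node type (assumed names)

# Add-AzKeyVaultCertificate creates a certificate object (use .SecretId);
# the JSON-blob upload creates a plain secret (use .Id). Handle both.
function Get-VaultCertificateUrl {
    param([string]$Vault, [string]$Name)
    $cert = Get-AzKeyVaultCertificate -VaultName $Vault -Name $Name -ErrorAction SilentlyContinue
    if ($cert) { return $cert.SecretId }
    $secret = Get-AzKeyVaultSecret -VaultName $Vault -Name $Name -ErrorAction Stop
    return $secret.Id
}

# Attach the certificate to the scale set model in memory. Match the vault by
# resource ID so the certificate is never appended to a different vault's entry.
function Add-VaultCertificateToModel {
    param($Vmss, [string]$VaultId, $CertConfig)
    $existing = $Vmss.VirtualMachineProfile.OsProfile.Secrets |
        Where-Object { $_.SourceVault.Id -eq $VaultId } |
        Select-Object -First 1
    if ($existing) {
        # Idempotent: an identical secret URL is already deployed, nothing to do.
        if ($existing.VaultCertificates.CertificateUrl -contains $CertConfig.CertificateUrl) {
            return $Vmss
        }
        $existing.VaultCertificates.Add($CertConfig)
        return $Vmss
    }
    return Add-AzVmssSecret -VirtualMachineScaleSet $Vmss -SourceVaultId $VaultId -VaultCertificate $CertConfig
}

# Re-read the scale set after the update and confirm the certificate URL is in its model.
function Test-VaultCertificateDeployed {
    param([string]$ResourceGroup, [string]$VmssName, [string]$CertUrl)
    $vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName
    $urls = $vmss.VirtualMachineProfile.OsProfile.Secrets |
        ForEach-Object { $_.VaultCertificates } |
        ForEach-Object { $_.CertificateUrl }
    return ($urls -contains $CertUrl)
}

$VaultId    = (Get-AzKeyVault -VaultName $VaultName).ResourceId
$CertUrl    = Get-VaultCertificateUrl -Vault $VaultName -Name $CertName
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl $CertUrl -CertificateStore $CertStore

foreach ($VMSSName in $NodeTypeVmss) {
    $VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName
    $VMSS = Add-VaultCertificateToModel -Vmss $VMSS -VaultId $VaultId -CertConfig $CertConfig
    Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName -VirtualMachineScaleSet $VMSS | Out-Null

    if (-not (Test-VaultCertificateDeployed -ResourceGroup $ResourceGroupName -VmssName $VMSSName -CertUrl $CertUrl)) {
        throw "Certificate $CertUrl is missing from scale set $VMSSName after the update"
    }
    Write-Host "Certificate deployed to node type scale set $VMSSName"
}
```

Because the certificate URL is versioned, rotating the certificate in Key Vault does not change what is on the nodes; rerunning this script with the new version's URL adds the new certificate alongside the old one, and the old entry should be removed from the model once the application has switched over.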

Script explanation

This script uses the following commands. Each command in the table links to command-specific documentation.

Command                          Notes
New-AzKeyVaultCertificatePolicy  Creates an in-memory policy representing the certificate
Add-AzKeyVaultCertificate        Deploys the policy to Key Vault
New-AzVmssVaultCertificateConfig Creates an in-memory config representing the certificate in a VM
Get-AzVmss                       Retrieves the current definition of the virtual machine scale set
Add-AzVmssSecret                 Adds the certificate to the in-memory definition of the virtual machine scale set
Update-AzVmss                    Deploys the new definition of the virtual machine scale set

Next steps

For more information on the Azure PowerShell module, see the Azure PowerShell documentation.

Additional Azure PowerShell samples for Azure Service Fabric can be found in the Azure PowerShell samples.