Central Secrets Store in Azure Service Fabric

This article describes how to use Central Secrets Store (CSS) in Azure Service Fabric to create secrets in Service Fabric applications. CSS is a local secret store cache that keeps sensitive data, such as passwords, tokens, and keys, encrypted in memory.

Enable Central Secrets Store

Add the following settings to your cluster configuration under fabricSettings to enable CSS. We recommend that you use a certificate other than the cluster certificate for CSS. Make sure the encryption certificate is installed on all nodes and that NetworkService has read permission to the certificate's private key.

"fabricSettings": 
[
    ...
    {
        "name":  "CentralSecretService",
        "parameters":  [         
            {
                "name":  "IsEnabled",
                "value":  "true"
            },
            {
                "name":  "MinReplicaSetSize",
                "value":  "3"
            },
            {
                "name":  "TargetReplicaSetSize",
                "value":  "3"
            },
            {
                "name" : "EncryptionCertificateThumbprint",
                "value": "<thumbprint>"
            }
         ]
    }
    ...
]

Declare a secret resource

You can create a secret resource by using either an Azure Resource Manager template or the REST API.

Use Resource Manager

Use the following Resource Manager template to create the secret resource. The template creates a secret resource named supersecret, but no value is set for the secret resource yet.

"resources": [
    {
        "apiVersion": "2018-07-01-preview",
        "name": "supersecret",
        "type": "Microsoft.ServiceFabricMesh/secrets",
        "location": "[parameters('location')]",
        "dependsOn": [],
        "properties": {
            "kind": "inlinedValue",
            "description": "Application Secret",
            "contentType": "text/plain"
        }
    }
]

Use the REST API

To create the supersecret secret resource by using the REST API, make a PUT request to https://<clusterfqdn>:19080/Resources/Secrets/supersecret?api-version=6.4-preview. You need the cluster certificate or an admin client certificate to create a secret resource.

Invoke-WebRequest  -Uri https://<clusterfqdn>:19080/Resources/Secrets/supersecret?api-version=6.4-preview -Method PUT -CertificateThumbprint <CertThumbprint>

Set the secret value

Use the Resource Manager template

Use the following Resource Manager template to create the secret resource and set its value. This template sets the secret value for the supersecret secret resource as version ver1.

{
  "parameters": {
    "supersecret": {
      "type": "string",
      "metadata": {
        "description": "supersecret value"
      }
    }
  },
  "resources": [
    {
      "apiVersion": "2018-07-01-preview",
      "name": "supersecret",
      "type": "Microsoft.ServiceFabricMesh/secrets",
      "location": "[parameters('location')]",
      "dependsOn": [],
      "properties": {
        "kind": "inlinedValue",
        "description": "Application Secret",
        "contentType": "text/plain"
      }
    },
    {
      "apiVersion": "2018-07-01-preview",
      "name": "supersecret/ver1",
      "type": "Microsoft.ServiceFabricMesh/secrets/values",
      "location": "[parameters('location')]",
      "dependsOn": [
        "Microsoft.ServiceFabricMesh/secrets/supersecret"
      ],
      "properties": {
        "value": "[parameters('supersecret')]"
      }
    }
  ]
}

Use the REST API

Use the following script to set the secret value through the REST API.

# The request body must be JSON, so build the hashtable in PowerShell syntax and convert it.
$Body = @{ properties = @{ value = "mysecretpassword" } } | ConvertTo-Json
Invoke-WebRequest -Uri "https://<clusterfqdn>:19080/Resources/Secrets/supersecret/values/ver1?api-version=6.4-preview" -Method PUT -Body $Body -ContentType "application/json" -CertificateThumbprint <ClusterCertThumbprint>

Use the secret in your application

Follow these steps to use the secret in your Service Fabric application.

  1. Add a section to the settings.xml file with the following snippet. Note that the value is in the format {secretname:version}.

     <Section Name="testsecrets">
       <Parameter Name="TopSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/>
     </Section>
    
  2. Import the section in ApplicationManifest.xml.

     <ServiceManifestImport>
       <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
       <ConfigOverrides />
       <Policies>
         <ConfigPackagePolicies CodePackageRef="Code">
           <ConfigPackage Name="Config" SectionName="testsecrets" EnvironmentVariableName="SecretPath" />
         </ConfigPackagePolicies>
       </Policies>
     </ServiceManifestImport>
    

    The environment variable SecretPath points to the directory where all secrets are stored. Each parameter listed under the testsecrets section is stored in a separate file, named after the parameter. The application can now read the secret as follows:

    // C#: the file for the TopSecret parameter lives inside the SecretPath directory.
    string secretValue = File.ReadAllText(Path.Combine(Environment.GetEnvironmentVariable("SecretPath"), "TopSecret"));
    
  3. Mount the secrets to a container. The only change required to make the secrets available inside the container is to specify a mount point in <ConfigPackage>. The following snippet is the modified ApplicationManifest.xml.

     <ServiceManifestImport>
       <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
       <ConfigOverrides />
       <Policies>
         <ConfigPackagePolicies CodePackageRef="Code">
           <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="C:\secrets" EnvironmentVariableName="SecretPath" />
           <!-- Linux container
           <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="/mnt/secrets" EnvironmentVariableName="SecretPath" />
           -->
         </ConfigPackagePolicies>
       </Policies>
     </ServiceManifestImport>
    

    The secrets are available under the mount point inside your container.

  4. You can bind a secret to a process environment variable by specifying Type="SecretsStoreRef". The following snippet is an example of how to bind supersecret version ver1 to the environment variable MySuperSecret in ServiceManifest.xml.

    <EnvironmentVariables>
     <EnvironmentVariable Name="MySuperSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/>
    </EnvironmentVariables>
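As an added example (not code from this page or from Service Fabric itself), the following Python shows how a service or container process can consume secrets delivered in the two ways described in steps 2 through 4: one file per parameter under the directory named by SecretPath, or a value bound directly to an environment variable such as MySuperSecret. The directory, file and values are constructed stand-ins for what Service Fabric would mount.

```python
import os
import tempfile
from pathlib import Path


def load_section_secrets(section_dir):
    """Map parameter name -> value for every file in a SecretsStoreRef section directory."""
    base = Path(section_dir)
    if not base.is_dir():
        raise FileNotFoundError(f"secret section directory not found: {section_dir}")
    # Values are read verbatim: a trailing newline may be part of the stored secret.
    return {p.name: p.read_text(encoding="utf-8") for p in sorted(base.iterdir()) if p.is_file()}


def get_secret(name, dir_env_var="SecretPath"):
    """Resolve one parameter: section directory (steps 2 and 3), else direct env-var binding (step 4)."""
    section_dir = os.environ.get(dir_env_var)
    if section_dir:
        path = Path(section_dir) / name
        if path.is_file():
            return path.read_text(encoding="utf-8")
        raise KeyError(f"parameter {name!r} not found under {section_dir}")
    value = os.environ.get(name)
    if value is None:
        raise KeyError(f"no secret available for {name!r}")
    return value


def demo_directory():
    """Constructed stand-in for SecretPath: a temp dir holding the TopSecret file."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "TopSecret").write_text("mysecretpassword", encoding="utf-8")
        os.environ["SecretPath"] = tmp
        try:
            names = sorted(load_section_secrets(tmp))
            value = get_secret("TopSecret")
        finally:
            os.environ.pop("SecretPath", None)
    return names, value


def demo_env_binding():
    """Constructed stand-in for step 4: the value bound straight to MySuperSecret."""
    os.environ.pop("SecretPath", None)
    os.environ["MySuperSecret"] = "mysecretpassword"
    try:
        return get_secret("MySuperSecret")
    finally:
        os.environ.pop("MySuperSecret", None)
```

Reading the files verbatim rather than stripping whitespace avoids silently altering a value that was stored with a trailing newline.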
    

Next steps

Learn more about application and service security.