Create a Service Fabric cluster Resource Manager template

An Azure Service Fabric cluster is a network-connected set of virtual machines into which your microservices are deployed and managed. A Service Fabric cluster running in Azure is an Azure resource and is deployed, managed, and monitored using Resource Manager. This article describes how to create a Resource Manager template for a Service Fabric cluster running in Azure. When the template is complete, you can deploy the cluster on Azure.

Cluster security is configured when the cluster is first set up and cannot be changed later. Before setting up a cluster, read Service Fabric cluster security scenarios. In Azure, Service Fabric uses X.509 certificates to secure the cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to the management endpoints. Azure AD tenants and users must be created before creating the cluster. For more information, read Set up Azure AD to authenticate clients.

Before deploying a production cluster to run production workloads, be sure to first read the Production readiness checklist.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Create the Resource Manager template

Sample Resource Manager templates are available in the Azure samples on GitHub. These templates can be used as a starting point for your cluster template.

This article uses the five-node secure cluster example template and template parameters. Download azuredeploy.json and azuredeploy.parameters.json to your computer and open both files in your favorite text editor.

Note

For Azure China Cloud, you should also add the following fabricSettings to your template: AADLoginEndpoint, AADTokenEndpointFormat and AADCertEndpointFormat.

Add certificates

You add certificates to a cluster Resource Manager template by referencing the key vault that contains the certificate keys. Add those key vault parameters and values in a Resource Manager template parameters file (azuredeploy.parameters.json). The certificate must have been uploaded to the key vault as a secret (the PFX), and the key vault must be enabled for deployment (for example with Set-AzKeyVaultAccessPolicy -EnabledForDeployment) so that the compute resource provider is allowed to retrieve it when the scale set is created.

Add all certificates to the virtual machine scale set osProfile

Every certificate that's installed in the cluster must be configured in the osProfile section (under virtualMachineProfile) of the scale set resource (Microsoft.Compute/virtualMachineScaleSets). This instructs the resource provider to install the certificate on the VMs. The installation includes both the cluster certificate and any application security certificates that you plan to use for your applications:

{
  "apiVersion": "[variables('vmssApiVersion')]",
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  ...
  "properties": {
    ...
    "virtualMachineProfile": {
      ...
      "osProfile": {
        ...
        "secrets": [
          {
            "sourceVault": {
              "id": "[parameters('sourceVaultValue')]"
            },
            "vaultCertificates": [
              {
                "certificateStore": "[parameters('clusterCertificateStoreValue')]",
                "certificateUrl": "[parameters('clusterCertificateUrlValue')]"
              },
              {
                "certificateStore": "[parameters('applicationCertificateStoreValue')]",
                "certificateUrl": "[parameters('applicationCertificateUrlValue')]"
              },
              ...
            ]
          }
        ]
      }
    }
  }
}

Configure the Service Fabric cluster certificate

The cluster authentication certificate must be configured in both the Service Fabric cluster resource (Microsoft.ServiceFabric/clusters) and the Service Fabric extension for virtual machine scale sets inside the virtual machine scale set resource. This arrangement allows the Service Fabric resource provider to configure it for cluster authentication and for server authentication on the management endpoints. Template validation does not check that these two places agree with each other or with the osProfile entry, because each resource is valid on its own; keep the store name and the common name identical in all three.

Add the certificate information to the virtual machine scale set resource

{
  "apiVersion": "[variables('vmssApiVersion')]",
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  ...
  "properties": {
    ...
    "virtualMachineProfile": {
      "extensionProfile": {
        "extensions": [
          {
            "name": "[concat('ServiceFabricNodeVmExt_',variables('vmNodeType0Name'))]",
            "properties": {
              ...
              "settings": {
                ...
                "certificate": {
                  "commonNames": ["[parameters('certificateCommonName')]"],
                  "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
                },
                ...
              }
            }
          }
        ]
      }
    }
  }
}

Add the certificate information to the Service Fabric cluster resource

{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  "location": "[parameters('clusterLocation')]",
  "dependsOn": [
    "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
  ],
  "properties": {
    "certificateCommonNames": {
      "commonNames": [
        {
          "certificateCommonName": "[parameters('certificateCommonName')]",
          "certificateIssuerThumbprint": ""
        }
      ],
      "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
    },
    ...
  }
}

Add Azure AD configuration to use Azure AD for client access

You add the Azure AD configuration to the cluster resource by supplying the Azure AD tenant ID and the application IDs of the cluster (web) application and the client (native) application that you registered in that tenant. Add those Azure AD parameters and values in a Resource Manager template parameters file (azuredeploy.parameters.json).

Note

On Linux, Azure AD tenants and users must be created before creating the cluster. For more information, read Set up Azure AD to authenticate clients.

{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  ...
  "properties": {
    "certificateCommonNames": {
      "commonNames": [
        {
          "certificateCommonName": "[parameters('certificateCommonName')]",
          "certificateIssuerThumbprint": ""
        }
      ],
      "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
    },
    ...
    "azureActiveDirectory": {
      "tenantId": "[parameters('aadTenantId')]",
      "clusterApplication": "[parameters('aadClusterApplicationId')]",
      "clientApplication": "[parameters('aadClientApplicationId')]"
    },
    ...
  }
}

Populate the parameter file with the values

Finally, use the output values from the key vault and Azure AD PowerShell commands to populate the parameters file.

If you plan to deploy with the Azure Service Fabric PowerShell module (New-AzServiceFabricCluster), you do not need to populate the cluster certificate information: if you want the module to generate a self-signed certificate to secure the cluster, leave those values empty. Self-signed certificates are appropriate only for test clusters; a production cluster should use a certificate issued by a certificate authority you trust.

Note

For the RM module to pick up and populate these empty parameter values, the parameter names must match the names below:

"clusterCertificateThumbprint": {
    "value": ""
},
"certificateCommonName": {
    "value": ""
},
"clusterCertificateUrlValue": {
    "value": ""
},
"sourceVaultvalue": {
    "value": ""
},

If you are using application certificates, or an existing cluster certificate that you have already uploaded to the key vault, you need to obtain this information and populate it.

The RM module cannot generate the Azure AD configuration for you, so if you plan to use Azure AD for client access, you need to populate it yourself.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        ...
        "clusterCertificateStoreValue": {
            "value": "My"
        },
        "clusterCertificateThumbprint": {
            "value": "<thumbprint>"
        },
        "clusterCertificateUrlValue": {
            "value": "https://myvault.vault.azure.cn:443/secrets/myclustercert/4d087088df974e869f1c0978cb100e47"
        },
        "applicationCertificateStorevalue": {
            "value": "My"
        },
        "applicationCertificateUrlValue": {
            "value": "https://myvault.vault.azure.cn:443/secrets/myapplicationcert/2e035058ae274f869c4d0348ca100f08"
        },
        "sourceVaultvalue": {
            "value": "/subscriptions/<guid>/resourceGroups/mycluster-keyvault/providers/Microsoft.KeyVault/vaults/myvault"
        },
        "aadTenantId": {
            "value": "<guid>"
        },
        "aadClusterApplicationId": {
            "value": "<guid>"
        },
        "aadClientApplicationId": {
            "value": "<guid>"
        },
        ...
    }
}
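The following Python script is an added example; it is not part of this article or of the Azure sample templates. It reads a template and its parameter file offline and cross-checks the certificate wiring described in the sections above (osProfile.secrets, the Service Fabric extension and the cluster resource must agree on the X.509 store and common name, and every certificateUrl must be a versioned Key Vault secret identifier), and it lists any parameters('...') reference that the parameter file does not satisfy. Parameter names are matched case-insensitively, as Resource Manager matches them. SAMPLE_TEMPLATE and SAMPLE_PARAMETERS are constructed to mirror the snippets on this page and are not deployable; all function names are the example's own. To check a real template, json.load azuredeploy.json and azuredeploy.parameters.json in their place.

```python
"""Offline consistency checks for the certificate and Azure AD parameters of a
Service Fabric cluster Resource Manager template. Added example, not part of the
Azure docs or sample templates; never calls Azure, reads only the two JSON files."""
import re
from urllib.parse import urlparse

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

def strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from strings(v)

def lookup(name, template, params):
    """Parameter value: the parameter file wins, then the template's defaultValue.
    Names compare case-insensitively, as Resource Manager compares them."""
    for section, key in ((params, "value"), (template, "defaultValue")):
        for k, v in section.get("parameters", {}).items():
            if k.lower() == name.lower() and key in v:
                return v[key]
    return None

def resolve(value, template, params):
    """Resolve a plain "[parameters('x')]" string; anything else is returned as is."""
    m = PARAM_REF.fullmatch(value.strip("[]")) if isinstance(value, str) else None
    return lookup(m.group(1), template, params) if m else value

def undefined_parameters(template, params):
    """Parameters the template references but neither defaults nor receives."""
    refs = {m.group(1) for s in strings(template) for m in PARAM_REF.finditer(s)}
    return sorted(r for r in refs if lookup(r, template, params) is None)

def certificate_findings(template, params):
    """Cross-check osProfile.secrets, the Service Fabric VM extension and the cluster
    resource: same X.509 store, same common names, versioned Key Vault secret URLs."""
    res = lambda v: resolve(v, template, params)
    by_type = lambda t: [r for r in template.get("resources", []) if r.get("type") == t]
    out, clusters = [], by_type("Microsoft.ServiceFabric/clusters")
    for vmss in by_type("Microsoft.Compute/virtualMachineScaleSets"):
        profile, installed = vmss["properties"]["virtualMachineProfile"], set()
        for secret in profile.get("osProfile", {}).get("secrets", []):
            for cert in secret.get("vaultCertificates", []):
                installed.add(res(cert.get("certificateStore")))
                url = urlparse(res(cert.get("certificateUrl")) or "")
                segs = url.path.strip("/").split("/")
                # Must be the versioned *secret* id of the uploaded PFX, https://<vault>/secrets/<name>/<version>
                if url.scheme != "https" or len(segs) != 3 or segs[0] != "secrets":
                    out.append(f"certificateUrl is not a versioned Key Vault secret id: {url.geturl()!r}")
        for ext in profile.get("extensionProfile", {}).get("extensions", []):
            cert = ext.get("properties", {}).get("settings", {}).get("certificate")
            if not cert:
                continue
            store = res(cert.get("x509StoreName"))
            if store not in installed:
                out.append(f"extension store {store!r} is not populated by osProfile.secrets")
            ext_cns = {res(c) for c in cert.get("commonNames", [])}
            for cl in clusters:
                block = cl["properties"].get("certificateCommonNames", {})
                if res(block.get("x509StoreName")) != store:
                    out.append(f"cluster x509StoreName differs from extension store {store!r}")
                cl_cns = {res(c.get("certificateCommonName")) for c in block.get("commonNames", [])}
                if cl_cns != ext_cns:
                    out.append(f"cluster common names {sorted(cl_cns, key=str)} differ from extension {sorted(ext_cns, key=str)}")
    return out

# Constructed sample mirroring the snippets in this article (abridged, not deployable).
# aadClientApplicationId is deliberately missing from the parameter file.
P = lambda n: f"[parameters('{n}')]"
SAMPLE_TEMPLATE = {
    "parameters": {n: {"type": "string"} for n in (
        "clusterName", "sourceVaultValue", "clusterCertificateStoreValue", "clusterCertificateUrlValue",
        "applicationCertificateStoreValue", "applicationCertificateUrlValue", "certificateCommonName",
        "aadTenantId", "aadClusterApplicationId", "aadClientApplicationId")},
    "resources": [
        {"type": "Microsoft.Compute/virtualMachineScaleSets", "properties": {"virtualMachineProfile": {
            "osProfile": {"secrets": [{"sourceVault": {"id": P("sourceVaultValue")}, "vaultCertificates": [
                {"certificateStore": P("clusterCertificateStoreValue"), "certificateUrl": P("clusterCertificateUrlValue")},
                {"certificateStore": P("applicationCertificateStoreValue"), "certificateUrl": P("applicationCertificateUrlValue")}]}]},
            "extensionProfile": {"extensions": [{"name": "ServiceFabricNodeVmExt_nt0", "properties": {"settings": {
                "certificate": {"commonNames": [P("certificateCommonName")], "x509StoreName": P("clusterCertificateStoreValue")}}}}]}}}},
        {"type": "Microsoft.ServiceFabric/clusters", "name": P("clusterName"), "properties": {
            "certificateCommonNames": {"commonNames": [{"certificateCommonName": P("certificateCommonName"), "certificateIssuerThumbprint": ""}],
                                       "x509StoreName": P("clusterCertificateStoreValue")},
            "azureActiveDirectory": {"tenantId": P("aadTenantId"), "clusterApplication": P("aadClusterApplicationId"),
                                     "clientApplication": P("aadClientApplicationId")}}}]}
SAMPLE_PARAMETERS = {"parameters": {k: {"value": v} for k, v in {
    "clusterName": "mycluster", "certificateCommonName": "mycluster.example.com",
    "sourceVaultValue": "/subscriptions/<guid>/resourceGroups/mycluster-keyvault/providers/Microsoft.KeyVault/vaults/myvault",
    "clusterCertificateStoreValue": "My", "applicationCertificateStoreValue": "My",
    "clusterCertificateUrlValue": "https://myvault.vault.azure.cn:443/secrets/myclustercert/4d087088df974e869f1c0978cb100e47",
    "applicationCertificateUrlValue": "https://myvault.vault.azure.cn:443/secrets/myapplicationcert/2e035058ae274f869c4d0348ca100f08",
    "aadTenantId": "<guid>", "aadClusterApplicationId": "<guid>"}.items()}}

if __name__ == "__main__":
    for f in undefined_parameters(SAMPLE_TEMPLATE, SAMPLE_PARAMETERS) + certificate_findings(SAMPLE_TEMPLATE, SAMPLE_PARAMETERS):
        print("FINDING:", f)
```

Run it before Test-AzResourceGroupDeployment. On the constructed sample it reports only the missing aadClientApplicationId; point clusterCertificateUrlValue at the /certificates/ identifier instead of the /secrets/ identifier, or give the cluster resource a different store name than the extension, and the corresponding finding appears. The store-name and common-name checks catch mismatches that template validation does not, because each resource is well-formed on its own.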

Test your template

Use the following PowerShell command to test your Resource Manager template with a parameter file:

Test-AzResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json

If you run into issues and get cryptic messages, add the -Debug option:

Test-AzResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json -Debug

The following diagram illustrates where your key vault and Azure AD configuration fit into your Resource Manager template.

Resource Manager dependency map

Next steps

Now that you have a template for your cluster, learn how to deploy the cluster to Azure. If you haven't already, read the Production readiness checklist before deploying a production cluster.