Import a certificate file into a container running on Service Fabric

You can secure your container services by specifying a certificate. Service Fabric provides a mechanism for services inside a container to access a certificate that is installed on the nodes of a Windows or Linux cluster (version 5.7 or higher). The certificate must be installed in a certificate store under LocalMachine on all nodes of the cluster. The private key corresponding to the certificate must be available, accessible and, on Windows, exportable. The certificate information is provided in the application manifest under the ContainerHostPolicies tag, as the following snippet shows:

<ContainerHostPolicies CodePackageRef="NodeContainerService.Code">
    <CertificateRef Name="MyCert1" X509StoreName="My" X509FindValue="[Thumbprint1]"/>
    <CertificateRef Name="MyCert2" X509FindValue="[Thumbprint2]"/>
</ContainerHostPolicies>

For Windows clusters, when the application starts, the runtime exports each referenced certificate and its corresponding private key into a PFX file secured with a randomly generated password. The PFX and password files, respectively, are accessible inside the container through the following environment variables:

  • Certificates_ServicePackageName_CodePackageName_CertName_PFX
  • Certificates_ServicePackageName_CodePackageName_CertName_Password

For Linux clusters, the certificates (PEM) are copied from the store specified by X509StoreName into the container. The corresponding environment variables on Linux are:

  • Certificates_ServicePackageName_CodePackageName_CertName_PEM
  • Certificates_ServicePackageName_CodePackageName_CertName_PrivateKey

Alternatively, if you already have the certificates in the required form and want to access them inside the container, you can create a data package inside your application package and specify the following in your application manifest:

<ContainerHostPolicies CodePackageRef="NodeContainerService.Code">
  <CertificateRef Name="MyCert1" DataPackageRef="[DataPackageName]" DataPackageVersion="[Version]" RelativePath="[Relative Path to certificate inside DataPackage]" Password="[password]" IsPasswordEncrypted="[true/false]"/>
</ContainerHostPolicies>

The container service or process is responsible for importing the certificate files into the container. To import the certificate, you can use a setupentrypoint.sh script or execute custom code within the container process. Here is sample code in C# for importing the PFX file:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Paths to the PFX and its password file, as exposed by the Service Fabric runtime.
string certificateFilePath = Environment.GetEnvironmentVariable("Certificates_MyServicePackage_NodeContainerService.Code_MyCert1_PFX");
string passwordFilePath = Environment.GetEnvironmentVariable("Certificates_MyServicePackage_NodeContainerService.Code_MyCert1_Password");
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
// The password file holds a single line; strip any trailing NUL characters before use.
string password = File.ReadAllLines(passwordFilePath, Encoding.Default)[0];
password = password.Replace("\0", string.Empty);
// Load the PFX with its private key and persist the key in the machine key store.
X509Certificate2 cert = new X509Certificate2(certificateFilePath, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();

This PFX certificate can be used for authenticating the application or service, or for secure communication with other services. By default, the files are ACLed only to SYSTEM. You can ACL them to other accounts as required by the service.
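The following is an added example, not code from the page or from Service Fabric, that extends the sample above to both platforms: it reads whichever variables the runtime set (PFX plus password on Windows, PEM plus private key on Linux) and refuses to hand back a certificate that lacks its private key or is outside its validity period, so a misconfigured CertificateRef fails at startup rather than at the first TLS handshake. The package, code package and certificate names mirror the page's sample; X509Certificate2.CreateFromPemFile requires .NET 5 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; names mirror the page's sample manifest.
static class ContainerCertificateLoader
{
    const string Prefix = "Certificates_MyServicePackage_NodeContainerService.Code_MyCert1_";

    public static X509Certificate2 Load()
    {
        X509Certificate2 cert;
        string pfxPath = Environment.GetEnvironmentVariable(Prefix + "PFX");
        if (!string.IsNullOrEmpty(pfxPath))
        {
            // Windows cluster: PFX and a password file written by the runtime.
            string passwordPath = Environment.GetEnvironmentVariable(Prefix + "Password");
            string password = File.ReadAllText(passwordPath).TrimEnd('\0', '\r', '\n');
            cert = new X509Certificate2(pfxPath, password,
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        }
        else
        {
            // Linux cluster: PEM certificate and private key copied from the node's store.
            string pemPath = Environment.GetEnvironmentVariable(Prefix + "PEM");
            string keyPath = Environment.GetEnvironmentVariable(Prefix + "PrivateKey");
            if (string.IsNullOrEmpty(pemPath) || string.IsNullOrEmpty(keyPath))
                throw new InvalidOperationException("Service Fabric exposed no certificate files for MyCert1.");
            cert = X509Certificate2.CreateFromPemFile(pemPath, keyPath);
        }

        // Fail fast: without the private key the service cannot authenticate itself,
        // and peers will reject a certificate outside its validity window.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} has no private key.");
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} is outside its validity period.");
        return cert;
    }
}
```

The returned certificate can be passed directly to Kestrel or SslStream; on Windows it is also persisted to the machine key store, matching the page's sample.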

As a next step, read the following articles: