Deploy a Service Fabric cluster in Azure Stack Hub

Use the Service Fabric Cluster item from the Azure Marketplace to deploy a secured Service Fabric cluster in Azure Stack Hub.

For more information about working with Service Fabric, see Overview of Azure Service Fabric and Service Fabric cluster security scenarios in the Azure documentation.

The Service Fabric cluster in Azure Stack Hub doesn't use the resource provider Microsoft.ServiceFabric. Instead, in Azure Stack Hub, the Service Fabric cluster is a virtual machine scale set whose preinstalled software is configured with Desired State Configuration (DSC).

Prerequisites

The following are required to deploy the Service Fabric cluster:

  1. Cluster certificate
    This is the X.509 server certificate you add to Key Vault when deploying Service Fabric.

    • The CN on this certificate must match the fully qualified domain name (FQDN) of the Service Fabric cluster you create.

    • The certificate format must be PFX, because both the public and private keys are required. See the requirements for creating this server-side certificate.

      Note

      You can use a self-signed certificate in place of the X.509 server certificate for test purposes. Self-signed certificates do not need to match the FQDN of the cluster.

  2. Admin client certificate
    This is the certificate that the client uses to authenticate to the Service Fabric cluster; it can be self-signed. See the requirements for creating this client certificate.

  3. The following items must be available in the Azure Stack Hub Marketplace:

    • Windows Server 2016 - The template uses the Windows Server 2016 image to create the cluster.
    • Custom Script Extension - Virtual machine extension from Microsoft.
    • PowerShell Desired State Configuration - Virtual machine extension from Microsoft.
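As an added example (not code from the article or from Microsoft), the following PowerShell function checks a cluster certificate PFX against the requirements listed above before you upload it: the private key must be present, the certificate must be within its validity period, and, unless the certificate is self-signed, its CN must match the cluster FQDN. The function name, the FQDN, and the PFX path and password are placeholders.

```powershell
# Added example (not part of the original article): pre-flight checks for the
# cluster certificate before it is uploaded to Key Vault. The function name,
# the PFX path/password and the FQDN below are placeholders.
function Test-ClusterCertificatePrerequisites {
    param(
        [Parameter(Mandatory)] [string] $PfxFilePath,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $ClusterFqdn
    )

    # Loading the PFX with its password proves the file is a usable PFX (not a .cer export).
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxFilePath, $Password)

    $problems = New-Object System.Collections.Generic.List[string]

    # The PFX must carry the private key; a public-only export cannot serve as the cluster certificate.
    if (-not $cert.HasPrivateKey) { $problems.Add("PFX does not contain a private key") }

    # The certificate must currently be valid.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems.Add("Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))")
    }

    # The CN must match the cluster FQDN, except for self-signed test certificates.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if (-not $selfSigned -and $cn -ne $ClusterFqdn) {
        $problems.Add("Subject CN '$cn' does not match cluster FQDN '$ClusterFqdn'")
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $cn
        SelfSigned = $selfSigned
        NotAfter   = $cert.NotAfter
        Problems   = $problems.ToArray()
        Ok         = ($problems.Count -eq 0)
    }
}

# Placeholder values; replace them with your own certificate and cluster name.
$result = Test-ClusterCertificatePrerequisites `
    -PfxFilePath "Your_path_to_ClusterCert.pfx" `
    -Password    "Your_password_for_ClusterCert.pfx" `
    -ClusterFqdn "your.cluster.fqdn.example"
$result | Format-List
if (-not $result.Ok) { throw "Cluster certificate does not meet the prerequisites" }
```

The thumbprint the function returns is the same value the Key Vault script in the next section prints, so you can compare the two after the upload.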

Add a secret to Key Vault

To deploy a Service Fabric cluster, you must specify the correct Key Vault secret identifier (URL) for the Service Fabric cluster. The Azure Resource Manager template takes a Key Vault as input, and then retrieves the cluster certificate from it when installing the Service Fabric cluster.

Important

You must use PowerShell to add a secret to Key Vault for use with Service Fabric. Do not use the portal.

Use the following script to create the Key Vault and add the cluster certificate to it. (See the prerequisites.) Before you run the script, review it and update the indicated parameters to match your environment. The script also outputs the values you need to provide to the Azure Resource Manager template.

Tip

Before the script can succeed, there must be a public offer that includes the services for Compute, Network, Storage, and Key Vault.

   # Loads the PFX so that its thumbprint can be read; returns the certificate object.
   function Get-ThumbprintFromPfx($PfxFilePath, $Password)
      {
         return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFilePath, $Password)
      }

   # Wraps the PFX in the JSON envelope the Service Fabric template expects
   # ({ data, dataType, password }), base64-encodes it and stores it as a Key Vault secret.
   function Publish-SecretToKeyVault ($PfxFilePath, $Password, $KeyVaultName)
      {
         $keyVaultSecretName = "ClusterCertificate"
         $certContentInBytes = [io.file]::ReadAllBytes($PfxFilePath)
         $pfxAsBase64EncodedString = [System.Convert]::ToBase64String($certContentInBytes)

         $jsonObject = ConvertTo-Json -Depth 10 ([pscustomobject]@{
               data     = $pfxAsBase64EncodedString
               dataType = 'pfx'
               password = $Password
         })

         $jsonObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
         $jsonEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)
         $secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
         # Az module cmdlet (the script uses the Az module throughout, not AzureRM).
         $keyVaultSecret = Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $keyVaultSecretName -SecretValue $secret

         $pfxCertObject = Get-ThumbprintFromPfx -PfxFilePath $PfxFilePath -Password $Password

         # The three values below are what the Azure Resource Manager template asks for.
         Write-Host "KeyVault id: " -ForegroundColor Green
         (Get-AzKeyVault -VaultName $KeyVaultName).ResourceId

         Write-Host "Secret Id: " -ForegroundColor Green
         (Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $keyVaultSecretName).Id

         Write-Host "Cluster Certificate Thumbprint: " -ForegroundColor Green
         $pfxCertObject.Thumbprint
      }

   #========================== CHANGE THESE VALUES ===============================
   $armEndpoint = "https://management.local.azurestack.external"
   $tenantId = "your_tenant_ID"
   $location = "local"
   $clusterCertPfxPath = "Your_path_to_ClusterCert.pfx"
   $clusterCertPfxPassword = "Your_password_for_ClusterCert.pfx"
   #==============================================================================

   # Register the Azure Stack Hub Resource Manager endpoint and sign in to it.
   Add-AzEnvironment -Name AzureStack -ARMEndpoint $armEndpoint
   Connect-AzAccount -Environment AzureStack -TenantId $tenantId

   $rgName = "sfvaultrg"
   Write-Host "Creating Resource Group..." -ForegroundColor Yellow
   New-AzResourceGroup -Name $rgName -Location $location

   # The vault must be enabled for deployment and template deployment so the template can read the certificate.
   Write-Host "Creating Key Vault..." -ForegroundColor Yellow
   $Vault = New-AzKeyVault -VaultName sfvault -ResourceGroupName $rgName -Location $location -EnabledForTemplateDeployment -EnabledForDeployment -EnabledForDiskEncryption

   Write-Host "Publishing certificate to Vault..." -ForegroundColor Yellow
   Publish-SecretToKeyVault -PfxFilePath $clusterCertPfxPath -Password $clusterCertPfxPassword -KeyVaultName $Vault.VaultName

For more information, see Manage Key Vault on Azure Stack Hub with PowerShell.
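To confirm that the publish step worked before you start the template deployment, the added example below (not part of the article) reads the secret back from Key Vault, unwraps the base64-encoded JSON envelope the script stores ({ data, dataType, password }), rebuilds the certificate from the embedded PFX bytes and compares its thumbprint with the value the script printed. It also checks the vault's deployment flags, which the template depends on. The function name and the thumbprint placeholder are assumptions; the -AsPlainText switch requires Az.KeyVault 2.0 or later and an existing Az session against your Azure Stack Hub environment.

```powershell
# Added example (not part of the original article): read the secret back from
# Key Vault, decode the wrapped PFX and confirm it matches the expected
# thumbprint. Requires Az.KeyVault 2.0 or later (for -AsPlainText) and an
# existing Az session against the Azure Stack Hub environment.
function Test-ClusterCertificateSecret {
    param(
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [string] $SecretName = "ClusterCertificate"   # name used by the publishing script
    )

    $vault = Get-AzKeyVault -VaultName $KeyVaultName
    if (-not $vault) { throw "Key Vault '$KeyVaultName' not found" }

    # The Azure Resource Manager template can only pull the certificate if these flags are set.
    if (-not $vault.EnabledForTemplateDeployment -or -not $vault.EnabledForDeployment) {
        throw "Vault '$KeyVaultName' must be enabled for deployment and template deployment"
    }

    # The secret is a base64 string wrapping JSON: { data = <base64 PFX>, dataType = 'pfx', password = <PFX password> }
    $secretText = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -AsPlainText
    $json       = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secretText))
    $wrapper    = $json | ConvertFrom-Json

    if ($wrapper.dataType -ne 'pfx') {
        throw "Unexpected dataType '$($wrapper.dataType)' in secret '$SecretName'"
    }

    # Rebuild the certificate from the embedded bytes and compare thumbprints.
    $pfxBytes = [System.Convert]::FromBase64String($wrapper.data)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, $wrapper.password)

    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "Secret '$SecretName' holds thumbprint $($cert.Thumbprint), expected $ExpectedThumbprint"
    }

    # These are the values the Security page of the deployment wizard asks for.
    [pscustomobject]@{
        KeyVaultId    = $vault.ResourceId
        SecretId      = (Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName).Id
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Placeholder thumbprint; replace it with the "Cluster Certificate Thumbprint" printed by the publishing script.
Test-ClusterCertificateSecret -KeyVaultName "sfvault" -ExpectedThumbprint "YOUR_CLUSTER_CERT_THUMBPRINT"
```

If the thumbprint check throws, the secret does not hold the certificate you intended to deploy, and the template deployment will install a cluster that your admin client cannot reach.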

Deploy the Marketplace item

  1. In the user portal, go to + Create a resource > Compute > Service Fabric Cluster.

    (Screenshot: Select Service Fabric Cluster)

  2. For each page, such as Basics, fill out the deployment form. Use the defaults if you're not sure of a value.

    For deployments to a disconnected Azure Stack Hub, or to deploy another version of Service Fabric, download the Service Fabric deployment package and its corresponding runtime package and host them on an Azure Stack Hub blob. Provide these values in the Service Fabric deployment package URL and Service Fabric runtime package URL fields.

    Note

    There are compatibility issues between the latest release of Service Fabric and its corresponding SDK. Until that issue is addressed, provide the following parameters to the deployment package URL and runtime package URL. Your deployments will fail otherwise.

    For disconnected deployments, download these packages from the specified location and host them locally on an Azure Stack Hub blob.

    (Screenshot: Basics)

  3. On the Network Settings page, you can specify the ports to open for your applications:

    (Screenshot: Network Settings)

  4. On the Security page, add the values that you got from creating the Azure Key Vault and uploading the secret.

    For the Admin Client Certificate Thumbprint, enter the thumbprint of the admin client certificate. (See the prerequisites.)

    • Source Key Vault: Specify the entire KeyVault id string from the script results.
    • Cluster Certificate URL: Specify the entire URL shown as Secret Id in the script results.
    • Cluster Certificate thumbprint: Specify the Cluster Certificate Thumbprint from the script results.
    • Server Certificate URL: If you wish to use a separate certificate from the cluster certificate, upload that certificate to a Key Vault and provide the full URL of the secret.
    • Server Certificate thumbprint: Specify the thumbprint of the server certificate.
    • Admin Client Certificate Thumbprints: Specify the thumbprint of the admin client certificate created in the prerequisites.

    (Screenshot: Script output)

    (Screenshot: Security)

  5. Complete the wizard, and then select Create to deploy the Service Fabric cluster.

Access the Service Fabric cluster

You can access the Service Fabric cluster by using either Service Fabric Explorer or Service Fabric PowerShell.

Use Service Fabric Explorer

  1. Ensure that the browser has access to your admin client certificate and can authenticate to your Service Fabric cluster.

    a. Open Internet Explorer and go to Internet Options > Content > Certificates.

    b. On Certificates, select Import to start the Certificate Import Wizard, and then click Next. On the File to Import page, click Browse and select the admin client certificate you provided to the Azure Resource Manager template.

    Note

    This certificate is not the cluster certificate that was previously added to Key Vault.

    c. Ensure that "Personal Information Exchange" is selected in the file type dropdown of the File Explorer window.

    (Screenshot: Personal Information Exchange)

    d. On the Certificate Store page, select Personal, and then complete the wizard.
    (Screenshot: Certificate store)

  2. To find the FQDN of your Service Fabric cluster:

    a. Go to the resource group that is associated with your Service Fabric cluster and locate the Public IP address resource. Select the object associated with the public IP address to open the Public IP address blade.

    (Screenshot: Public IP address)

    b. On the Public IP address blade, the FQDN is displayed as the DNS name.

    (Screenshot: DNS name)

  3. To find the URL for Service Fabric Explorer and the client connection endpoint, review the results of the template deployment.

  4. In your browser, go to https://FQDN:19080, replacing FQDN with the FQDN of your Service Fabric cluster from step 2.
    If you've used a self-signed certificate, you'll get a warning that the connection isn't secure. To continue to the website, select More Information, and then Go on to the webpage.

  5. To authenticate to the site, you must select a certificate to use. Select More choices, pick the appropriate certificate, and then click OK to connect to Service Fabric Explorer.

    (Screenshot: Authenticate)

Use Service Fabric PowerShell

  1. Install the Microsoft Azure Service Fabric SDK from Prepare your development environment on Windows in the Azure Service Fabric documentation.

  2. After the installation is complete, configure the system environment variables to ensure that the Service Fabric cmdlets are accessible from PowerShell.

    a. Go to Control Panel > System and Security > System, and then select Advanced system settings.

    (Screenshot: Control Panel)

    b. On the Advanced tab of System Properties, select Environment Variables.

    c. Under System variables, edit Path and make sure that C:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code is at the top of the list.

    (Screenshot: Environment variable list)

  3. After changing the order of the environment variables, restart PowerShell and then run the following PowerShell script to gain access to the Service Fabric cluster:

     Connect-ServiceFabricCluster -ConnectionEndpoint "[Service Fabric CLUSTER FQDN]:19000" `
         -X509Credential -ServerCertThumbprint 761A0D17B030723A37AA2E08225CD7EA8BE9F86A `
         -FindType FindByThumbprint -FindValue 0272251171BA32CEC7938A65B8A6A553AA2D3283 `
         -StoreLocation CurrentUser -StoreName My -Verbose


    Note

    There is no https:// before the name of the cluster in the script. Port 19000 is required.
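The following is an added example, not code from the article: it wraps the connection above in a function that first confirms the admin client certificate, including its private key, is present in the CurrentUser\My store that -StoreLocation CurrentUser -StoreName My refers to, then connects and reports the cluster's aggregated health so that an authentication failure or an unhealthy cluster is visible immediately. The function name and the FQDN are placeholders; the thumbprints reuse the sample values from the script above.

```powershell
# Added example (not part of the original article): connect to the cluster with
# the admin client certificate and read back cluster health. The function name
# and the FQDN are placeholders; the thumbprints are the article's sample values.
function Connect-SecuredServiceFabricCluster {
    param(
        [Parameter(Mandatory)] [string] $ClusterFqdn,           # no https:// prefix
        [Parameter(Mandatory)] [string] $ServerCertThumbprint,  # cluster (server) certificate
        [Parameter(Mandatory)] [string] $ClientCertThumbprint,  # admin client certificate
        [int] $Port = 19000                                      # client connection endpoint
    )

    # The client certificate, with its private key, must be in CurrentUser\My for the
    # -StoreLocation CurrentUser -StoreName My lookup to succeed.
    $clientCert = Get-ChildItem -Path "Cert:\CurrentUser\My\$ClientCertThumbprint" -ErrorAction SilentlyContinue
    if (-not $clientCert) {
        throw "Admin client certificate $ClientCertThumbprint not found in Cert:\CurrentUser\My"
    }
    if (-not $clientCert.HasPrivateKey) {
        throw "Admin client certificate $ClientCertThumbprint has no private key; import the PFX, not the .cer"
    }

    # Mutual TLS: the server must present the cluster certificate, we present the admin client certificate.
    $endpoint = "${ClusterFqdn}:$Port"
    Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
        -X509Credential -ServerCertThumbprint $ServerCertThumbprint `
        -FindType FindByThumbprint -FindValue $ClientCertThumbprint `
        -StoreLocation CurrentUser -StoreName My | Out-Null

    # Summarize health so a bad connection or an unhealthy cluster is obvious at a glance.
    $health = Get-ServiceFabricClusterHealth
    [pscustomobject]@{
        Endpoint              = $endpoint
        AggregatedHealthState = $health.AggregatedHealthState
        UnhealthyNodes        = @($health.NodeHealthStates | Where-Object { $_.AggregatedHealthState -ne 'Ok' }).Count
        UnhealthyEvaluations  = @($health.UnhealthyEvaluations).Count
    }
}

# Placeholder FQDN; the thumbprints are the sample values used in the article's script.
Connect-SecuredServiceFabricCluster `
    -ClusterFqdn "your.cluster.fqdn.example" `
    -ServerCertThumbprint "761A0D17B030723A37AA2E08225CD7EA8BE9F86A" `
    -ClientCertThumbprint "0272251171BA32CEC7938A65B8A6A553AA2D3283"
```

Checking the store before calling Connect-ServiceFabricCluster separates the two common failure causes: a missing or key-less client certificate fails fast with a clear message, whereas a wrong server thumbprint surfaces as a connection error from the cmdlet itself.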

Next steps

Deploy Kubernetes to Azure Stack Hub