How to deploy certs to local service fabric cluster

  • Question

  • I'm trying to run Identity Server as one of the stateless web services in my service fabric cluster. One of the issues I'm having is that I don't want to deploy the X509 certificate needed by identity server with my code, and most of the resources online cite Azure KeyVault as the facilitator to key storage for a Service Fabric environment, and then setting up the deployment to pull the certificate in from the key vault to the VMs in the cluster as they are provisioned (as referenced here https://blogs.technet.microsoft.com/kv/2015/07/14/deploy-certificates-to-vms-from-customer-managed-key-vault/).

    I'd like to be able to provision my local service fabric dev cluster in such a way that it isn't dependent on Key Vault if possible. I haven't been able to find a good reference for this online - but is there some way that I can set up a powershell script to update nodes in my local cluster to contain my certificate at deploy time? I apologize if this is a silly question, but I'm just getting into service fabric and I might be missing an obvious solution.


    Thursday, June 23, 2016 3:33 AM


  • Strictly speaking, a node is really just our Service Fabric system host process (Fabric.exe et al). We use "node" and "VM" or "machine" interchangeably sometimes because normally they map 1 to 1: one node per VM or machine. Your local dev cluster is the exception, where you have multiple nodes (5 by default) on a single machine. What I'm getting at is that technically you don't install certs on "nodes", you install certs on the VM or machine that hosts the node(s). So for your local dev cluster, just install the certs on your local dev machine.
    Friday, June 24, 2016 7:52 PM
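The "install the certs on your local dev machine" step from the answer, as an added PowerShell example that is not part of either post. It assumes a PFX at a constructed placeholder path and that the stateless service runs as NETWORK SERVICE (the default account for a local dev cluster), which is why the private key ACL is granted; the ACL path shown is for CSP (legacy RSA) keys, CNG keys would need the same grant under Crypto\Keys.

```powershell
# Added example (not from the thread): import a PFX into the machine store on
# the local dev box and let the Service Fabric service account read its key.
param(
    [string]$PfxPath = 'C:\certs\identityserver-dev.pfx',   # placeholder path (assumption)
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'        # assumed service account
)

# Prompt for the PFX password instead of hard-coding it in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# LocalMachine\My is shared by every node hosted on this machine, so one import
# covers all five local nodes.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password
Write-Host "Imported $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# Grant the service account read access to the private key file. $cert.PrivateKey
# is populated for CSP keys; for CNG keys it is $null and the key lives elsewhere.
if ($null -ne $cert.PrivateKey) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on private key to $Account"
} else {
    Write-Warning 'CNG key: grant Read under ProgramData\Microsoft\Crypto\Keys instead'
}

# Check: the thumbprint the service's config references must resolve in the store.
if (-not (Test-Path "Cert:\LocalMachine\My\$($cert.Thumbprint)")) {
    throw 'certificate not found in LocalMachine\My after import'
}
```

Run it from an elevated PowerShell before deploying the application to the local cluster, and reference the printed thumbprint from the service's configuration rather than shipping the PFX with the code package.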