Different Endpoint Certificates Per Environment in Service Fabric

2
votes

I have a service fabric application that exposes an SSL endpoint. I would like to use a different certificate based on the environment. I'm trying to do this with parameters in the ApplicationMainfest.xml file in the same way that I specify other things, such as instance counts. However, parameters appear not to be working for this. I'm wondering if this is actually true and if there are certain things that you cannot parameterize. Also, is there any way to specify a different certificate based on the environment?

Here are the relevant pieces from my application manifest:

    <Parameter Name="CERTNAME" DefaultValue="MyCert" />
    ...
     <Certificates>
        <EndpointCertificate X509FindValue="..." Name="MyCert" />
        <EndpointCertificate X509FindValue="..." Name="SVSSL" />
      </Certificates>

 <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="[CERTNAME]" />
    </Policies>

On deployment, I get the following error: Register-ServiceFabricApplicationType : The CertificateRef '[CERTNAME]' in EndpointBindingPolicy is invalid. There is no matching Certificate in the corresponding ApplicationManifest.

1
azure-service-fabric

1 Answers

4
votes

Today the certificate value itself is parameterizable but not the Ref. So instead of changing the reference or the name, you would parameterize the X509FindValue and keep the endpointbindingpolicy the same.

As a note, just any time you run into something you want to parameterize but can't figure out how to do it, there are a few options. Consider for example most things in the Service Manifest, like the port that the service listens on (if you have it statically configured). There are some other ways around this:

  1. Create different manifests (service manifests or application manifests) and replacing them when creating the application package for a given environment
  2. Using something during your build/deployment stages (such as the Tokenizer Task in VSTS) to replace a stub value with the actual value given the environment that the package is being crafted for
  3. Move most of the endpoint configuration stuff to settings.xml and replace those values via the normal application parameter/override behavior. This would mean taking on the work of configuring your endpoints yourself, however.