How do I set the maangement endpoint on a service fabric managed cluster?

Bill Wolohan 41

I'm setting up a managed cluster for service fabric and want to use a custom domain to connect to service fabric explorer (sfexplorer@mydomain.com). I've install the certificate for my domain but the sfexplorer site needs to bind to it. In a non-managed cluster I can set the property managementEndpoint in the Bicep or ARM template for the cluster, but this doesn't seem to be available for a managed cluster. Is this possible or is it not available for managed clusters (yet)?

Bill Wolohan 41 Reputation points

2023-02-13T13:15:57.2066667+00:00

Thank you but that doesn't work for me. I'm using a Microsoft.ServiceFabric/managedclusters resource which doesn't have the managementEndpoint property. I'm guessing this is an unintentional omission. I was wondering if there is another way to set this property.
vipullag-MSFT 24,111 Reputation points Microsoft Employee

2023-02-13T15:58:15.45+00:00
Hello Bill Wolohan

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Yes, it is possible to use a custom domain for the Service Fabric Explorer in a managed cluster.

You can use the managementEndpoint property in the Microsoft.ServiceFabric/clusters resource in your ARM template to specify the custom domain for the Service Fabric Explorer.

{ "type": "Microsoft.ServiceFabric/clusters", "name": "[parameters('clusterName')]", "apiVersion": "2018-02-01", "location": "[parameters('location')]", "properties": { "managementEndpoint": "https://sfexplorer.mydomain.com:19080", ... } }

Make sure to replace sfexplorer.mydomain.com with your custom domain and 19080 with the port number for the Service Fabric Explorer.

Also, you need to make sure that the certificate for your custom domain is installed on the virtual machine scale set that's used for the managed cluster. You can use the secrets property in the Microsoft.Compute/virtualMachineScaleSets resource in your ARM template to specify the certificate.

Here's an example of how you can set the secrets property in your ARM template:

{ "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "[parameters('vmssName')]", "apiVersion": "2018-06-01", "location": "[parameters('location')]", "properties": { "secrets": [ { "sourceVault": { "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" }, "vaultCertificates": [ { "certificateUrl": "[concat(parameters('keyVaultUrl'), '/secrets/', parameters('certificateName'))]", "certificateStore": "My" } ] } ], ... } }

Ref:
https://learn.microsoft.com/en-us/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets

https://learn.microsoft.com/en-us/azure/service-fabric/cluster-security-certificate-management

Hope this helps.

If you need further help on this, tag me in a comment.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

Accepted answer

vipullag-MSFT 24,111 Reputation points Microsoft Employee

2023-02-13T15:58:04.5066667+00:00

Hello Bill Wolohan

Thanks for sharing more details. I checked with internal team to see if there is a way to set this property.

However, with managed clusters the Certificates bound to the endpoints are managed by Microsoft (via the Service Fabric Resource Provider), you really only can manage client certificate[s] to give you admin or readonly access on the management endpoints.

This being the case you cannot bind a custom cert in the same way you have done with standard SF clusters.

You can still setup a DNS A record to point to your management endpoint and use the custom domain, but the browser will not trust it since the cluster cert is different from your domain/client cert you have configured.

So this is currently by design for the management endpoints.

Hope this helps.

If you need further help on this, tag me in a comment.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
Please sign in to rate this answer.

1 person found this answer helpful.
Bill Wolohan 41 Reputation points

2023-02-13T16:50:33.23+00:00

That's not ideal but I understand why it works that way. Thank you.
Sign in to comment

How do I set the maangement endpoint on a service fabric managed cluster?

0 additional answers