Merge pull request #94131 from MicrosoftDocs/release-ga-service-fabric-7.0

Release ga service fabric 7.0

Author: huypub

articles/service-fabric/concepts-managed-identity.md

@@ -12,7 +12,7 @@ ms.author: atsenthi
 
 # Managed Identity for Service Fabric Application (Preview)
 
-A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping credentials secure is an important task, since they never appear on developer workstations and are not checked into source control. The Managed Identity feature for Azure resources in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically-managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
+A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping credentials secure is an important task, since they never appear on developer workstations and are not checked into source control. The Managed Identity feature for Azure resources in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
 
 The Managed Identity feature for Azure resources is free with Azure AD for Azure subscriptions. There is no additional cost.
 
@@ -41,7 +41,7 @@ The following terms are used throughout the Managed Identity for Azure resources
 
 ## Supported scenarios for Service Fabric applications
 
-Managed identities for Service Fabric is only supported in Azure deployed Service Fabric clusters, and only for applications deployed as Azure resources; an applications which is not deployed as an Azure resource cannot be assigned an identity. Conceptually speaking, support for managed identities in Azure Service Fabric cluster consists of two phases:
+Managed identities for Service Fabric is only supported in Azure deployed Service Fabric clusters, and only for applications deployed as Azure resources; an application which is not deployed as an Azure resource cannot be assigned an identity. Conceptually speaking, support for managed identities in Azure Service Fabric cluster consists of two phases:
 
 1. Assign one or more managed identities to the application resource; an application may be assigned a single system-assigned identity, and/or up to 32 user-assigned identities, respectively.
 
@@ -58,7 +58,7 @@ The list of supported scenarios for the preview release is as follows:
 
 The following scenarios are not supported or not recommended; note these actions may not be blocked, but can lead to outages in your applications:
 
-   - Remove or change the identities assigned to an application; if you must make changes, submit separate deployments to first add a new identity assignment, and then to remove a previously assigned one. Removal of an identity from an existing application can have undesirable effects, including leaving your application in a state which is not upgradeable. It is safe to delete the application altogether if the removal of an identity is necessary; note this will delete the system-assigned identity (if so defined) associated with the application, and will remove any associations with the user-assigned identities assigned to the application.
+   - Remove or change the identities assigned to an application; if you must make changes, submit separate deployments to first add a new identity assignment, and then to remove a previously assigned one. Removal of an identity from an existing application can have undesirable effects, including leaving your application in a state that is not upgradeable. It is safe to delete the application altogether if the removal of an identity is necessary; note this will delete the system-assigned identity (if so defined) associated with the application, and will remove any associations with the user-assigned identities assigned to the application.
 
    - SF support for managed identities is not integrated at this time into the [AzureServiceTokenProvider](../key-vault/service-to-service-authentication.md); the integration will be achieved by the end of the preview period for the managed identity feature.
 
@@ -74,3 +74,4 @@ The following scenarios are not supported or not recommended; note these actions
 * [Deploy an Azure Service Fabric application with a user-assigned managed identity](./how-to-deploy-service-fabric-application-user-assigned-managed-identity.md)
 * [Leverage the managed identity of a Service Fabric application from service code](./how-to-managed-identity-service-fabric-app-code.md)
 * [Grant an Azure Service Fabric application access to other Azure resources](./how-to-grant-access-other-resources.md)
+* [Declaring and using application secrets as KeyVaultReferences](./service-fabric-keyvault-references.md) 

articles/service-fabric/service-fabric-cluster-resource-manager-movement-cost.md

@@ -72,7 +72,14 @@ this.Partition.ReportMoveCost(MoveCost.Medium);
 ```
 
 ## Impact of move cost
-MoveCost has four levels: Zero, Low, Medium, and High. MoveCosts are relative to each other, except for Zero. Zero move cost means that movement is free and should not count against the score of the solution. Setting your move cost to High does *not* guarantee that the replica stays in one place.
+MoveCost has five levels: Zero, Low, Medium, High and VeryHigh. The following rules apply:
+
+* MoveCosts are relative to each other, except for Zero and VeryHigh. 
+* Zero move cost means that movement is free and should not count against the score of the solution.
+* Setting your move cost to High or VeryHigh does *not* provide a guarantee that the replica will *never* be moved.
+* Replicas with VeryHigh move cost will be moved only if there is a constraint violation in the cluster that cannot be fixed in any other way (even if it requires moving many other replicas to fix the violation)
+
+
 
 <center>
 
@@ -85,6 +92,9 @@ MoveCost helps you find the solutions that cause the least disruption overall an
 - The cost of disconnection of clients. Moving a primary replica is usually more costly than the cost of moving a secondary replica.
 - The cost of interrupting an in-flight operation. Some operations at the data store level or operations performed in response to a client call are costly. After a certain point, you don’t want to stop them if you don’t have to. So while the operation is going on, you increase the move cost of this service object to reduce the likelihood that it moves. When the operation is done, you set the cost back to normal.
 
+> [!IMPORTANT]
+> Using the VeryHigh move cost should be carefully considered as it significantly restricts the ability of Cluster Resource Manager to find a globally-optimal placement solution in the cluster. Replicas with VeryHigh move cost will be moved only if there is a constraint violation in the cluster that cannot be fixed in any other way (even if it requires moving many other replicas to fix the violation)
+
 ## Enabling move cost in your cluster
 In order for the more granular MoveCosts to be taken into account, MoveCost must be enabled in your cluster. Without this setting, the default mode of counting moves is used for calculating MoveCost, and MoveCost reports are ignored.
 

articles/service-fabric/service-fabric-diagnostics-event-aggregation-wad.md

@@ -162,6 +162,15 @@ Then, update the `VirtualMachineProfile` section of the template.json file by ad
                     "DefaultEvents": {
                     "eventDestination": "ServiceFabricSystemEventTable"
                     }
+                },
+                {
+                    "provider": "02d06793-efeb-48c8-8f7f-09713309a810",
+                    "scheduledTransferLogLevelFilter": "Information",
+                    "scheduledTransferKeywordFilter": "4611686018427387904",
+                    "scheduledTransferPeriod": "PT5M",
+                    "DefaultEvents": {
+                    "eventDestination": "ServiceFabricSystemEventTable"
+                    }
                 }
                 ]
             }
@@ -259,6 +268,15 @@ To enable the **Base Operational Channel** our recommendation for comprehensive
                 "DefaultEvents": {
                   "eventDestination": "ServiceFabricSystemEventTable"
                 }
+              },
+              {
+                "provider": "02d06793-efeb-48c8-8f7f-09713309a810",
+                "scheduledTransferLogLevelFilter": "Information",
+                "scheduledTransferKeywordFilter": "4611686018427387904",
+                "scheduledTransferPeriod": "PT5M",
+                "DefaultEvents": {
+                "eventDestination": "ServiceFabricSystemEventTable"
+                }
               }
             ]
           }

articles/service-fabric/service-fabric-keyvault-references.md

@@ -0,0 +1,151 @@
+---
+title: Azure Service Fabric - Using Service Fabric application KeyVault references | Microsoft Docs
+description: This article explains how to use service-fabric KeyVaultReference support for application secrets.
+services: service-fabric
+author: athinanthny
+
+ms.service: service-fabric
+ms.devlang: dotnet
+ms.topic: article
+ms.date: 09/20/2019
+ms.author: atsenthi
+---
+
+#  KeyVaultReference support for Service Fabric applications (preview)
+
+A common challenge when building cloud applications is how to securely store secrets required by your application. For example, you might want to store the container repository credentials in keyvault and reference it in application manifest. Service Fabric KeyVaultReference uses Service Fabric Managed Identity and makes it easy to reference keyvault secrets. The remainder of this article details how to use Service Fabric KeyVaultReference and includes some typical usage.
+
+## Prerequisites
+
+- Managed Identity for Application (MIT)
+    
+    Service Fabric KeyVaultReference support uses application's Managed Identity and therefore applications planing to use KeyVaultReferences should use Managed Identity. Follow this [document](concepts-managed-identity.md) to enable managed identity for your application.
+
+- Central Secrets Store (CSS).
+
+    Central Secrets Store(CSS) is service-fabric's encrypted local secrets cache, KeyVaultReference once fetched are cached in CSS.
+
+    Add the below to your cluster configuration under `fabricSettings` to enable all the required features for KeyVaultReference support.
+
+    ```json
+    "fabricSettings": 
+    [
+        ...
+    {
+        "parameters":  [
+            "name":  "CentralSecretService"
+                {
+                    "name":  "IsEnabled",
+                    "value":  "true"
+                },
+                {
+                    "name":  "MinReplicaSetSize",
+                    "value":  "3"
+                },
+                {
+                    "name":  "TargetReplicaSetSize",
+                    "value":  "3"
+                }
+                ],
+            },
+            {
+                "name":  "ManagedIdentityTokenService",
+                "parameters":  [
+                {
+                    "name":  "IsEnabled",
+                    "value":  "true"
+                }
+                ]
+            }
+            ]
+    ```
+
+    > [!NOTE] 
+    > It's recommended to use a separate encryption certificate for CSS. You can add it under the "CentralSecretService" section.
+
+    ```json
+        {
+            "name": "EncryptionCertificateThumbprint",
+            "value": "<EncryptionCertificateThumbprint for CSS>"
+        }
+    ```
+
+- Grant application's managed identity access permission to the keyvault
+
+    Reference this [document](how-to-grant-access-other-resources.md) to see how to grant managed identity access to keyvault. Also note if you are using System Assigned Managed Identity, the managed identity is created only after application deployment.
+
+## Keyvault secret as application parameter
+Let's say the application needs to read the backend database password stored in keyvault, Service Fabric KeyVaultReference support makes it easy. Below example reads `DBPassword` secret from keyvault using Service Fabric KeyVaultReference support.
+
+- Add a section to settings.xml
+
+    Define `DBPassword` parameter with Type `KeyVaultReference` and Value `<KeyVaultURL>`
+
+    ```xml
+    <Section Name="dbsecrets">
+        <Parameter Name="DBPassword" Type="KeyVaultReference" Value="https://vault200.vault.azure.net/secrets/dbpassword/8ec042bbe0ea4356b9b171588a8a1f32"/>
+    </Section>
+    ```
+- Reference the new section in ApplicationManifest.xml in `<ConfigPackagePolicies>`
+
+    ```xml
+    <ServiceManifestImport>
+        <Policies>
+        <IdentityBindingPolicy ServiceIdentityRef="WebAdmin" ApplicationIdentityRef="ttkappuser" />
+        <ConfigPackagePolicies CodePackageRef="Code">
+            <!--Linux container example-->
+            <ConfigPackage Name="Config" SectionName="dbsecrets" EnvironmentVariableName="SecretPath" MountPoint="/var/secrets"/>
+            <!--Windows container example-->
+            <!-- <ConfigPackage Name="Config" SectionName="dbsecrets" EnvironmentVariableName="SecretPath" MountPoint="C:\secrets"/> -->
+        </ConfigPackagePolicies>
+        </Policies>
+    </ServiceManifestImport>
+    ```
+
+- Using KeyVaultReference in your application
+
+    Service Fabric on service instantiation will resolve the KeyVaultReference Parameter using application's managed identity. Each parameter listed under `<Section  Name=dbsecrets>` will be a file under the folder pointed to by EnvironmentVariable SecretPath. Below C# code snippet show how to read DBPassword in your application.
+
+    ```C#
+    string secretPath = Environment.GetEnvironmentVariable("SecretPath");
+    using (StreamReader sr = new StreamReader(Path.Combine(secretPath, "DBPassword"))) 
+    {
+        string dbPassword =  sr.ReadToEnd();
+        // dbPassword to connect to DB
+    }
+    ```
+    > [!NOTE] 
+    > For the container scenario, you can use the MountPoint to control where the `secrets` will be mounted.
+
+## Keyvault secret as environment variable
+
+Service Fabric environment variables now support KeyVaultReference type, below example shows how to bind an environment variable to a secret stored in KeyVault.
+
+```xml
+<EnvironmentVariables>
+      <EnvironmentVariable Name="EventStorePassword" Type="KeyVaultReference" Value="https://ttkvault.vault.azure.net/secrets/clustercert/e225bd97e203430d809740b47736b9b8"/>
+</EnvironmentVariables>
+```
+
+```C#
+string eventStorePassword =  Environment.GetEnvironmentVariable("EventStorePassword");
+```
+## Keyvault secret as container repository password
+KeyVaultReference is a supported type for container RepositoryCredentials, below example shows how to use a keyvault 
+reference as container repository password.
+```xml
+ <Policies>
+      <ContainerHostPolicies CodePackageRef="Code">
+        <RepositoryCredentials AccountName="user1" Type="KeyVaultReference" Password="https://ttkvault.vault.azure.net/secrets/containerpwd/e225bd97e203430d809740b47736b9b8"/>
+      </ContainerHostPolicies>
+```
+## FAQ
+- Managed identity needs to be enabled for KeyVaultReference support, your application activation will fail if KeyVaultReference is used without enabling Managed Identity.
+
+- If you are using system assigned identity, it's created only after the application is deployed and this creates a circular dependency. Once your application is deployed, you can grant the system assigned identity access permission to keyvault. You can find the system assigned identity by name {cluster}/{application name}/{servicename}
+
+- The keyvault needs to be in the same subscription as your service fabric cluster. 
+
+## Next steps
+
+* [Azure KeyVault Documentation](https://docs.microsoft.com/azure/key-vault/)

articles/service-fabric/service-fabric-reliable-services-configuration.md

@@ -121,6 +121,7 @@ ReplicatorConfig
 | SharedLogPath |Fully qualified path name |"" |Specifies the fully qualified path where the shared log file for this replica will be created. Typically, services should not use this setting. However, if SharedLogPath is specified, then SharedLogId must also be specified. |
 | SlowApiMonitoringDuration |Seconds |300 |Sets the monitoring interval for managed API calls. Example: user provided backup callback function. After the interval has passed, a warning health report will be sent to the Health Manager. |
 | LogTruncationIntervalSeconds |Seconds |0 |Configurable interval at which log truncation will be initiated on each replica. It is used to ensure log is also truncated based on time instead of just log size. This setting also forces purge of deleted entries in reliable dictionary. Hence it can be used to ensure deleted items are purged in a timely manner. |
+| EnableStableReads |Boolean |False |Enabling stable reads restricts secondary replicas to returning values which have been quorum-acked. |
 
 ### Sample configuration via code
 ```csharp