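I am renewing the HDInsight certificate by following the Microsoft article. I would like to know whether the certificate renewal will affect any running jobs.
We have a similar certificate renewal process for Automation accounts. I tested it on an Automation account by creating a long-running runbook and starting the certificate renewal. The runbook execution was not affected by the certificate renewal code.
I would like to see whether anyone has tried this.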

$clusterName = '<clustername>'
$resourceGroupName = '<resourcegroupname>'
$subscriptionId = '01234567-8a6c-43bc-83d3-6b318c6c7305'
$appId = '01234567-e100-4118-8ba6-c25834f4e938'
$addNewCertKeyCredential = $true
$certFilePath = 'C:\localfolder\adls.pfx'
$KeyVaultName = "my-key-vault-name"
$KeyVaultSecretName = "my-key-vault-secret-name"
# Read-Host without -AsSecureString echoes the password and returns a plain string.
$certPassword = Read-Host "Enter Certificate Password"

# certSource
# 0 - create self signed cert
# 1 - read cert from file path
# 2 - read cert from key vault
$certSource = 0

Login-AzAccount
Select-AzSubscription -SubscriptionId $subscriptionId

if ($certSource -eq 0)
{
    Write-Host "Generating new SelfSigned certificate"
    $cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=hdinsightAdlsCert" -KeySpec KeyExchange
    # Export the certificate with its private key as a password-protected PFX.
    $certBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $certPassword)
    $certString = [System.Convert]::ToBase64String($certBytes)
}
elseif ($certSource -eq 1)
{
    Write-Host "Reading the cert file from path $certFilePath"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFilePath, $certPassword)
    $certString = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($certFilePath))
}
elseif ($certSource -eq 2)
{
    Write-Host "Reading the cert file from Azure Key Vault $KeyVaultName"
    # Az module cmdlet (the rest of the script uses Az, not AzureRM); -AsPlainText returns the secret as a string.
    $secretValue = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -AsPlainText
    $certValue = [System.Convert]::FromBase64String($secretValue)
    # $cert must be the X509Certificate2 object, because GetRawCertData() is called on it below.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certValue, $null, "Exportable, PersistKeySet"
    # $certPassword is a plain string here, so it is passed directly.
    $certBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $certPassword)
    $certString = [System.Convert]::ToBase64String($certBytes)
}

if ($addNewCertKeyCredential)
{
    Write-Host "Creating new KeyCredential for the app"
    # Only the public certificate (no private key) is registered on the AAD application.
    $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
    New-AzADAppCredential -ApplicationId $appId -CertValue $keyValue -EndDate $cert.NotAfter -StartDate $cert.NotBefore
    Write-Host "Waiting for 7 minutes for the permissions to get propagated"
    Start-Sleep -s 420 # 7 minutes
}

Write-Host "Updating the certificate on HDInsight cluster..."
# The PFX (with private key) and its password are sent to the cluster resource.
Invoke-AzResourceAction `
    -ResourceGroupName $resourceGroupName `
    -ResourceType 'Microsoft.HDInsight/clusters' `
    -ResourceName $clusterName `
    -ApiVersion '2015-03-01-preview' `
    -Action 'updateclusteridentitycertificate' `
    -Parameters @{ ApplicationId = $appId; Certificate = $certString; CertificatePassword = $certPassword.ToString() } `
    -Force

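1 Answer
mefy6pfw #1
I have not tried it. I believe your problem has already been resolved. However, for other viewers: if jobs are running on a production cluster, running the certificate renewal process is not recommended, because it may cause inconsistent errors.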
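
A pre-flight guard that follows the advice in the answer above, as an added example (not part of the original question or answer, and not Microsoft's script): it lists active YARN applications and stops before the renewal if any are found. It assumes the cluster gateway exposes the YARN ResourceManager REST API at `/ws/v1/cluster/apps` and accepts the cluster login (HTTP) credentials; the function name `Get-ActiveYarnApplication` is hypothetical.

```powershell
# Added example: refuse to start the certificate renewal while YARN applications are active.
# Assumption: the gateway at https://<clustername>.azurehdinsight.net proxies the
# YARN ResourceManager REST API and accepts the cluster login (HTTP) credentials.
$clusterName = '<clustername>'

function Get-ActiveYarnApplication {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # ACCEPTED = queued and about to start, RUNNING = currently executing.
    $uri = "https://${ClusterName}.azurehdinsight.net/ws/v1/cluster/apps" +
           "?states=ACCEPTED,RUNNING"
    $response = Invoke-RestMethod -Uri $uri -Credential $Credential -Method Get

    # YARN returns "apps": null when no application matches the filter.
    if ($null -eq $response.apps -or $null -eq $response.apps.app) {
        return @()
    }
    return @($response.apps.app)
}

$gatewayCredential = Get-Credential -Message 'HDInsight cluster login (HTTP user)'
$active = @(Get-ActiveYarnApplication -ClusterName $clusterName -Credential $gatewayCredential)

if ($active.Count -gt 0) {
    # Show what is still running so the operator can decide when to retry.
    $active | Select-Object id, name, user, state, queue | Format-Table -AutoSize
    throw "$($active.Count) YARN application(s) still active on $clusterName; certificate renewal not started."
}

Write-Host "No active YARN applications on $clusterName; renewal can proceed."
# The Invoke-AzResourceAction call from the question's script would follow here.
```

The check only covers workloads scheduled through YARN, and a job submitted between the check and the update is not caught, so it narrows the window rather than closing it.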