Integrate external vault with file-based token
You can use the SECRET_MANAGER_MOUNT_SOURCE environment variable to supply external vault credentials through file‑based authentication rather than relying on vault tokens stored on the BlazeMeter platform. This integration method ensures that your credentials remain securely within your environment, giving you greater control over how sensitive information is provided to BlazeMeter.
You can integrate your external vault using Docker or Kubernetes.
Integrate using Docker
- Create a vaults.json file with the BlazeMeter vault ID and credentials:
- Copy the vaults.json file to a location on the OPL agent machine and pass the path of the folder containing vaults.json to the BlazeMeter agent (Crane) command through the SECRET_MANAGER_MOUNT_SOURCE environment variable:

```sh
docker run -d \
  --env SECRET_MANAGER_MOUNT_SOURCE=/path/to/directory/containing/the/json \
  --env HARBOR_ID=your_harbor_id \
  --env SHIP_ID=your_ship_id \
  --env AUTH_TOKEN=your_auth_token \
  --name=bzm-crane-ship_id \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /path/to/secrets/directory:/path/to/secrets/directory \
  --net=host \
  blazemeter/crane python agent/agent.py
```
Integrate using Kubernetes
- Create a vaults.json file with the BlazeMeter vault ID and credentials:
- Configure Kubernetes:
- storage-pv.yaml and storage-pvc.yaml: define a PersistentVolume and a PersistentVolumeClaim that map to the directory holding vaults.json. hostPath.path in the PersistentVolume points to the directory containing vaults.json.

storage-pv.yaml
```yaml
# Persistent volume for secrets
apiVersion: v1
kind: PersistentVolume
metadata:
  name: secrets-pv
spec:
  storageClassName: ""
  capacity:
    storage: 10Mi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: /Users/mbanner/k8s-bzm-crane/data
    type: DirectoryOrCreate
```

storage-pvc.yaml
```yaml
# Persistent volume claim for secrets
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: secrets-pvc
spec:
  storageClassName: ""
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Mi
```
- Create the Crane deployment with KUBERNETES_PERMANENT_MOUNT. Be sure that KUBERNETES_PERMANENT_MOUNT is set to secrets-pvc=/app/secrets=False.

crane-deployment.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    role: roleCrane
  name: crane
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      role: roleCrane
      crane: ready
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        role: roleCrane
        crane: ready
    spec:
      serviceAccountName: bzm-crane-sa
      automountServiceAccountToken: true
      containers:
      - env:
        - name: A_ENVIRONMENT
          value: https://a.blazemeter.com
        - name: AUTH_TOKEN
          value: e99c4c84b6c8189a3f3a972ecf2c8e56f6d234cd49dcd107abe4a
        - name: HARBOR_ID
          value: 68ad8b3ecea3351f0a7e4
        - name: SHIP_ID
          value: 68ad8b45f3b6df70eae24
        - name: CONTAINER_MANAGER_TYPE
          value: KUBERNETES
        - name: IMAGE_OVERRIDES
          value: '{}'
        - name: DOCKER_REGISTRY
          value: gcr.io/verdant-bulwark-278
        - name: AUTO_KUBERNETES_UPDATE
          value: 'false'
        - name: KUBERNETES_WEB_EXPOSE_TLS_SECRET_NAME
          value: "my-credentials"
        - name: KUBERNETES_SERVICE_USE_TYPE
          value: CLUSTERIP
        - name: KUBERNETES_USE_PRE_PULLING
          value: "true"
        - name: KUBERNETES_SERVICES_BLOCKING_GET
          value: "true"
        - name: KUBERNETES_LIVENESS_INITIAL_DELAY
          value: "500"
        - name: KUBERNETES_READINESS_THRESHOLD
          value: "500"
        - name: VERBOSE
          value: 'true'
        - name: AUTO_UPDATE
          value: 'false'
        - name: KUBERNETES_PERMANENT_MOUNT
          value: 'secrets-pvc=/app/secrets=False' # Volume mapping claimName=path=readOnly; False means read/write (RW) permissions
        image: gcr.io/verdant-bulwark-278/blazemeter/crane:3.6.146
        imagePullPolicy: Never
        name: crane-container
        securityContext:
          runAsUser: 0
        volumeMounts:
        - name: config-volume
          mountPath: /etc/blazemeter
      volumes:
      - name: config-volume
        configMap:
          name: bzm-crane-config
          items:
          - key: env.json
            path: config.json
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
```
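A pre-flight check for the two settings this page configures, added here as a constructed example (it is not part of the BlazeMeter documentation or the Crane agent): it verifies that the directory given in SECRET_MANAGER_MOUNT_SOURCE exists and holds a non-empty vaults.json that is not group- or world-readable (and parses as JSON when python3 is present), and that KUBERNETES_PERMANENT_MOUNT has the claimName=mountPath=readOnly shape of secrets-pvc=/app/secrets=False. The permission rule and that three-field layout are assumptions of the example, not statements from the page.

```sh
#!/bin/sh
# Pre-flight checks for the file-based vault setup (constructed example, not
# part of the Crane agent; the permission rule and the three-field layout of
# KUBERNETES_PERMANENT_MOUNT are assumptions).

# check_secret_mount_dir DIR: DIR is the value given to SECRET_MANAGER_MOUNT_SOURCE.
# Passes only if DIR exists and holds a non-empty vaults.json that is not
# readable by group or others, so the credentials stay private to the agent user.
check_secret_mount_dir() {
  dir=$1
  f="$dir/vaults.json"
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  [ -s "$f" ] || { echo "missing or empty $f" >&2; return 1; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
  case "$mode" in
    *00) ;;   # octal mode ends in 00: no group/other permission bits set
    *) echo "$f is readable by group/others (mode $mode)" >&2; return 1 ;;
  esac
  # Syntax check with the stock JSON parser when python3 exists on the host.
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$f" 2>/dev/null \
      || { echo "$f is not valid JSON" >&2; return 1; }
  fi
}

# check_permanent_mount VALUE: validates KUBERNETES_PERMANENT_MOUNT, assumed to be
# claimName=mountPath=readOnly, e.g. secrets-pvc=/app/secrets=False (False = read/write).
check_permanent_mount() {
  value=$1
  [ "$(printf '%s' "$value" | tr -cd '=')" = "==" ] \
    || { echo "expected claimName=mountPath=readOnly, got: $value" >&2; return 1; }
  claim=${value%%=*}
  rest=${value#*=}
  path=${rest%%=*}
  flag=${rest#*=}
  case "$claim" in   # PVC names use lowercase letters, digits and '-'
    ''|*[!a-z0-9-]*) echo "claim name must be lowercase letters, digits or '-': $claim" >&2; return 1 ;;
  esac
  case "$path" in
    /*) ;;
    *) echo "mount path must be absolute: $path" >&2; return 1 ;;
  esac
  case "$flag" in
    True|False) ;;
    *) echo "readOnly flag must be True or False: $flag" >&2; return 1 ;;
  esac
}
```

Run it on the agent host before starting Crane, for example check_secret_mount_dir "$SECRET_MANAGER_MOUNT_SOURCE" and check_permanent_mount "$KUBERNETES_PERMANENT_MOUNT"; a non-zero exit with a message on stderr means the setup needs fixing.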