Optional Installation Step: Configuring a Kubernetes Installation to Use CA Bundle
If you want to configure your Kubernetes installation to use CA certificates, use a ConfigMap.
A ConfigMap containing the required certificates can be mounted and referenced in your crane configuration.
While BlazeMeter provides auto-generated commands and configurations for easy installation of Docker and Kubernetes agents, we recommend using the manual installation approach when configuring a Kubernetes installation to use CA certificates.
- Create a ConfigMap
- Use ConfigMap in Your Deployment
- Configure a ConfigMap for Grid Proxy
- Use ConfigMap in Your Grid Proxy Deployment
Create a ConfigMap
The easiest way to create a ConfigMap for the purpose of using CA certificates in BlazeMeter is to create it from the certificate file:
$ kubectl create configmap <cm-name> --from-file=<cert-filename>
In addition to the usual environment variables REQUEST_CA_BUNDLE and AWS_CA_BUNDLE, this approach requires another environment variable called KUBERNETES_CA_BUNDLE_MOUNT. The value of this environment variable takes the form of
<env var>=<cm-name>[=<subpath>]:<env var>=<cm-name>[=<subpath>]
where:
<env var>is the name of the environment variable you want to pass from crane to other components (REQUEST_CA_BUNDLE or AWS_CA_BUNDLE)<cm-name>is the name of the ConfigMap mounted as volume in crane deployment[=<subpath>]is the optional subpath of the certificate file.
Your environment variable configuration might look like this:
REQUESTS_CA_BUNDLE=/some/where.crt
AWS_CA_BUNDLE=/some/where-else.crt
KUBERNETES_CA_BUNDLE_MOUNT=REQUESTS_CA_BUNDLE=ConfigMapName=where.crt:AWS_CA_BUNDLE=ConfigMapName=where-else.crt
Note that REQUEST_CA_BUNDLE and AWS_CA_BUNDLE reference the file in the pod where the ConfigMap is mounted, and KUBERNETES_CA_BUNDLE_MOUNT may need to reference both the ConfigMap name and the subpath for both _CA_BUNDLE environment variables. If the subpath is missing, it will mount the whole ConfigMap as directory at the path in the value of respective env variable.
Use ConfigMap in Your Deployment
To use a ConfigMap in your deployment, reference it as a volume and then mount that volume.
Follow these steps:
- Follow the same process as for manually installing a Kubernetes agent.
-
Add your ConfigMap name under the
volumessection of the Pod specification. See an example in this Kubernetes Documentation. - Add your ConfigMap data to a specific path in the volume. See an example in this Kubernetes Documentation.
The full configuration looks like this:apiVersion: apps/v1 kind: Deployment metadata: labels: role: role-crane name: crane namespace: <namespace_name> spec: replicas: 1 selector: matchLabels: role: role-crane crane: ready strategy: type: Recreate template: metadata: labels: role: role-crane crane: ready spec: serviceAccountName: default automountServiceAccountToken: true containers: - env: - name: AUTH_TOKEN value: <auth_token> - name: HARBOR_ID value: <harbour_ID> - name: SHIP_ID value: <ship_ID> - name: CONTAINER_MANAGER_TYPE value: KUBERNETES - name: IMAGE_OVERRIDES value: '{}' - name: DOCKER_REGISTRY value: gcr.io/verdant-bulwark-278 - name: AUTO_KUBERNETES_UPDATE value: 'true' - name: REQUEST_CA_BUNDLE value: /var/cm/where.crt - name: AWS_CA_BUNDLE value: /var/cm/where.crt - name: KUBERNETES_CA_BUNDLE_MOUNT value: REQUESTS_CA_BUNDLE=release-name-configmap=where.crt:AWS_CA_BUNDLE=release-name-configmap=where.crt image: gcr.io/verdant-bulwark-278/blazemeter/crane:latest-master imagePullPolicy: Always name: crane-container volumeMounts: - name: volume-cm mountPath: /var/cm volumes: - name: volume-cm configMap: name: <cm-name> restartPolicy: Always terminationGracePeriodSeconds: 30 - Once you have made the edits above, you can return to the Kubernetes installation steps to finish your installation.
Configure a ConfigMap for Grid Proxy
You can configure a Kubernetes private location agent to use a CA bundle for Grid Proxy by setting up the necessary environment variables in the ConfigMap.
The following environment variables in the ConfigMap provide the file paths for the SSL public certificate and private key required by the Grid Proxy:
- TLS_CERT_GRID: Specifies the file path for the SSL public certificate.
- TLS_KEY_GRID: Specifies the file path for the SSL private key.
- KUBERNETES_CA_BUNDLE_MOUNT: Configures the mount point for the CA bundle in the Kubernetes environment.
Example
TLS_CERT_GRID=/some/public.crt
TLS_KEY_GRID=/some/private.key
KUBERNETES_CA_BUNDLE_MOUNT=TLS_CERT_GRID=ConfigMapName=public.crt:TLS_KEY_GRID=ConfigMapName=private.key
TLS_CERT_GRID and TLS_KEY_GRID reference the file in the pod where the ConfigMap is mounted. The KUBERNETES_CA_BUNDLE_MOUNT variable may need to reference both the ConfigMap name and the subpath for both environment variables. If the subpath is missing, KUBERNETES_CA_BUNDLE_MOUNT will mount the whole ConfigMap as a directory at the path in the value of the respective environment variable.
Use ConfigMap in Your Grid Proxy Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: crane
labels:
role: role-crane
harbor_id: 665466a196437dc8870f422a
ship_id: 667981b161bb4b9491027188
spec:
selector:
matchLabels:
role: role-crane
harbor_id: 665466a196437dc8870f422a
ship_id: 667981b161bb4b9491027188
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
role: role-crane
harbor_id: 665466a196437dc8870f422a
ship_id: 667981b161bb4b9491027188
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 30
containers:
- name: bzm-crane-667981b161bb4b9491027188
image: 'blazemeter/crane:latest'
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /healtz
port: 5000
scheme: HTTP
initialDelaySeconds: 300
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /healtz
port: 5000
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 10
env:
- name: HARBOR_ID
value: 665466a196437dc8870f422a
- name: SHIP_ID
value: 667981b161bb4b9491027188
- name: AUTH_TOKEN
value: 97760977852c9e9a5d661492fb29be1d607255ed6e29a97911edf43eb59fee2f
- name: DOCKER_PORT_RANGE
value: 6000-7000
- name: A_ENVIRONMENT
value: 'https://bza-5590-punnetj-puneetjain.blazemeter.net'
- name: CONTAINER_MANAGER_TYPE
value: KUBERNETES
- name: IMAGE_OVERRIDES
value: '{}'
- name: DOCKER_REGISTRY
value: gcr.io/verdant-bulwark-278
- name: AUTO_KUBERNETES_UPDATE
value: 'true'
- name: RUN_HEALTH_WEB_SERVICE
value: 'true'
- name: TLS_CERT_GRID
value: '/etc/ssl/certs/doduo/localhost.crt'
- name: TLS_KEY_GRID
value: '/etc/ssl/certs/doduo/localhost.key'
- name: KUBERNETES_CA_BUNDLE_MOUNT
value: 'TLS_CERT_GRID=tls-files=localhost.crt:TLS_KEY_GRID=tls-files=localhost.key'
volumeMounts:
- name: tls-files
mountPath: /etc/ssl/certs/doduo
readOnly: true
volumes:
- name: tls-files
configMap:
name: tls-files
items:
- key: localhost.crt
path: localhost.crt
- key: localhost.key
path: localhost.key