Optional Installation Step: Configuring a Kubernetes Installation to Use CA Bundle

If you want to configure your Kubernetes installation to use CA certificates, use a ConfigMap.

A ConfigMap containing the required certificates can be mounted and referenced in your crane configuration.

While BlazeMeter provides auto-generated commands and configurations for easy installation of Docker and Kubernetes agents, we recommend using the manual installation approach when configuring a Kubernetes installation to use CA certificates.

Create a ConfigMap

The easiest way to create a ConfigMap for the purpose of using CA certificates in BlazeMeter is to create it from the certificate file:

    $ kubectl create configmap <cm-name> --from-file=<cert-filename>

The data key of the resulting ConfigMap is the file name, which is the value you later use as the subpath. An example of creating ConfigMaps from files can be seen in the Kubernetes documentation.
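As an added example (not kubectl's or BlazeMeter's code), the Python below builds the same ConfigMap manifest that the command above produces, using the file name as the data key, and refuses input that is not a PEM certificate so a wrong file is not mounted as the CA bundle. The function names and the sample PEM text are ours; the PEM body is a constructed placeholder, not a real certificate.

```python
"""Build a ConfigMap manifest from certificate files the way
`kubectl create configmap <cm-name> --from-file=<cert-filename>` does
(data key = file name), but refuse files that are not PEM certificates.
Added example; function names are ours, not kubectl's or BlazeMeter's."""
from __future__ import annotations

import json
import os
import re

# One PEM certificate block: BEGIN/END markers around a base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)
# Kubernetes requires ConfigMap data keys to match this pattern (and be <= 253 chars).
CONFIGMAP_KEY = re.compile(r"^[-._a-zA-Z0-9]{1,253}$")


def count_pem_certificates(text: str) -> int:
    """Number of well-formed certificate blocks; 0 for an empty or non-PEM file."""
    if text.count("-----BEGIN CERTIFICATE-----") != text.count("-----END CERTIFICATE-----"):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    return len(PEM_CERT.findall(text))


def build_configmap(name: str, files: dict[str, str], namespace: str | None = None) -> dict:
    """`files` maps a file name (or path) to its contents; keys become the basenames."""
    data: dict[str, str] = {}
    for filename, content in files.items():
        key = os.path.basename(filename)
        if not CONFIGMAP_KEY.match(key):
            raise ValueError(f"{key!r} is not a valid ConfigMap key")
        if count_pem_certificates(content) == 0:
            raise ValueError(f"{filename!r} holds no PEM certificate; refusing to use it as a CA bundle")
        if key in data:
            raise ValueError(f"duplicate key {key!r}: two input files share a basename")
        data[key] = content
    manifest = {"apiVersion": "v1", "kind": "ConfigMap",
                "metadata": {"name": name}, "data": data}
    if namespace:
        manifest["metadata"]["namespace"] = namespace
    return manifest


def build_configmap_from_paths(name: str, paths: list[str], namespace: str | None = None) -> dict:
    """Read the files from disk and build the manifest (the --from-file behaviour)."""
    return build_configmap(name, {p: open(p, encoding="utf-8").read() for p in paths}, namespace)


if __name__ == "__main__":
    # Constructed PEM text with a placeholder body; stands in for a real CA certificate.
    fake_ca = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPLACEHOLDER\n-----END CERTIFICATE-----\n"
    manifest = build_configmap("ca-bundle", {"/tmp/where.crt": fake_ca}, namespace="blazemeter")
    # JSON is valid YAML, so this output can be piped to `kubectl apply -f -`.
    print(json.dumps(manifest, indent=2))
```

The data key (`where.crt` here) is exactly the string that must appear as the `<subpath>` in KUBERNETES_CA_BUNDLE_MOUNT, so generating the ConfigMap and the mount string from the same file name keeps them in step.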

In addition to the usual environment variables REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE, this approach requires another environment variable, KUBERNETES_CA_BUNDLE_MOUNT, whose value takes the form

<env var>=<cm-name>[=<subpath>]:<env var>=<cm-name>[=<subpath>]

where:

  • <env var> is the name of the environment variable you want to pass from crane to other components (REQUESTS_CA_BUNDLE or AWS_CA_BUNDLE)
  • <cm-name> is the name of the ConfigMap mounted as volume in crane deployment
  • [=<subpath>] is the optional subpath of the certificate file.

Your environment variable configuration might look like this:

REQUESTS_CA_BUNDLE=/some/where.crt
AWS_CA_BUNDLE=/some/where-else.crt
KUBERNETES_CA_BUNDLE_MOUNT=REQUESTS_CA_BUNDLE=ConfigMapName=where.crt:AWS_CA_BUNDLE=ConfigMapName=where-else.crt

Note that REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE reference the file in the pod where the ConfigMap is mounted, and KUBERNETES_CA_BUNDLE_MOUNT may need to reference both the ConfigMap name and the subpath for both _CA_BUNDLE environment variables. If the subpath is missing, the whole ConfigMap is mounted as a directory at the path given in the value of the respective environment variable.

Use ConfigMap in Your Deployment

To use a ConfigMap in your deployment, reference it as a volume and then mount that volume.

Follow these steps:

  1. Follow the same process as for manually installing a Kubernetes agent.
  2. Add your ConfigMap name under the volumes section of the Pod specification. See an example in this Kubernetes Documentation.
  3. Add your ConfigMap data to a specific path in the volume. See an example in this Kubernetes Documentation.
    The full configuration looks like this:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        role: role-crane
      name: crane
      namespace: <namespace_name>
    spec:
      replicas: 1
      selector:
        matchLabels:
          role: role-crane
          crane: ready
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            role: role-crane
            crane: ready
        spec:
          serviceAccountName: default
          automountServiceAccountToken: true
          containers:
          - env:
            - name: AUTH_TOKEN
              value: <auth_token>
            - name: HARBOR_ID
              value: <harbor_ID>
            - name: SHIP_ID
              value: <ship_ID>
            - name: CONTAINER_MANAGER_TYPE
              value: KUBERNETES
            - name: IMAGE_OVERRIDES
              value: '{}'
            - name: DOCKER_REGISTRY
              value: gcr.io/verdant-bulwark-278
            - name: AUTO_KUBERNETES_UPDATE
              value: 'true'
            - name: REQUESTS_CA_BUNDLE
              value: /var/cm/where.crt
            - name: AWS_CA_BUNDLE
              value: /var/cm/where.crt
            - name: KUBERNETES_CA_BUNDLE_MOUNT
              value: REQUESTS_CA_BUNDLE=release-name-configmap=where.crt:AWS_CA_BUNDLE=release-name-configmap=where.crt
            image: gcr.io/verdant-bulwark-278/blazemeter/crane:latest-master
            imagePullPolicy: Always
            name: crane-container
            volumeMounts:
            - name: volume-cm
              mountPath: /var/cm
          volumes:
          - name: volume-cm
            configMap:
              name: <cm-name>
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
    
  4. Once you have made the edits above, you can return to the Kubernetes installation steps to finish your installation.

Configure a ConfigMap for Grid Proxy

You can configure a Kubernetes private location agent to use a CA bundle for Grid Proxy by mounting the certificate and key from a ConfigMap and setting the necessary environment variables on the crane container.

The following environment variables provide the file paths for the SSL public certificate and private key required by the Grid Proxy, and tell crane which ConfigMap supplies them:

  • TLS_CERT_GRID: Specifies the file path for the SSL public certificate.
  • TLS_KEY_GRID: Specifies the file path for the SSL private key.
  • KUBERNETES_CA_BUNDLE_MOUNT: Configures the mount point for the CA bundle in the Kubernetes environment.

Example:

    TLS_CERT_GRID=/some/public.crt
    TLS_KEY_GRID=/some/private.key
    KUBERNETES_CA_BUNDLE_MOUNT=TLS_CERT_GRID=ConfigMapName=public.crt:TLS_KEY_GRID=ConfigMapName=private.key

TLS_CERT_GRID and TLS_KEY_GRID reference the file in the pod where the ConfigMap is mounted. The KUBERNETES_CA_BUNDLE_MOUNT variable may need to reference both the ConfigMap name and the subpath for both environment variables. If the subpath is missing, KUBERNETES_CA_BUNDLE_MOUNT will mount the whole ConfigMap as a directory at the path in the value of the respective environment variable.
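The KUBERNETES_CA_BUNDLE_MOUNT format is the same here as in the CA-bundle section above, so one added example serves both: a small parser for the `<env var>=<cm-name>[=<subpath>]:...` string that then cross-checks each entry against the pod environment and derives the directory each ConfigMap must be mounted at. This is our code, not crane's; the function names are ours, and the sample environments are constructed from the values shown on this page.

```python
"""Parse a crane KUBERNETES_CA_BUNDLE_MOUNT value and cross-check it against
the pod environment.  Added example; the function names are ours, not crane's.

Format, as documented on this page:
    <env var>=<cm-name>[=<subpath>]:<env var>=<cm-name>[=<subpath>]
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BundleMount:
    env_var: str             # e.g. REQUESTS_CA_BUNDLE, AWS_CA_BUNDLE, TLS_CERT_GRID
    configmap: str           # ConfigMap mounted as a volume in the crane pod
    subpath: Optional[str]   # key inside the ConfigMap; None mounts the whole ConfigMap


def parse_ca_bundle_mount(value: str) -> list[BundleMount]:
    """Split colon-separated entries, each ENV=configmap or ENV=configmap=subpath."""
    mounts = []
    for entry in value.split(":"):
        parts = entry.split("=")
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(f"malformed entry {entry!r}: expected ENV=configmap[=subpath]")
        mounts.append(BundleMount(parts[0], parts[1], parts[2] if len(parts) == 3 else None))
    return mounts


def check_against_env(mounts: list[BundleMount], env: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {env var: (configmap, directory the ConfigMap must be mounted at)}.

    Raises ValueError for the mistakes that leave the components reading the
    bundle with an unusable path: an entry naming an env var that is not set
    (a REQUEST_/REQUESTS_ spelling slip is enough), a relative path, or a path
    whose file name differs from the ConfigMap subpath.
    """
    result: dict[str, tuple[str, str]] = {}
    for m in mounts:
        path = env.get(m.env_var)
        if path is None:
            raise ValueError(f"{m.env_var} is listed in KUBERNETES_CA_BUNDLE_MOUNT but is not set")
        if not path.startswith("/"):
            raise ValueError(f"{m.env_var}={path!r} must be an absolute path inside the pod")
        if m.subpath is None:
            mount_dir = path                       # whole ConfigMap becomes this directory
        else:
            if posixpath.basename(path) != m.subpath:
                raise ValueError(f"{m.env_var}={path!r} does not end with subpath {m.subpath!r}")
            mount_dir = posixpath.dirname(path)    # the file lives at <mount_dir>/<subpath>
        result[m.env_var] = (m.configmap, mount_dir)
    return result


def validate_env(env: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Read KUBERNETES_CA_BUNDLE_MOUNT from the environment mapping and check it."""
    return check_against_env(parse_ca_bundle_mount(env["KUBERNETES_CA_BUNDLE_MOUNT"]), env)


if __name__ == "__main__":
    # Constructed environment, taken from the Grid Proxy example on this page.
    grid_env = {
        "TLS_CERT_GRID": "/etc/ssl/certs/doduo/localhost.crt",
        "TLS_KEY_GRID": "/etc/ssl/certs/doduo/localhost.key",
        "KUBERNETES_CA_BUNDLE_MOUNT": "TLS_CERT_GRID=tls-files=localhost.crt:TLS_KEY_GRID=tls-files=localhost.key",
    }
    for var, (cm, mount_dir) in validate_env(grid_env).items():
        print(f"{var}: mount ConfigMap {cm!r} at {mount_dir}")
```

Compare the derived directory with the `mountPath` of the volumeMount that references that ConfigMap in your Deployment: for the Grid Proxy example both TLS variables resolve to `/etc/ssl/certs/doduo`, and for the CA-bundle Deployment above `/var/cm/where.crt` resolves to `/var/cm`. An env var that is named in the mount string but not set on the container (for instance because it is spelled REQUEST_CA_BUNDLE in one place and REQUESTS_CA_BUNDLE in the other) is reported rather than silently passed on.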

Use ConfigMap in Your Grid Proxy Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: crane
  labels:
    role: role-crane
    harbor_id: 665466a196437dc8870f422a
    ship_id: 667981b161bb4b9491027188
spec:
  selector:
    matchLabels:
      role: role-crane
      harbor_id: 665466a196437dc8870f422a
      ship_id: 667981b161bb4b9491027188
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        role: role-crane
        harbor_id: 665466a196437dc8870f422a
        ship_id: 667981b161bb4b9491027188
    spec:
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      containers:
        - name: bzm-crane-667981b161bb4b9491027188
          image: 'blazemeter/crane:latest'
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healtz
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 300
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healtz
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 10
          env:
            - name: HARBOR_ID
              value: 665466a196437dc8870f422a
            - name: SHIP_ID
              value: 667981b161bb4b9491027188
            - name: AUTH_TOKEN
              value: 97760977852c9e9a5d661492fb29be1d607255ed6e29a97911edf43eb59fee2f
            - name: DOCKER_PORT_RANGE
              value: 6000-7000
            - name: A_ENVIRONMENT
              value: 'https://bza-5590-punnetj-puneetjain.blazemeter.net'
            - name: CONTAINER_MANAGER_TYPE
              value: KUBERNETES
            - name: IMAGE_OVERRIDES
              value: '{}'
            - name: DOCKER_REGISTRY
              value: gcr.io/verdant-bulwark-278
            - name: AUTO_KUBERNETES_UPDATE
              value: 'true'
            - name: RUN_HEALTH_WEB_SERVICE
              value: 'true'
            - name: TLS_CERT_GRID
              value: '/etc/ssl/certs/doduo/localhost.crt'
            - name: TLS_KEY_GRID
              value: '/etc/ssl/certs/doduo/localhost.key'
            - name: KUBERNETES_CA_BUNDLE_MOUNT
              value: 'TLS_CERT_GRID=tls-files=localhost.crt:TLS_KEY_GRID=tls-files=localhost.key'
          volumeMounts:
            - name: tls-files
              mountPath: /etc/ssl/certs/doduo
              readOnly: true
      volumes:
        - name: tls-files
          configMap:
            name: tls-files
            items:
              - key: localhost.crt
                path: localhost.crt
              - key: localhost.key
                path: localhost.key