This article details how to install a BlazeMeter on-premise agent for Kubernetes on a server/instance behind your firewall with the goal of running Mock Services. BlazeMeter supports Contour as well as Istio for defining Ingress traffic. The procedure described here relies on Istio.
Tip: If you want to install a BlazeMeter on-premise agent for Kubernetes without running Mock Services, consider the shorter procedure of setting up Kubernetes with Contour instead. For more information, see Installing a BlazeMeter Agent for Kubernetes.
Mock Services are a use case where the Private Location needs an outbound and an inbound connection, while Private Locations for other test types need only an outbound connection. Mock Services use either Istio or Contour to help route Ingress traffic into the desired pod in containers and the cluster. With Istio, you can also use the same Private Location for both Mock Services and Performance tests.
When adding an on-premise agent for a Private Location, you will come across commands for Docker and Kubernetes installations, which you copy and run on your machine to install the agent. Ensure that you update all environment variables according to your Kubernetes instance.
Istio Overview
Mock Services can use Istio to help route Ingress traffic into the desired pod in containers and the cluster.
Gateway
The Gateway serves as a load balancer configuration and as an entry point into your cluster. In the gateway, you can define ports that you want to expose and you can list different hosts (domain names) that each of the ports should handle.
Virtual Services
Istio handles traffic through the gateway. You can create resources called virtual services that serve as a bridge between the gateway and the actual services that are running on your Kubernetes cluster.
For incoming traffic that is targeting a given host name (example: mydomain1-9090-default.mocks.yoursite.com), a virtual service forwards traffic to a specific service which then forwards it to the pod and the containers within your cluster.
Sidecar Injection
Additionally, for any pod that you create in your cluster, Istio will inject a container that helps enforce mutual TLS traffic for anything that is going in and out of your pods.
Istio Configuration
The following procedures show how to set up and validate environments on a cluster with Istio setup:
- Set Up Istio
- Create a Secret
- Deploy the Gateway
- Deploy an Agent
- Deploy an HTTP- or HTTPS-based Mock Service
- Configure the DNS
Set Up Istio
Follow these steps:
-
Download the binary by executing the following shell script:
curl -L https://istio.io/downloadIstio | sh -
-
Ensure that the cluster is clean. Run the following command:
kubectl get all
-
Delete the projectcontour namespace if it is present. Run
the following command:
kubectl delete ns projectcontour
Install and set up a profile. Run the following command:
./istioctl install --set profile=demo -y
Enable the istio-injection for the namespace. In this example we are running on the default namespace. Run the following command:
kubectl label namespace default istio-injection=enabled
Create a Secret
Note:
Note: Ensure that the common name is set properly in csr. The common name will be
your subdomain.
Example: *.mydomain.local, and the load balancer should have a wild card cert.
Follow these steps:
- Create a secret by running the arguments below.
- Generate a wildcard cert using openssl.
Run the command:
openssl genrsa -out mydomain.local.key 2048
Run the command:
openssl req -new -key mydomain.local.key -out mydomain.local.csr
-
Run the command:
openssl x509 -req -days 3650 -in mydomain.local.csr -signkey mydomain.local.key -out mydomain.local.crt
- Run the command:
rm mydomain.local.csr
Create a secret in istio-system name using the wildcard certs.
You have created a secret.
Create a secret in the istio-system namespace called wildcard-credential.
kubectl create -n istio-system secret tls wildcard-credential --key=mydomain.local.key --cert=mydomain.local.crt
Deploy the Gateway
Follow these steps:
- Here is a sample of the gateway file contents.
Change the namespace to your namespace, if needed.apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: bzm-gateway namespace: default spec: selector: istio: ingressgateway # use istio default controller servers: - port: number: 80 name: http-80 protocol: HTTP hosts: - "*" - port: number: 443 name: https-443 protocol: HTTPS tls: mode: SIMPLE # This must be located in the "istio-system" namespace credentialName: wildcard-credential hosts: - "*" - port: number: 15443 name: https-15443 protocol: HTTPS tls: mode: PASSTHROUGH hosts: - "*" - Deploy the gateway. Change the namespace to your namespace, if needed.
kubectl apply -f <path to yaml>/bzm_gateway.yaml -n default
You have deployed a gateway.
Deploy an Agent
Follow these steps:
Create an agent in the BlazeMeter Private Location section and copy the Kubernetes configuration. For an example, see this example Kubernetes Command.
- Copy the Kubernetes Configuration agent creation command and update it or add the following:
- Update the namespace ‘BLAZEMETER’ with the namespace where you want to deploy crane, in this example, replace with ‘
default’. - Update imagePullPolicy value:
imagePullPolicy: Always Add the below properties under spec of kind Deployment:
- name: KUBERNETES_WEB_EXPOSE_TYPE value: ISTIO - name: KUBERNETES_WEB_EXPOSE_SUB_DOMAIN value: mydomain.local - name: KUBERNETES_WEB_EXPOSE_TLS_SECRET_NAME value: wildcard-credential - name: KUBERNETES_SERVICE_USE_TYPE value: CLUSTERIP - name: KUBERNETES_USE_PRE_PULLING value: "true" - name: KUBERNETES_SERVICES_BLOCKING_GET value: "true" - name: KUBERNETES_ISTIO_GATEWAY_NAME value: bzm-gateway
Note: The environment variable KUBERNETES_ISTIO_GATEWAY_NAME is optional. If it is not set, the crane agent creates a gateway resource for every Mock Service deployment.
- Add
"networking.istio.io"as part of the roles.rules.apiGroups. - Add
"ingresses", "gateways", "virtualservices"as part of roles.rules.resources.
- Update the namespace ‘BLAZEMETER’ with the namespace where you want to deploy crane, in this example, replace with ‘
Your final deployment-crane.yaml manifest should look like the following example. You can even copy the yaml and use it as your own deployment manifest. Just make sure to edit the variables auth_token, Namespace, harbourId, and so on.
# This is for defining Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-cranevs
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: ["extensions", "apps", "networking.istio.io", ""] # leave empty string for core
resources: ["pods", "services", "endpoints", "daemonsets", "pods/*", "pods/exec", "deployments",
"replicasets", "ingresses", "gateways", "deployments/scale", "virtualservices"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "createcollection"]
---
# This is for binding the above defined role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: role-cranevs-binding-default
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: Role
name: role-cranevs
apiGroup: rbac.authorization.k8s.io
---
# This is for cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: clustercranevs
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# This is for binding above cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: clustercranevs-binding-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: clustercranevs
subjects:
- kind: ServiceAccount
name: default
namespace: default
---
# This is the main deployment manifest for crane deployment (Make changes to the HarbourId, ShipId & Auth-token)
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
role: role-cranevs
name: crane
namespace: default
spec:
replicas: 1
selector:
matchLabels:
role: role-cranevs
strategy:
type: Recreate
template:
metadata:
labels:
role: role-cranevs
spec:
serviceAccountName: default
automountServiceAccountToken: true
containers:
- env:
- name: AUTH_TOKEN
value: <Auth Token> # Update auth token
- name: HARBOR_ID
value: <harbour Id> # Update Harbour ID
- name: SHIP_ID
value: <Ship Id> # Update ship ID
- name: CONTAINER_MANAGER_TYPE
value: KUBERNETES
- name: IMAGE_OVERRIDES
value: '{}'
- name: DOCKER_REGISTRY
value: gcr.io/verdant-bulwark-278
- name: AUTO_KUBERNETES_UPDATE
value: 'true'
- name: KUBERNETES_WEB_EXPOSE_TYPE
value: ISTIO
- name: KUBERNETES_WEB_EXPOSE_SUB_DOMAIN
value: mydomain.local
- name: KUBERNETES_WEB_EXPOSE_TLS_SECRET_NAME
value: wildcard-credential
- name: KUBERNETES_SERVICE_USE_TYPE
value: CLUSTERIP
- name: KUBERNETES_USE_PRE_PULLING
value: "true"
- name: KUBERNETES_SERVICES_BLOCKING_GET
value: "true"
- name: KUBERNETES_ISTIO_GATEWAY_NAME
value: bzm-gateway
## Note: The environment variable KUBERNETES_ISTIO_GATEWAY_NAME is optional.
## If it is not set, the crane agent creates a gateway resource for every Mock Service deployment.
image: gcr.io/verdant-bulwark-278/blazemeter/crane:latest-master
imagePullPolicy: Always
name: crane-container
restartPolicy: Always
terminationGracePeriodSeconds: 30
To deploy the agent:
Apply the manifest to deploy this agent.
kubectl apply -f deployment-crane.yaml -n default
Verify the pods and other resources within your cluster namespace to ensure that the agent is running.
kubectl get all -n default
- After the agent is deployed, it will show up under the private location as shown in this screenshot:
- Verify the resources within the istio-system namespace
kubectl get svc -n istio-system
kubectl get secret -n istio-systemMake sure we have the loadbalancer service running with an active external IP.
Verify that the secret named wildcard-credential is set up.
- To verify Istio deployments within your active namespace, run the following commands:
kubectl get gw -n default
Verify that the bzm-gateway is deployed within your namespace (same namespace as that of crane)
After all resources within your cluster are set up, you can start deploying Mock Services.
Deploy an HTTP or HTTPS based Mock Service
The Mock Service creates an Istio virtual service in the namespace. You can verify the virtual service in your namespace by using the following command:
kubectl get virtualservices -n default
Note: Stopping or deleting a Mock Service deletes the Istio virtual service.
- Navigate to the Mock Service tab in the BlazeMeter UI.
- Create a Mock Service with a set of transactions, and select the Kubernetes private location agent (the agent we created with this configuration) in the Private Location.
- After the Mock Service is created, click on the save and start button to initiate the Mock Service.
- The endpoint should be visible in the UI with the FQDN ending the subdomain. In this example, it is:
"Mydomain.local"
- The format of your Mock Service endpoint should look like this:
mockserviceName&ID.namespaceName.mydomain.local
Configure the DNS
If you cannot connect to the Mock Service endpoint, it is likely due to failing DNS resolution. The DNS resolution for the generated Mock Services URLs/endpoint is not anything that Mock Services or Crane can set up automatically.
The missing piece is that the systems from which you are running HTTP/S requests don't have any DNS records that map traffic of the generated subdomains. You resolve this issue by adding the DNS entry of the external IP of the loadbalancer to the hosts file of the system which is used for hitting the Mock Service endpoint.
For example, let's say the generated URL is mockservice232297-8080-default.mydomain.local and the external IP of the loadbalancer is 34.72.180.232,
then add the following to your /etc/hosts file:
34.72.180.232 mockservice232297-8080-default.mydomain.localYou can now reach the Mock Service endpoint at mockservice232297-8080-default.mydomain.local
Now that you have an Agent installed, continue reading how you use your new Private Location.
0 Comments