Pass client certificates as CLI flags #2603

Closed
hem-source opened this issue Jul 18, 2022 · 10 comments
Labels: evaluation needed, feature

@hem-source

Brief summary

I have my certificate present on path

  • export MTLS_PEM="$(")"
  • echo $MTLS_PEM | sed 's/\n/\n/g' > /mtls.pem
  • export MTLS_KEY="$(")"
  • echo $MTLS_KEY | sed 's/\n/\n/g' > /mtls.key

I want to load this certificate when performing k6 run:

k6 run --summary-export=load-performance.json $file --config=src/test/performance/config.json

How do I load this certificate?

k6 run --summary-export=load-performance.json --ssl-client-cert mtls.pem --ssl-client-key mtls.key $file --config=/config.json;

Is it possible to use --ssl-client-cert or a flag of that type to call the certificate?

Also, the main issue is that whenever we run the performance test for the process API, our test result shows failed. PFB error. Whereas when the same pipeline is used to run the experience API, all results show pass.

Process API:
✗ Status code is 200
↳ 0% — ✓ 0 / ✗ 12002
checks.....................: 0.00% ✓ 0 ✗ 12002
http_req_failed............: 100.00% ✓ 12002 ✗ 0

Experience API:
http_req_failed................: 0.00% ✓ 0 ✗ 18000

We are not able to identify why we are getting different behaviour/output, as both are using the same script.

k6 version

k6

OS

Windows

Docker version and image (if applicable)

No response

Steps to reproduce the problem

NA

Expected behaviour

The same script should pass all performance tests successfully for the process API as well

Actual behaviour

Performance test is failing for process API

@hem-source hem-source added the bug label Jul 18, 2022
@na--
Member

na-- commented Jul 19, 2022

k6 doesn't have --ssl-client-cert or --ssl-client-key CLI flags, I am not sure where you saw that? 😕 Instead you should use the tlsAuth JS option, you can see an example of how it can be used in the docs: https://k6.io/docs/using-k6/k6-options/reference/#tls-auth

This doesn't seem like a bug in k6, so I'll close the issue. In the future, if you want to ask questions, please do it in the community forum at https://community.k6.io/

@na-- na-- closed this as completed Jul 19, 2022
@na-- na-- added question and removed bug labels Jul 19, 2022
@olegbespalov
Contributor

@na-- just to also provide more context here. There is a post in the community forum.

I guess the purpose of that issue is to request the possibility of configuring certificates via the flags like --ssl-client-cert or --ssl-client-key.

@na--
Member

na-- commented Jul 19, 2022

Ah, I see, then this feature request was definitely both mis-classified as a bug and not very well explained... I'll reopen it and adjust the title slightly.

@na-- na-- reopened this Jul 19, 2022
@na-- na-- changed the title from "Load certificate in k6 run" to "Pass client certificates as CLI flags" Jul 19, 2022
@na-- na-- added feature and evaluation needed labels and removed question label Jul 19, 2022
@na--
Member

na-- commented Jul 19, 2022

@hem-source, I skimmed the forum thread, but I don't get why you need to pass TLS certificates as CLI flags... 😕 Can you please explain why options.tlsAuth in combination with k6 environment variables is insufficient for your use case?

@mstoykov
Contributor

Potentially relevant documentation issue grafana/k6-docs#616

@hem-source
Author

The main issue is that whenever we run the performance test for the process API, our test result shows failed. PFB error. Whereas when the same pipeline is used to run the experience API, all results show pass.

Process API:
✗ Status code is 200
↳ 0% — ✓ 0 / ✗ 12002
checks.....................: 0.00% ✓ 0 ✗ 12002
http_req_failed............: 100.00% ✓ 12002 ✗ 0

Experience API:
http_req_failed................: 0.00% ✓ 0 ✗ 18000

We are not able to identify why we are getting different behaviour/output, as both are using the same script.

So we are suspecting that for the process API we need the certificate to be loaded before k6 run. So in my Git script I have made the below changes:

script:
- export MTLS_PEM="$(vault kv get -tls-skip-verify -field=pem "kv/mulesoft/postman/mtls")"
- echo $MTLS_PEM | sed 's/\n/\n/g' > src/test/performance/mtls.pem
- export MTLS_KEY="$(vault kv get -tls-skip-verify -field=key "kv/mulesoft/postman/mtls")"
- echo $MTLS_KEY | sed 's/\n/\n/g' > src/test/performance/mtls.key
- pwd
- export const options = tlsAuth: [ { domains: ["domain.com"], cert: open('./mtls.pem'), key: open('./mtls.pem'),},]
- ls -la src/test/performance/
- |
  for file in src/test/performance/*.js ;
  do
    k6 run --summary-export=load-performance.json $file --config=src/test/performance/config.json;
  done

So is this TLS auth option correctly defined?

@hem-source
Author

So in addition to the tlsAuth option defined, how would I call it in k6 run?

@olegbespalov
Contributor

@hem-source the issues of this repository are for the bugs, feature requests, and things like that. For support, please use the community forum.

The reason why I mentioned the issue is that, as you mentioned that you would like to load the certificate with the flags:

Can we use this k6 run --summary-export=load-performance.json --ssl-client-cert mtls.pem --ssl-client-key mtls.key $file --config=/config.json;

And since right now there is no such functionality in the k6, you can make a feature request. But it should be appropriately specified.

Depending on different factors (community needs, k6, or maybe some contributors' capacity), the feature request can be prioritized and implemented in further versions of the k6.

@na--
Member

na-- commented Jul 20, 2022

- pwd
- export const options = tlsAuth: [ { domains: ["domain.com"], cert: open('./mtls.pem'), key: open('./mtls.pem'),},]

@hem-source, you should not use export const options in the CI script code, you should have that code in your .js script files... See https://k6.io/docs/using-k6/k6-options/how-to and other examples in the documentation on how that works.
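
Added example (not part of the original thread and not k6's own code): one way to build options.tlsAuth inside the .js script from k6 environment variables, rejecting a key path that points at the certificate and PEM files whose line breaks were lost when they were written. The variable names MTLS_CERT, MTLS_KEY and MTLS_DOMAINS and the helpers pemLabel and buildTlsAuth are assumptions made for this illustration.

```javascript
// Added example: build k6's options.tlsAuth from environment variables.
// MTLS_CERT, MTLS_KEY and MTLS_DOMAINS are assumed names, not k6 settings.

// Return the PEM label ("CERTIFICATE", "PRIVATE KEY", ...) or throw if the
// text is not well-formed PEM with its line breaks intact.
function pemLabel(text, what) {
  const m = /^-----BEGIN ([A-Z0-9 ]+)-----\r?\n[\s\S]+?\r?\n-----END \1-----$/.exec(
    String(text).trim()
  );
  if (!m) {
    throw new Error(what + ': not a PEM block (were newlines lost when writing the file?)');
  }
  return m[1];
}

// env: object of variables (__ENV in k6); readFile: file reader (open in k6).
function buildTlsAuth(env, readFile) {
  for (const name of ['MTLS_CERT', 'MTLS_KEY', 'MTLS_DOMAINS']) {
    if (!env[name]) throw new Error('missing environment variable ' + name);
  }
  const cert = readFile(env.MTLS_CERT);
  const key = readFile(env.MTLS_KEY);
  if (pemLabel(cert, 'MTLS_CERT') !== 'CERTIFICATE') {
    throw new Error('MTLS_CERT does not contain a certificate');
  }
  // Catches pointing both cert and key at the same .pem file.
  if (!pemLabel(key, 'MTLS_KEY').endsWith('PRIVATE KEY')) {
    throw new Error('MTLS_KEY does not contain a private key');
  }
  const domains = env.MTLS_DOMAINS.split(',').map((d) => d.trim()).filter(Boolean);
  return [{ domains: domains, cert: cert, key: key }];
}

// In the k6 .js script (init context), not in the CI YAML:
//   export const options = { tlsAuth: buildTlsAuth(__ENV, open) };
// Invocation from the pipeline:
//   k6 run -e MTLS_CERT=./mtls.pem -e MTLS_KEY=./mtls.key -e MTLS_DOMAINS=domain.com script.js
```

Because the checks run in the init context, a bad certificate or key file stops the run before any request is sent, instead of surfacing as 100% http_req_failed.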

@olegbespalov
Contributor

There is no plan to add the client certificate flags into k6 for now. Closing as not planned.

@olegbespalov olegbespalov closed this as not planned Jul 9, 2024