Configuration
Configure BindPlane OP
Options
BindPlane server configuration can be found at /etc/bindplane/config.yaml.
BindPlane will look for flags, environment variables, and a configuration file, with precedence: flags > environment variables > configuration file.
Server and client configurations can be bootstrapped using the init command. See the initialization section.
For detailed examples, see the configurations section.
Host
IP Address the BindPlane server binds to. This can be a single address or 0.0.0.0 for all interfaces.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| network.host | --host | BINDPLANE_HOST | 127.0.0.1 |
Port
TCP port the BindPlane server binds to. This must be an unprivileged port when running BindPlane as a non-root user.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| network.port | --port | BINDPLANE_PORT | 3001 |
Remote URL
URL used to reach the BindPlane server. This must be set in all client and server configurations
and must be a valid URL with a protocol (HTTP / HTTPS), hostname or IP address, and port.
If the server is behind a proxy or load balancer, the proxy URL can be used.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| network.remoteURL | --remote-url | BINDPLANE_REMOTE_URL | http://127.0.0.1:3001 |
CorsAllowedOrigins
A list of origin domains allowed to make requests to BindPlane OP. It should at least contain the domain of the hosted UI. An empty or null value matches all origins. A wildcard "*" is also allowed to match all origins.
In most cases, this value can be the same as network.remoteURL.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| network.corsAllowedOrigins | --cors-allowed-origins | BINDPLANE_CORS_ALLOWED_ORIGINS | * |
Logging
Log output (file or stdout). When log output is set to file, a log file path can be specified.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| logging.output | --logging-output | BINDPLANE_LOGGING_OUTPUT | file |
| logging.filePath | --logging-file-path | BINDPLANE_LOGGING_FILE_PATH | ~/.bindplane/bindplane.log |
Server installations will use /var/log/bindplane/bindplane.log, which is set
using an environment variable in the systemd service configuration.
Log files are rotated and gzip compressed, and cleaned up automatically by BindPlane. Log files have a max size of 100mb
and up to 10 rotates or 30 days of age, whichever comes first. Using an external utility such as logrotate is not recommended.
Metrics
BindPlane can be configured to forward metrics to an OpenTelemetry collector. The easiest way to get up and running is to deploy an agent on the same machine BindPlane is installed on. The agent should be configured with the OpenTelemetry source. Configure BindPlane to send metrics over localhost.
Once configured, the managed agent can forward the metrics to the destination of your choice.
Metrics are sent to OpenTelemetry collectors using the gRPC protocol.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| metrics.type | --metrics-type | BINDPLANE_METRICS_TYPE | |
| metrics.interval | --metrics-interval | BINDPLANE_METRICS_INTERVAL | 1m0s |
| metrics.otlp.endpoint | --metrics-otlp-endpoint | BINDPLANE_METRICS_OTLP_ENDPOINT | |
| metrics.otlp.insecure | --metrics-otlp-insecure | BINDPLANE_METRICS_OTLP_INSECURE |
Tracing
BindPlane supports configuration to enable tracing. tracing.type can be set to google or otlp.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| tracing.type | --tracing-type | BINDPLANE_TRACING_TYPE |
When tracing.type is set to otlp, some more configuration is possible.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| tracing.otlp.endpoint | --tracing-otlp-endpoint | BINDPLANE_TRACING_OTLP_ENDPOINT | |
| tracing.otlp.insecure | --tracing-otlp-insecure | BINDPLANE_TRACING_OTLP_INSECURE | FALSE |
TLS
BindPlane supports server side TLS and mutual TLS. See the tls examples
for detailed usage.
| Option | Flag | Environment Variable |
|---|---|---|
| network.tlsCert | --tls-cert | BINDPLANE_TLS_CERT |
| network.tlsKey | --tls-key | BINDPLANE_TLS_KEY |
| network.tlsCA | --tls-ca | BINDPLANE_TLS_CA |
| network.tlsSkipVerify | --tls-skip-verify | BINDPLANE_TLS_SKIP_VERIFY |
| network.tlsMinVersion | --tls-min-version | BINDPLANE_TLS_MIN_VERSION |
Server
network.tlsCert: Enables server-side TLSnetwork.tlsKey: Enables server-side TLSnetwork.tlsCA: Enables mutual TLS
Client
network.tlsCA: Allows the client to trust the server certificate. Not required if the host operating system already trusts the server certificate.network.tlsCert: Enables mutual TLSnetwork.tlsKey: Enables mutual TLSnetwork.tlsSkipVerify: Skip server certificate verification
Storage Backend
BindPlane supports two storage backends, bbolt and postgres.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| store.type | --store-type | BINDPLANE_STORE_TYPE | bbolt |
BBolt
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| store.bbolt.path | --store-bbolt-path | BINDPLANE_STORE_BBOLT_PATH | ~/.bindplane/storage |
Postgres
Postgres can be used as a local or remote storage backend. Postgres storage is enabled
when store.type is set to postgres.
Postgres is a BindPlane OP Enterprise feature.
| Option | Flag | Environment Variable | Default |
|---|---|---|---|
| store.postgres.host | --postgres-host | BINDPLANE_POSTGRES_HOST | localhost |
| store.postgres.port | --postgres-port | BINDPLANE_POSTGRES_PORT | 5432 |
| store.postgres.database | --postgres-database | BINDPLANE_POSTGRES_DATABASE | bindplane |
| store.postgres.sslmode | --postgres-ssl-mode | BINDPLANE_POSTGRES_SSL_MODE | disable |
| store.postgres.sslrootcert | --postgres-ssl-root-cert | BINDPLANE_POSTGRES_SSL_ROOT_CERT | Optional |
| store.postgres.sslcert | --postgres-ssl-cert | BINDPLANE_POSTGRES_SSL_CERT | Optional |
| store.postgres.sslkey | --postgres-ssl-key | BINDPLANE_POSTGRES_SSL_KEY | Optional |
| store.postgres.username | --postgres-username | BINDPLANE_POSTGRES_USERNAME | |
| store.postgres.password | --postgres-password | BINDPLANE_POSTGRES_PASSWORD | |
| postgres.maxConnections | --postgres-max-connections | BINDPLANE_POSTGRES_MAX_CONNECTIONS | 100 |
Example Postgres configuration:
Event Bus
BindPlane uses an event bus to communicate between components within BindPlane. When operating BindPlane with multiple servers, the event bus can be used to send events between BindPlane servers.
| Option | Flag | Environment Variable |
|---|---|---|
| eventBus.type | --event-bus-type | BINDPLANE_EVENT_BUS_TYPE |
The event bus type supports the following options:
Local Event Bus
The local event bus is the default event bus used by BindPlane. The local event bus does not have
a configuration. It can be used by setting the event bus type to local.
Google Pub/Sub Event Bus
The Google Pub/Sub event bus can be used when operating multiple BindPlane servers.
| Option | Flag | Environment Variable |
|---|---|---|
| eventBus.googlePubSub.projectID | --event-bus-type | BINDPLANE_GOOGLE_PUB_SUB_PROJECT_ID |
| eventBus.googlePubSub.credentialsFile | --google-pub-sub-credentials-file | BINDPLANE_GOOGLE_PUB_SUB_CREDENTIALS_FILE |
| eventBus.googlePubSub.topic | --google-pub-sub-topic | BINDPLANE_GOOGLE_PUB_SUB_TOPIC |
When operating BindPlane on Google Compute Engine with the pub/sub" oath scopes enabled, BindPlane will handle authentication automatically.
The configuration is simple and requires only the projectID and topic options.
When running outside of Google Cloud, or without the Pub/Sub oauth scopes, you can use a
Google Service Account Credential by setting
the credentialsFile option. This credentials file must be installed on the BindPlane server's
filesystem and be readable by the bindplane user.
BindPlane will manage its own Pub/Sub subscription. Subscriptions are created and named based on the server's hostname. BindPlane will attempt to clean up its subscription on shutdown. Subscriptions are automatically cleaned up by Google Cloud if they have been disconnected for more than one day.
NATS Event Bus
NATS can be used as the event bus for BindPlane OP Enterprise and is a good option for distributed on-prem deployments. NATS is embedded into BindPlane and does not require external infrastructure.
See the NATS Configuration documentation for more information.
Server Session Secret
A UUIDv4 is used for encoding web UI login cookies. This should be a new random UUIDv4. This
value should be different than auth.secretKey.
| Option | Flag | Environment Variable |
|---|---|---|
| auth.sessionSecret | --session-secret | BINDPLANE_SESSION_SECRET |
Prometheus
note
It is not necessary to make changes to the BindPlane Prometheus configuration when using BindPlane's bundled Prometheus.
Base Configuration.
| Option | Description |
|---|---|
prometheus.enable | Whether or not to enable Prometheus as the measurement backend. |
prometheus.enableRemote | Whether or not to use a remote Prometheus instance. When disabled, BindPlane will manage a local Prometheus child process. |
prometheus.localFolder | The directory where the Prometheus binary and dependencies are located. |
prometheus.host | The hostname or ip address of the Prometheus instance. |
prometheus.port | The port of the Prometheus instance's API. |
prometheus.queryPathPrefix | The path prefix of the query endpoint. This parameter is useful if using a Prometheus compatible system such as Mimir. |
Authentication.
note
Authentication is supported for remote Prometheus deployments.
BindPlane OP supports two authentication modes.
- No authentication
- Basic authentication
Prometheus does not use authentication by default. Follow the Prometheus Basic Auth Password Hashing documentation for more information.
| Option | Description |
|---|---|
prometheus.auth.type | The authentication type to use. Supported options are none and basic (Basic Authentication). |
prometheus.auth.username | The username to use when basic authentication is enabled. |
prometheus.auth.password | The password to use when basic authentication is enabled. |
TLS
BindPlane supports connecting to Prometheus with TLS and Mutual TLS.
| Option | Description |
|---|---|
prometheus.enableTLS | Whether or not to use TLS when communicating with Prometheus. |
prometheus.tls.tlsSkipVerify | Whether or not to skip verification of the Prometheus server's TLS certificate. It is not recommended to enable this option. |
prometheus.tls.tlsCa | The x509 PEM encoded certificate authority file to use to verify the Prometheus server's TLS certificate. Alternatively, the CA certificate can be imported into the host's trust store, instead of configuring this option. |
prometheus.tls.tlsCert | The x509 PEM encoded client certificate file to use for mutual TLS. |
prometheus.tls.tlsKey | The x509 PEM encoded client private key file to use for mutual TLS. |
TLS example configuration.
Mutual TLS example configuration.
Remote Write
When using Prometheus compatible systems, such as Mimir, you may need to define the remote write host and port, if it differs from the main host and port. BindPlane will use the remote write host and port for pushing metrics to Prometheus, and the main host and port for querying Prometheus.
If using vanilla Prometheus, these options are not required.
| Option | Description |
|---|---|
prometheus.remoteWrite.host | The hostname or ip address of the Prometheus instance for remote write. If not set, the value of prometheus.host will be used. |
prometheus.remoteWrite.port | The port of the Prometheus instance for remote write. If not set, the value of prometheus.port will be used. |
prometheus.remoteWrite.endpoint | The API path to use for remote write. |
Authentication
BindPlane supports several authentication options.
- System (Basic Auth)
- Active Directory (Enterprise only)
- LDAP (Enterprise only)
The configuration's auth section contains the following authentication options.
| Option | Description |
|---|---|
auth.type | Authentication type to use (ldap / active-directory / system ). |
System
| Option | Description |
|---|---|
auth.username | Basic authentication username. |
auth.password | Basic authentication password. |
LDAP / Active Directory Configuration (Enterprise)
The configuration's auth.ldap section contains the following options for
configuration LDAP and Active Directory.
| Option | Description |
|---|---|
| auth.ldap.server | Hostname or IP address of the LDAP or Active Directory server. |
| auth.ldap.port | The TCP port to use when connecting to the authentication server. |
| auth.ldap.searchFilter | LDAP Query for searching users based on mapping of username to a particular LDAP attribute as well as any applicable additional filters, (ex: groups in Active Directory). |
| auth.ldap.baseDN | The starting point an LDAP server uses when searching for users. |
| auth.ldap.bindUser | The username used to connect to the authentication server. For active directory, this is a username. For LDAP, this is the full DN to the user. |
| auth.ldap.bindPassword | The password used to connect to the authentication server. |
| auth.ldap.tls.tlsCA | Path to the TLS certificate authority. |
| auth.ldap.tls.tlsSkipVerify | Whether or not to skip TLS verification. |
| auth.ldap.tls.tlsCert | Path to TLS certificate when mutual TLS is required. |
| auth.ldap.tls.tlsKey | Path to TLS private key when mutual TLS is required. |
Active Directory Example
Active Directory authentication is enabled by setting auth.type to active-directory.
In this example, the domain controller's hostname is dc.corp.net. The username bindplane is used to bind to Active Directory. The searchFilter is inserted by default when running bindplane init server --config <path to bindplane config.yaml.
User login is restricted to the DN CN=Users,DC=corp,DC=net.
Basic Example
In this example, the domain controller's hostname is ldap.corp.net. The username bindplane is used to bind to LDAP. The searchFilter is inserted by default when running bindplane init server --config <path to bindplane config.yaml.
User login is restricted to the DN CN=Users,DC=corp,DC=net.
TLS
This example is the same as the "basic" example, with TLS. The protocol has been set to ldaps, port to 636, and a ca certificate is optionally* configured.
*CA certificate is not required if the ca is already trusted by the underlying operating system. Alternatively, auth.ldap.tls.tlsSkipVerify: true could be set to skip TLS verification.
Mutual TLS
This example is the same as the "TLS" example, with client TLS authentication. The auth.ldap.tls.tlsCert and auth.ldap.tls.tlsKey fields have been set.
Initialization
The init command is useful for bootstrapping a server or client.
Server
After installing BindPlane server, simply run the following command and follow the prompts.
Once finished, you will have the option to automatically restart the server. If the server is not automatically restarted, it must be restarted manually.
Client
Client initialization will create a new profile if one is not already set. If an existing profile is in use, init will update that profile. You can learn more about profiles in the client profiles section.
Once finished, the client configuration will exist in ~/.bindplane/profiles. You
can also run the profile command:
Client Profiles
The profile command offers a convenient way to create and use multiple client configurations.
In this example, it is assumed that the BindPlane server is running at 10.99.1.10 on port 3001.
See bindplane profile help for more profile sub-commands.
Example Configurations
The following examples assume the use of observIQ collectors.
Basic
This configuration assumes that the BindPlane server is running on
IP address 192.168.1.10.
Server Configuration
Client Profile
Create a profile named basic:
A profile will be created at ~/.bindplane/profiles/basic.yaml:
Collector Manager Configuration
TLS
BindPlane OP has support for server side TLS and mutual TLS.
What is a server? A server is the process running from the bindplane serve command.
What is a client?
- bindplane cli
- OpAMP collectors
- Web browsers
Keep in mind that all certificate files must be readable by the user running the bindplane, client,
and collector processes.
Server Side TLS
Server Configuration
Server-side TLS is configured by setting network.tlsCert and network.tlsKey on the server.
Note that remoteURL have a tls protocol set (https).
Client Profile
All clients must trust the certificate authority that signed the server's
certificate. This can be accomplished by setting tlsCa on the client or
by importing the certificate authority into your operating system's trust store.
Create a profile named tls:
A profile will be created at ~/.bindplane/profiles/tls.yaml:
If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Browsers will show a TLS warning unless the certificate authority is trusted by your operating system.
Collector Manager Configuration
If the server's certificate authority is already imported into the client's operating system trust
store, it is not required to be set in the configuration.
Mutual TLS
In this example, three certificate authorities are referenced:
my-corp-ca.crt: Signed the server's certificate, must be trusted by all clients/collectorsclient-ca.crt: Signed all client certificates, must be set in the server configurationcollector-ca.crt: Signed all collector certificates, must be set in the server configuration
Server Configuration
Mutual TLS is configured by setting network.tlsCert, network.tlsKey, and network.tlsCA on the server.
Note that remoteURL has a TLS protocol set (https).
Note that multiple certificate authorities can be specified. This example will trust
incoming connections from certificates signed by client-ca and collector-ca.
Client Profile
All clients must trust the certificate authority that signed the server's
certificate. This can be accomplished by setting network.tlsCA on the client or
by importing the certificate authority into your operating system's trust store.
Create a profile named mtls:
A profile will be created at ~/.bindplane/profiles/mtls.yaml:
If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Browsers will show a TLS warning unless the certificate authority is trusted by your operating system.
Collector Manager Configuration
If the server's certificate authority is already imported into the client's operating system trust
store, it is not required to be set in the configuration.
Advanced Configuration
BindPlane has several advanced configuration options. It is unnecessary to modify advanced options unless explicitly called out in the Prerequisites documentation or you are guided by BindPlane support.
Store
Stats
The Prometheus measurements backend can be tuned with the options found under advanced.store.stats.
Batch Flush Interval
The batch flush interval is the duration used to batch agent measurement requests before flushing to the measurements backend. A higher interval will mean larger batches are published. At scale, a shorter interval can be used to reduce the payload size sent to Prometheus.
Worker Count
The worker count is the number of workers used to publish measurement batches to Prometheus. Increasing the worker count can improve performance at high agent counts.