Single Account to Multi Account
How to migrate from Single Account to Multi Account
Multi-Account
Multi-account BindPlane is an Enterprise feature that allows users to create multiple tenants (accounts). Each account can have its own users, configurations, and managed agents. Multi-account supports user invitations in order to support collaboration between multiple users.
Objective
After upgrading from BindPlane OP Open Source to BindPlane OP Enterprise, you want to convert the single account Bolt Store configuration into a multi-account configuration using Bolt Store or PostgreSQL.
Prerequisites
The following requirements must be met:
- You are running BindPlane OP Enterprise. See Upgrade to BindPlane OP Enterprise.
- You must have SSH access to the BindPlane server(s).
- You must have BindPlane cli access to the BindPlane server(s).
- BindPlane OP v1.25.0 or newer. If on an older version, upgrade before attempting a migration.
- Optional: You have a PostgreSQL server and database configured for BindPlane to use.
- Not required if using the default bolt store.
In most cases, the BindPlane cli can be used on the server
when you are connected over SSH.
Example:
Sudo or root access is required to read the /etc/bindplane/config.yaml.
Procedure
The migration procedure has the following steps:
- Export all resources
- Stop the service
- Backup the single account database and configuration
- Enable Multi-Account and Configure Authentication
- Optional: Configure PostgreSQL
- Start the service
- Create account
- Restore resources
- Cleanup
- Migrate Agents
Export Resources
Export
While connected to the BindPlane server using SSH, use the get
command with the --export flag to export destinations, sources, processors, and configurations. The order is important, as the resources will be created in the same order they were exported in.
note
If the the migration-resources.yaml file exists from a previous migration attempt, move it to a safe
location to prevent overwriting it.
Fill In Sensitive Values
The BindPlane API will not return sensitive values such as passwords and API keys. Therefore you must find and replace (sensitive)in the migration-resources.yaml file. Make sure you update all sources and destinations which have sensitive parameters.
Stop Service
Stop BindPlane in preparation for the migration.
Backup Database and Configuration
Rename the database file to bindplane-single-account.db:
Copy the configuration file:
Enable Multi-Account and Configure Authentication
Use the init server command to enable multi-account.
When asked to enable MultiAccount, select yes:
When asked to select an "authentication method", select the authentication backend you would like to use.
When coming from BindPlane Open Source, you will have been using "Single User" system authentication (basic auth). BindPlane OP Enterprise supports LDAP and Active Directory as an alternative to System authentication. See the authentication documentation for detailed information.
All other prompts can remain using their default values, which were
configured during the initial installation.
Configure PostgreSQL
PostgreSQL is an optional storage backend alternative to the default Bolt Store backend. Bolt store is highly performant and recommended for single instance BindPlane OP. Migrations to PostgreSQL can be performed at a later time.
Using your text editor, open /etc/bindplane/config.yaml.
Find the store section and update the store.type and store.postgres sections.
The following should be true:
store.typeis set topostgrespostgres.hostis set to the hostname or IP address of your Postgres serverpostgres.portis set to the port of your Postgres serverpostgres.databaseis set to the name of the database BindPlane should usepostgres.sslmodeis set to the ssl mode of your Postgres serverpostgres.usernameis set to the username that BindPlane should use to authenticate to Postgrespostgres.passwordis set to the password that BindPlane should use to authenticate to Postgres
Start Service
Start BindPlane in multi-account mode for the first time.
Create Account
Use the create account command to create an account. In this example,
the account name is migration. Replace the account name with
your desired name.
Once the account is created, note its ID:
Restore Resources
While connected to the BindPlane server using SSH, use the apply
command to import the previously exported resources. This example uses
the account name migration which has the ID 01H6ERPCPB49TSNXA2KHB87XY1.
Replace the ID with the ID of the account created in the previous step.
If using System authentication, the --config flag is sufficient for applying resources.
If using LDAP or Active Directory, set the --username and --password flags using your username and password.
Clean up
When you are satisfied with the migration, clean up the migration
yaml file. This file could contain sensitive information such as
credentials. It is important to remove it from your user's working
directory.
Optionally clean up the single account configuration and database.
Migrate Agents
Previously connected agents will need to be updated with the new account's secret key. Follow the Migrate Agents documentation.
Frequently Asked Questions
Can I migrate to a different system?
Yes, migrating to a different BindPlane OP server is supported. Make sure the target system is configured correctly and contains the account you want to migrate to.
When running the bindplane apply command, pass the following flags instead of the --config flag
--remote-url,--username,--password
Example:
Replace the values for the remote URL, username, and password with the correct values for your target server.
Where should PostgreSQL be Installed?
It is recommended to install PostgreSQL on a dedicated instance, however, the Postgres and BindPlane servers can coexist on the same system.