GitOps
Deploy resources to BindPlane OP using a GitOps model
BindPlane OP's API allows developers to manage configuration state with GitOps.
This guide will showcase how to use Github actions for automating the deployment of resources to BindPlane OP.
Prerequisites
The following prerequisites must be satisfied before BindPlane can be automated.
BindPlane Authentication
You must have access to your BindPlane OP Server using an API key (when multi-project is enabled) or username and password (when single-project is enabled).
BindPlane CLI
You must have the ability to run CLI commands against your BindPlane OP server from your workstation.
You can create a quick CLI profile with the following commands (where gitflow
is the name of the profile`):
If you are using a username and password, replace the --api-key
flag with the --username
and
--password
flags.
See the CLI documentation for more information.
Network Access
BindPlane OP must be reachable by the CI/CD "runner". If your BindPlane OP server is hidden behind a corporate firewall, you can look into using Self-hosted Runners.
Most installations of BindPlane will be listening on port 3001
unless configured otherwise or placed
behind a load balancer.
Repository
You must have a new or existing repository that you can use while following this guide. This repository will be used to store BindPlane resource files as well as rendered OpenTelemetry "raw" configuration files.
Github Actions
Repository Secrets
The following repository secrets must be defined in your repository.
BINDPLANE_REMOTE_URL
: The remote URL of your BindPlane OP server, usually in the form ofhttp://<hostname>:3001
.BINDPLANE_API_KEY
: API key if you do not want to use a username and password
BindPlane supports username and password, however, an API key is required when multi-project is enabled. If BindPlane is not configured for multi-project, you must have the following secrets for your basic authentication username and password.
BINDPLANE_USERNAME
BINDPLANE_PASSWORD
Export Existing Resources
Existing resources should be exported to your repository before enabling the Github Action.
This will output all existing destinations to destinations.yaml
and configurations
to configurations.yaml
. You can move these files to any directory within your repository.
Make a note of where they live, as their paths will be required when configuring the GitHub Action.
Sensitive Values
Destinations and configurations that have sensitive values (passwords, tokens, API keys) will not export the actual value. Instead, the value will be a placeholder "(sensitive)". BindPlane will never allow you to retrieve a sensitive value.
BindPlane destination resource example:
Raw OTEL configuration example:
When the configuration is pushed to the agent, the correct value will be included in the configuration.
Github Action Workflow
Create a new workflow at .github/workflows/bindplane.yml
. Open the observIQ/bindplane-op-action
repository to view the full list of configurable parameters.
If using username and password, replace the bindplane_api_key
option with:
Update target_branch: main
to point to the branch you wish to use as your source of truth. When
the action is running against this branch, it will apply resources to BindPlane.
Make sure destination_path
and configuration_path
point to the relative path of the
previously exported destination and configuration resource files.
If you do not wish to write back the raw OpenTelemetry configuration files to the repo, set
enable_otel_config_write_back
to false
.
Commit and Test
Commit the destination resource, configuration resource, and actions
workflow YAML files to the repository. If committing to a branch other
than the target_branch
, make sure to open a pull request to merge these changes to the target branch.
Once the target branch has the BindPlane resources and the actions workflow, you should see the action running under the repository's "Actions" tab.
Because the existing resources are up to date with the repository's resources, the results will
be uneventful. The actions will pass without taking action. If enable_otel_config_write_back
is
set to true
, the action will have committed the raw OpenTelemetry configuration back to the repo.
You can test changes by editing one of the resources in the repository (destinations.yaml
or configurations.yaml
).
Save and commit the change to the target branch either directly or by using your pull request
workflow.
Once the change is merged into the target branch, the following will happen:
- The action will apply the resources to BindPlane
- All affected BindPlane configurations will have a pending rollout
- The updated raw OpenTelemetry configurations will be committed back to the repo if
enable_otel_config_write_back
istrue
Configurations that have a pending rollout can be triggered by BindPlane Web Interface users.
Automatic Rollout
The action can be configured to trigger rollouts automatically after updating a configuration.
warning
When automatic rollouts are enabled, configuration changes made by the action will immediately apply to agents that are attached to that configuration.
Set enable_auto_rollout
to true
.
Updating Resources
Resources can be updated using two methods. You can edit the resources (destination and configuration YAML files) files directly or you can edit resources in the BindPlane UI and export them using the CLI, similar to the original export covered at the beginning of this guide.
Direct Edit
Direct edits can be done by editing the configuration files that the action is pointing to.
In this example, the otlp_grpc
destination's grpc_port
is updated from 4317
to 44317
.
You can use git diff
to view your changes.
--- destinations.yaml
+++ destinations.yaml
@@ -10,7 +10,7 @@ spec:
- name: grpc_port
- value: 4317
+ value: 44317
With the changes in place, commit the change directly to the target branch (branch the action is deploying changes from) or go through your normal pull request and review workflow with your team.
Once the change is merged or committed to the target branch, the action will deploy the change to BindPlane.
If Auto Rollout is not enabled, you will need to log into BindPlane's web interface and trigger the rollout manually.
UI Export
As an alternative to editing the resource files directly, you can modify configurations in the web interface and re-export them to your repository.
- Edit the configuration within the BindPlane web interface.
- Do NOT roll the configuration out.
- Re-run the CLI export commands in the Export Existing Resources section.
- Verify the changes with
git diff
- Commit the changes to the target branch, or follow a pull request workflow to merge the changes to the target branch.
Once the change is merged or committed to the target branch, the action will deploy the change to BindPlane.
If Auto Rollout is not enabled, you will need to log into BindPlane's web interface and trigger the rollout manually.
Updating Sensitive Values
At this time, sensitive values must be updated by following the UI Export workflow. It is important to avoid storing sensitive values in the Git repository.
Role Based Access Control
When using the action with Auto Rollout enabled, it is recommended to restrict your Web Interface user's access by using RBAC.
You can allow users to make configuration changes and prevent them from rolling the configuration
out by setting their permission level to user
. See the Rollout Permissions
guide for more information.
note
The action's username or API key should be associated with an admin user to allow it to trigger rollouts.