Bindplane Server (Self-Hosted)
Complete configuration reference for a self-hosted Bindplane Server.
Options
Bindplane server configuration can be found at /etc/bindplane/config.yaml.
Bindplane will look for flags, environment variables, and a configuration file, with precedence: flags > environment variables > configuration file.
Server and client configurations can be bootstrapped using the init command. See the initialization section.
For detailed examples, see the configurations section.
License
The Bindplane license key. This option is required for server startup. If you do not have a license, you can request one here.
license
BINDPLANE_LICENSE
Host
IP Address the Bindplane server binds to. This can be a single address or 0.0.0.0 for all interfaces.
network.host
--host
BINDPLANE_HOST
127.0.0.1
Port
TCP port the Bindplane server binds to. This must be an unprivileged port when running Bindplane as a non-root user.
network.port
--port
BINDPLANE_PORT
3001
Remote URL
URL used to reach the Bindplane server. This must be set in all client and server configurations and must be a valid URL with a protocol (HTTP / HTTPS), hostname or IP address, and port.
If the server is behind a proxy or load balancer, the proxy URL can be used.
network.remoteURL
--remote-url
BINDPLANE_REMOTE_URL
http://127.0.0.1:3001
Web URL
Optional URL used to override the Remote URL for interactions with the web interface. When set, some features will use the Web URL instead of the Remote URL. For example, invitation links will use Web URL.
When Web URL is not set, Remote URL is used.
network.webURL
--web-url
BINDPLANE_WEB_URL
http://127.0.0.1:3001
Kubernetes Example
Bindplane is deployed to a Kubernetes cluster. Bindplane is configured with the following:
Remote URL:
http://bindplane.default.svc.cluster.local:3001Web URL:
https://bindplane.my-corp.net
In this case, agents will connect to Bindplane using the remote URL. This allows agents to connect directly to Bindplane without traversing over ingress.
Invitation links for web users will use the external endpoint, https://bindplane.my-corp.net.
CorsAllowedOrigins
A list of origin domains allowed to make requests to Bindplane. It should at least contain the domain of the hosted UI. An empty or null value matches all origins. A wildcard "*" is also allowed to match all origins.
In most cases, this value can be the same as network.remoteURL.
network.corsAllowedOrigins
--cors-allowed-origins
BINDPLANE_CORS_ALLOWED_ORIGINS
*
Logging
Log output (file or stdout). When log output is set to file, a log file path can be specified.
logging.output
--logging-output
BINDPLANE_LOGGING_OUTPUT
file
logging.filePath
--logging-file-path
BINDPLANE_LOGGING_FILE_PATH
~/.bindplane/bindplane.log
Server installations will use /var/log/bindplane/bindplane.log, which is set using an environment variable in the systemd service configuration.
Log files are rotated and gzip compressed, and cleaned up automatically by Bindplane. Log files have a max size of 100mb and up to 10 rotates or 30 days of age, whichever comes first. Using an external utility such as logrotate is not recommended.
Metrics
Bindplane can be configured to forward metrics to an OpenTelemetry collector. The easiest way to get up and running is to deploy a collector on the same machine Bindplane is installed on. The collector should be configuted with the OpenTelemetry source. Configure Bindplane to send metrics over localhost.
metrics:
interval: 1m
type: otlp
otlp:
endpoint: 127.0.0.1:4317
insecure: trueOnce configured, the managed collector can forward the metrics to the destination of your choice.
Metrics are sent to OpenTelemetry collectors using the gRPC protocol.
metrics.type
--metrics-type
BINDPLANE_METRICS_TYPE
metrics.interval
--metrics-interval
BINDPLANE_METRICS_INTERVAL
1m0s
metrics.otlp.endpoint
--metrics-otlp-endpoint
BINDPLANE_METRICS_OTLP_ENDPOINT
metrics.otlp.insecure
--metrics-otlp-insecure
BINDPLANE_METRICS_OTLP_INSECURE
Tracing
Bindplane supports configuration to enable tracing. tracing.type can be set to google or otlp.
tracing.type
--tracing-type
BINDPLANE_TRACING_TYPE
When tracing.type is set to otlp, some more configuration is possible.
tracing.otlp.endpoint
--tracing-otlp-endpoint
BINDPLANE_TRACING_OTLP_ENDPOINT
tracing.otlp.insecure
--tracing-otlp-insecure
BINDPLANE_TRACING_OTLP_INSECURE
FALSE
TLS
Bindplane supports server side TLS and mutual TLS. See the tls examples for detailed usage.
network.tlsCert
--tls-cert
BINDPLANE_TLS_CERT
network.tlsKey
--tls-key
BINDPLANE_TLS_KEY
network.tlsCA
--tls-ca
BINDPLANE_TLS_CA
network.tlsSkipVerify
--tls-skip-verify
BINDPLANE_TLS_SKIP_VERIFY
network.tlsMinVersion
--tls-min-version
BINDPLANE_TLS_MIN_VERSION
Server
network.tlsCert: Enables server-side TLSnetwork.tlsKey: Enables server-side TLSnetwork.tlsCA: Enables mutual TLS
Client
network.tlsCA: Allows the client to trust the server certificate. Not required if the host operating system already trusts the server certificate.network.tlsCert: Enables mutual TLSnetwork.tlsKey: Enables mutual TLSnetwork.tlsSkipVerify: Skip server certificate verification
Storage Backend
Bindplane supports two storage backends,postgres and bbolt. Bbolt is deprecated and should
not be used for new installations of Bindplane.
store.type
--store-type
BINDPLANE_STORE_TYPE
postgres
Postgres
Postgres can be used as a local or remote storage backend. Postgres storage is enabled
when store.type is set to postgres. Configuring both authentication and TLS for Postgres is recommended.
Postgres is a Bindplane Enterprise feature.
store.postgres.host
--postgres-host
BINDPLANE_POSTGRES_HOST
localhost
store.postgres.port
--postgres-port
BINDPLANE_POSTGRES_PORT
5432
store.postgres.database
--postgres-database
BINDPLANE_POSTGRES_DATABASE
bindplane
store.postgres.sslmode
--postgres-ssl-mode
BINDPLANE_POSTGRES_SSL_MODE
disable
store.postgres.sslrootcert
--postgres-ssl-root-cert
BINDPLANE_POSTGRES_SSL_ROOT_CERT
Optional
store.postgres.sslcert
--postgres-ssl-cert
BINDPLANE_POSTGRES_SSL_CERT
Optional
store.postgres.sslkey
--postgres-ssl-key
BINDPLANE_POSTGRES_SSL_KEY
Optional
store.postgres.username
--postgres-username
BINDPLANE_POSTGRES_USERNAME
store.postgres.password
--postgres-password
BINDPLANE_POSTGRES_PASSWORD
postgres.maxConnections
--postgres-max-connections
BINDPLANE_POSTGRES_MAX_CONNECTIONS
100
postgres.maxIdleConnections
--postgres-max-idle-connections
BINDPLANE_POSTGRES_MAX_IDLE_CONNECTIONS
50
postgres.maxIdleTime
--postgres-max-idle-time
BINDPLANE_POSTGRES_MAX_IDLE_TIME
1m0s
postgres.maxLifetime
--postgres-max-lifetime
BINDPLANE_POSTGRES_MAX_LIFETIME
6h
postgres.schema
--postgres-schema
BINDPLANE_POSTGRES_SCHEMA
default
Example Postgres configuration:
name: default
apiVersion: bindplane.observiq.com/v1
auth:
username: user
password: password
network:
host: 0.0.0.0
port: '3001'
remoteURL: http://10.99.1.10:3001
store:
type: postgres
postgres:
host: localhost
port: '5432'
database: bindplane
sslmode: disable
username: postgres
password: password
maxConnections: 200Connection Management
Bindplane has several Postgres connection options. The most important option is max connections. You should ensure the value does not exceed the number of available connections your PostgreSQL server can accept. When operating Bindplane in high availability it is important to consider the total number of connections that can be created across all Bindplane instances.
Transport Layer Security (TLS)
Bindplane supports connecting to Postgres using TLS. TLS can be enabled by configuring the SSL mode options.
disable
No SSL; connection is made in plain text.
require
SSL is used, but the server's certificate is not verified.
verify-ca
SSL is used, and the server's certificate is verified against a trusted CA.
verify-full
SSL is used, and the server's certificate is fully verified, including hostname validation.
You can learn more about Postgres SSL modes here.
When using verify-ca or verify-full, your server's operating system's trust store will be used
to verify the Postgres certificate. Alternatively, you can configure the store.postgres.sslrootcert
option.
store:
type: postgres
postgres:
host: localhost
port: '5432'
database: bindplane
username: postgres
password: password
maxConnections: 200
sslmode: verify-ca
sslrootcert: /etc/bindplane/ca.crtIf your Postgres server is enforcing client certificate authentication (mutual TLS), you can configure
the sslcert and sslkey options.
store:
type: postgres
postgres:
sslmode: verify-full
sslrootcert: /etc/bindplane/ca.crt
sslcert: /etc/bindplane/client.crt
sslkey: /etc/bindplane/client.keyIf you rotate your client certificates frequently, you can set the maxLifetime options to limit
how long connections can live. The default value is six hours (6h). This means, every six hours
connections will be replaced. When a connection is created, it reads the SSL files from disk. Make sure
to rotate your SSL certificates before the previous certificate has expired.
Event Bus
Bindplane uses an event bus to communicate between components within Bindplane. When operating Bindplane with multiple servers, the event bus can be used to send events between Bindplane servers.
eventBus.type
--event-bus-type
BINDPLANE_EVENT_BUS_TYPE
The event bus type supports the following options:
Local Event Bus
The local event bus is the default event bus used by Bindplane. The local event bus does not have
a configuration. It can be used by setting the event bus type to local.
Google Pub/Sub Event Bus
The Google Pub/Sub event bus can be used when operating multiple Bindplane servers.
eventBus.googlePubSub.projectID
--event-bus-type
BINDPLANE_GOOGLE_PUB_SUB_PROJECT_ID
eventBus.googlePubSub.credentialsFile
--google-pub-sub-credentials-file
BINDPLANE_GOOGLE_PUB_SUB_CREDENTIALS_FILE
eventBus.googlePubSub.topic
--google-pub-sub-topic
BINDPLANE_GOOGLE_PUB_SUB_TOPIC
When operating Bindplane on Google Compute Engine with the pub/sub" oath scopes enabled, Bindplane will handle authentication automatically.
The configuration is simple and requires only the projectID and topic options.
eventBus:
type: googlePubSub
googlePubSub:
projectID: myproject
topic: bindplaneWhen running outside of Google Cloud, or without the Pub/Sub oauth scopes, you can use a Google Service Account Credential by setting the credentialsFile option. This credentials file must be installed on the Bindplane server's filesystem and be readable by the bindplane user.
eventBus:
type: googlePubSub
googlePubSub:
projectID: myproject
credentialsFile: /etc/bindplane/google-credentials.json
topic: bindplaneBindplane will manage its own Pub/Sub subscription. Subscriptions are created and named based on the server's hostname. Bindplane will attempt to clean up its subscription on shutdown. Subscriptions are automatically cleaned up by Google Cloud if they have been disconnected for more than one day.
NATS Event Bus
NATS can be used as the event bus for Bindplane Enterprise and is a good option for distributed on-prem deployments. NATS is embedded into Bindplane and does not require external infrastructure.
See the NATS Configuration documentation for more information.
Server Session Secret
A UUIDv4 is used for encoding web UI login cookies. This should be a new random UUIDv4. This value should be different than auth.secretKey.
auth.sessionSecret
--session-secret
BINDPLANE_SESSION_SECRET
Prometheus
Base Configuration
prometheus.enable
Whether or not to enable Prometheus as the measurement backend.
prometheus.enableRemote
Whether or not to use a remote Prometheus instance. When disabled, Bindplane will manage a local Prometheus child process.
prometheus.localFolder
The directory where the Prometheus binary and dependencies are located.
prometheus.host
The hostname or ip address of the Prometheus instance.
prometheus.port
The port of the Prometheus instance's API.
prometheus.queryPathPrefix
The path prefix of the query endpoint. This parameter is useful if using a Prometheus compatible system such as Mimir.
Authentication
Bindplane supports two authentication modes.
No authentication
Basic authentication
Prometheus does not use authentication by default. Follow the Prometheus Basic Auth Password Hashing documentation for more information.
prometheus.auth.type
The authentication type to use. Supported options are none and basic (Basic Authentication).
prometheus.auth.username
The username to use when basic authentication is enabled.
prometheus.auth.password
The password to use when basic authentication is enabled.
TLS
Bindplane supports connecting to Prometheus with TLS and Mutual TLS.
prometheus.enableTLS
Whether or not to use TLS when communicating with Prometheus.
prometheus.tls.tlsSkipVerify
Whether or not to skip verification of the Prometheus server's TLS certificate. It is not recommended to enable this option.
prometheus.tls.tlsCa
The x509 PEM encoded certificate authority file to use to verify the Prometheus server's TLS certificate. Alternatively, the CA certificate can be imported into the host's trust store, instead of configuring this option.
prometheus.tls.tlsCert
The x509 PEM encoded client certificate file to use for mutual TLS.
prometheus.tls.tlsKey
The x509 PEM encoded client private key file to use for mutual TLS.
TLS example configuration.
prometheus:
tls:
tlsSkipVerify: false
tlsCA: [/etc/bindplane/tls/ca.crt]Mutual TLS example configuration.
prometheus:
tls:
tlsSkipVerify: false
tlsCA: [/etc/bindplane/tls/ca.crt]
tlsCert: /etc/bindplane/tls/bindplane.crt
tlsKey: /etc/bindplane/tls/bindplane.keyRemote Write
When using Prometheus compatible systems, such as Mimir, you may need to define the remote write host and port, if it differs from the main host and port. Bindplane will use the remote write host and port for pushing metrics to Prometheus, and the main host and port for querying Prometheus.
If using vanilla Prometheus, these options are not required.
prometheus.remoteWrite.host
The hostname or ip address of the Prometheus instance for remote write. If not set, the value of prometheus.host will be used.
prometheus.remoteWrite.port
The port of the Prometheus instance for remote write. If not set, the value of prometheus.port will be used.
prometheus.remoteWrite.endpoint
The API path to use for remote write.
Authentication
Bindplane supports several authentication options.
System (Basic Auth)
Active Directory (Enterprise only)
LDAP (Enterprise only)
OIDC (Enterprise only)
The configuration's auth section contains the following authentication options.
auth.type
Authentication type to use (ldap / active-directory / system ).
System
auth.username
Basic authentication username.
auth.password
Basic authentication password.
LDAP / Active Directory Configuration (Enterprise)
The configuration's auth.ldap section contains the following options for configuration LDAP and Active Directory.
auth.ldap.server
Hostname or IP address of the LDAP or Active Directory server.
auth.ldap.port
The TCP port to use when connecting to the authentication server.
auth.ldap.searchFilter
LDAP Query for searching users based on mapping of username to a particular LDAP attribute as well as any applicable additional filters, (ex: groups in Active Directory).
auth.ldap.baseDN
The starting point an LDAP server uses when searching for users.
auth.ldap.bindUser
The username used to connect to the authentication server. For active directory, this is a username. For LDAP, this is the full DN to the user.
auth.ldap.bindPassword
The password used to connect to the authentication server.
auth.ldap.tls.tlsCA
Path to the TLS certificate authority.
auth.ldap.tls.tlsSkipVerify
Whether or not to skip TLS verification.
auth.ldap.tls.tlsCert
Path to TLS certificate when mutual TLS is required.
auth.ldap.tls.tlsKey
Path to TLS private key when mutual TLS is required.
OIDC Configuration (Enterprise)
The configuration's auth.oidc section contains the following options for configuring an OpenID Connect provider.
auth.oidc.issuer
URL of your OIDC provider.
auth.oidc.oauth2ClientID
OAuth2 client ID provided by the OIDC provider.
auth.oidc.oauth2ClientSecret
OAuth2 client secret provided by the OIDC provider.
auth.oidc.scopes
List of scopes requested during authentication.
Environment variables can be used instead of the configuration file:
BINDPLANE_OIDC_ISSUER
BINDPLANE_OIDC_OAUTH2_CLIENT_ID
BINDPLANE_OIDC_OAUTH2_CLIENT_SECRET
BINDPLANE_OIDC_SCOPES
See the OpenID Connect documentation for detailed setup instructions.
Active Directory Example
Active Directory authentication is enabled by setting auth.type to active-directory.
In this example, the domain controller's hostname is dc.corp.net. The username bindplane is used to bind to Active Directory. The searchFilter is inserted by default when running bindplane init server --config <path to bindplane config.yaml>.
User login is restricted to the DN CN=Users,DC=corp,DC=net.
auth:
type: active-directory
secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5
username: admin
password: admin
sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d
ldap:
server: dc.corp.net
port: '389'
baseDN: CN=Users,DC=corp,DC=net
bindUser: [email protected]
bindPassword: complexpassword
searchFilter: (|(sAMAccountName=%s)(userPrincipalName=%s))Basic Example
In this example, the domain controller's hostname is ldap.corp.net. The username bindplane is used to bind to LDAP. The searchFilter is inserted by default when running bindplane init server --config <path to bindplane config.yaml>.
User login is restricted to the DN CN=Users,DC=corp,DC=net.
auth:
type: ldap
secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5
username: admin
password: admin
sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d
ldap:
server: ldap.corp.net
port: '389'
baseDN: CN=Users,DC=corp,DC=net
bindUser: bindplane
bindPassword: complexpassword
searchFilter: (uid=%s)TLS
This example is the same as the "basic" example, with TLS. The protocol has been set to ldaps, port to 636, and a ca certificate is optionally* configured.
auth:
type: ldap
secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5
username: admin
password: admin
sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d
ldap:
server: ldap.corp.net
port: '636'
baseDN: CN=Users,DC=corp,DC=net
bindUser: bindplane
bindPassword: complexpassword
searchFilter: (uid=%s)
tls:
tlsCa:
- /etc/bindplane/tls/ca.crt*CA certificate is not required if the ca is already trusted by the underlying operating system. Alternatively, auth.ldap.tls.tlsSkipVerify: true could be set to skip TLS verification.
Mutual TLS
This example is the same as the "TLS" example, with client TLS authentication. The auth.ldap.tls.tlsCert and auth.ldap.tls.tlsKey fields have been set.
auth:
type: ldap
secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5
username: admin
password: admin
sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d
ldap:
server: ldap.corp.net
port: '636'
baseDN: CN=Users,DC=corp,DC=net
bindUser: bindplane
bindPassword: complexpassword
searchFilter: (uid=%s)
tls:
tlsCert: /etc/bindplane/tls/bindplane.crt
tlsKey: /etc/bindplane/tls/bindplane.key
tlsCa:
- /etc/bindplane/tls/ca.crtInitialization
The init command is useful for bootstrapping a server or client.
Server
After installing Bindplane server, simply run the following command and follow the prompts.
sudo BINDPLANE_CONFIG_HOME=/var/lib/bindplane /usr/local/bin/bindplane init server \
--config /etc/bindplane/config.yamlOnce finished, you will have the option to automatically restart the server. If the server is not automatically restarted, it must be restarted manually.
Client
Client initialization will create a new profile if one is not already set. If an existing profile is in use, init will update that profile. You can learn more about profiles in the client profiles section.
bindplane init clientOnce finished, the client configuration will exist in ~/.bindplane/profiles. You can also run the profile command:
bindplane profile --helpClient Profiles
The profile command offers a convenient way to create and use multiple client configurations.
In this example, it is assumed that the Bindplane server is running at 10.99.1.10 on port 3001.
bindplane profile set remote --remote-url https://10.99.1.10:3001
bindplane profile use remoteSee bindplane profile help for more profile sub-commands.
Example Configurations
The following examples assume the use of Bindplane collectors.
Basic
This configuration assumes that the Bindplane server is running on IP address 192.168.1.10.
Server Configuration
auth:
secretKey: e124852a-49db-4318-99a8-76bd4aa80ba5
username: myuser
password: mypassword
sessionSecret: 99112c19-9d87-4460-958c-a9affa874e21Client Profile
Create a profile named basic:
bindplane profile set basic \
--username myuser \
--password mypassword \
--remote-url http://192.168.1.10:3001
bindplane profile use basicA profile will be created at ~/.bindplane/profiles/basic.yaml:
name: basic
apiVersion: bindplane.observiq.com/v1
auth:
username: myuser
password: mypassword
network:
remoteURL: http://192.168.1.10:3001Collector Manager Configuration
endpoint: http://192.168.1.10:3001/v1/opamp
secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5
agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71TLS
Bindplane has support for server side TLS and mutual TLS.
What is a server? A server is the process running from the bindplane serve command.
What is a client?
bindplane cli
OpAMP collectors
Web browsers
Keep in mind that all certificate files must be readable by the user running the bindplane, client, and collector processes.
Server Side TLS
Server Configuration
Server-side TLS is configured by setting network.tlsCert and network.tlsKey on the server.
network:
host: 0.0.0.0
port: '3001'
remoteURL: https://bindplane-op.mydomain.net:3001
tlsCert: /etc/bindplane/tls/bindplane.crt
tlsKey: /etc/bindplane/tls/bindplane.keyNote that remoteURL have a tls protocol set (https).
Client Profile
All clients must trust the certificate authority that signed the server's certificate. This can be accomplished by setting tlsCa on the client or by importing the certificate authority into your operating system's trust store.
Create a profile named tls:
bindplane profile set tls \
--username myuser \
--password mypassword \
--remote-url http://192.168.1.10:3001 \
--tls-ca /etc/bindplane/tls/my-corp-ca.crt
bindplane profile use tlsA profile will be created at ~/.bindplane/profiles/tls.yaml:
name: tls
apiVersion: bindplane.observiq.com/v1
auth:
username: myuser
password: mypassword
network:
remoteURL: https://bindplane-op.mydomain.net:3001
tlsCa:
- /etc/bindplane/tls/my-corp-ca.crtIf the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Browsers will show a TLS warning unless the certificate authority is trusted by your operating system.
Collector Manager Configuration
endpoint: https://bindplane-op.mydomain.net:3001/v1/opamp
secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5
agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71
tls_config:
ca_file: /opt/observiq-otel-collector/tls/bindplane-ca.crtIf the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Mutual TLS
In this example, three certificate authorities are referenced:
my-corp-ca.crt: Signed the server's certificate, must be trusted by all clients/collectorsclient-ca.crt: Signed all client certificates, must be set in the server configurationcollector-ca.crt: Signed all collector certificates, must be set in the server configuration
Server Configuration
Mutual TLS is configured by setting network.tlsCert, network.tlsKey, and network.tlsCA on the server.
network:
host: 0.0.0.0
port: '3001'
remoteURL: https://bindplane-op.mydomain.net:3001
tlsCert: /etc/bindplane/tls/bindplane.crt
tlsKey: /etc/bindplane/tls/bindplane.key
# Any client / collector certificate signed by one of these
# authorities will be trusted.
tlsCa:
- /etc/bindplane/tls/client-ca.crt
- /etc/bindplane/tls/collector-ca.crtNote that remoteURL has a TLS protocol set (https).
Note that multiple certificate authorities can be specified. This example will trust incoming connections from certificates signed by client-ca and collector-ca.
Client Profile
All clients must trust the certificate authority that signed the server's certificate. This can be accomplished by setting network.tlsCA on the client or by importing the certificate authority into your operating system's trust store.
Create a profile named mtls:
bindplane profile set mtls \
--username myuser \
--password mypassword \
--remote-url http://192.168.1.10:3001 \
--tls-cert /etc/bindplane/tls/client.crt \
--tls-key /etc/bindplane/tls/client.key \
--tls-ca /etc/bindplane/tls/my-corp-ca.crt
bindplane profile use mtlsA profile will be created at ~/.bindplane/profiles/mtls.yaml:
name: mtls
apiVersion: bindplane.observiq.com/v1
auth:
username: myuser
password: mypassword
network:
remoteURL: https://bindplane-op.mydomain.net:3001
tlsCert: /etc/bindplane/tls/client.crt
tlsKey: /etc/bindplane/tls/client.key
tlsCa:
- /etc/bindplane/tls/my-corp-ca.crtIf the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Browsers will show a TLS warning unless the certificate authority is trusted by your operating system.
Collector Manager Configuration
endpoint: https://bindplane-op.mydomain.net:3001/v1/opamp
secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5
agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71
tls_config:
cert_file: /opt/observiq-otel-collector/tls/collector.crt
key_file: /opt/observiq-otel-collector/tls/collector.crt
ca_file: /opt/observiq-otel-collector/tls/bindplane-ca.crtIf the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration.
Advanced Configuration
Bindplane has several advanced configuration options. It is unnecessary to modify advanced options unless explicitly called out in the Prerequisites documentation or you are guided by Bindplane support.
Store
Stats
The Prometheus measurements backend can be tuned with the options found under advanced.store.stats.
Batch Flush Interval
The batch flush interval is the duration used to batch collector management requests before flushing to the measurements backend. A higher interval will mean larger batches are published. At scale, a shorter interval can be used to reduce the payload size sent to Prometheus.
advanced:
store:
stats:
batchFlushInterval: 1sWorker Count
The worker count is the number of workers used to publish measurement batches to Prometheus. Increasing the worker count can improve performance at high collector counts.
advanced:
store:
stats:
workerCount: 1Last updated
Was this helpful?