# Bindplane Server (Self-Hosted) ## Options Bindplane server configuration can be found at `/etc/bindplane/config.yaml`. Bindplane will look for flags, environment variables, and a configuration file, with precedence: flags > environment variables > configuration file. Server and client configurations can be bootstrapped using the `init` command. See the [initialization section](#initialization). For detailed examples, see the [configurations section](#example-configurations). ### License The Bindplane license key. This option is required for server startup. If you do not have a license, you can request one [here](https://bindplane.com/download).

Option	Environment Variable
license	BINDPLANE_LICENSE

### Host IP Address the Bindplane server binds to. This can be a single address or `0.0.0.0` for all interfaces. | Option | Flag | Environment Variable | Default | | ------------ | ------ | -------------------- | ----------- | | network.host | --host | BINDPLANE\_HOST | `127.0.0.1` | ### Port TCP port the Bindplane server binds to. This must be an unprivileged port when running Bindplane as a non-root user. | Option | Flag | Environment Variable | Default | | ------------ | ------ | -------------------- | ------- | | network.port | --port | BINDPLANE\_PORT | `3001` | ### Remote URL URL used to reach the Bindplane server. This must be set in all client and server configurations\ and must be a valid URL with a protocol (HTTP / HTTPS), hostname or IP address, and port. If the server is behind a proxy or load balancer, the proxy URL can be used.

Option	Flag	Environment Variable	Default
network.remoteURL	--remote-url	BINDPLANE_REMOTE_URL	`http://127.0.0.1:3001`

### Web URL Optional URL used to override the [Remote URL](#remote-url) for interactions with the web interface. When set, some features will use the Web URL instead of the Remote URL. For example, invitation links will use Web URL. When Web URL is not set, Remote URL is used.

Option	Flag	Environment Variable	Default
network.webURL	--web-url	BINDPLANE_WEB_URL	`http://127.0.0.1:3001`

#### **Kubernetes Example** Bindplane is deployed to a Kubernetes cluster. Bindplane is configured with the following: * Remote URL: `http://bindplane.default.svc.cluster.local:3001` * Web URL: `https://bindplane.my-corp.net` In this case, agents will connect to Bindplane using the remote URL. This allows agents to connect\ directly to Bindplane without traversing over ingress. Invitation links for web users will use the external endpoint, `https://bindplane.my-corp.net`. ### CorsAllowedOrigins A list of origin domains allowed to make requests to Bindplane. It should at least contain the domain of the hosted UI. An empty or null value matches all origins. A wildcard "\*" is also allowed to match all origins. In most cases, this value can be the same as `network.remoteURL`.

Option	Flag	Environment Variable	Default
network.corsAllowedOrigins	--cors-allowed-origins	BINDPLANE_CORS_ALLOWED_ORIGINS	`*`

### Logging Log output (`file` or `stdout`). When log output is set to `file`, a log file path can be specified.

Option	Flag	Environment Variable	Default
logging.output	--logging-output	BINDPLANE_LOGGING_OUTPUT	`file`
logging.filePath	--logging-file-path	BINDPLANE_LOGGING_FILE_PATH	`~/.bindplane/bindplane.log`

Server installations will use `/var/log/bindplane/bindplane.log`, which is set using an environment variable in the `systemd` service configuration. Log files are rotated and gzip compressed, and cleaned up automatically by Bindplane. Log files have a max size of 100mb and up to 10 rotates or 30 days of age, whichever comes first. Using an external utility such as `logrotate` is not recommended. ### Metrics Bindplane can be configured to forward metrics to an OpenTelemetry collector. The easiest way to get up and running is to deploy a collector on the same machine Bindplane is installed on. The collector should be configuted with the OpenTelemetry source. Configure Bindplane to send metrics over localhost. ```yaml metrics: interval: 1m type: otlp otlp: endpoint: 127.0.0.1:4317 insecure: true ``` Once configured, the managed collector can forward the metrics to the destination of your choice. Metrics are sent to OpenTelemetry collectors using the `gRPC` protocol.

Option	Flag	Environment Variable	Default
metrics.type	--metrics-type	BINDPLANE_METRICS_TYPE
metrics.interval	--metrics-interval	BINDPLANE_METRICS_INTERVAL	`1m0s`
metrics.otlp.endpoint	--metrics-otlp-endpoint	BINDPLANE_METRICS_OTLP_ENDPOINT
metrics.otlp.insecure	--metrics-otlp-insecure	BINDPLANE_METRICS_OTLP_INSECURE

### Tracing Bindplane supports configuration to enable tracing. `tracing.type` can be set to `google` or `otlp`.

Option	Flag	Environment Variable	Default
tracing.type	--tracing-type	BINDPLANE_TRACING_TYPE

When `tracing.type` is set to `otlp`, some more configuration is possible.

Option	Flag	Environment Variable	Default
tracing.otlp.endpoint	--tracing-otlp-endpoint	BINDPLANE_TRACING_OTLP_ENDPOINT
tracing.otlp.insecure	--tracing-otlp-insecure	BINDPLANE_TRACING_OTLP_INSECURE	`FALSE`

## TLS Bindplane supports server side TLS and mutual TLS. See [the tls examples](#tls) for detailed usage.

Option	Flag	Environment Variable
network.tlsCert	--tls-cert	BINDPLANE_TLS_CERT
network.tlsKey	--tls-key	BINDPLANE_TLS_KEY
network.tlsCA	--tls-ca	BINDPLANE_TLS_CA
network.tlsSkipVerify	--tls-skip-verify	BINDPLANE_TLS_SKIP_VERIFY
network.tlsMinVersion	--tls-min-version	BINDPLANE_TLS_MIN_VERSION

### Server * `network.tlsCert`: Enables server-side TLS * `network.tlsKey`: Enables server-side TLS * `network.tlsCA`: Enables mutual TLS ### Client * `network.tlsCA`: Allows the client to trust the server certificate. Not required if the host operating system already trusts the server certificate. * `network.tlsCert`: Enables mutual TLS * `network.tlsKey`: Enables mutual TLS * `network.tlsSkipVerify`: Skip server certificate verification ## Storage Backend Bindplane supports two storage backends,`postgres` and `bbolt`. Bbolt is deprecated and should\ not be used for new installations of Bindplane.

Option	Flag	Environment Variable	Default
store.type	--store-type	BINDPLANE_STORE_TYPE	`postgres`

### Postgres Postgres can be used as a local or remote storage backend. Postgres storage is enabled\ when `store.type` is set to `postgres`. Configuring both authentication and TLS for Postgres is recommended. **Postgres is a Bindplane Enterprise feature.**

Option	Flag	Environment Variable	Default
store.postgres.host	--postgres-host	BINDPLANE_POSTGRES_HOST	`localhost`
store.postgres.port	--postgres-port	BINDPLANE_POSTGRES_PORT	`5432`
store.postgres.database	--postgres-database	BINDPLANE_POSTGRES_DATABASE	`bindplane`
store.postgres.sslmode	--postgres-ssl-mode	BINDPLANE_POSTGRES_SSL_MODE	`disable`
store.postgres.sslrootcert	--postgres-ssl-root-cert	BINDPLANE_POSTGRES_SSL_ROOT_CERT	Optional
store.postgres.sslcert	--postgres-ssl-cert	BINDPLANE_POSTGRES_SSL_CERT	Optional
store.postgres.sslkey	--postgres-ssl-key	BINDPLANE_POSTGRES_SSL_KEY	Optional
store.postgres.username	--postgres-username	BINDPLANE_POSTGRES_USERNAME
store.postgres.password	--postgres-password	BINDPLANE_POSTGRES_PASSWORD
postgres.maxConnections	--postgres-max-connections	BINDPLANE_POSTGRES_MAX_CONNECTIONS	`100`
postgres.maxIdleConnections	--postgres-max-idle-connections	BINDPLANE_POSTGRES_MAX_IDLE_CONNECTIONS	`50`
postgres.maxIdleTime	--postgres-max-idle-time	BINDPLANE_POSTGRES_MAX_IDLE_TIME	`1m0s`
postgres.maxLifetime	--postgres-max-lifetime	BINDPLANE_POSTGRES_MAX_LIFETIME	`6h`
postgres.schema	--postgres-schema	BINDPLANE_POSTGRES_SCHEMA	`default`

Example Postgres configuration: ```yaml name: default apiVersion: bindplane.observiq.com/v1 auth: username: user password: password network: host: 0.0.0.0 port: '3001' remoteURL: http://10.99.1.10:3001 store: type: postgres postgres: host: localhost port: '5432' database: bindplane sslmode: disable username: postgres password: password maxConnections: 200 ``` #### **Connection Management** Bindplane has several Postgres connection options. The most important option is max connections. You should ensure the value does not exceed the number of available connections your PostgreSQL server can accept. When operating Bindplane in [high availability](/production-checklist/bindplane/high-availability.md) it is important to consider the total number of connections that can be created across all Bindplane instances. #### **Transport Layer Security (TLS)** Bindplane supports connecting to Postgres using TLS. TLS can be enabled by configuring the SSL mode options.

SSL Mode	Description
disable	No SSL; connection is made in plain text.
require	SSL is used, but the server's certificate is not verified.
verify-ca	SSL is used, and the server's certificate is verified against a trusted CA.
verify-full	SSL is used, and the server's certificate is fully verified, including hostname validation.

You can learn more about Postgres SSL modes [here](https://www.postgresql.org/docs/current/libpq-ssl.html). When using `verify-ca` or `verify-full`, your server's operating system's trust store will be used\ to verify the Postgres certificate. Alternatively, you can configure the `store.postgres.sslrootcert`\ option. ```yaml store: type: postgres postgres: host: localhost port: '5432' database: bindplane username: postgres password: password maxConnections: 200 sslmode: verify-ca sslrootcert: /etc/bindplane/ca.crt ``` {% hint style="info" %} **NOTE** When configuring certificate file paths, ensure the `bindplane` user has filesystem permissions\ to read the files. {% endhint %} If your Postgres server is enforcing client certificate authentication (mutual TLS), you can configure\ the `sslcert` and `sslkey` options. ```yaml store: type: postgres postgres: sslmode: verify-full sslrootcert: /etc/bindplane/ca.crt sslcert: /etc/bindplane/client.crt sslkey: /etc/bindplane/client.key ``` If you rotate your client certificates frequently, you can set the `maxLifetime` options to limit\ how long connections can live. The default value is six hours (`6h`). This means, every six hours\ connections will be replaced. When a connection is created, it reads the SSL files from disk. Make sure\ to rotate your SSL certificates before the previous certificate has expired. ## Event Bus Bindplane uses an event bus to communicate between components within Bindplane. When operating Bindplane with multiple servers, the event bus can be used to send events between Bindplane servers.

Option	Flag	Environment Variable
eventBus.type	--event-bus-type	BINDPLANE_EVENT_BUS_TYPE

The event bus type supports the following options: * [local](#local-event-bus) * [nats](#nats-event-bus) * [googlePubSub](#google-pub-sub-event-bus) ### Local Event Bus The local event bus is the default event bus used by Bindplane. The local event bus does not have\ a configuration. It can be used by setting the event bus type to `local`. ### Google Pub/Sub Event Bus The [Google Pub/Sub](https://cloud.google.com/pubsub) event bus can be used when operating multiple Bindplane servers.

Option	Flag	Environment Variable
eventBus.googlePubSub.projectID	--event-bus-type	BINDPLANE_GOOGLE_PUB_SUB_PROJECT_ID
eventBus.googlePubSub.credentialsFile	--google-pub-sub-credentials-file	BINDPLANE_GOOGLE_PUB_SUB_CREDENTIALS_FILE
eventBus.googlePubSub.topic	--google-pub-sub-topic	BINDPLANE_GOOGLE_PUB_SUB_TOPIC

When operating Bindplane on Google Compute Engine with the [pub/sub" oath scopes](https://developers.google.com/identity/protocols/oauth2/scopes#pubsub) enabled, Bindplane will handle authentication automatically. The configuration is simple and requires only the `projectID` and `topic` options. ```yaml eventBus: type: googlePubSub googlePubSub: projectID: myproject topic: bindplane ``` When running outside of Google Cloud, or without the Pub/Sub oauth scopes, you can use a [Google Service Account Credential](https://cloud.google.com/iam/docs/keys-create-delete) by setting the `credentialsFile` option. This credentials file must be installed on the Bindplane server's filesystem and be readable by the `bindplane` user. ```yaml eventBus: type: googlePubSub googlePubSub: projectID: myproject credentialsFile: /etc/bindplane/google-credentials.json topic: bindplane ``` Bindplane will manage its own Pub/Sub subscription. Subscriptions are created and named based on\ the server's hostname. Bindplane will attempt to clean up its subscription on shutdown. Subscriptions\ are automatically cleaned up by Google Cloud if they have been disconnected for more than one day. ### NATS Event Bus [NATS](https://github.com/nats-io/nats-server) can be used as the event bus for Bindplane Enterprise and is a good option for distributed on-prem deployments. NATS is embedded into Bindplane and does not require external infrastructure. See the [NATS Configuration](/configuration/bindplane/nats-as-event-bus.md) documentation for more information. ## Server Session Secret A UUIDv4 is used for encoding web UI login cookies. This should be a new random UUIDv4. This value should be different than `auth.secretKey`.

Option	Flag	Environment Variable
auth.sessionSecret	--session-secret	BINDPLANE_SESSION_SECRET

## Prometheus {% hint style="info" %} **NOTE** It is not necessary to make changes to the Bindplane Prometheus configuration when using Bindplane's bundled Prometheus. {% endhint %} ### Base Configuration

Option	Description
`prometheus.enable`	Whether or not to enable Prometheus as the measurement backend.
`prometheus.enableRemote`	Whether or not to use a remote Prometheus instance. When disabled, Bindplane will manage a local Prometheus child process.
`prometheus.localFolder`	The directory where the Prometheus binary and dependencies are located.
`prometheus.host`	The hostname or ip address of the Prometheus instance.
`prometheus.port`	The port of the Prometheus instance's API.
`prometheus.queryPathPrefix`	The path prefix of the query endpoint. This parameter is useful if using a Prometheus compatible system such as Mimir.

### Authentication {% hint style="info" %} **NOTE** Authentication is supported for remote Prometheus deployments. {% endhint %} Bindplane supports two authentication modes. * No authentication * Basic authentication Prometheus does not use authentication by default. Follow the Prometheus [Basic Auth Password Hashing](https://prometheus.io/docs/guides/basic-auth/#hashing-a-password) documentation for more information.

Option	Description
`prometheus.auth.type`	The authentication type to use. Supported options are `none` and `basic` (Basic Authentication).
`prometheus.auth.username`	The username to use when basic authentication is enabled.
`prometheus.auth.password`	The password to use when basic authentication is enabled.

### TLS Bindplane supports connecting to Prometheus with TLS and Mutual TLS.

Option	Description
`prometheus.enableTLS`	Whether or not to use TLS when communicating with Prometheus.
`prometheus.tls.tlsSkipVerify`	Whether or not to skip verification of the Prometheus server's TLS certificate. It is not recommended to enable this option.
`prometheus.tls.tlsCa`	The x509 PEM encoded certificate authority file to use to verify the Prometheus server's TLS certificate. Alternatively, the CA certificate can be imported into the host's trust store, instead of configuring this option.
`prometheus.tls.tlsCert`	The x509 PEM encoded client certificate file to use for mutual TLS.
`prometheus.tls.tlsKey`	The x509 PEM encoded client private key file to use for mutual TLS.

TLS example configuration. ```yaml prometheus: tls: tlsSkipVerify: false tlsCA: [/etc/bindplane/tls/ca.crt] ``` Mutual TLS example configuration. ```yaml prometheus: tls: tlsSkipVerify: false tlsCA: [/etc/bindplane/tls/ca.crt] tlsCert: /etc/bindplane/tls/bindplane.crt tlsKey: /etc/bindplane/tls/bindplane.key ``` ### Remote Write When using Prometheus compatible systems, such as [Mimir](https://grafana.com/oss/mimir/), you may need to define the remote write host and port, if it differs from the main host and port. Bindplane will use the remote write host and port for pushing metrics to Prometheus, and the main host and port for querying Prometheus. If using vanilla Prometheus, these options are not required.

Option	Description
`prometheus.remoteWrite.host`	The hostname or ip address of the Prometheus instance for remote write. If not set, the value of `prometheus.host` will be used.
`prometheus.remoteWrite.port`	The port of the Prometheus instance for remote write. If not set, the value of `prometheus.port` will be used.
`prometheus.remoteWrite.endpoint`	The API path to use for remote write.

## Authentication {% hint style="info" %} Single Sign-On (SSO) Authentication is only available on Bindplane Cloud. [Read more here](broken://pages/I0GiHA3xd9AwaqTmWDoS) {% endhint %} Bindplane supports several authentication options. * System (Basic Auth) * External Auth (Enterprise & Google Editions only) * [Active Directory](/configuration/bindplane/authentication/active-directory-authentication.md) * LDAP * [OIDC](/configuration/bindplane/authentication/openid-connect-authentication.md) The configuration's `auth` section contains the following authentication options.

Option	Description
`auth.type`	Authentication type to use (`system` / `active-directory` / `ldap` / `oidc`).

### System

Option	Description
`auth.username`	Basic authentication username.
`auth.password`	Basic authentication password.

### LDAP / Active Directory Configuration (Enterprise) The configuration's `auth.ldap` section contains the following options for configuration LDAP and Active Directory.

Option	Description
auth.ldap.server	Hostname or IP address of the LDAP or Active Directory server.
auth.ldap.port	The TCP port to use when connecting to the authentication server.
auth.ldap.searchFilter	LDAP Query for searching users based on mapping of username to a particular LDAP attribute as well as any applicable additional filters, (ex: groups in Active Directory).
auth.ldap.baseDN	The starting point an LDAP server uses when searching for users.
auth.ldap.bindUser	The username used to connect to the authentication server. For active directory, this is a username. For LDAP, this is the full DN to the user.
auth.ldap.bindPassword	The password used to connect to the authentication server.
auth.ldap.tls.tlsCA	Path to the TLS certificate authority.
auth.ldap.tls.tlsSkipVerify	Whether or not to skip TLS verification.
auth.ldap.tls.tlsCert	Path to TLS certificate when mutual TLS is required.
auth.ldap.tls.tlsKey	Path to TLS private key when mutual TLS is required.

See the [Active Directory documentation](/configuration/bindplane/authentication/active-directory-authentication.md) for detailed setup instructions. ### OIDC Configuration (Enterprise) The configuration's `auth.oidc` section contains the following options for configuring an OpenID Connect provider.

Option	Description
auth.oidc.issuer	URL of your OIDC provider.
auth.oidc.oauth2ClientID	OAuth2 client ID provided by the OIDC provider.
auth.oidc.oauth2ClientSecret	OAuth2 client secret provided by the OIDC provider.
auth.oidc.scopes	List of scopes requested during authentication.

Environment variables can be used instead of the configuration file: ``` BINDPLANE_OIDC_ISSUER BINDPLANE_OIDC_OAUTH2_CLIENT_ID BINDPLANE_OIDC_OAUTH2_CLIENT_SECRET BINDPLANE_OIDC_SCOPES ``` See the [OpenID Connect documentation](/configuration/bindplane/authentication/openid-connect-authentication.md) for detailed setup instructions. #### **Active Directory Example** Active Directory authentication is enabled by setting `auth.type` to `active-directory`. In this example, the domain controller's hostname is `dc.corp.net`. The username `bindplane` is used to bind to Active Directory. The `searchFilter` is inserted by default when running `bindplane init server --config `. User login is restricted to the DN `CN=Users,DC=corp,DC=net`. ```yaml auth: type: active-directory secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5 username: admin password: admin sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d ldap: server: dc.corp.net port: '389' baseDN: CN=Users,DC=corp,DC=net bindUser: bindplane@corp.net bindPassword: complexpassword searchFilter: (|(sAMAccountName=%s)(userPrincipalName=%s)) ``` #### **Basic Example** In this example, the domain controller's hostname is `ldap.corp.net`. The username `bindplane` is used to bind to LDAP. The `searchFilter` is inserted by default when running `bindplane init server --config `. User login is restricted to the DN `CN=Users,DC=corp,DC=net`. ```yaml auth: type: ldap secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5 username: admin password: admin sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d ldap: server: ldap.corp.net port: '389' baseDN: CN=Users,DC=corp,DC=net bindUser: bindplane bindPassword: complexpassword searchFilter: (uid=%s) ``` #### **TLS** This example is the same as the "basic" example, with TLS. The protocol has been set to `ldaps`, port to `636`, and a ca certificate is optionally\* configured. ```yaml auth: type: ldap secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5 username: admin password: admin sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d ldap: server: ldap.corp.net port: '636' baseDN: CN=Users,DC=corp,DC=net bindUser: bindplane bindPassword: complexpassword searchFilter: (uid=%s) tls: tlsCa: - /etc/bindplane/tls/ca.crt ``` \*CA certificate is not required if the ca is already trusted by the underlying operating system. Alternatively, `auth.ldap.tls.tlsSkipVerify: true` could be set to skip TLS verification. #### **Mutual TLS** This example is the same as the "TLS" example, with client TLS authentication. The `auth.ldap.tls.tlsCert` and `auth.ldap.tls.tlsKey` fields have been set. ```yaml auth: type: ldap secretKey: e8bfcfe0-bbe6-4ee6-bf35-72ff182d2dc5 username: admin password: admin sessionSecret: b84746f6-aca1-4b91-9ccd-d4da8d75fe4d ldap: server: ldap.corp.net port: '636' baseDN: CN=Users,DC=corp,DC=net bindUser: bindplane bindPassword: complexpassword searchFilter: (uid=%s) tls: tlsCert: /etc/bindplane/tls/bindplane.crt tlsKey: /etc/bindplane/tls/bindplane.key tlsCa: - /etc/bindplane/tls/ca.crt ``` ### Agent Versions Bindplane can be configured to manage agent versions and upgrades. The `agentVersions` section controls how Bindplane synchronizes and manages agent version information.

Option	Flag	Environment Variable	Default
agentVersions.syncInterval	--agent-versions-sync-interval	BINDPLANE_AGENT_VERSIONS_SYNC_INTERVAL	`1h`
agentVersions.agentUpgradesFolder	--agent-versions-agent-upgrades-folder	BINDPLANE_AGENT_VERSIONS_AGENT_UPGRADES_FOLDER	`/var/lib/bindplane/agent-upgrades`
agentVersions.clients	--agent-versions-clients	BINDPLANE_AGENT_VERSIONS_CLIENTS	`["bdot"]`

#### Sync Interval The interval at which Bindplane synchronizes agent version information from configured clients. #### Agent Upgrades Folder The path to the folder where Bindplane stores agent upgrade files. This folder is used to cache agent binaries and metadata for distribution to agents. **Note:** This option is only used when offline agent upgrades are configured. In standard deployments, agents download updates directly from the configured clients. #### Clients List of version clients to use for synchronizing agent versions. Valid options are: * `bdot` - Bindplane's official agent synchronization endpoint, `bdot.bindplane.com` (recommended) * `github` - GitHub releases Multiple clients can be configured by providing a comma-separated list. As of Bindplane v1.95.0, `bdot` is the default and only configured option. This is recommended for most deployments. **Version History** * **Bindplane v1.95.0+**: `bdot` is the default and only configured option. Bindplane syncs agent versions from `https://bdot.bindplane.com`. * **Bindplane v1.94.0**: Introduced the Clients option and defaulted to `github`. Bindplane synced agent versions from `https://github.com/observiq/bindplane-otel-collector`. * **Previous versions**: Used GitHub exclusively. **Recommendations** * **Default deployments**: Use `bdot` only. This simplifies firewall requirements by not requiring access to `github.com`. * **Custom agent installs**: Use both `bdot` and `github` configured together to support custom agent installations while maintaining access to official releases. The `bdot.bindplane.com` endpoint was introduced to make user firewall requirements simpler for default Bindplane installations. **Example Configuration** ```yaml agentVersions: syncInterval: 1h agentUpgradesFolder: /var/lib/bindplane/agent-upgrades clients: - bdot - github ``` ## Initialization The `init` command is useful for bootstrapping a server or client. ### Server After installing Bindplane server, simply run the following command and follow the prompts. ```bash sudo BINDPLANE_CONFIG_HOME=/var/lib/bindplane /usr/local/bin/bindplane init server \ --config /etc/bindplane/config.yaml ``` Once finished, you will have the option to automatically restart the server. If the server is not\ automatically restarted, it must be restarted manually. ### Client Client initialization will create a new profile if one is not already set. If an existing profile is in use, init will update that profile. You can learn more about profiles in the [client profiles](#client-profiles) section. ```bash bindplane init client ``` Once finished, the client configuration will exist in `~/.bindplane/profiles`. You can also run the `profile` command: ```bash bindplane profile --help ``` #### Client Profiles The `profile` command offers a convenient way to create and use multiple client configurations. In this example, it is assumed that the Bindplane server is running at `10.99.1.10` on port `3001`. ```bash bindplane profile set remote --remote-url https://10.99.1.10:3001 bindplane profile use remote ``` See `bindplane profile help` for more profile sub-commands. ## Example Configurations The following examples assume the use of [Bindplane collectors](https://github.com/observIQ/bindplane-otel-collector). ### Basic This configuration assumes that the Bindplane server is running on IP address `192.168.1.10`. #### Server Configuration ```yaml auth: secretKey: e124852a-49db-4318-99a8-76bd4aa80ba5 username: myuser password: mypassword sessionSecret: 99112c19-9d87-4460-958c-a9affa874e21 ``` #### Client Profile Create a profile named `basic`: ```bash bindplane profile set basic \ --username myuser \ --password mypassword \ --remote-url http://192.168.1.10:3001 bindplane profile use basic ``` A profile will be created at `~/.bindplane/profiles/basic.yaml`: ```yaml name: basic apiVersion: bindplane.observiq.com/v1 auth: username: myuser password: mypassword network: remoteURL: http://192.168.1.10:3001 ``` #### Collector Manager Configuration ```yaml endpoint: http://192.168.1.10:3001/v1/opamp secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5 agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71 ``` ### TLS Bindplane has support for server side TLS and mutual TLS. What is a server? A server is the process running from the `bindplane serve` command. What is a client? * bindplane cli * OpAMP collectors * Web browsers Keep in mind that all certificate files must be readable by the user running the bindplane, client,\ and collector processes. #### Server Side TLS **Server Configuration** Server-side TLS is configured by setting `network.tlsCert` and `network.tlsKey` on the server. ```yaml network: host: 0.0.0.0 port: '3001' remoteURL: https://bindplane-op.mydomain.net:3001 tlsCert: /etc/bindplane/tls/bindplane.crt tlsKey: /etc/bindplane/tls/bindplane.key ``` Note that remoteURL have a tls protocol set (`https`). **Client Profile** All clients must trust the certificate authority that signed the server's certificate. This can be accomplished by setting `tlsCa` on the client or by importing the certificate authority into your operating system's trust store. Create a profile named `tls`: ```bash bindplane profile set tls \ --username myuser \ --password mypassword \ --remote-url http://192.168.1.10:3001 \ --tls-ca /etc/bindplane/tls/my-corp-ca.crt bindplane profile use tls ``` A profile will be created at `~/.bindplane/profiles/tls.yaml`: ```yaml name: tls apiVersion: bindplane.observiq.com/v1 auth: username: myuser password: mypassword network: remoteURL: https://bindplane-op.mydomain.net:3001 tlsCa: - /etc/bindplane/tls/my-corp-ca.crt ``` If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration. Browsers will show a TLS warning unless the certificate authority is trusted by your operating system. **Collector Manager Configuration** ```yaml endpoint: https://bindplane-op.mydomain.net:3001/v1/opamp secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5 agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71 tls_config: ca_file: /opt/observiq-otel-collector/tls/bindplane-ca.crt ``` If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration. #### Mutual TLS In this example, three certificate authorities are referenced: * `my-corp-ca.crt`: Signed the server's certificate, must be trusted by all clients/collectors * `client-ca.crt`: Signed all client certificates, must be set in the server configuration * `collector-ca.crt`: Signed all collector certificates, must be set in the server configuration **Server Configuration** Mutual TLS is configured by setting `network.tlsCert`, `network.tlsKey`, and `network.tlsCA` on the server. ```yaml network: host: 0.0.0.0 port: '3001' remoteURL: https://bindplane-op.mydomain.net:3001 tlsCert: /etc/bindplane/tls/bindplane.crt tlsKey: /etc/bindplane/tls/bindplane.key # Any client / collector certificate signed by one of these # authorities will be trusted. tlsCa: - /etc/bindplane/tls/client-ca.crt - /etc/bindplane/tls/collector-ca.crt ``` Note that `remoteURL` has a TLS protocol set (`https`). Note that multiple certificate authorities can be specified. This example will trust incoming connections from certificates signed by `client-ca` and `collector-ca`. **Client Profile** All clients must trust the certificate authority that signed the server's certificate. This can be accomplished by setting `network.tlsCA` on the client or by importing the certificate authority into your operating system's trust store. Create a profile named `mtls`: ```bash bindplane profile set mtls \ --username myuser \ --password mypassword \ --remote-url http://192.168.1.10:3001 \ --tls-cert /etc/bindplane/tls/client.crt \ --tls-key /etc/bindplane/tls/client.key \ --tls-ca /etc/bindplane/tls/my-corp-ca.crt bindplane profile use mtls ``` A profile will be created at `~/.bindplane/profiles/mtls.yaml`: ```yaml name: mtls apiVersion: bindplane.observiq.com/v1 auth: username: myuser password: mypassword network: remoteURL: https://bindplane-op.mydomain.net:3001 tlsCert: /etc/bindplane/tls/client.crt tlsKey: /etc/bindplane/tls/client.key tlsCa: - /etc/bindplane/tls/my-corp-ca.crt ``` If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration. Browsers will show a TLS warning unless the certificate authority is trusted by your operating system. **Collector Manager Configuration** ```yaml endpoint: https://bindplane-op.mydomain.net:3001/v1/opamp secret_key: e124852a-49db-4318-99a8-76bd4aa80ba5 agent_id: ad3caa0c-ac90-4f8d-8691-2f43d9addc71 tls_config: cert_file: /opt/observiq-otel-collector/tls/collector.crt key_file: /opt/observiq-otel-collector/tls/collector.crt ca_file: /opt/observiq-otel-collector/tls/bindplane-ca.crt ``` If the server's certificate authority is already imported into the client's operating system trust store, it is not required to be set in the configuration. ### Advanced Configuration Bindplane has several advanced configuration options. It is unnecessary to modify advanced options unless explicitly called out in the [Prerequisites](/deployment/virtual-machine/bindplane/prerequisites.md) documentation or you are guided by Bindplane support. #### Agent **Telemetry Port** Collectors managed by Bindplane expose metrics on TCP port `8888` by default. The port is now configurable globally. Modifying the port will affect all collectors connected to Bindplane. The telemetry port can be configured under `advanced.agent.telemetryPort`. ```yaml advanced: agent: telemetryPort: 8888 ``` #### Store **Stats** The Prometheus measurements backend can be tuned with the options found under `advanced.store.stats`. **Batch Flush Interval** The batch flush interval is the duration used to batch collector management requests before flushing to the measurements backend. A higher interval will mean larger batches are published. At scale, a shorter interval can be used to reduce the payload size sent to Prometheus. ```yaml advanced: store: stats: batchFlushInterval: 1s ``` **Worker Count** The worker count is the number of workers used to publish measurement batches to Prometheus. Increasing the worker count can improve performance at high collector counts. ```yaml advanced: store: stats: workerCount: 1 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.bindplane.com/configuration/bindplane.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.