Add example

observIQ · Apr 10, 2024 · 65b6238 · 65b6238
1 parent 586a747
commit 65b6238
Show file tree

Hide file tree

Showing 2 changed files with 249 additions and 0 deletions.
diff --git a/docs/example/gke/README.md b/docs/example/gke/README.md
@@ -0,0 +1,148 @@
+# Google Kubernetes Engine
+
+This example deploys BindPlane to GKE, sized to support 20,000 agents.
+
+## Create Namespace
+
+Create the `bindplane` namespace.
+
+```bash
+kubectl create namespace bindplane
+```
+
+## Create Secret
+
+Create the `bindplane` secret in the `bindplane` namespace.
+See the [secret](/README.md#create-secret) documentation for
+more information.
+
+```bash
+kubectl -n bindplane create secret generic bindplane \
+  --from-literal=username=<username> \
+  --from-literal=password=<password> \
+  --from-literal=secret_key=<secret key> \
+  --from-literal=sessions_secret=<session secret> \
+  --from-literal=license=<license>
+```
+
+Example:
+
+```bash
+kubectl -n bindplane create secret generic bindplane \
+  --from-literal=username=my-username \
+  --from-literal=password=my-secure-password \
+  --from-literal=secret_key=353753ca-ae48-40f9-9588-28cf86430910 \
+  --from-literal=sessions_secret=d9425db6-c4ee-4769-9c1f-a66987679e90 \
+  --from-literal=license=mylicense-key
+```
+
+## Configure
+
+Edit the `values.yaml` file in this directory.
+
+### Ingress
+
+Remove the `ingress` block if you do not want to use an ingress class
+to provide access to BindPlane. This example uses Ingress NGINX with
+Cert Manager.
+
+```yaml
+ingress:
+  enable: true
+  host: bindplane.data-metric.com
+  class: nginx
+  tls:
+    enable: true
+    secret: bindplane-tls
+  annotations:
+    cert-manager.io/issuer: letsencrypt
+```
+
+If removing ingress, remove the `config.server_url` option. If using
+ingress, update `config.server_url` to match your ingress hostname.
+
+```yaml
+config:
+  server_url: https://bindplane.data-metric.com
+```
+
+### Pub/Sub
+
+Update the Pub/Sub `projectid` and `topic`.
+
+```yaml
+eventbus:
+  type: 'pubsub'
+  pubsub:
+    projectid: 'my-project'
+    topic: 'bindplane'
+```
+
+Make sure your GKE node pool's have the [Pub/Sub scope](https://developers.google.com/identity/protocols/oauth2/scopes#pubsub) enabled.
+
+### Postgres
+
+Update the Postgres configuration's `host`, `database`, `username` and `password` options to reflect your environment.
+
+```yaml
+backend:
+  type: postgres
+  postgres:
+    host: '34.23.43.29'
+    port: 5432
+    database: 'bindplane'
+    username: 'your-username'
+    password: 'your-secure-password'
+    maxConnections: 10
+```
+
+## Deploy
+
+```bash
+helm repo update
+
+helm upgrade \
+    --values="values.yaml" \
+    --namespace=bindplane \
+    --create-namespace \
+    --install \
+    bindplane \
+    bindplane/bindplane
+```
+
+Once deployed, the `bindplane` namespace will look like this:
+
+```
+NAME                                         READY   STATUS  
+bindplane-58968545f8-6n6pm                   1/1     Running  
+bindplane-58968545f8-79rt4                   1/1     Running  
+bindplane-58968545f8-7wtbh                   1/1     Running   
+bindplane-58968545f8-987pb                   1/1     Running   
+bindplane-58968545f8-cxpkq                   1/1     Running   
+bindplane-58968545f8-whg6v                   1/1     Running   
+bindplane-58968545f8-z5wm7                   1/1     Running   
+bindplane-prometheus-0                       1/1     Running   
+bindplane-transform-agent-675d8f5865-8rzrn   1/1     Running   
+bindplane-transform-agent-675d8f5865-pgvh2   1/1     Running   
+```
+
+If using ingress, the ingress resource will look like this:
+
+```
+NAME        CLASS    HOSTS                       ADDRESS         PORTS     AGE
+bindplane   <none>   bindplane.data-metric.com   34.23.141.224   80, 443   74m
+```
+
+If using ingress with TLS, a certificate and secret resource will be present in the namespace.
+
+```bash
+$ kubectl -n bindplane get certificate
+NAME            READY   SECRET          AGE
+bindplane-tls   True    bindplane-tls   72m
+```
+```bash
+$ kubectl -n bindplane get secret bindplane-tls
+NAME            TYPE                DATA   AGE
+bindplane-tls   kubernetes.io/tls   2      70m
+```
+
diff --git a/docs/example/gke/values.yaml b/docs/example/gke/values.yaml
@@ -0,0 +1,101 @@
+# This ingress example uses Ingress NGINX and Cert Manager
+# for creating Lets Encrypt signed certificates.
+# 
+# - https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke
+# - https://cert-manager.io/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/
+#
+ingress:
+  enable: true
+  host: bindplane.data-metric.com
+  class: nginx
+  tls:
+    enable: true
+    secret: bindplane-tls
+  annotations:
+    cert-manager.io/issuer: letsencrypt
+
+config:
+  # Use the secret named "bindplane", which contains
+  # the license, username, password, secret_key, and sessions_secret.
+  # If you do not want to use a secret, see the comment below and
+  # disable this option.
+  licenseUseSecret: true
+
+  # See the readme for information on how to create a secret
+  # that contains these values. If you do not with to use a 
+  # secret, uncomment these options and set them.
+  #
+  # https://github.com/observIQ/bindplane-op-helm/tree/main?tab=readme-ov-file#secrets
+  # 
+  #license: ''
+  #username: ''
+  #password: ''
+  #secret_key: ''
+  #sessions_secret: ''
+
+  # Defaults to ws://bindplane.bindplane.svc.cluster.local:3001/v1/opamp,
+  # which is the bindplane namespace's bindplane service. This is suitable
+  # for connecting agents within the same cluster. We are using ingress
+  # so server_url needs to be updated to the ingress host.
+  # NOTE: server_url maps to bindplane's network.remoteURL option.
+  server_url: https://bindplane.data-metric.com
+
+
+# Enables mutli account, allowing you to create
+# multiple Tenants within the same BindPlane instance.
+multiAccount: true
+
+# Fixed number of pods. BindPlane CPU usage is bursty, using
+# a pod autoscaler can be tricky. Generally a fixed number
+# of pods is recommended.
+replicas: 7
+
+resources:
+  # Allow cpu bursting by leaving limits.cpu unset
+  requests:
+    cpu: '1000m'
+    memory: '4096Mi'
+  limits:
+    memory: '4096Mi'
+
+# Node pools must be authenticated to Pub/Sub with one of the following options
+# - Pub/Sub scope enabled
+# - GKE Service Account with Pub/Sub permissions
+# - Service Account key file and the GOOGLE_APPLICATION_CREDENTIALS environment variable set
+#   to the path of the key file. You can use extraVolumes, extraVolumeMounts, extraEnv to
+#   mount a configMap or secret containing the key file.
+eventbus:
+  type: 'pubsub'
+  pubsub:
+    projectid: 'my-project'
+    topic: 'bindplane'
+
+backend:
+  type: postgres
+  postgres:
+    host: '34.23.43.29'
+    port: 5432
+    database: 'bindplane'
+    username: 'your-username'
+    password: 'your-secure-password'
+    # Replicas * max connections should not exceed
+    # your Postgres instance's max connections.
+    # This option defaults to 100, which is too high
+    # for an environment with 7 replicas.
+    maxConnections: 10
+
+transform_agent:
+  replicas: 2
+
+# Prometheus is deployed and managed by the Helm chart. At scale
+# it will require additional resources which can be set here.
+prometheus:
+  resources:
+    requests:
+      cpu: '2000m'
+      memory: '8192Mi'
+    limits:
+      memory: '8192Mi'
+  storage:
+    volumeSize: '120Gi'
+