Deploying a self-hosted PoP

Synthetic PoP (Point of presence) is the agent where the Synthetic tests are run. You can deploy Synthetic PoP in multiple locations to monitor your application.

Architecture
Deployment option
Prerequisites
Installing
Upgrading
Uninstalling
More configuration options
Monitoring
- Synthetic PoP Sensor
- Assigning a PoP controller pod to a fixed node
Troubleshooting

Architecture

Synthetic PoP runs as a set of Kubernetes pods in the Kubernetes cluster, see the following architecture.

See the following playback engines that support different Synthetic test types:

HTTP playback engine: Used to run the API Simple test (type: HTTPAction).
JavaScript playback engine: Used to run the API Script test (type: HTTPScript).
BrowserScript playback engine: Used to run the Browser Script test (type: BrowserScript), Webpage Simple test (type: WebpageAction), and Webpage Script test (type: WebpageScript).
ISM (Internet Service Monitoring) playback engine: Used to run SSL Certificate test (type: SSLCertificate).

Deployment option

Synthetic PoP can be deployed only by the Helm charts.

The official Helm repository URL is https://agents.instana.io/helm, and the chart name is synthetic-pop.
The Helm chart Git repository URL is https://github.com/instana/synthetic-pop-charts.

For the chart version history, see Synthetic PoP chart published in ArtifactHUB.

Prerequisites

Synthetic PoP needs to be deployed in a Kubernetes cluster. Use the helm chart to deploy Synthetic PoP, and ensure that Kubernetes and helm are installed in your environment.

Set up a Kubernetes cluster where the PoP will be installed. The minimum supported version for the Kubernetes distribution is 1.10. For more information, see Set up Kubernetes.
Install Helm, and Helm V3 is recommended. For more information, see Installing Helm.

For more information about hardware prerequisites for your PoP deployment, see PoP Capacity planning.

Installing

Installing a self-hosted Synthetic PoP

Use the helm install command to install a new Synthetic PoP, and pass the following values. You are suggested to install the PoP in a separate namespace.

downloadKey: The download agent key for pulling image from containers.instana.io Docker registry.
controller.location: The format is label; displayLabel; country; city; latitude; longitude; description. This label acts as the PoP identifier and can only contain letter, number, hyphen, and underscore.
controller.instanaKey: The Instana agent key, which is used for connecting to Instana backend.
controller.instanaSyntheticEndpoint: The ingress endpoint of Synthetic acceptor in Instana backend.
controller.clusterName: Optionally. It needs to be set with the name of the Kubernetes cluster that is to be displayed in the Instana UI when Instana agent is installed to monitor this PoP.
redis.password: The authentication password to redis server. Specify a password with length at least 10.
redis.tls.enabled: Define if enabling Redis TLS or not (default false). If the value is true, the communication with Redis will be encrypted with TLS.
redis.tls.secretName: If the value of the redis.tls.enabled field is true, you need to specify a secret name for Redis TLS key/cert files.

Sign in to Instana UI, click Synthetic Monitoring, and then click New Location and select Private. Copy the values of downloadKey, controller.instanaKey, and controller.instanaSyntheticEndpoint.

To configure the installation, specify the values in the command line by using the --set flag, or provide a yaml file with your values by using the -f flag.

In the following example, a Synthetic PoP with the location name MyPoP is deployed, and Redis uses password for authentication. You need to update the following parameters based on your requirements:

helm install synthetic-pop \
    --repo https://agents.instana.io/helm  \
    --namespace syn \
    --create-namespace \
    --set downloadKey="yourdownloadkey" \
    --set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
    --set controller.instanaKey="instanaAgentkey" \
    --set controller.instanaSyntheticEndpoint="https://synthetics-green-saas.instana.io" \
    --set redis.tls.enabled=false \
    --set redis.password="a1fc5d01bcbb" \
    synthetic-pop

You can also provide your values.yaml to deploy a PoP, below examples shows how to get the values.yaml template and then pass the modified yaml file to deploy a PoP.

helm repo add synthetic-pop-repo https://agents.instana.io/helm
helm repo update
helm pull synthetic-pop-repo/synthetic-pop
tar xzvf synthetic-pop-*.tgz
# Modify the synthetic-pop/values.yaml file
# Run helm install to pass the modified values.yaml
 helm install synthetic-pop \
    --repo https://agents.instana.io/helm  \
    --namespace syn \
    --create-namespace \
    -f /path/to/values.yaml \
    synthetic-pop

After PoP is installed, make sure that each pod is in Running and Ready status.

kubectl get pod -n syn

Sign in to Instana UI, click Synthetic _Monitoring > Locations, and then you can see your location is showed up in the location list. If not, go to the Troubleshooting section to check the log files.

Security enhancement

The following configurations are recommended for security enhancement in production environment.

TLS encryption

The PoP controller and different playback engines communicate through Redis server, and PoP controller provides an endpoint for health check. You can configure TLS to encrypt the communication through Redis TLS and encrypt the endpoint of PoP controller through HTTPS.

To configure TLS, you need to have your X.509 certificate-key pair (tls.crt, tls.key) and Certificate Authority (CA) root certificate file (ca.crt). If you do not have your key and certificate files, you can also use the openssl command to generate new ones. See the following examples:

openssl genrsa -out tls.key 4096
openssl req -x509 -new -nodes -sha256 -key tls.key -days 3650 -subj '/O=Instana/CN=Certificate Authority' -out ca.crt
openssl req -new -sha256 -key tls.key -subj '/O=Instana/CN=Server' | openssl x509 -req -sha256 -CA ca.crt -CAkey tls.key -CAserial ca.txt -CAcreateserial -days 3650 -out tls.crt

After key/cert files are provided, use the kubectl command to create a secret.

# Create a new TLS secret named pop-tls-secret with the given key/cert files
kubectl create secret generic pop-tls-secret -n syn \
--type='kubernetes.io/tls' \
--from-file=ca.crt=path/to/ca.crt \
--from-file=tls.crt=path/to/tls.crt \
--from-file=tls.key=path/to/tls.key

To deploy a PoP to support TLS, run the following command:

helm install synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
    --create-namespace \
    --set downloadKey="yourdownloadkey" \
    --set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
    --set controller.instanaKey="instanaAgentkey" \
    --set controller.instanaSyntheticEndpoint="https://synthetics-green-saas.instana.io" \
    --set redis.tls.enabled=true \
    --set redis.tls.secretName="pop-tls-secret" \
    synthetic-pop

Secure computing mode

You can use secure computing mode (or seccomp) to sandbox the privileges of a process, which restricts the calls from user space into the kernel. Use the following parameter to enable RuntimeDefault as default seccomp profile for all containers.

The default seccomp profile works only for Kubernetes version 1.19 or later or OCP (OpenShift Container Platform) version 4.11 or later. If seccompDefault is not set to true for OCP 4.11 or later, you can see some warning messages when you run the helm installation.

helm install synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
   ...
    --set seccompDefault=true \
    synthetic-pop

Network policy

By using the network policy, you can specify how a pod is allowed to communicate with the network. To block access from PoP to specific IPs or IP ranges, you can enable and customize the playbackEngineNetworkPolicy parameter. Typically, you can collect the following IP addresses:

Cloud provider metadata service IP address: It is 169.254.169.254 for AWS Metadata API, Google Cloud Metadata API, Azure Metadata API.
Kubernetes API server IP address: Use the kubectl command to collect Kubernetes API server IP address. See the following example for microk8s or minikube Kubernetes cluster:

# Use the following command to print apiserver endpoint
# For example, if the following command prints "Endpoints: 10.128.0.127:16443", you need to block the IP address 10.128.0.127 
kubectl describe service kubernetes

Then, modify the file values.yaml in helm charts as follows to enable Egress rules to block the IP addresses that you collect.

playbackEngineNetworkPolicy:
  # Change the value to true to enable the network policy
  enabled: true
  egress:
    - to:
        - ipBlock:
            # Allow all IP address v4
            cidr: 0.0.0.0/0
            except:
              # Block Kubernetes API server IP address
              - 10.128.0.127/32
              # Block cloud provider metadata service IP address
              - 169.254.169.254/32

See the following example to pass network policy by using --set:

# --set-json only be supported since Helm V3.11
helm install synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
   ...
    --set playbackEngineNetworkPolicy.enabled=true \
    --set-json 'playbackEngineNetworkPolicy.egress=[{"to":[{"ipBlock":{"cidr":"0.0.0.0/0","except":["10.128.0.127/32","169.254.169.254/32"]}}]}]' \
    synthetic-pop

Migration scenario

To support the backend migration scenario, you can specify multiple Synthetic acceptor endpoints and Instana agent keys with semicolon. Instana agent keys and Synthetic acceptor endpoints are one-to-one correspondence. During the migration period, Synthetic PoP can send data to both old and new backend to avoid downtime.

See the following example:

helm install synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
    --set controller.instanaKey="instanaAgentkey;anotherInstanaAgentKey" \
    --set controller.instanaSyntheticEndpoint="https://synthetics-green-saas.instana.io;https://synthetics-green-saas.instana.host" \
    ...

Upgrading

You are recommended to upgrade your Synthetic PoP to the latest version regularly because the latest version of Synthetic PoP might contain new features, improvements, or fixes. To check your PoP version, go to Synthetic Monitoring and click the Locations tab. The "Version" column shows the PoP version. To check the latest version of Synthetic PoP, see Synthetic PoP chart published in ArtifactHUB.

Use the helm upgrade command to update a Synthetic PoP to latest version. See the following example. You can change the parameters as needed. To update the PoP to a specific version, pass --version <version> parameter additionally.

helm upgrade synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
    --set downloadKey="yourdownloadkey" \
    --set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
    --set controller.instanaKey="instanaAgentkey" \
    --set controller.instanaSyntheticEndpoint="https://synthetics-green-saas.instana.io" \
    --set redis.tls.enabled=false \
    --set redis.password="a1fc5d01bcbb" \
    synthetic-pop

Note:

The label value in the location parameter is an identifier of the PoP, and not allowed to change. You are recommended to change the displayLabel value as you want.
The redis password is not allowed to update. If you really need to change it, uninstall it and then reinstall it with updated redis password.

Uninstalling

Use the helm uninstall command to uninstall a Synthetic PoP.

helm uninstall synthetic-pop -n syn

After the PoP is uninstalled, the PoP's location is still shown in the Instana UI with offline status. You can reinstall the PoP with the same location to make the location online again, or delete the location on UI if you do not use it anymore.

More configuration options

Playback engine enablement

You can disable some playback engines depending on your requirements. For example, you can disable the BrowserScript playback engine if you no longer require browser tests. Disable the playback engine by passing the following parameter to reduce the CPU and memory resources for your Synthetic PoP.

--set browserscript.enabled=false

Capabilities

The controller.capabilities property defines the playback capabilities for the Synthetic PoP, including the supported Synthetic test and web browser types.

CustomProperties

The controller.customProperties property defines the customized tags or properties for this PoP. The property is a list of key:value pairs, separated by a semicolon, such as key1=value1;key2=value2.

Use an API such as $env.key1 to access the custom property or tag in an API or browser script.

Proxy

You can configure a proxy server for Synthetic PoP to connect the Instana backend server. The following options are supported.

proxy.popProxyProtocol: the protocol used by the proxy server. Set the value to http or socks.
proxy.popProxyServer: the proxy server address in the ipaddress:port format.
proxy.popProxyUserPass: the username and password to authenticate the proxy server. Enter the username and password in the username:password format.

To configure the proxy server for Synthetic PoP to connect to the services that are being monitored, you can use the $network API to set a proxy server in the API script or browser script.

Using external secrets

If you don't want to use Helm chart to create new secrets for the keys controller.instanaKey, redis.password, proxy.popProxyUserPass, and downloadKey, you can use the existing secrets that you have created for the Synthetic PoP deployment by specifying the secret names as follows:

helm install synthetic-pop \
    --repo https://agents.instana.io/helm \
    --namespace syn \
    --set downloadSecret="my-pull-secret" \
    --set controller.instanaKeySecret="my-pop-secret" \
    --set redis.passwordSecret="my-pop-secret" \ 
    --set proxy.popProxyUserPassSecret="my-pop-secret" \
    ...

For the keys controller.instanaKey, redis.password, and proxy.popProxyUserPass, you can use the same secret or different existing secrets. However, when you create the secret, you must use the specified key fields instana-key, redis-password, and proxy-user-pass as follows:

 kubectl create secret generic my-pop-secret  --namespace <namespace> \
 --from-literal=instana-key='<instana agent key>'  \
 --from-literal=redis-password='<redis password>'  \
 --from-literal=proxy-user-pass='<proxy username and password>'

You need to replace <namespace> with the namespace that you use to install the Synthetic PoP.

The secret for the downloadKey key must use the kubernetes.io/dockerconfigjson type. You can create the secret with the kubernetes.io/dockerconfigjson type as follows:

kubectl create secret docker-registry my-pull-secret --namespace <namespace> --docker-server="https://containers.instana.io" --docker-username="_" --docker-password="<downloadKey>"

Notes:

Replace <namespace> with the namespace that you use to install the Synthetic PoP.
Don't change the value of the --docker-username argument.
Replace <downloadKey> with the Instana download key.

Monitoring

You can monitor Synthetic PoP with the Instana host agent. Instana host agent uses the Synthetic PoP sensor to monitor PoP.

Synthetic PoP Sensor

To monitor your Synthetic PoP, you are suggested to install the Instana host agent on the Kubernetes cluster where your PoP is installed.

Synthetic PoP sensor is automatically installed to monitor your PoP after the Instana host agent is installed. You can view the metrics in the Instana UI and get alerts if any health issue happens for your Synthetic PoP.

Assigning a PoP controller pod to a fixed node

When you upgrade a Synthetic PoP in a Kubernetes cluster with multiple nodes, the PoP controller pod might be assigned to a different node than you intended. If the PoP controller is assigned to a different node, the PoP entityId is changed. The PoP health data in the PoP monitoring dashboard is lost because the data is associated with the POP entityId. The result and result detail of the Synthetic tests running in this PoP are not impacted.

To prevent losing PoP health data, assign the PoP controller pod to a fixed node before you upgrade or install a Synthetic PoP.

To assign the PoP controller to a fixed node, complete the following steps:

Add a label to the node by running the following command:

kubectl label nodes <yournode> scheduler=synthetic-pop-controller

Specify the following parameter in the helm install or helm upgrade command: --set controller.nodeSelector.enabled=true

To assign a PoP controller pod to a fixed node and exclude other pods from this node, complete the following steps:

Add a taint to the node by running the following command:

kubectl taint nodes <yournode> toleration=synthetic-pop-controller:PreferNoSchedule

Specify the following parameter in the helm install or helm upgrade command: --set controller.taintSelector.enabled=true

Troubleshooting

To check the Helm chart version, run the following command:

helm list -n <namespace>

You can get the version number from the result such as synthetic-pop-<version>.

If you meet any issues, for example, the location that you specify can't be shown on Instana Synthetic UI, first check the PoP controller log by running the following command:

kubectl logs -n <namespace> -f <pop_controller_pod_name>

To change the trace level of each component, you can pass the traceLevel values as follows to make an upgrade on your PoP:

--set controller.traceLevel="DEBUG" \
--set http.traceLevel="DEBUG" \
--set javascript.traceLevel="DEBUG" \
--set browserscript.traceLevel="DEBUG" \
--set ism.traceLevel="DEBUG" \
--set redis.traceLevel="DEBUG"

You can also dynamically change the trace level of PoP controller without restarting the pod by running the set_trace_level.sh command in the container.

# enter synthetic-pop-controller container
kubectl exec -it -n <namespace> <pop_controller_pod_name> -- bash
# run set_trace_level.sh command to change trace level to DEBUG
./set_trace_level.sh DEBUG

A pdcollect.sh script is provided to collect and package log files of Synthetic PoP into a tar.gz file and send it to Instana support team for assistance. You can find the pdcollect.sh script in the Instana Helm charts directory or download it from the synthetic-pop-charts repository.

Run the following command:

# collect PoP logs from a namespace
./pdcollect.sh -n <namespace>

Check the PoP controller log files, troubleshooting steps for each error message is listed in the following sections.

403 Forbidden

If you see the following error message in the PoP controller log file: Request failed with status code: 403

Possible reasons for this error:

Instana key is incorrect
Your license is not validated.
The Synthetic endpoint URL is valid, but it belongs to a different self-hosted installation or a different production region.

To fix this issue, complete the following steps:

In the Instana UI, go to Synthetic Monitoring > Locations.
Click New Location. The New Location dialog is displayed.
Select Private.
Click Next.
In the Simple tab, check whether the controller.instanaKey and controller.instanaSyntheticEndpoint parameters are set correctly.
Check whether your license is validated and not expired.

404 Not Found

If you see the following error message in the PoP controller log file: Request failed with status code: 404

Possible reasons for this error:

The synthetic endpoint URL is not set correctly.
If you are using self-hosted Instana backend, something is wrong with the Synthetic acceptor or load balancer.

To fix this issue, complete the following steps:

In the Instana UI, go to Synthetic Monitoring > Locations.
Click New Location. The New Location dialog is displayed.
Select Private.
Click Next.
In the Simple tab, check whether the controller.instanaKey and controller.instanaSyntheticEndpoint parameters are set correctly.

If you are using self-hosted Instana backend and the controller.instanaSyntheticEndpoint parameter is correctly set, check whether load balancer and Synthetic acceptor are working correctly. For more information, see Setting up load balancers and DNS

503 Service Unavailable

If you see the following error message in the PoP controller log file: Request failed with status code: 503

Possible reasons for this error:

Something is wrong with the Ingresses, Routes, or LoadBalancer service that was created when you installed the self-hosted Instana backend.

To fix this issue, check the available Ingresses, Routes, or LoadBalancer services created when you installed the self-hosted Instana backend. Create or update the missing services or services that are not valid. For more information, see Setting up load balancers and DNS.

Name or service not known

If you see the following error message in the PoP controller log file: java.net.UnknownHostException: <hostname>: Name or service not known

Possible reasons for this error:

The hostname in the controller.instanaSyntheticEndpoint parameter is incorrect.
A DNS issue in your Kubernetes cluster.

To fix this issue, try the following steps:

Check whether the controller.instanaSyntheticEndpoint parameter is set correctly.
Check the DNS configuration in your Kubernetes cluster, see Debugging DNS Resolution.
Change the hostname to an IP address in controller.instanaSyntheticEndpoint parameter.