Enterprise Server: Container settings
The settings on this page can be passed in as environment variables into the pganalyze Enterprise Server container. Any change of these settings requires a container restart to read the new configuration.
Basic configuration
DATABASE_URL
: PostgreSQL server used for storing statistics information (required)LICENSE_KEY
: License key provided to you by the pganalyze team (required)DOMAIN_NAME
: Domain name where you are hosting the pganalyze app (optional, but recommended, and required for SSO)MAILER_URL
: SMTP server used to send system emails, e.g. user invites (optional, recommended)MAILER_FROM
: "From" address used to send system emails (optional, recommended if setting MAILER_URL)REDIS_URL
: Redis server used for scale out architecture (optional, only needed when running Redis separately)
An example configuration looks like this:
DATABASE_URL=postgres://myusername:mypassword@example.com:5432/mydatabase
LICENSE_KEY=KEYKEYKEY
DOMAIN_NAME=pganalyze.example.com
MAILER_URL=smtp://myusername:mypassword@example.com:25
MAILER_FROM=pganalyze@example.com
Resource settings
SIDEKIQ_CONCURRENCY
: Concurrency (number of threads) for background workers, defaults to 1. Set this to 0 to turn off the workers in the combined image (requires 2023.06.0 or newer).
Access control settings
DISABLE_DIRECT_SIGNUP
: Whether direct signups to the pganalyze application are permitted (without requiring an invite or going through Single Sign-On)DEFAULT_ORG_ROLE
: How new users are added to the organization when they sign up (optional, default:none
)none
- new users are not organization members and have to be invited by an existing user (recommended)admin
- assigns the role named "Admin (All Servers)"modify_all
- assigns the role named "View & Modify (All Servers)"view_all
- assigns the role named "View (All Servers)"
Important: If you are hosting your pganalyze Enterprise Server installation on a publicly available interface (i.e. without explicit access control at the network level), we recommend setting DISABLE_DIRECT_SIGNUP
to 1
.
Note that DISABLE_DIRECT_SIGNUP
is not compatible with the DEFAULT_ORG_ROLE
setting: If DISABLE_DIRECT_SIGNUP
is enabled, and DEFAULT_ORG_ROLE
is not none
, it will be the same as setting it to none
, since direct registrations are not possible.
Object storage
For using Log Insights and Automated EXPLAIN, additional settings must be configured for object storage.
AWS-specific settings
When using the object storage on AWS, the required IAM credentials can either be set using an instance role (recommended), or by explicitly setting these environment variables:
AWS_ACCESS_KEY_ID
: AWS Access Key ID (optional)AWS_SECRET_ACCESS_KEY
: AWS Secret Access Key (optional)
You can also configure the following object storage settings:
AWS_S3_SNAPSHOTS_BUCKET
: Name of the snapshots S3 bucket (required for object storage)AWS_S3_LOGS_BUCKET
: Name of the logs S3 bucket (required for object storage)AWS_KMS_LOGS_CMK
: Identifier for the KMS key used for client-side log text encryption (required for object storage)AWS_S3_SNAPSHOTS_PREFIX
: Prefix for all objects stored in snapshots bucket (optional, empty by default)AWS_S3_LOGS_PREFIX
: Prefix for all objects stored in logs bucket (optional, empty by default)
Note that when using the collector inside the Enterprise Server container to monitor Amazon RDS or Aurora, the actual fetching of log data from RDS will also use these same credentials. Ensure to also set the collector IAM policy in that case.
In addition, you can also set these other general settings:
AWS_REGION
: Default AWS region (optional)AWS_ENDPOINT_S3_URL
: VPC endpoint to use for Amazon S3 API access (optional)AWS_ENDPOINT_KMS_URL
: VPC endpoint to use for Amazon KMS API access (optional)AWS_ENDPOINT_STS_URL
: VPC endpoint to use for Amazon STS API access (optional)
When using Amazon EKS with IAM roles associated to a service account, the following additional settings can be used:
AWS_ROLE_ARN
: Role to assume for AWS API access (automatically set by EKS)AWS_WEB_IDENTITY_TOKEN_FILE
: Location of Web Identity token file (automatically set by EKS)AWS_ROLE_SESSION_NAME
: Session name to use when assuming roles (optional, defaults to "pganalyze")
Local object storage with Minio
See Object Storage Setup (Local Storage).
Additionally the following optional settings are available:
MINIO_SNAPSHOTS_BUCKET
: Name of the snapshots bucket in Minio (optional, defaults topganalyze-snapshots
)MINIO_LOGS_BUCKET
: Name of the logs bucket in Minio (optional, defaults topganalyze-logs
)
Google Auth integration
Configured using GOOGLE_CLIENT_ID
and GOOGLE_CLIENT_SECRET
. See separate instructions.
PagerDuty integration
Configured using PAGERDUTY_APP_ID
. See separate instructions.
Slack integration
Configured using SLACK_CLIENT_ID
and SLACK_CLIENT_SECRET
. See separate instructions.
LDAP configuration
The collector can optionally support using an LDAP connection to verify user credentials, instead of using a username/password stored in the pganalyze database. When LDAP is enabled regular user authentication is turned off.
LDAP is commonly utilized when using Microsoft Active Directory on-premise. If possible we recommend using the SAML integration instead, including when using Azure Active Directory.
When using LDAP, it is recommended to also set DEFAULT_ORG_ROLE
to a non-empty value (see above)
to ensure that new LDAP users are added to the existing organization.
LDAP_HOST
: Internal hostname or IP of your LDAP serverLDAP_PORT
: Port of your LDAP server. Use port 636 for LDAPSLDAP_BASE_DN
: Base DN that all lookups should be done with. You can use this to restrict access to a subset of your LDAP accounts. Note that both the admin CN and regular users need to be members of this DN.LDAP_LOOKUP_CN
: Common Name of an account that will be used to run authentication lookups on your LDAP directoryLDAP_LOOKUP_PASSWORD
: Password for the account that will be used to run authentication lookupsLDAP_FIELD_UID
: UID field on your LDAP entries. This is usuallysAMAccountName
on Active Directory serversLDAP_ENCRYPTION
: Encryption mode to use for LDAP connections. Only add this when you want to use LDAPS (Port 636) or STARTTLS (Port 389) for a secure connection to your server. Specifyssl
for LDAPS, andtls
for STARTTLS (optional)
Example LDAP configuration, with the required DEFAULT_ORG_ROLE
setting, but without other unrelated settings:
LDAP_HOST=example.com
LDAP_PORT=389
LDAP_BASE_DN=OU=Users,OU=ldaptest,DC=ldaptest,DC=pganalyze,DC=com
LDAP_LOOKUP_CN=Admin
LDAP_LOOKUP_PASSWORD=ReallyLongSecurePassword
LDAP_FIELD_UID=sAMAccountName
LDAP_ENCRYPTION=ssl
DEFAULT_ORG_ROLE=view_all
Note you can run an Enterprise self-check to verify the connection and lookup LDAP information, but some configuration errors are only visible once logging in.
Worker queue monitoring using Prometheus
The metrics HTTP endpoint /metrics
is available for Prometheus scraping. Currently, it provides worker queue metrics using the sidekiq-prometheus-exporter gem.
The endpoint is protected with a bearer auth, the token is specified with the SIDEKIQ_PROMETHEUS_TOKEN
environment variable. The endpoint is only available when the environment variable is set.
If you have a Prometheus setup already, you can add the hostname and port of your web server as an additional target to the Prometheus config file to scrape.
Below is an example of a prometheus.yml
file (with web server 0.0.0.0:5000
):
scrape_configs:
- job_name: "sidekiq-prometheus"
scrape_interval: 60s
scrape_timeout: 10s
authorization:
credentials: $SIDEKIQ_PROMETHEUS_TOKEN
static_configs:
- targets: [ '0.0.0.0:5000' ]
Couldn't find what you were looking for or want to talk about something specific?
Start a conversation with us →