Deploying a self-hosted PoP
Synthetic PoP (Point of presence) is the agent where the Synthetic tests are run. You can deploy Synthetic PoP in multiple locations to monitor your application.
Synthetic PoP runs as a set of Kubernetes pods in the Kubernetes cluster, see the following architecture.
The following playback engines are supported for Synthetic tests. The value you set in the API varies depending on the test type.
Playback Engine | Test type | Value in API |
HTTP | API Simple | HTTPAction |
JavaScript | API Script | HTTPScript |
BrowserScript | - Webpage Simple or Browser Simple - Node.js-based Browser Script - Selenium IDE script-based Webpage Script |
WebpageAction BrowserScript WebpageScript |
Internet Service Monitoring (ISM) | SSL Certificate | SSLCertificate |
Deployment option
Synthetic PoP can be deployed only by the Helm charts.
- The official Helm repository URL is, and the chart name is
. - The Helm chart Git repository URL is
For the chart version history, see Synthetic PoP chart published in ArtifactHUB.
Synthetic PoP needs to be deployed in a Kubernetes cluster. Use the helm chart to deploy Synthetic PoP, and ensure that Kubernetes and helm are installed in your environment.
- Set up a Kubernetes cluster where the PoP will be installed. The minimum supported version for the Kubernetes distribution is 1.10. For more information, see Set up Kubernetes.
- Install Helm, and Helm V3 is recommended. For more information, see Installing Helm.
For more information about hardware prerequisites for your PoP deployment, see PoP Capacity planning.
Installing a self-hosted Synthetic PoP
Use the helm install command to install a new Synthetic PoP, and pass the following values. You are suggested to install the PoP in a separate namespace.
- downloadKey: The download agent key for pulling image from
Docker registry. - controller.location: The format is
label; displayLabel; country; city; latitude; longitude; description
. This label acts as the PoP identifier and can only contain letter, number, hyphen, and underscore. - controller.instanaKey: The Instana agent key, which is used for connecting to Instana backend.
- controller.instanaSyntheticEndpoint: The ingress endpoint of Synthetic acceptor in Instana backend.
- controller.clusterName: Optionally. It needs to be set with the name of the Kubernetes cluster that is to be displayed in the Instana UI when Instana agent is installed to monitor this PoP.
- redis.password: The authentication password to redis server. Specify a password with length at least 10.
- redis.tls.enabled: Define if enabling Redis TLS or not (default false). If the value is
, the communication with Redis will be encrypted with TLS. - redis.tls.secretName: If the value of the
field istrue
, you need to specify a secret name for Redis TLS key/cert files. To find the values fordownloadKey
, andcontroller.instanaSyntheticEndpoint
, complete the following steps:
- Sign in to the Instana UI, and click Synthetic Monitoring.
- Perform one of the following steps:
- On Instana SaaS, click New Location and select Private.
- On Instana self-hosted, click Deploy a PoP and select Private.
- Copy the values of
, andcontroller.instanaSyntheticEndpoint
To configure the installation, specify the values in the command line by using the --set
flag, or provide a yaml file with your values by using the -f
In the following example, a Synthetic PoP with the location name MyPoP
is deployed, and Redis uses password for authentication. You need to update the following parameters based on your requirements:
helm install synthetic-pop \
--repo \
--namespace syn \
--create-namespace \
--set downloadKey="yourdownloadkey" \
--set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
--set controller.instanaKey="instanaAgentkey" \
--set controller.instanaSyntheticEndpoint="" \
--set redis.tls.enabled=false \
--set redis.password="a1fc5d01bcbb" \
You can also provide your values.yaml to deploy a PoP, below examples shows how to get the values.yaml template and then pass the modified yaml file to deploy a PoP.
helm repo add synthetic-pop-repo
helm repo update
helm pull synthetic-pop-repo/synthetic-pop
tar xzvf synthetic-pop-*.tgz
# Modify the synthetic-pop/values.yaml file
# Run helm install to pass the modified values.yaml
helm install synthetic-pop \
--repo \
--namespace syn \
--create-namespace \
-f /path/to/values.yaml \
After PoP is installed, make sure that each pod is in Running
and Ready
kubectl get pod -n syn
Sign in to Instana UI, click Synthetic _Monitoring > Locations, and then you can see your location is showed up in the location list. If not, go to the Troubleshooting section to check the log files.
Security enhancement
To improve security on Synthetic PoP, apply the following security practices.
TLS encryption
The PoP controller and different playback engines communicate through Redis server, and PoP controller provides an endpoint for health check. You can configure TLS to encrypt the communication through Redis TLS and encrypt the endpoint of PoP controller through HTTPS.
To configure TLS, you need to have your X.509 certificate-key pair (tls.crt
, tls.key
) and Certificate Authority (CA) root certificate file (ca.crt
). If you do not have your key and certificate files,
you can also use the openssl
command to generate new ones. See the following examples:
openssl genrsa -out tls.key 4096
openssl req -x509 -new -nodes -sha256 -key tls.key -days 3650 -subj '/O=Instana/CN=Certificate Authority' -out ca.crt
openssl req -new -sha256 -key tls.key -subj '/O=Instana/CN=Server' | openssl x509 -req -sha256 -CA ca.crt -CAkey tls.key -CAserial ca.txt -CAcreateserial -days 3650 -out tls.crt
After key/cert files are provided, use the kubectl
command to create a secret.
# Create a new TLS secret named pop-tls-secret with the given key/cert files
kubectl create secret generic pop-tls-secret -n syn \
--type='' \
--from-file=ca.crt=path/to/ca.crt \
--from-file=tls.crt=path/to/tls.crt \
To deploy a PoP to support TLS, run the following command:
helm install synthetic-pop \
--repo \
--namespace syn \
--create-namespace \
--set downloadKey="yourdownloadkey" \
--set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
--set controller.instanaKey="instanaAgentkey" \
--set controller.instanaSyntheticEndpoint="" \
--set redis.tls.enabled=true \
--set redis.tls.secretName="pop-tls-secret" \
Secure computing mode
You can use secure computing mode (or seccomp) to sandbox the privileges of a process, which restricts the calls from user space into the kernel. Use the following parameter to enable RuntimeDefault as default seccomp profile for all containers.
The default seccomp profile works only for Kubernetes version 1.19 or later or OCP (OpenShift Container Platform) version 4.11 or later. If seccompDefault
is not set to true
for OCP 4.11 or later, you can see some
warning messages when you run the helm installation.
helm install synthetic-pop \
--repo \
--namespace syn \
--set seccompDefault=true \
Network policy
By using the network policy, you can specify how a pod is allowed to communicate with the network. To block access from PoP to specific IPs or IP ranges,
you can enable and customize the playbackEngineNetworkPolicy
parameter. Typically, you can collect the following IP addresses:
- Cloud provider metadata service IP address: It is
for AWS Metadata API, Google Cloud Metadata API, Azure Metadata API. - Kubernetes API server IP address: Use the kubectl command to collect Kubernetes API server IP address. See the following example for microk8s or minikube Kubernetes cluster:
# Use the following command to print apiserver endpoint
# For example, if the following command prints "Endpoints:", you need to block the IP address
kubectl describe service kubernetes
Then, modify the file values.yaml
in helm charts as follows to enable Egress rules to block the IP addresses that you collect.
# Change the value to true to enable the network policy
enabled: true
- to:
- ipBlock:
# Allow all IP address v4
# Block Kubernetes API server IP address
# Block cloud provider metadata service IP address
See the following example to pass network policy by using --set
# --set-json only be supported since Helm V3.11
helm install synthetic-pop \
--repo \
--namespace syn \
--set playbackEngineNetworkPolicy.enabled=true \
--set-json 'playbackEngineNetworkPolicy.egress=[{"to":[{"ipBlock":{"cidr":"","except":["",""]}}]}]' \
Migration scenario
To support the backend migration scenario, you can specify multiple Synthetic acceptor endpoints and Instana agent keys with semicolon. Instana agent keys and Synthetic acceptor endpoints are one-to-one correspondence. During the migration period, Synthetic PoP can send data to both old and new backend to avoid downtime.
See the following example:
helm install synthetic-pop \
--repo \
--namespace syn \
--set controller.instanaKey="instanaAgentkey;anotherInstanaAgentKey" \
--set controller.instanaSyntheticEndpoint=";" \
You are recommended to upgrade your Synthetic PoP to the latest version regularly because the latest version of Synthetic PoP might contain new features, improvements, or fixes. To check your PoP version, go to Synthetic Monitoring and click the Locations tab. The "Version" column shows the PoP version. To check the latest version of Synthetic PoP, see Synthetic PoP chart published in ArtifactHUB.
Use the helm upgrade command to update a Synthetic PoP to latest version. See the following example. You can change the parameters as needed. To update the PoP to a specific version, pass --version <version>
parameter additionally.
helm upgrade synthetic-pop \
--repo \
--namespace syn \
--set downloadKey="yourdownloadkey" \
--set controller.location="MyPoP;My PoP;MyCounty;MyCity;0;0;This is a testing Synthetic Point of Presence" \
--set controller.instanaKey="instanaAgentkey" \
--set controller.instanaSyntheticEndpoint="" \
--set redis.tls.enabled=false \
--set redis.password="a1fc5d01bcbb" \
- The
value in the location parameter is an identifier of the PoP, and not allowed to change. You are recommended to change thedisplayLabel
value as you want. - The redis password is not allowed to update. If you really need to change it, uninstall it and then reinstall it with updated redis password.
Use the helm uninstall command to uninstall a Synthetic PoP.
helm uninstall synthetic-pop -n syn
After the PoP is uninstalled, the PoP's location is still shown in the Instana UI with offline
status. You can reinstall the PoP with the same location to make the location online again, or delete the location on UI if you do not
use it anymore.
More configuration options
Playback engine enablement
You can disable some playback engines depending on your requirements. For example, you can disable the BrowserScript playback engine if you no longer require browser tests. Disable the playback engine by passing the following parameter to reduce the CPU and memory resources for your Synthetic PoP.
--set browserscript.enabled=false
The controller.capabilities
property defines the playback capabilities for the Synthetic PoP, including the supported Synthetic test and web browser types.
The controller.customProperties
property defines the customized tags or properties for this PoP. The property is a list of key:value
pairs, separated by a semicolon, such as key1=value1;key2=value2
Use an API such as $env.key1
to access the custom property or tag in an API or browser script.
You can configure a proxy server for Synthetic PoP to connect the Instana backend server. The following options are supported.
: the protocol used by the proxy server. Set the value tohttp
: the proxy server address in theipaddress:port
: the username and password to authenticate the proxy server. Enter the username and password in theusername:password
To configure the proxy server for Synthetic PoP to connect to the services that are being monitored, you can use the $network API to set a proxy server in the API script or browser script.
Using external secrets
If you don't want to use Helm chart to create new secrets for the keys controller.instanaKey
, redis.password
, proxy.popProxyUserPass
, and downloadKey
, you can use the existing secrets that
you have created for the Synthetic PoP deployment by specifying the secret names as follows:
helm install synthetic-pop \
--repo \
--namespace syn \
--set downloadSecret="my-pull-secret" \
--set controller.instanaKeySecret="my-pop-secret" \
--set redis.passwordSecret="my-pop-secret" \
--set proxy.popProxyUserPassSecret="my-pop-secret" \
For the keys controller.instanaKey
, redis.password
, and proxy.popProxyUserPass
, you can use the same secret or different existing secrets. However, when you create the secret, you must use the specified
key fields instana-key, redis-password, and proxy-user-pass as follows:
kubectl create secret generic my-pop-secret --namespace <namespace> \
--from-literal=instana-key='<instana agent key>' \
--from-literal=redis-password='<redis password>' \
--from-literal=proxy-user-pass='<proxy username and password>'
You need to replace <namespace> with the namespace that you use to install the Synthetic PoP.
The secret for the downloadKey
key must use the
type. You can create the secret with the
type as follows:
kubectl create secret docker-registry my-pull-secret --namespace <namespace> --docker-server="" --docker-username="_" --docker-password="<downloadKey>"
- Replace <namespace> with the namespace that you use to install the Synthetic PoP.
- Don't change the value of the --docker-username argument.
- Replace <downloadKey> with the Instana download key.
You can monitor Synthetic PoP with the Instana host agent. Instana host agent uses the Synthetic PoP sensor to monitor PoP.
Synthetic PoP Sensor
To monitor your Synthetic PoP, you are suggested to install the Instana host agent on the Kubernetes cluster where your PoP is installed.
Synthetic PoP sensor is automatically installed to monitor your PoP after the Instana host agent is installed. You can view the metrics in the Instana UI and get alerts if any health issue happens for your Synthetic PoP.
Assigning a PoP controller pod to a fixed node
When you upgrade a Synthetic PoP in a Kubernetes cluster with multiple nodes, the PoP controller pod might be assigned to a different node than you intended. If the PoP controller is assigned to a different node, the PoP entityId is changed. The PoP health data in the PoP monitoring dashboard is lost because the data is associated with the POP entityId. The result and result detail of the Synthetic tests running in this PoP are not impacted.
To prevent losing PoP health data, assign the PoP controller pod to a fixed node before you upgrade or install a Synthetic PoP.
To assign the PoP controller to a fixed node, complete the following steps:
Add a label to the node by running the following command:
kubectl label nodes <yournode> scheduler=synthetic-pop-controller
Specify the following parameter in the
helm install
orhelm upgrade
command:--set controller.nodeSelector.enabled=true
To assign a PoP controller pod to a fixed node and exclude other pods from this node, complete the following steps:
Add a taint to the node by running the following command:
kubectl taint nodes <yournode> toleration=synthetic-pop-controller:PreferNoSchedule
Specify the following parameter in the
helm install
orhelm upgrade
command:--set controller.taintSelector.enabled=true
To check the Helm chart version, run the following command:
helm list -n <namespace>
You can get the version number from the result such as synthetic-pop-<version>
If you meet any issues, for example, the location that you specify can't be shown on Instana Synthetic UI, first check the PoP controller log by running the following command:
kubectl logs -n <namespace> -f <pop_controller_pod_name>
To change the trace level of each component, you can pass the traceLevel values as follows to make an upgrade on your PoP:
--set controller.traceLevel="DEBUG" \
--set http.traceLevel="DEBUG" \
--set javascript.traceLevel="DEBUG" \
--set browserscript.traceLevel="DEBUG" \
--set ism.traceLevel="DEBUG" \
--set redis.traceLevel="DEBUG"
You can also dynamically change the trace level of PoP controller without restarting the pod by running the command in the container.
# enter synthetic-pop-controller container
kubectl exec -it -n <namespace> <pop_controller_pod_name> -- bash
# run command to change trace level to DEBUG
script is provided to collect and package log files of Synthetic PoP into a tar.gz
file and send it to Instana support team for assistance. You can find the
script in the Instana
Helm charts directory or download it from the synthetic-pop-charts repository.
Run the following command:
# collect PoP logs from a namespace
./ -n <namespace>
Check the PoP controller log files, troubleshooting steps for each error message is listed in the following sections.
403 Forbidden
If you see the following error message in the PoP controller log file: Request failed with status code: 403
Possible reasons for this error:
- Instana key is incorrect
- Your license is not validated.
- The Synthetic endpoint URL is valid, but it belongs to a different self-hosted installation or a different production region.
To fix this issue on Instana SaaS, complete the following steps:
- In the Instana UI, go to Synthetic Monitoring > Locations.
- Click New Location. The New Location dialog is displayed.
- Select Private.
- Click Next.
- In the Simple tab, check whether the
parameters are set correctly. - Check whether your license is validated and not expired.
To fix this issue on Instana self-hosted, complete the following steps:
- In the Instana UI, go to Synthetic Monitoring > Locations.
- Click Deploy a PoP. The Deploy a PoP dialog is displayed.
- In the Simple tab, check whether the
parameters are set correctly. - Check whether your license is valid and not expired.
404 Not Found
If you see the following error message in the PoP controller log file: Request failed with status code: 404
Possible reasons for this error:
- The synthetic endpoint URL is not set correctly.
- If you are using self-hosted Instana backend, something is wrong with the Synthetic acceptor or load balancer.
To fix this issue on Instana SaaS, complete the following steps:
- In the Instana UI, go to Synthetic Monitoring > Locations.
- Click New Location. The New Location dialog is displayed.
- Select Private.
- Click Next.
- In the Simple tab, check whether the
parameters are set correctly.
To fix this issue on Instana Self-hosted, complete the following steps:
- In the Instana UI, go to Synthetic Monitoring > Locations.
- Click Deploy a PoP. The Deploy a PoP dialog is displayed.
- In the Simple tab, check whether the
parameters are set correctly.
If you are using self-hosted Instana backend and the controller.instanaSyntheticEndpoint
parameter is correctly set, check whether load balancer and Synthetic acceptor are working correctly. For more information, see Setting up load balancers and DNS
Name or service not known
If you see the following error message in the PoP controller log file: <hostname>: Name or service not known
Possible reasons for this error:
- The hostname in the
parameter is incorrect. - A DNS issue in your Kubernetes cluster.
To fix this issue, try the following steps:
- Check whether the
parameter is set correctly. - Check the DNS configuration in your Kubernetes cluster, see Debugging DNS Resolution.
- Change the hostname to an IP address in