Install the Control Tower
1. Prepare Environment Variables
The required fields depend on your setup. The tables below are grouped by infrastructure and observability provider; use the ones that match yours.
1.1. Prepare required fields
Field Name | Secret Name | Description |
---|---|---|
fc_api_key | FC_API_KEY | Your Flightcrew API key is a unique, private key that can be found after signing up in your Flightcrew account. The same key should be used for all Control Towers. |
1.2. Prepare infrastructure fields
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Self-hosted Kubernetes (Bare Metal)

Amazon Elastic Kubernetes Service (EKS):

Field Name | Secret Name | Description |
---|---|---|
cluster_name | n/a | The name of your Kubernetes cluster, which can be found by using aws eks list-clusters. If you are using an external observability provider, ensure that this name matches what you've entered there. |
cloud_provider | n/a | Use provider:aws/platform:eks |

Google Kubernetes Engine (GKE):

Field Name | Secret Name | Description |
---|---|---|
cluster_name | n/a | The name of your Kubernetes cluster, which can be found by using gcloud container clusters list. If you are using an external observability provider, ensure that this name matches what you've entered there. |
cloud_provider | n/a | Use provider:gcp/platform:gke |

Self-hosted Kubernetes (Bare Metal):

Field Name | Secret Name | Description |
---|---|---|
cluster_name | n/a | The name of your Kubernetes cluster. If you are using an external observability provider, ensure that this name matches what you've entered there. |
cloud_provider | n/a | Use provider:self/platform:kubernetes |
1.3. Prepare observability fields
- Datadog
- Observe
- Prometheus
- Stackdriver
- SumoLogic

Datadog:

Field Name | Secret Name | Description |
---|---|---|
metric_providers | n/a | Use datadog |
datadog_api_key | DD_API_KEY | API key created in the Datadog setup steps |
datadog_app_key | DD_APP_KEY | Application key created in the Datadog setup steps |

Observe:

Field Name | Secret Name | Description |
---|---|---|
metric_providers | n/a | Use observe |
observe_api_token | OBSERVE_API_TOKEN | API Token created in the Observe setup steps |
observe_cluster | OBSERVE_CLUSTER | Cluster created in the Observe setup steps |
observe_customer_id | OBSERVE_CUSTOMER_ID | Customer ID created in the Observe setup steps |
observe_dataset_id | OBSERVE_DATASET_ID | Dataset ID created in the Observe setup steps |
observe_domain | OBSERVE_DOMAIN | Domain created in the Observe setup steps |

Prometheus:

Field Name | Secret Name | Description |
---|---|---|
metric_providers | n/a | Use prometheus |
prometheus_url | n/a | The Control Tower reads from the DNS name for the Prometheus service, in the form http://[SERVICE].[NAMESPACE].svc.cluster.local:[PORT], where SERVICE = the Prometheus service name, NAMESPACE = its namespace, and PORT = spec.ports.port from the Prometheus service config. The final URL should look something like http://prometheus-service.monitoring.svc.cluster.local:9090 |

Stackdriver:

Field Name | Secret Name | Description |
---|---|---|
metric_providers | n/a | Use stackdriver |
stackdriver_service_account | n/a | Set to the service account created in the Stackdriver setup steps, which should look like iam.gke.io/gcp-service-account=flightcrew-monitoring-viewer@PROJECT_NAME.iam.gserviceaccount.com |

SumoLogic:

Field Name | Secret Name | Description |
---|---|---|
metric_providers | n/a | Use sumologic |
sumo_access_id | SUMO_ACCESS_ID | Access ID created in the Sumo Logic setup steps |
sumo_access_key | SUMO_ACCESS_KEY | Access Key created in the Sumo Logic setup steps |
sumo_cluster_display_name | SUMO_CLUSTER_DISPLAY_NAME | Cluster name, described in Sumo Logic verification steps |
sumo_region_code | SUMO_REGION_CODE | Region code, described in Sumo Logic verification steps |
2. (recommended) Secret Management
The Helm chart requires some values to be set to reach Flightcrew's backend and your metric provider. Some of these are potentially sensitive API keys, so we recommend storing them in your Secret Manager and creating a Kubernetes Secret object to reference the values. The Helm chart can then access this existing secret using the --set existingSecretName="flightcrew-secrets-name" option. Reference the Secret Name column in the required environment variables above to figure out which should be used in the data field, like this:
apiVersion: v1
kind: Secret
metadata:
  name: fc-tokens
  namespace: flightcrew
type: Opaque
data:
  FC_API_KEY: <base64-encoded-API-key>
  # other secrets as mentioned in part 1 above
  ...
Otherwise, it is possible to enter the values into the Helm chart as plaintext and it will create a Secret object automatically, but this is the less secure option.
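One way to build the Secret described above without hand-encoding values, as an added example that is not part of Flightcrew's documentation. It assumes each key is exported as an environment variable named after the "Secret Name" column; the function names and the secret name flightcrew-secrets are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not Flightcrew's code). Function names are illustrative.
# Assumes each secret is exported as an environment variable named after the
# "Secret Name" column, e.g. by your secret manager's CLI.

# b64 VALUE: base64-encode without a trailing newline or line wrapping.
# (`echo "$v" | base64` would encode "value\n" and the key would not match.)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_secret NAME NAMESPACE KEY...: print a Secret manifest on stdout.
# Refuses to render if any KEY is unset or empty, so a half-filled Secret
# never reaches the cluster.
render_secret() {
  name=$1; ns=$2; shift 2
  for key in "$@"; do
    if [ -z "$(printenv "$key")" ]; then
      echo "render_secret: $key is unset or empty" >&2
      return 1
    fi
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: Opaque\ndata:\n'
  for key in "$@"; do
    printf '  %s: %s\n' "$key" "$(b64 "$(printenv "$key")")"
  done
}

# secret_value KEY: decode one entry from a manifest on stdin (for checking).
secret_value() { awk -v k="$1:" '$1 == k { print $2 }' | base64 -d; }

# Usage: pipe straight to kubectl so the manifest is never written to disk.
#   render_secret flightcrew-secrets flightcrew FC_API_KEY DD_API_KEY DD_APP_KEY \
#     | kubectl apply -f -
```

The flightcrew namespace must already exist before the Secret is applied, since the Secret is created ahead of the Helm release.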
3. Install the Control Tower
The Control Tower Helm chart provides an additional field --set userLabels.<label>=<value> to add custom labels to the Control Tower deployment. For example, to add the env=prod label, add --set userLabels.env=prod to the command.
- Using Helm (via plaintext CLI)
- Using Helm (via CLI reusing secret)
- Using Helm (via Terraform)
Install the Helm chart via the command line using plaintext values.
# Get the Helm chart
helm repo add flightcrew https://flightcrew-helm-charts.storage.googleapis.com/control-tower/stable
helm repo update
When providing values to the Helm chart, please refer to the "Field Name" column from the environment variable sections above. You'll pass values in by adding --set "<field_name>=<value>" to the command.
# Construct the command
helm install control-tower flightcrew/control-tower \
--namespace flightcrew --create-namespace \
--set "<field_name1>=<value1>" \
--set "<field_name2>=<value2>"
Here's an example for EKS and Datadog:
helm repo add flightcrew https://flightcrew-helm-charts.storage.googleapis.com/control-tower/stable
helm repo update
helm install control-tower flightcrew/control-tower \
--namespace flightcrew --create-namespace \
--set cluster_name=my-prod-cluster \
--set cloud_provider=provider:aws/platform:eks \
--set metric_providers="datadog" \
--set datadog_api_key="api_key" \
--set datadog_app_key="app_key"
Install the Helm chart via the command line by reusing an existing secret.
# Get the Helm chart
helm repo add flightcrew https://flightcrew-helm-charts.storage.googleapis.com/control-tower/stable
helm repo update
When providing values to the Secret, please refer to the "Secret Name" column from the environment variable sections above. You'll set values in the Secret by adding <secret_name>: <value> under data: in the YAML below. Values under data: must be base64-encoded.
apiVersion: v1
kind: Secret
metadata:
  name: flightcrew-secrets
  namespace: flightcrew
type: Opaque
data:
  # each value is the base64 encoding of the secret
  <secret_name1>: <value1>
  <secret_name2>: <value2>
When providing values to the Helm chart, please refer to the "Field Name" column from the environment variable sections above. You'll pass values in by adding --set "<field_name>=<value>" to the command.
# Construct the command
helm install control-tower flightcrew/control-tower \
--namespace flightcrew \
--set existingSecretName="flightcrew-secrets" \
--set "<field_name1>=<value1>" \
--set "<field_name2>=<value2>"
Here's an example for EKS and Datadog:
apiVersion: v1
kind: Secret
metadata:
  name: flightcrew-secrets
  namespace: flightcrew
type: Opaque
data:
  # values under data: must be base64-encoded
  DD_API_KEY: <base64-encoded-api_key>
  DD_APP_KEY: <base64-encoded-app_key>
helm repo add flightcrew https://flightcrew-helm-charts.storage.googleapis.com/control-tower/stable
helm repo update
helm install control-tower flightcrew/control-tower \
--namespace flightcrew --create-namespace \
--set cluster_name=my-prod-cluster \
--set cloud_provider=provider:aws/platform:eks \
--set metric_providers="datadog" \
--set existingSecretName="flightcrew-secrets"
The example below shows how to set up the .tf file with Amazon EKS and Sumo Logic. Replace the values to match your setup, and then run terraform apply.
resource "helm_release" "flightcrew" {
  name             = "control-tower"
  namespace        = "flightcrew"
  repository       = "https://flightcrew-helm-charts.storage.googleapis.com/control-tower/stable"
  chart            = "control-tower"
  create_namespace = true

  set {
    name  = "fc_api_key"
    value = var.FC_API_KEY
  }
  set {
    name  = "cluster_name"
    value = var.cluster_name
  }
  set {
    name  = "cloud_provider"
    value = "provider:aws/platform:eks"
  }
  set {
    name  = "metric_providers"
    value = "sumologic"
  }
  set {
    name  = "sumo_access_id"
    value = var.SUMOLOGIC_ACCESSID
  }
  set {
    name  = "sumo_access_key"
    value = var.SUMOLOGIC_ACCESSKEY
  }
  set {
    name  = "sumo_cluster_display_name"
    value = var.cluster_name
  }
  set {
    name  = "sumo_region_code"
    value = "us2"
  }
}
4. Confirm Install
After a minute or two, your Kubernetes resources and metrics should begin to populate in the Flightcrew dashboard.
Flightcrew will take a few hours to build a full understanding of your cloud infrastructure and begin surfacing insights. Recommendations will continue to improve over time as more data is gathered.
Click into the dashboard to follow your progress in real-time.

Troubleshooting
CrashLoopBackOff
The Control Tower will fail loudly if it's misconfigured or cannot reach the APIs it needs. Run the following command to check the error logs:
kubectl logs deployment/control-tower --namespace flightcrew --previous --tail=20
Feel free to send the error logs to the Flightcrew team on Slack or support@flightcrew.io for help debugging.
Out of Memory
Resource usage will vary slightly depending on the size of the cluster. Memory usage very rarely exceeds 500Mi, but if the pod is hitting its memory limit and getting OOMKilled, the resources can be increased by updating fields on the Helm chart, for example:
helm upgrade control-tower flightcrew/control-tower --namespace flightcrew --reuse-values \
--set resources.limits.memory="2000Mi" \
--set resources.requests.memory="1000Mi"
Please still reach out to support@flightcrew.io if this happens so we can take a closer look, as something else may be going wrong.