Skip to content

Latest commit

 

History

History
 
 

influx

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Dockerfile
Dockerfile
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
deployment-prod.yaml
deployment-prod.yaml
 
 
main.go
main.go
 
 

README.md

InfluxDB container image

This directory contains the source for the InfluxDB container image used in the Go Performance Monitoring system. The image is based on the Google-maintained GCP InfluxDB 2 image, with an additional small program to perform initial database setup and push access credentials to Google Secret Manager.

Local

To run an instance locally:

$ make docker-prod
$ docker run --rm -p 443:8086 gcr.io/symbolic-datum-552/influx:latest

Browse / API connect to https://localhost:8086 (note that the instance uses a self-signed certificate), and authenticate with user 'admin' or 'reader' with the password or API token logged by the container.

Google Cloud

One-time setup:

  1. IAM setup, based on https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to:

a. Create GCP service account:

$ gcloud iam service-accounts create influx \
    --description="Runs golang.org/x/build/influx"

c. Allow Kubernetes service account (created by deployment-prod.yaml) to impersonate the GCP service account:

$ gcloud iam service-accounts add-iam-policy-binding \
    influx@<PROJECT>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT>.svc.id.goog[prod/influx]"
  1. Secret Manager set up:

a. Create the secrets to store InfluxDB passwords/tokens in:

$ gcloud secrets create influx-admin-pass
$ gcloud secrets create influx-admin-token
$ gcloud secrets create influx-reader-pass
$ gcloud secrets create influx-reader-token

b. Grant access to the GCP service account to update the secrets.

$ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"

Accessing Influx

The available users on Influx are 'admin' (full access) and 'reader' (read-only). To login as 'reader', use the following to access the password:

$ gcloud --project=symbolic-datum-552 secrets versions access latest --secret=influx-reader-pass

Then login at https://influx.golang.org.

To access the admin password, admin API token, or reader API token, change to --secret to one of influx-admin-pass, influx-admin-token, or influx-reader-token, respectively.

Deployment

See the documentation on deployment.