go
/
build
зеркало из https://github.com/golang/build.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
build/influx
История
Michael Pratt c5e6b32442 influx: disable pprof endpoints 
We don't need to expose /debug publicly.

The build needs to disable cgo as the golang build image apparently has
a newer version of glibc than the influxdb2 image. This only impacts the
wrapper binary, not influxdb itself.

Change-Id: I8ea5c4863daf6cadb8502e08feba2919f4f9c05a
Reviewed-on: https://go-review.googlesource.com/c/build/+/556175
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
 		2024-01-16 20:41:07 +00:00
..
Dockerfile influx: disable pprof endpoints 2024-01-16 20:41:07 +00:00
Makefile influx: add kubernetes deployment 2022-03-23 21:59:02 +00:00
README.md all: clean up and consolidate deployment documentation 2022-07-07 18:00:38 +00:00
deployment-prod.yaml all: make copyright headers consistent 2023-03-01 01:31:01 +00:00
main.go influx: disable pprof endpoints 2024-01-16 20:41:07 +00:00

README.md

InfluxDB container image

This directory contains the source for the InfluxDB container image used in the Go Performance Monitoring system. The image is based on the Google-maintained GCP InfluxDB 2 image, with an additional small program to perform initial database setup and push access credentials to Google Secret Manager.

Local

To run an instance locally:

$ make docker-prod
$ docker run --rm -p 443:8086 gcr.io/symbolic-datum-552/influx:latest

Browse / API connect to https://localhost:8086 (note that the instance uses a self-signed certificate), and authenticate with user 'admin' or 'reader' with the password or API token logged by the container.

Google Cloud

One-time setup:

  1. IAM setup, based on https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to:

a. Create GCP service account:

$ gcloud iam service-accounts create influx \
    --description="Runs golang.org/x/build/influx"

c. Allow Kubernetes service account (created by deployment-prod.yaml) to impersonate the GCP service account:

$ gcloud iam service-accounts add-iam-policy-binding \
    influx@<PROJECT>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT>.svc.id.goog[prod/influx]"
  1. Secret Manager set up:

a. Create the secrets to store InfluxDB passwords/tokens in:

$ gcloud secrets create influx-admin-pass
$ gcloud secrets create influx-admin-token
$ gcloud secrets create influx-reader-pass
$ gcloud secrets create influx-reader-token

b. Grant access to the GCP service account to update the secrets.

$ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"

Accessing Influx

The available users on Influx are 'admin' (full access) and 'reader' (read-only). To login as 'reader', use the following to access the password:

$ gcloud --project=symbolic-datum-552 secrets versions access latest --secret=influx-reader-pass

Then login at https://influx.golang.org.

To access the admin password, admin API token, or reader API token, change to --secret to one of influx-admin-pass, influx-admin-token, or influx-reader-token, respectively.

Deployment

See the documentation on deployment.