590d2aa95d
This updates the repository to a currently supported version of go1.20. Most of the Docker configuration files have been updated to use go1.20 and Debian bookworm. This change is needed in order to import some of the LUCI packages we intend to use.

Change-Id: Ibef9f2e5a0d5ee5b842cf4559c858630e32528eb
Reviewed-on: https://go-review.googlesource.com/c/build/+/518296
Auto-Submit: Carlos Amedee <carlos@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Dockerfile
Makefile
README.md
deployment-prod.yaml
main.go
README.md
InfluxDB container image
This directory contains the source for the InfluxDB container image used in the Go Performance Monitoring system. The image is based on the Google-maintained GCP InfluxDB 2 image, with an additional small program to perform initial database setup and push access credentials to Google Secret Manager.
Local
To run an instance locally:
$ make docker-prod
$ docker run --rm -p 443:8086 gcr.io/symbolic-datum-552/influx:latest
Browse to, or point an API client at, https://localhost:8086 (note that the instance uses a self-signed certificate), and authenticate as user 'admin' or 'reader' with the password or API token logged by the container.
Google Cloud
One-time setup:
- IAM setup, based on https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to:
  a. Create GCP service account:
     $ gcloud iam service-accounts create influx \
         --description="Runs golang.org/x/build/influx"
  c. Allow Kubernetes service account (created by deployment-prod.yaml) to impersonate the GCP service account:
     $ gcloud iam service-accounts add-iam-policy-binding \
         influx@<PROJECT>.iam.gserviceaccount.com \
         --role roles/iam.workloadIdentityUser \
         --member "serviceAccount:<PROJECT>.svc.id.goog[prod/influx]"
- Secret Manager setup:
  a. Create the secrets to store InfluxDB passwords/tokens in:
     $ gcloud secrets create influx-admin-pass
     $ gcloud secrets create influx-admin-token
     $ gcloud secrets create influx-reader-pass
     $ gcloud secrets create influx-reader-token
  b. Grant access to the GCP service account to update the secrets:
     $ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
     $ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
     $ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
     $ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
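The grants above give the service account only roles/secretmanager.secretVersionAdder on each secret. As an added example (not code from this repository), the Go check below reads the JSON printed by `gcloud secrets get-iam-policy <secret> --format=json` and reports any drift from that grant: extra roles on the service account, public members, or a missing adder binding. The project ID example-project, the function name auditPolicy and both sample policies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policy mirrors `gcloud secrets get-iam-policy <secret> --format=json`.
type policy struct {
	Bindings []struct {
		Role    string   `json:"role"`
		Members []string `json:"members"`
	} `json:"bindings"`
}

// Constructed sample data; example-project is a placeholder project ID.
const (
	adderRole  = "roles/secretmanager.secretVersionAdder"
	writer     = "serviceAccount:influx@example-project.iam.gserviceaccount.com"
	policyOK   = `{"bindings":[{"role":"` + adderRole + `","members":["` + writer + `"]}]}`
	policyWide = `{"bindings":[{"role":"roles/secretmanager.admin","members":["` + writer + `"]},{"role":"roles/secretmanager.secretAccessor","members":["allAuthenticatedUsers"]}]}`
)

// auditPolicy lists deviations from the README's grant: the service account sa
// should hold only secretVersionAdder, and no binding should be public.
func auditPolicy(raw, sa string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	findings, hasAdder := []string{}, false
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			if m == "allUsers" || m == "allAuthenticatedUsers" {
				findings = append(findings, m+" holds "+b.Role)
			} else if m == sa && b.Role != adderRole {
				findings = append(findings, "writer also holds "+b.Role)
			}
			hasAdder = hasAdder || (m == sa && b.Role == adderRole)
		}
	}
	if !hasAdder {
		findings = append(findings, "writer lacks "+adderRole)
	}
	return findings, nil
}

func main() {
	fmt.Println(auditPolicy(policyWide, writer))
}
```

Run it once per secret (influx-admin-pass, influx-admin-token, influx-reader-pass, influx-reader-token); an empty result means the policy matches the grant described above.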
Accessing Influx
The available users on Influx are 'admin' (full access) and 'reader' (read-only). To log in as 'reader', use the following to access the password:
$ gcloud --project=symbolic-datum-552 secrets versions access latest --secret=influx-reader-pass
Then log in at https://influx.golang.org.
To access the admin password, admin API token, or reader API token, change --secret to one of influx-admin-pass, influx-admin-token, or influx-reader-token, respectively.
Deployment
See the documentation on deployment.