golang.org/x/build@v0.0.0-20240506185731-218518f32b70/influx/README.md (about)

# InfluxDB container image

This directory contains the source for the InfluxDB container image used in the
Go Performance Monitoring system. The image is based on the Google-maintained
GCP InfluxDB 2 image, with an additional small program to perform initial
database setup and push access credentials to Google Secret Manager.

## Local

To run an instance locally:

    $ make docker-prod
    $ docker run --rm -p 443:8086 gcr.io/symbolic-datum-552/influx:latest

Browse or connect via the API to https://localhost:8086 (note that the instance
uses a self-signed certificate), and authenticate with user 'admin' or 'reader'
with the password or API token logged by the container.

## Google Cloud

One-time setup:

1. IAM setup, based on
   https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to:

  a. Create GCP service account:

    $ gcloud iam service-accounts create influx \
        --description="Runs golang.org/x/build/influx"

  c. Allow Kubernetes service account (created by deployment-prod.yaml) to
     impersonate the GCP service account:

    $ gcloud iam service-accounts add-iam-policy-binding \
        influx@<PROJECT>.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:<PROJECT>.svc.id.goog[prod/influx]"

2. Secret Manager setup:

  a. Create the secrets to store InfluxDB passwords/tokens in:

    $ gcloud secrets create influx-admin-pass
    $ gcloud secrets create influx-admin-token
    $ gcloud secrets create influx-reader-pass
    $ gcloud secrets create influx-reader-token

  b. Grant the GCP service account access to update the secrets:

    $ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
    $ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
    $ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
    $ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"

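To confirm the bindings from step 2b afterwards, the following Python script (an added example, not part of this README or the x/build code) audits the JSON printed by `gcloud secrets get-iam-policy <secret> --format=json`: the influx service account should hold only `roles/secretmanager.secretVersionAdder` on each secret, and no binding should be public. The project id `example-project`, the group name and the sample policies are constructed placeholders.

```python
import json

# Assumption: "example-project" is a placeholder; substitute your own <PROJECT>.
WRITER = "serviceAccount:influx@example-project.iam.gserviceaccount.com"
EXPECTED_ROLE = "roles/secretmanager.secretVersionAdder"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(secret, policy_json, writer=WRITER):
    """Return a list of findings for one secret's IAM policy (empty list = OK)."""
    policy = json.loads(policy_json)
    findings, writer_roles = [], set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{secret}: {role} granted to {member}")
            if member == writer:
                writer_roles.add(role)
    # The container only needs to add new secret versions, nothing more.
    if EXPECTED_ROLE not in writer_roles:
        findings.append(f"{secret}: {writer} lacks {EXPECTED_ROLE}")
    for role in sorted(writer_roles - {EXPECTED_ROLE}):
        findings.append(f"{secret}: {writer} also holds {role}")
    return findings


# Constructed sample policies (not real output from any project).
GOOD = json.dumps({"bindings": [
    {"role": EXPECTED_ROLE, "members": [WRITER]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["group:perf-team@example.com"]},
]})
TOO_BROAD = json.dumps({"bindings": [
    {"role": EXPECTED_ROLE, "members": [WRITER]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": [WRITER, "allAuthenticatedUsers"]},
]})
NO_BINDINGS = json.dumps({"etag": "ACAB"})  # secret created, step 2b not yet run

if __name__ == "__main__":
    for name, doc in [("influx-admin-pass", GOOD),
                      ("influx-admin-token", TOO_BROAD),
                      ("influx-reader-pass", NO_BINDINGS)]:
        for line in audit_policy(name, doc) or [f"{name}: OK"]:
            print(line)
```
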
### Accessing Influx

The available users on Influx are 'admin' (full access) and 'reader'
(read-only). To log in as 'reader', use the following to access the password:

    $ gcloud --project=symbolic-datum-552 secrets versions access latest --secret=influx-reader-pass

Then log in at https://influx.golang.org.

To access the admin password, admin API token, or reader API token, change
`--secret` to one of `influx-admin-pass`, `influx-admin-token`, or
`influx-reader-token`, respectively.

## Deployment

See the documentation on [deployment](../doc/deployment.md).