tree: 895207ffb8e6ed7e7df94ee655baae4d454de8be [path history] [tgz]
  1. deployment-prod.yaml
  2. Dockerfile
  3. main.go
  4. Makefile

InfluxDB container image

This directory contains the source for the InfluxDB container image used in the Go Performance Monitoring system. The image is based on the Google-maintained GCP InfluxDB 2 image, with an additional small program to perform initial database setup and push access credentials to Google Secret Manager.


To run an instance locally:

$ make docker-prod
$ docker run --rm -p 443:8086

Browse / API connect to https://localhost:8086 (note that the instance uses a self-signed certificate), and authenticate with user ‘admin’ or ‘reader’ with the password or API token logged by the container.

Google Cloud

One-time setup:

  1. IAM setup, based on

a. Create GCP service account:

$ gcloud iam service-accounts create influx \

c. Allow Kubernetes service account (created by deployment-prod.yaml) to impersonate the GCP service account:

$ gcloud iam service-accounts add-iam-policy-binding \
    influx@<PROJECT> \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT>[prod/influx]"
  1. Secret Manager set up:

a. Create the secrets to store InfluxDB passwords/tokens in:

$ gcloud secrets create influx-admin-pass
$ gcloud secrets create influx-admin-token
$ gcloud secrets create influx-reader-pass
$ gcloud secrets create influx-reader-token

b. Grant access to the GCP service account to update the secrets.

$ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT> --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT> --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT> --role="roles/secretmanager.secretVersionAdder"
$ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT> --role="roles/secretmanager.secretVersionAdder"

Accessing Influx

The available users on Influx are ‘admin’ (full access) and ‘reader’ (read-only). To login as ‘reader’, use the following to access the password:

$ gcloud --project=symbolic-datum-552 secrets versions access latest --secret=influx-reader-pass

Then login at

To access the admin password, admin API token, or reader API token, change to --secret to one of influx-admin-pass, influx-admin-token, or influx-reader-token, respectively.