Michael Pratt submitted this change.
influx: fix deployment and document one-time setup steps
* Add Kubernetes service account creation to deployment-prod.yaml.
* Fix app label to match selector in the service.
* Use Recreate strategy for rollout.
For golang/go#48803.
Change-Id: I52359ccbc0ce84ad7da9bf01f9336f5701d3cc46
Reviewed-on: https://go-review.googlesource.com/c/build/+/395540
Trust: Michael Pratt <mpr...@google.com>
Run-TryBot: Michael Pratt <mpr...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Heschi Kreinick <hes...@google.com>
---
M influx/README.md
M influx/deployment-prod.yaml
2 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/influx/README.md b/influx/README.md
index 785991b..d258e7f 100644
--- a/influx/README.md
+++ b/influx/README.md
@@ -14,3 +14,39 @@
Browse / API connect to https://localhost:8086 (note that the instance uses a
self-signed certificate), and authenticate with user 'admin' or 'reader' with
the password or API token logged by the container.
+
+## Google Cloud
+
+One-time setup:
+
+1. IAM setup, based on
+ https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to:
+
+ a. Create GCP service account:
+
+ $ gcloud iam service-accounts create influx \
+ --description="Runs golang.org/x/build/influx"
+
+ c. Allow Kubernetes service account (created by deployment-prod.yaml) to
+ impersonate the GCP service account:
+
+ $ gcloud iam service-accounts add-iam-policy-binding \
+ influx@<PROJECT>.iam.gserviceaccount.com \
+ --role roles/iam.workloadIdentityUser \
+ --member "serviceAccount:<PROJECT>.svc.id.goog[prod/influx]"
+
+2. Secret Manager set up:
+
+ a. Create the secrets to store InfluxDB passwords/tokens in:
+
+ $ gcloud secrets create influx-admin-pass
+ $ gcloud secrets create influx-admin-token
+ $ gcloud secrets create influx-reader-pass
+ $ gcloud secrets create influx-reader-token
+
+ b. Grant access to the GCP service account to update the secrets.
+
+ $ gcloud secrets add-iam-policy-binding influx-admin-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
+ $ gcloud secrets add-iam-policy-binding influx-admin-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
+ $ gcloud secrets add-iam-policy-binding influx-reader-pass --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
+ $ gcloud secrets add-iam-policy-binding influx-reader-token --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com --role="roles/secretmanager.secretVersionAdder"
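Review bot: the step lettering under item 1 jumps from "a. Create GCP service account" to "c. Allow Kubernetes service account", so either a step was dropped or "c." should read "b."; if the missing step was granting the GCP service account its project-level roles, it should be restored, because the four secretmanager bindings in 2b are the only grants this README shows. On 2b, note that roles/secretmanager.secretVersionAdder lets the service account write new versions but not read them back, which is the right least-privilege choice if influx only publishes generated credentials; if it also needs to read them on restart it would need roles/secretmanager.secretVersionAccessor, so please confirm which it is. Minor: the four one-line commands in 2b would be easier to copy if wrapped with backslashes as in step 1, e.g.
    $ gcloud secrets add-iam-policy-binding influx-admin-pass \
        --member=serviceAccount:influx@<PROJECT>.iam.gserviceaccount.com \
        --role="roles/secretmanager.secretVersionAdder"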
diff --git a/influx/deployment-prod.yaml b/influx/deployment-prod.yaml
index ef4eec7..e17b66f 100644
--- a/influx/deployment-prod.yaml
+++ b/influx/deployment-prod.yaml
@@ -8,6 +8,12 @@
selector:
matchLabels:
app: influx
+ strategy:
+ # Kill old pod, then start new one.
+ #
+ # We must do this otherwise we can't transfer persistent volume (it
+ # won't be available until the old pod dies).
+ type: Recreate
template:
metadata:
labels:
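Review bot: the strategy comment should say what Recreate costs and name the actual constraint. Recreate kills the old pod before the new one is scheduled, so influx is down for the whole rollout; and "we can't transfer persistent volume" is really "the volume can only be mounted by one pod at a time" (presumably a ReadWriteOnce PVC, not visible here). Suggest something like "Recreate: the PVC can only be bound to one pod at a time, so the old pod must exit before the new one can mount it; expect downtime during rollouts."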
@@ -36,6 +42,14 @@
memory: "8Gi"
---
apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prod
+ name: influx
+ annotations:
+ iam.gke.io/gcp-service-account: inf...@symbolic-datum-552.iam.gserviceaccount.com
+---
+apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: prod
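Review bot: creating the ServiceAccount is only half of the Workload Identity wiring; the Deployment's pod template also has to set serviceAccountName: influx, and that line is not in this diff (the first hunk touches only strategy). Please confirm it is already present, otherwise the pod runs as the namespace default service account and the iam.gke.io/gcp-service-account annotation has no effect. Also, the annotation hardcodes the project while the README uses <PROJECT>; a one-line comment here pointing at README step 1c, and noting that namespace/name must stay prod/influx to match the workloadIdentityUser member "[prod/influx]", would save the next person a confusing auth failure.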
@@ -62,5 +76,5 @@
targetPort: 443
name: https
selector:
- app: influx-data
+ app: influx
type: NodePort
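Review bot: the new selector now matches the Deployment's matchLabels app: influx from the first hunk, which is what the pod template labels must carry, so the old selector app: influx-data could not have selected any pods from that Deployment and the Service had no endpoints. Worth adding a post-deploy check such as "kubectl -n prod get endpoints" to the README so a selector/label drift like this is caught immediately. Minor: the commit message says the app label was fixed to match the selector, but this hunk changes the selector to match the label.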