From e86a95b7b9efc25d97f7c4bd14157545e9afa556 Mon Sep 17 00:00:00 2001 From: Gary Fowler <97983559+garylfowler@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:45:01 -1000 Subject: [PATCH 1/6] Add Self-Signed Certificate docs (#6593) * Add Self-Signed Certificate docs Added TLS/certificate verification options and updated container name for InfluxDB Explorer. * Update content/influxdb3/explorer/install.md * Update content/influxdb3/explorer/install.md * Update content/influxdb3/explorer/install.md * style(explorer): improve TLS and self-signed certificate documentation - Fix heading format: use lowercase "and" per style guidelines - Fix use case wording: "an internal or private CA" - Convert plain Note to callout format - Fix Docker command syntax error (remove erroneous line) - Reorganize: move self-signed certificates section under TLS - Add structured step-by-step instructions for self-signed certs - Wrap self-signed certificate example in expand-wrapper - Use consistent long-form Docker options (--volume, --env, --publish) - Update TOC with new subsections - Add NODE_EXTRA_CA_CERTS and CA_CERT_PATH to environment variables table - Add /ca-certs volume to volume reference table Addresses PR review feedback. * Apply suggestions from code review Co-authored-by: Scott Anderson * Apply suggestions from code review * Apply suggestion from @jstirnaman * Apply suggestion from @jstirnaman * Apply suggestion from @jstirnaman --------- Co-authored-by: Jason Stirnaman Co-authored-by: Scott Anderson --- content/influxdb3/explorer/install.md | 109 +++++++++++++++++++++++++- 1 file changed, 107 insertions(+), 2 deletions(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 862844609..88de02dee 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md 
@@ -17,6 +17,8 @@ Use [Docker](https://docker.com) to install and run **InfluxDB 3 Explorer**. - [Persist data across restarts](#persist-data-across-restarts) - [Pre-configure InfluxDB connections](#pre-configure-influxdb-connections) - [Enable TLS/SSL (HTTPS)](#enable-tlsssl-https) + - [TLS and certificate verification options](#tls-and-certificate-verification-options) + - [Use self-signed certificates](#use-self-signed-certificates) - [Choose operational mode](#choose-operational-mode) - [Advanced configuration](#advanced-configuration) - [Environment variables](#environment-variables) 
@@ -347,6 +349,105 @@ To enable TLS/SSL for secure connections: > [!Note] > The nginx web server automatically detects and uses certificate files in the mounted path. +#### TLS and certificate verification options +#### TLS and certificate verification options + +Use the following environment variables to configure TLS and certificate verification: + +- `NODE_EXTRA_CA_CERTS` - Path to custom CA certificate file inside container (recommended). + + This option adds an intermediate or custom CA certificate to the Node.js trusted certificate store + and is required when InfluxDB uses certificates signed by an internal or private CA. + + - **Format**: PEM format certificate file + - **Example**: `-e NODE_EXTRA_CA_CERTS=/ca-certs/ca-bundle.crt` + + > [!Note] + > This is the native Node.js environment variable for custom CAs. + +- `CA_CERT_PATH` - Alternative to `NODE_EXTRA_CA_CERTS` (convenience alias) + - **Example**: `-e CA_CERT_PATH=/ca-certs/ca-bundle.crt` + + > [!Note] + > Use either `NODE_EXTRA_CA_CERTS` or `CA_CERT_PATH`; not both. `CA_CERT_PATH` aliases `NODE_EXTRA_CA_CERTS`. + +#### Use self-signed certificates + +To configure Explorer to trust self-signed or custom CA certificates when connecting to InfluxDB: + +1. **Create a directory for CA certificates:** + + ```bash + mkdir -p ./ca-certs + ``` + +2. **Copy your CA certificate to the directory:** + + ```bash + cp /path/to/your-ca.pem ./ca-certs/ + ``` + +3. 
**Mount the CA certificate directory and set the `NODE_EXTRA_CA_CERTS` environment variable:** + +{{< expand-wrapper >}} +{{% expand "View example Docker configuration for self-signed certificates" %}} + +{{< code-tabs-wrapper >}} +{{% code-tabs %}} +[Docker](#) +[Docker Compose](#) +{{% /code-tabs %}} + +{{% code-tab-content %}} +{{< code-callout "NODE_EXTRA_CA_CERTS" >}} +```bash +docker run --detach \ + --name influxdb3-explorer \ + --restart unless-stopped \ + --publish 8888:443 \ + --volume $(pwd)/db:/db:rw \ + --volume $(pwd)/config:/app-root/config:ro \ + --volume $(pwd)/ssl:/etc/nginx/ssl:ro \ + --volume $(pwd)/ca-certs:/ca-certs:ro \ + --env SESSION_SECRET_KEY=your-secure-secret-key-here \ + --env NODE_EXTRA_CA_CERTS=/ca-certs/your-ca.pem \ + influxdata/influxdb3-ui:{{% latest-patch %}} \ + --mode=admin +``` +{{< /code-callout >}} +{{% /code-tab-content %}} + +{{% code-tab-content %}} +{{< code-callout "NODE_EXTRA_CA_CERTS" >}} +```yaml +# docker-compose.yml +version: '3.8' + +services: + explorer: + image: influxdata/influxdb3-ui:{{% latest-patch %}} + container_name: influxdb3-explorer + pull_policy: always + command: ["--mode=admin"] + ports: + - "8888:443" + volumes: + - ./db:/db:rw + - ./config:/app-root/config:ro + - ./ssl:/etc/nginx/ssl:ro + - ./ca-certs:/ca-certs:ro + environment: + SESSION_SECRET_KEY: ${SESSION_SECRET_KEY:-your-secure-secret-key-here} + NODE_EXTRA_CA_CERTS: /ca-certs/your-ca.pem + restart: unless-stopped +``` +{{< /code-callout >}} +{{% /code-tab-content %}} +{{< /code-tabs-wrapper >}} + +{{% /expand %}} +{{< /expand-wrapper >}} + ### Choose operational mode {{% product-name %}} supports two operational modes: 
@@ -410,6 +511,8 @@ services: | `DATABASE_URL` | `/db/sqlite.db` | Path to SQLite database inside container | | `SSL_CERT_PATH` | `/etc/nginx/ssl/cert.pem` | Path to SSL certificate file | | `SSL_KEY_PATH` | `/etc/nginx/ssl/key.pem` | Path to SSL private key file | +| `NODE_EXTRA_CA_CERTS` | _(none)_ | Path to custom CA certificate file (PEM format) for trusting self-signed or internal CA certificates | +| `CA_CERT_PATH` | _(none)_ | Alias for `NODE_EXTRA_CA_CERTS` | > [!Important] > Always set `SESSION_SECRET_KEY` in production to persist user sessions across container restarts. @@ -426,6 +529,7 @@ services: | `/db` | SQLite database storage | 700 | No (but recommended) | | `/app-root/config` | Connection configuration | 755 | No | | `/etc/nginx/ssl` | TLS/SSL certificates | 755 | Only for HTTPS | +| `/ca-certs` | Custom CA certificates | 755 | Only for self-signed certificates | ### Port reference @@ -527,7 +631,7 @@ docker-compose up -d {{% code-tab-content %}} ```bash docker run --rm \ - --name influxdb3-explorer-dev \ + --name influxdb3-explorer \ --publish 8888:80 \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` @@ -541,9 +645,10 @@ version: '3.8' services: explorer: image: influxdata/influxdb3-ui:{{% latest-patch %}} - container_name: influxdb3-explorer-dev + container_name: influxdb3-explorer ports: - "8888:80" ``` {{% /code-tab-content %}} {{< /code-tabs-wrapper >}} + From c76304ca281c2e55bf138047539724f582b134db Mon Sep 17 00:00:00 2001 From: Gary Fowler <97983559+garylfowler@users.noreply.github.com> Date: Mon, 8 Dec 2025 13:02:45 -1000 Subject: [PATCH 2/6] Fix duplicate header in install.md (#6596) Removed duplicate section header for TLS and certificate verification options. --- content/influxdb3/explorer/install.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 88de02dee..09b972a19 100644 --- a/content/influxdb3/explorer/install.md 
+++ b/content/influxdb3/explorer/install.md @@ -349,7 +349,6 @@ To enable TLS/SSL for secure connections: > [!Note] > The nginx web server automatically detects and uses certificate files in the mounted path. -#### TLS and certificate verification options #### TLS and certificate verification options Use the following environment variables to configure TLS and certificate verification: From f5790a3ddb5a421cb1f4316c6bc11231f24e1abb Mon Sep 17 00:00:00 2001 From: Dustin Eaton Date: Tue, 9 Dec 2025 10:10:45 -0600 Subject: [PATCH 3/6] Release influxctl v2.12.0 --- data/products.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/products.yml b/data/products.yml index cca24aa82..1fdb646ee 100644 --- a/data/products.yml +++ b/data/products.yml @@ -115,7 +115,7 @@ influxdb3_cloud_dedicated: list_order: 3 latest: cloud-dedicated link: "https://www.influxdata.com/contact-sales-cloud-dedicated/" - latest_cli: 2.11.0 + latest_cli: 2.12.0 placeholder_host: cluster-id.a.influxdb.io detector_config: query_languages: From d690edb645370098e451c67ee32c1fdeff05223c Mon Sep 17 00:00:00 2001 From: Dustin Eaton Date: Tue, 9 Dec 2025 10:35:11 -0600 Subject: [PATCH 4/6] chore(influxctl): add influxctl 2.12.0 release notes --- content/shared/influxctl/release-notes.md | 68 +++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/content/shared/influxctl/release-notes.md b/content/shared/influxctl/release-notes.md index 522d7ca05..be098edf6 100644 --- a/content/shared/influxctl/release-notes.md +++ b/content/shared/influxctl/release-notes.md 
@@ -1,3 +1,71 @@ +## 2.12.0 {date="2025-12-09"} + +### Features + +- Add 'influxdata-archive-keyring' as a suggested package to simplify future repository key rotations for the end user +- Add a new `--perf-debug` flag to the `query` command that outputs performance statistics and gRPC response trailers instead of query results + +Example Output for `--perf-debug`: + +``` +$ ./influxctl query --perf-debug --format table --token REDACTED --database testdb --language influxql "SELECT SUM(i), non_negative_difference(SUM(i)) as diff_i FROM data WHERE time > '2025-11-07T01:20:00Z' AND time < '2025-11-07T03:00:00Z' AND runid = '540cd752bb6411f0a23e30894adea878' GROUP BY time(5m)" ++--------------------------+----------+ +| Metric | Value | ++--------------------------+----------+ +| Client Duration | 1.222 s | +| Output Rows | 20 | +| Output Size | 647 B | ++--------------------------+----------+ +| Compute Duration | 37.2 ms | +| Execution Duration | 243.8 ms | +| Ingester Latency Data | 0 | +| Ingester Latency Plan | 0 | +| Ingester Partition Count | 0 | +| Ingester Response | 0 B | +| Ingester Response Rows | 0 | +| Max Memory | 70 KiB | +| Parquet Files | 1 | +| Partitions | 1 | +| Planning Duration | 9.6 ms | +| Queue Duration | 286.6 µs | ++--------------------------+----------+ + +$ ./influxctl query --perf-debug --format json --token REDACTED --database testdb --language influxql "SELECT SUM(i), non_negative_difference(SUM(i)) as diff_i FROM data WHERE time > '2025-11-07T01:20:00Z' AND time < '2025-11-07T03:00:00Z' AND runid = '540cd752bb6411f0a23e30894adea878' GROUP BY time(5m)" +{ + "client_duration_secs": 1.101, + "compute_duration_secs": 0.037, + "execution_duration_secs": 0.247, + "ingester_latency_data": 0, + "ingester_latency_plan": 0, + "ingester_partition_count": 0, + "ingester_response_bytes": 0, + "ingester_response_rows": 0, + "max_memory_bytes": 71744, + "output_bytes": 647, + "output_rows": 20, + "parquet_files": 1, + "partitions": 1, + 
"planning_duration_secs": 0.009, + "queue_duration_secs": 0 +} +``` +``` + +### Dependency updates + +- Upgrade Go to 1.25.5. +- Update `github.com/containerd/containerd` from 1.7.27 to 1.7.29 +- Update `github.com/go-git/go-git/v5` from 5.16.3 to 5.16.4 +- Update `github.com/jedib0t/go-pretty/v6` from 6.6.8 to 6.7.5 +- Update `github.com/ovechkin-dm/mockio/v2` from 2.0.3 to 2.0.4 +- Update `go.uber.org/zap` from 1.27.0 to 1.27.1 +- Update `golang.org/x/crypto` from 0.43.0 to 0.45.0 +- Update `golang.org/x/mod` from 0.29.0 to 0.30.0 +- Update `golang.org/x/oauth2` from 0.32.0 to 0.33.0 +- Update `google.golang.org/grpc` from 1.76.0 to 1.77.0 + +--- + ## 2.11.0 {date="2025-10-17"} ### Features From 44ad61d6519efacc9a94b33259f7e2182c8d2b56 Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Tue, 9 Dec 2025 10:41:03 -0600 Subject: [PATCH 5/6] Update content/shared/influxctl/release-notes.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- content/shared/influxctl/release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/shared/influxctl/release-notes.md b/content/shared/influxctl/release-notes.md index be098edf6..639179b1e 100644 --- a/content/shared/influxctl/release-notes.md +++ b/content/shared/influxctl/release-notes.md @@ -53,7 +53,7 @@ $ ./influxctl query --perf-debug --format json --token REDACTED --database testd ### Dependency updates -- Upgrade Go to 1.25.5. +- Update Go to 1.25.5. - Update `github.com/containerd/containerd` from 1.7.27 to 1.7.29 - Update `github.com/go-git/go-git/v5` from 5.16.3 to 5.16.4 - Update `github.com/jedib0t/go-pretty/v6` from 6.6.8 to 6.7.5 From ebbb0d47212ab53b646b70fbee7d748b091a00c4 Mon Sep 17 00:00:00 2001 
From: Jason Stirnaman Date: Wed, 10 Dec 2025 10:52:51 -0500 Subject: [PATCH 6/6] chore(ci): update link-checker to v1.2.5 (#6602) Update link-checker to v1.2.5 which adds --root-dir support for lychee v0.22.0+. This fixes CI failures caused by lychee v0.22.0 (released Dec 5, 2025) requiring --root-dir to resolve root-relative links in local files. The link-checker now automatically sets --root-dir to the Hugo public/ directory when checking local HTML files. Fixes failures for PRs touching /telegraf/v1 and /influxdb3/explorer paths. --- .github/workflows/pr-link-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-link-check.yml b/.github/workflows/pr-link-check.yml index c884491db..7f33806e0 100644 --- a/.github/workflows/pr-link-check.yml +++ b/.github/workflows/pr-link-check.yml @@ -95,7 +95,7 @@ jobs: curl -L -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ -o link-checker-info.json \ - "https://api.github.com/repos/influxdata/docs-v2/releases/tags/link-checker-v1.2.4" + "https://api.github.com/repos/influxdata/docs-v2/releases/tags/link-checker-v1.2.5" # Extract download URL for linux binary DOWNLOAD_URL=$(jq -r '.assets[] | select(.name | test("link-checker.*linux")) | .url' link-checker-info.json)
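Review bot: In [PATCH 1/6], hunk `@@ -347,6 +349,105 @@`, the Docker Compose example sets `SESSION_SECRET_KEY: ${SESSION_SECRET_KEY:-your-secure-secret-key-here}`, so when the variable is unset the container starts with the documented placeholder as its session secret and nothing signals the omission. Suggest `${SESSION_SECRET_KEY:?SESSION_SECRET_KEY must be set}` so Compose refuses to start instead, and a value in the `docker run` variant that is visibly meant to be replaced. The same example mounts both `./ssl:/etc/nginx/ssl:ro` and `./ca-certs:/ca-certs:ro`; one sentence saying that the first holds the certificate Explorer serves over HTTPS and the second holds the CA that Explorer trusts when connecting to InfluxDB would keep readers from putting the CA file in the wrong directory.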
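Review bot: In [PATCH 1/6], hunk `@@ -426,6 +529,7 @@`, the new `/ca-certs` row says "Only for self-signed certificates", while the `NODE_EXTRA_CA_CERTS` row added in `@@ -410,6 +511,8 @@` and the new section text also cover internal or private CAs. Suggest "Only for self-signed or private CA certificates" so the volume table and the environment variable table agree.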
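Review bot: In [PATCH 1/6], hunks `@@ -527,7 +631,7 @@` and `@@ -541,9 +645,10 @@`, renaming the container from `influxdb3-explorer-dev` to `influxdb3-explorer` gives this plain-HTTP example (`--publish 8888:80`) the same container name and host port as the TLS example added earlier in the patch (`--name influxdb3-explorer`, `--publish 8888:443`, `--restart unless-stopped`). A reader who still has the TLS container running gets a name conflict from `docker run`; if the rename is intended, add a line telling the reader to stop and remove the existing container first. The second hunk also adds a blank line at the end of the file, which looks unintentional.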
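Review bot: In [PATCH 4/6], hunk `@@ -1,3 +1,71 @@`, the `--perf-debug` example is closed by two consecutive fence lines after the JSON output; the second one opens a new code block, so `### Dependency updates` and the list that follows render as code. Remove the extra fence line. The opening fence also has no language tag, and the table and JSON outputs would read more clearly as two separate blocks, each under its own command.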
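Review bot: In [PATCH 5/6], the changed line `- Update Go to 1.25.5.` still ends with a period while the entries after it in the list have none; drop the period so the list is uniform.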
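Review bot: In [PATCH 6/6], hunk `@@ -95,7 +95,7 @@`, the `curl` call that fetches the release metadata has no `--fail`, so an error response for the new `link-checker-v1.2.5` tag would still be written to `link-checker-info.json` and only surface later at the `jq` step. Suggest adding `--fail --silent --show-error`. The binary is then resolved from a release tag by matching the asset name; the visible lines show no checksum comparison, so if none follows the download, consider pinning the expected SHA-256 of the asset in the workflow and verifying it before the binary runs.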