  1. Percona Monitoring and Management
  2. PMM-7421

Add support for using SSL certificates between pmm-admin and monitored MySQL databases



    • Sprint: 08 - Core, 07 - Core
    • Platform Team: C/S Core


      User story:

      • As a DBA, I need to be able to connect my MySQL service to PMM while specifying TLS options, so that PMM can connect and collect metrics.

      >pmm-admin add mysql --ssl-ca=....

      Acceptance criteria

      1. The user is able to specify the --ssl-ca flag and its parameters.
      2. The user is able to specify the --ssl-cert flag and its parameters.
      3. The user is able to specify the --ssl-key flag and its parameters.
      4. PMM adds the service to monitoring and collects metrics and queries.

      Out of scope:

      • Adding TLS parameters for Remote instances
      • Making TLS flags consistent across all technologies. We'll do this later, but we need to arrive at the same UI.


      Suggested implementation:

      • Add the new fields required for the certificates to the add-MySQL API in pmm-managed.
      • Add new fields to the Agents table in the DB.
      • Add the new flags (mentioned above) to the add mysql CLI command in pmm-admin.
      • pmm-admin should read the body of each certificate and send it to pmm-managed.
      • pmm-managed should generate my.cnf from the provided certificates.
      • Reload and use this config for all connections by calling mysql.RegisterTLSConfig.
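
      An added example (not PMM code) of the last steps above: turning the PEM bodies that pmm-admin would send into a tls.Config suitable for mysql.RegisterTLSConfig. BuildClientTLS, SamplePEMs, the "custom" config name and the use of go-sql-driver/mysql are assumptions; the certificate is generated on the fly as constructed input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BuildClientTLS (hypothetical name) maps the --ssl-ca/--ssl-cert/--ssl-key PEM bodies to a tls.Config.
func BuildClientTLS(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("ssl-ca: no PEM certificate found")
		}
		cfg.RootCAs = pool // trust only this CA instead of the system store
	}
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a missing half or a mismatched key
		if err != nil {
			return nil, fmt.Errorf("ssl-cert/ssl-key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// SamplePEMs builds constructed input: one self-signed certificate (used as CA and client cert) and its key.
func SamplePEMs() (ca, cert, key []byte) {
	pub, priv, kerr := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, cerr := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	pkcs8, perr := x509.MarshalPKCS8PrivateKey(priv)
	if kerr != nil || cerr != nil || perr != nil {
		panic("could not generate sample key material")
	}
	ca = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return ca, ca, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
}

func main() {
	cfg, err := BuildClientTLS(SamplePEMs())
	fmt.Println(cfg != nil, err) // next step (assumed driver): mysql.RegisterTLSConfig("custom", cfg), DSN "...?tls=custom"
}
```

      Validating the PEM bodies before registering the config means a truncated file or a key that belongs to a different certificate is reported when the service is added, not as an opaque handshake failure on the first scrape.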


      How to test:
      See how to test here please: https://jira.percona.com/browse/PMM-7847 


      --ssl-ca: The path name of the Certificate Authority (CA) certificate file. This option, if used, must specify the same certificate used by the server. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)

      --ssl-cert: The path name of the client public key certificate file.

      --ssl-key: The path name of the client private key file.

      There is no way to tell pmm-admin to use a particular set of SSL certificates for connecting to the DB. We do have --tls and --tls-skip-verify, but we can't use custom certificates for client connections with these arguments only.

      Additionally, as far as I know, pmm-admin will not try to parse the available configuration files (for options other than user/pass and basic DSN) or try to use the SSL settings from the [client] section.

      For MySQL, for instance, you can find more information on this here:


      and here:


      There is no need to add all supported variables, but at least a basic subset that allows pmm-admin to use certificates with a DB.

      PMM v1 used to have something like this for the MongoDB exporter.

      Additionally, we should think of adding these to the "Add Remote Instance" menu within the web UI.


              jiri.ctvrtka Jiří Čtvrtka
              agustin.gallego Agustín Gallego