Type: New Feature
Affects Version/s: 2.13.0
Fix Version/s: 2.17.0
Sprint: 08 - Core, 07 - Core
Platform Team: C/S Core
- As a DBA I need to be able to connect my MySQL service to the PMM specifying TLS options so that PMM can connect and collect metrics
>pmm-admin add mysql --ssl-ca=....
- User is able to specify the --ssl-ca flag and its parameters
- User is able to specify the --ssl-cert flag and its parameters
- User is able to specify the --ssl-key flag and its parameters
- PMM added to monitoring and collecting metrics and queries
Out of scope:
- Adding TLS parameters for Remote instances
- Making TLS flags consistent across all technologies. We'll do this later, but we need to come to the same UI
- Update mysqld_exporter from upstream. Separate ticket here: https://jira.percona.com/browse/PMM-7572
- Add new fields required for certificate to add mysql DB API in pmm-managed.
- Add new fields in DB for Agents Table.
- Add new flags (mentioned above) to add mysql CLI commands in pmm-admin.
- PMM-admin should read body of certificate and send it to pmm-managed.
- PMM-managed should generate my.cnf from provided certificates.
- Reload, and use this config for all connections by calling mysql.RegisterTLSConfig
How to test:
1. Use the new flags in pmm-admin to add an instance (tls, tls-ca, tls-cert, tls-key). Use certificates from attachment. Bold ones are needed.
Example: ./bin/pmm-admin add mysql --username=fry --password=pass --tls --tls-ca=mysql/ca.pem --tls-cert=mysql/cert.pem --tls-key=mysql/key.pem --server-url=http://admin:firstname.lastname@example.org --tls-skip-verify --query-source=perfschema mysqlssl
2. Go to PMM inventory and check that the agent is running and the tls: true property is present.
3. Check that you are getting data in instance summary and query analytics.
--ssl-ca: The path name of the Certificate Authority (CA) certificate file. This option, if used, must specify the same certificate used by the server. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)
--ssl-cert: The path name of the client public key certificate file.
--ssl-key: The path name of the client private key file.
There is no way to tell pmm-admin to use a particular set of SSL certificates for connecting to the DB. We do have --tls and --tls-skip-verify, but we can't use custom certificates for client connections with these arguments only.
Additionally, as far as I know, pmm-admin will not try to parse the available configuration files (for options other than user/pass and basic DSN) and try to use the SSL settings from the [client] section.
For MySQL, for instance, you can find more information on this here:
There is no need to add all supported variables, but at least a basic subset that allows pmm-admin to use certificates with a DB.
PMM v1 used to have something like this for the MongoDB exporter.
Additionally, we should think of adding these to the "Add Remote Instance" menu within the web UI.