PMM-14643: Add support for encrypted PMM Client config (#196)

peterSirotnak · web-flow · commit f00b2a87e835 · 2026-03-16T15:36:41.000+01:00
* PMM-14643: Skeleton of encrypted pmm client config

* PMM-14643: Fix argument formatting in setup_ps function and add debug print statement

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file

* PMM-14643: Skeleton for encrypted pmm client config file
diff --git a/pmm_qa/mysql/mysql-setup.yml b/pmm_qa/mysql/mysql-setup.yml
@@ -25,6 +25,7 @@
     random_service_name_value: ""
     my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}"
     container_prefix: "mysql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ mysql_version }}_"
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 
   tasks:
     - name: Modify the node count for group replication
diff --git a/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml b/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml
@@ -23,6 +23,7 @@
     docker_repo: "percona/percona-distribution-postgresql"
     container_prefix: "pdpgsql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ pdpgsql_version }}_"
     pgsm_branch: "{{ lookup('env', 'PGSM_BRANCH') }}"
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 
   tasks:
     - name: Display setup type selected
diff --git a/pmm_qa/percona_server_for_mysql/percona-server-setup.yml b/pmm_qa/percona_server_for_mysql/percona-server-setup.yml
@@ -25,6 +25,7 @@
     random_service_name_value: ""
     my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}"
     container_prefix: "ps_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ ps_version }}_"
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" 
 
   tasks:
     - name: Modify the node count for group replication
diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py
@@ -76,6 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None):
         'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config),
         'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
         'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config),
+        'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
     }
 
     run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args)
@@ -113,7 +114,8 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None):
         'QUERY_SOURCE': get_value('QUERY_SOURCE', db_type, args, db_config),
         'MS_TARBALL': get_value('TARBALL', db_type, args, db_config),
         'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
-        'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3'
+        'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
+        'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
     }
 
     run_ansible_playbook('mysql/mysql-setup.yml', env_vars, args)
@@ -174,7 +176,8 @@ def setup_pdpgsql(db_type, db_version=None, db_config=None, args=None):
         'DISTRIBUTION': '',
         'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
         'SETUP_TYPE': setup_type_value,
-        'PGSM_BRANCH': pgsm_branch
+        'PGSM_BRANCH': pgsm_branch,
+        'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
     }
 
     # Ansible playbook filename
@@ -237,7 +240,8 @@ def setup_pgsql(db_type, db_version=None, db_config=None, args=None):
             'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
             'PGSQL_PGSS_PORT': 5448,
             'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
-            'SETUP_TYPE': setup_type_value
+            'SETUP_TYPE': setup_type_value,
+            'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
         }
 
         # Ansible playbook filename
@@ -764,7 +768,8 @@ def setup_valkey(db_type, db_version=None, db_config=None, args=None):
         'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config),
         'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
         'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
-        'SETUP_TYPE': setup_type_value
+        'SETUP_TYPE': setup_type_value,
+        'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
     }
 
     # Choose playbook based on SETUP_TYPE (cluster is default; sentinel only when explicitly requested)
diff --git a/pmm_qa/postgresql/postgresql-setup.yml b/pmm_qa/postgresql/postgresql-setup.yml
@@ -20,6 +20,7 @@
     metrics_mode: "auto"
     setup_type: "{{ lookup('env', 'SETUP_TYPE') }}"
     random_service_name_value: ""
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 
   tasks:
     - name: Create Docker network
diff --git a/pmm_qa/scripts/database_options.py b/pmm_qa/scripts/database_options.py
@@ -25,12 +25,12 @@
     "MYSQL": {
         "versions": ["5.7", "8.0", "8.4"],
         "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest",
-                           "TARBALL": ""}
+                           "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
     },
     "PS": {
         "versions": ["5.7", "8.4", "8.0"],
         "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest",
-                           "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false"}
+                           "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false", "ENCRYPTED_CLIENT_CONFIG": "false"}
     },
     "SSL_MYSQL": {
         "versions": ["5.7", "8.4", "8.0"],
@@ -40,11 +40,12 @@
     "PGSQL": {
         "versions": ["11", "12", "13", "14", "15", "16", "18", "17"],
         "configurations": {"QUERY_SOURCE": "pgstatements", "CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "",
-                           "SETUP_TYPE": ""}
+                           "SETUP_TYPE": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
     },
     "PDPGSQL": {
         "versions": ["11", "12", "13", "14", "15", "16", "18", "17"],
-        "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": ""}
+        "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": "",
+                           "ENCRYPTED_CLIENT_CONFIG": "false"}
     },
     "SSL_PDPGSQL": {
         "versions": ["11", "12", "13", "14", "15", "16", "17"],
@@ -79,6 +80,6 @@
     },
     "VALKEY": {
         "versions": ["7", "8"],
-        "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": ""}
+        "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
     }
 }
diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml
@@ -147,7 +147,12 @@
   when:
     - client_version | regex_search('^https?://.*\\.tar\\.gz$') is not none
 
-- name: Connect pmm client to pmm server using metrics mode
+- name: Generate keys for encrypted client config
+  shell: |
+    docker exec --user root {{ container_name }} openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes256 -pass pass:testpass -out "/usr/local/percona/pmm/config/pmm-key.pem"
+  when: encrypted_client_config | default(false) | bool
+
+- name: Connect pmm client to pmm server using metrics mode without encrypted client config
   shell: |
     docker exec --user root {{ container_name }} \
       pmm-agent setup \
@@ -158,28 +163,74 @@
         --server-username=admin \
         --server-password={{ admin_password }} \
         {{ container_name }}
-  when: metrics_mode | length > 0
+  when:
+    - metrics_mode | length > 0
+    - not (encrypted_client_config | default(false) | bool)
+
+- name: Connect pmm client to pmm server using default metrics mode without encrypted client config
+  shell: |
+    docker exec --user root {{ container_name }} \
+      pmm-agent setup \
+        --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
+        --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+        --server-insecure-tls \
+        --server-username=admin \
+        --server-password={{ admin_password }} \
+        {{ container_name }}
+  when:
+    - metrics_mode | length == 0
+    - not (encrypted_client_config | default(false) | bool)
+
+- name: Connect pmm client to pmm server using default metrics mode with encrypted client config
+  shell: |
+    docker exec --user root {{ container_name }} \
+      pmm-agent setup \
+        --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
+        --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+        --custom-labels="role=pmm-client, encrypted=true, password=true" \
+        --server-insecure-tls \
+        --server-username=admin \
+        --server-password={{ admin_password }} \
+        --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \
+        --config-file-key-password="testpass" \
+        {{ container_name }}
+  when:
+    - metrics_mode | length == 0
+    - encrypted_client_config | default(false) | bool
 
-- name: Connect pmm client to pmm server using default metrics mode
+- name: Connect pmm client to pmm server using metrics mode with encrypted client config
   shell: |
     docker exec --user root {{ container_name }} \
       pmm-agent setup \
         --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
         --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+        --custom-labels="role=pmm-client, encrypted=true, password=true" \
         --server-insecure-tls \
+        --metrics-mode={{ metrics_mode }} \
         --server-username=admin \
         --server-password={{ admin_password }} \
+        --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \
+        --config-file-key-password="testpass" \
         {{ container_name }}
-  when: metrics_mode | length == 0
+  when:
+    - metrics_mode | length > 0
+    - encrypted_client_config | default(false) | bool
 
 - name: Wait 5 seconds for connection to complete
   pause:
     seconds: 5
 
-- name: Start pmm client
+- name: Start pmm client without encrypted client config
   shell: |
     docker exec --user root {{ container_name }} \
       sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml > /var/log/pmm-agent.log 2>&1 &'
+  when: not (encrypted_client_config | default(false) | bool)
+
+- name: Start pmm client with encrypted client config
+  shell: |
+    docker exec --user root {{ container_name }} \
+      sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" --config-file-key-password="testpass" > /var/log/pmm-agent.log 2>&1 &'
+  when: encrypted_client_config | default(false) | bool
 
 - name: Wait 5 seconds for start to complete
   pause:
diff --git a/pmm_qa/valkey/valkey-cluster.yml b/pmm_qa/valkey/valkey-cluster.yml
@@ -19,6 +19,7 @@
     valkey_primary_prefix: "valkey-primary-"
     valkey_replica_prefix: "valkey-replica-"
     pmm_server_name: "pmm-server"
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 
   tasks:
     - name: Set Random Number Fact
diff --git a/pmm_qa/valkey/valkey-sentinel.yml b/pmm_qa/valkey/valkey-sentinel.yml
@@ -19,7 +19,7 @@
     sentinel_count: 3
     sentinel_start_port: 26379
     sentinel_quorum: 2
-
+    encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
     pmm_server_name: "pmm-server"
 
   tasks:
