diff --git a/pmm_qa/mysql/mysql-setup.yml b/pmm_qa/mysql/mysql-setup.yml
index fc1c5a35..40a9220d 100644
--- a/pmm_qa/mysql/mysql-setup.yml
+++ b/pmm_qa/mysql/mysql-setup.yml
@@ -25,6 +25,7 @@
 random_service_name_value: ""
 my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}"
 container_prefix: "mysql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ mysql_version }}_"
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 tasks:
 - name: Modify the node count for group replication
diff --git a/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml b/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml
index ae6f9321..e05d2cc3 100644
--- a/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml
+++ b/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml
@@ -23,6 +23,7 @@
 docker_repo: "percona/percona-distribution-postgresql"
 container_prefix: "pdpgsql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ pdpgsql_version }}_"
 pgsm_branch: "{{ lookup('env', 'PGSM_BRANCH') }}"
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 tasks:
 - name: Display setup type selected
diff --git a/pmm_qa/percona_server_for_mysql/percona-server-setup.yml b/pmm_qa/percona_server_for_mysql/percona-server-setup.yml
index eb0f7348..defe0ee6 100644
--- a/pmm_qa/percona_server_for_mysql/percona-server-setup.yml
+++ b/pmm_qa/percona_server_for_mysql/percona-server-setup.yml
@@ -25,6 +25,7 @@
 random_service_name_value: ""
 my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}"
 container_prefix: "ps_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ ps_version }}_"
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 tasks:
 - name: Modify the node count for group replication
diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py
index 083e280e..2361108f 100755
--- a/pmm_qa/pmm-framework.py
+++ b/pmm_qa/pmm-framework.py
@@ -76,6 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None):
 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config),
 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
 'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config),
+ 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
 }
 run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args)
@@ -113,7 +114,8 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None):
 'QUERY_SOURCE': get_value('QUERY_SOURCE', db_type, args, db_config),
 'MS_TARBALL': get_value('TARBALL', db_type, args, db_config),
 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
- 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3'
+ 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
+ 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
 }
 run_ansible_playbook('mysql/mysql-setup.yml', env_vars, args)
@@ -174,7 +176,8 @@ def setup_pdpgsql(db_type, db_version=None, db_config=None, args=None):
 'DISTRIBUTION': '',
 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
 'SETUP_TYPE': setup_type_value,
- 'PGSM_BRANCH': pgsm_branch
+ 'PGSM_BRANCH': pgsm_branch,
+ 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
 }
 # Ansible playbook filename
@@ -237,7 +240,8 @@ def setup_pgsql(db_type, db_version=None, db_config=None, args=None):
 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
 'PGSQL_PGSS_PORT': 5448,
 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
- 'SETUP_TYPE': setup_type_value
+ 'SETUP_TYPE': setup_type_value,
+ 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
 }
 # Ansible playbook filename
@@ -764,7 +768,8 @@ def setup_valkey(db_type, db_version=None, db_config=None, args=None):
 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config),
 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3',
- 'SETUP_TYPE': setup_type_value
+ 'SETUP_TYPE': setup_type_value,
+ 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config),
 }
 # Choose playbook based on SETUP_TYPE (cluster is default; sentinel only when explicitly requested)
diff --git a/pmm_qa/postgresql/postgresql-setup.yml b/pmm_qa/postgresql/postgresql-setup.yml
index aa9277ef..ef28180d 100644
--- a/pmm_qa/postgresql/postgresql-setup.yml
+++ b/pmm_qa/postgresql/postgresql-setup.yml
@@ -20,6 +20,7 @@
 metrics_mode: "auto"
 setup_type: "{{ lookup('env', 'SETUP_TYPE') }}"
 random_service_name_value: ""
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 tasks:
 - name: Create Docker network
diff --git a/pmm_qa/scripts/database_options.py b/pmm_qa/scripts/database_options.py
index c84436be..154ad652 100644
--- a/pmm_qa/scripts/database_options.py
+++ b/pmm_qa/scripts/database_options.py
@@ -25,12 +25,12 @@
 "MYSQL": {
 "versions": ["5.7", "8.0", "8.4"],
 "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest",
- "TARBALL": ""}
+ "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
 },
 "PS": {
 "versions": ["5.7", "8.4", "8.0"],
 "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest",
- "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false"}
+ "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false", "ENCRYPTED_CLIENT_CONFIG": "false"}
 },
 "SSL_MYSQL": {
 "versions": ["5.7", "8.4", "8.0"],
@@ -40,11 +40,12 @@
 "PGSQL": {
 "versions": ["11", "12", "13", "14", "15", "16", "18", "17"],
 "configurations": {"QUERY_SOURCE": "pgstatements", "CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "",
- "SETUP_TYPE": ""}
+ "SETUP_TYPE": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
 },
 "PDPGSQL": {
 "versions": ["11", "12", "13", "14", "15", "16", "18", "17"],
- "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": ""}
+ "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": "",
+ "ENCRYPTED_CLIENT_CONFIG": "false"}
 },
 "SSL_PDPGSQL": {
 "versions": ["11", "12", "13", "14", "15", "16", "17"],
@@ -79,6 +80,6 @@
 },
 "VALKEY": {
 "versions": ["7", "8"],
- "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": ""}
+ "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"}
 }
 }
diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml
index 34af7b3a..67784521 100644
--- a/pmm_qa/tasks/install_pmm_client.yml
+++ b/pmm_qa/tasks/install_pmm_client.yml
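Review bot: `ENCRYPTED_CLIENT_CONFIG` is added to the MYSQL, PS, PGSQL, PDPGSQL and VALKEY configurations but not to `SSL_MYSQL` or `SSL_PDPGSQL`, whose entries are visible in the context lines of the first two hunks. Whether those setups also go through `tasks/install_pmm_client.yml` is not visible here, but if they do, the encrypted-config path can never be exercised against a TLS-enabled database, and `get_value` presumably returns nothing for them. If the omission is intended, a comment such as `# ENCRYPTED_CLIENT_CONFIG is only wired for the non-SSL setups` above the first hunk's `"MYSQL"` entry would stop it being read as an oversight.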
@@ -147,7 +147,12 @@ when: - client_version | regex_search('^https?://.*\\.tar\\.gz$') is not none -- name: Connect pmm client to pmm server using metrics mode +- name: Generate keys for encrypted client config + shell: | + docker exec --user root {{ container_name }} openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes256 -pass pass:testpass -out "/usr/local/percona/pmm/config/pmm-key.pem" + when: encrypted_client_config | default(false) | bool + +- name: Connect pmm client to pmm server using metrics mode without encrypted client config shell: | docker exec --user root {{ container_name }} \ pmm-agent setup \ 
@@ -158,28 +163,74 @@
 --server-username=admin \
 --server-password={{ admin_password }} \
 {{ container_name }}
- when: metrics_mode | length > 0
+ when:
+ - metrics_mode | length > 0
+ - not (encrypted_client_config | default(false) | bool)
+
+- name: Connect pmm client to pmm server using default metrics mode without encrypted client config
+ shell: |
+ docker exec --user root {{ container_name }} \
+ pmm-agent setup \
+ --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
+ --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+ --server-insecure-tls \
+ --server-username=admin \
+ --server-password={{ admin_password }} \
+ {{ container_name }}
+ when:
+ - metrics_mode | length == 0
+ - not (encrypted_client_config | default(false) | bool)
+
+- name: Connect pmm client to pmm server using default metrics mode with encrypted client config
+ shell: |
+ docker exec --user root {{ container_name }} \
+ pmm-agent setup \
+ --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
+ --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+ --custom-labels="role=pmm-client, encrypted=true, password=true" \
+ --server-insecure-tls \
+ --server-username=admin \
+ --server-password={{ admin_password }} \
+ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \
+ --config-file-key-password="testpass" \
+ {{ container_name }}
+ when:
+ - metrics_mode | length == 0
+ - encrypted_client_config | default(false) | bool
-- name: Connect pmm client to pmm server using default metrics mode
+- name: Connect pmm client to pmm server using metrics mode with encrypted client config
 shell: |
 docker exec --user root {{ container_name }} \
 pmm-agent setup \
 --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \
 --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \
+ --custom-labels="role=pmm-client, encrypted=true, password=true" \
 --server-insecure-tls \
+ --metrics-mode={{ metrics_mode }} \
 --server-username=admin \
 --server-password={{ admin_password }} \
+ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \
+ --config-file-key-password="testpass" \
 {{ container_name }}
- when: metrics_mode | length == 0
+ when:
+ - metrics_mode | length > 0
+ - encrypted_client_config | default(false) | bool
 - name: Wait 5 seconds for connection to complete
 pause:
 seconds: 5
-- name: Start pmm client
+- name: Start pmm client without encrypted client config
 shell: |
 docker exec --user root {{ container_name }} \
 sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml > /var/log/pmm-agent.log 2>&1 &'
+ when: not (encrypted_client_config | default(false) | bool)
+
+- name: Start pmm client with encrypted client config
+ shell: |
+ docker exec --user root {{ container_name }} \
+ sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" --config-file-key-password="testpass" > /var/log/pmm-agent.log 2>&1 &'
+ when: encrypted_client_config | default(false) | bool
 - name: Wait 5 seconds for start to complete
 pause:
diff --git a/pmm_qa/valkey/valkey-cluster.yml b/pmm_qa/valkey/valkey-cluster.yml
index aaa3d065..646807da 100644
--- a/pmm_qa/valkey/valkey-cluster.yml
+++ b/pmm_qa/valkey/valkey-cluster.yml
@@ -19,6 +19,7 @@
 valkey_primary_prefix: "valkey-primary-"
 valkey_replica_prefix: "valkey-replica-"
 pmm_server_name: "pmm-server"
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 tasks:
 - name: Set Random Number Fact
diff --git a/pmm_qa/valkey/valkey-sentinel.yml b/pmm_qa/valkey/valkey-sentinel.yml
index fe838d8e..4aa22411 100644
--- a/pmm_qa/valkey/valkey-sentinel.yml
+++ b/pmm_qa/valkey/valkey-sentinel.yml
@@ -19,7 +19,7 @@
 sentinel_count: 3
 sentinel_start_port: 26379
 sentinel_quorum: 2
-
+ encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}"
 pmm_server_name: "pmm-server"
 tasks:
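Review bot: Each of the four `pmm-agent setup` tasks and the `Start pmm client with encrypted client config` task pass `{{ admin_password }}` and the key passphrase `testpass` as command-line arguments of a `shell:` task, so both land in Ansible's task result (verbose runs and failure output echo the full command) and are visible in the container's process list while `docker exec` runs. The admin password was already handled this way before this commit, but the change doubles the number of tasks doing it; add `no_log: true` under each of these tasks, next to its `when:`, and keep the one-line comment `# testpass is a throwaway QA passphrase; the key is regenerated per container` above the first task that uses it. The four setup tasks otherwise differ only in `--metrics-mode`, `--custom-labels` and the two `--config-file-key-*` flags, so a single task that builds those flags with Jinja conditionals (for example `{{ ('--metrics-mode=' ~ metrics_mode) if metrics_mode | length > 0 else '' }}`) would keep the copies from drifting, as the `--custom-labels` line already appears only in the encrypted variants. The task list these items belong to begins before this hunk.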