From cbd243c842d2bc83279a9845fad8a19c1033e7ff Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:16:07 +0100 Subject: [PATCH 01/21] PMM-14643: Skeleton of encrypted pmm client config --- pmm_qa/percona_server_for_mysql/percona-server-setup.yml | 1 + pmm_qa/pmm-framework.py | 5 ++++- pmm_qa/tasks/install_pmm_client.yml | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/pmm_qa/percona_server_for_mysql/percona-server-setup.yml b/pmm_qa/percona_server_for_mysql/percona-server-setup.yml index eb0f7348..defe0ee6 100644 --- a/pmm_qa/percona_server_for_mysql/percona-server-setup.yml +++ b/pmm_qa/percona_server_for_mysql/percona-server-setup.yml @@ -25,6 +25,7 @@ random_service_name_value: "" my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}" container_prefix: "ps_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ ps_version }}_" + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" tasks: - name: Modify the node count for group replication diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 083e280e..b652a36f 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py @@ -76,6 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config), + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted - client - config } run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args) 
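Review bot: The new `'ENCRYPTED_CLIENT_CONFIG': args.encrypted - client - config` entry in setup_ps is parsed as a subtraction, not as an attribute lookup. Python evaluates `args.encrypted` and then the bare names `client` and `config`, so building `env_vars` should raise AttributeError or NameError before the playbook is started. argparse stores the `--encrypted-client-config` option added later in this patch under the dest `encrypted_client_config`, so the entry should read `'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config`. The setup_mysql hunk of this patch has the same expression written as `args.encrypted-client-config`, which parses identically. setup_ps starts and ends outside the hunk.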
@@ -113,7 +114,8 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None): 'QUERY_SOURCE': get_value('QUERY_SOURCE', db_type, args, db_config), 'MS_TARBALL': get_value('TARBALL', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', - 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3' + 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted-client-config } run_ansible_playbook('mysql/mysql-setup.yml', env_vars, args) @@ -859,6 +861,7 @@ def setup_bucket(db_type, db_version=None, db_config=None, args=None): parser.add_argument("--pmm-server-password", nargs='?', help='PMM Server password') parser.add_argument("--client-version", nargs='?', help='PMM Client version/tarball') parser.add_argument("--verbose", "--v", action='store_true', help='Display verbose information') + parser.add_argument("--encrypted-client-config", action='store_true', help='Encrypt client config') parser.add_argument("--verbosity-level", nargs='?', help='Display verbose information level') args = parser.parse_args() diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 34af7b3a..b2997c5d 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -147,6 +147,10 @@ when: - client_version | regex_search('^https?://.*\\.tar\\.gz$') is not none +- name: Debug encrypted_client_config value + debug: + msg: "encrypted_client_config is set to {{ encrypted_client_config }}" + - name: Connect pmm client to pmm server using metrics mode shell: | docker exec --user root {{ container_name }} \ From c2421a301acd7eb1f74d7665fbd4ee35be0ccda6 Mon Sep 17 00:00:00 2001 
From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:19:56 +0100 Subject: [PATCH 02/21] PMM-14643: Fix argument formatting in setup_ps function and add debug print statement --- pmm_qa/pmm-framework.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index b652a36f..46d4e5a0 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py @@ -62,7 +62,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): elif setup_type_value =="replication": setup_type = '' no_of_nodes = 2 - + printf(args) # Gather Version details ps_version = os.getenv('PS_VERSION') or db_version or database_configs[db_type]["versions"][-1] ps_version_int = int(ps_version.replace(".", "")) @@ -76,7 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config), - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted - client - config + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted-client-config } run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args) From f1f70ba644606adaa1cd04b5068742248bfffa6b Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:21:18 +0100 Subject: [PATCH 03/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 46d4e5a0..624a4fcc 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py 
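Review bot: `printf(args)` in setup_ps calls a name Python does not provide, so unless `printf` is defined elsewhere in pmm-framework.py (not visible in this hunk) the function raises NameError when it reaches this line. The second hunk of this patch only removes the spaces in `args.encrypted-client-config`, which is still a subtraction of three names; the attribute argparse exposes is `args.encrypted_client_config`. The body of setup_ps continues outside both hunks.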
@@ -62,7 +62,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): elif setup_type_value =="replication": setup_type = '' no_of_nodes = 2 - printf(args) + print(args) # Gather Version details ps_version = os.getenv('PS_VERSION') or db_version or database_configs[db_type]["versions"][-1] ps_version_int = int(ps_version.replace(".", "")) From cce67c459a9fb46a2c0e043124298ac65fb05e61 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:22:49 +0100 Subject: [PATCH 04/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 624a4fcc..3a230f11 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py @@ -76,7 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config), - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted-client-config + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config } run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args) @@ -115,7 +115,7 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None): 'MS_TARBALL': get_value('TARBALL', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted-client-config + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config } run_ansible_playbook('mysql/mysql-setup.yml', env_vars, args) From 575bca17a7c825c4921c0a02ddac7eb3b8f41e99 Mon Sep 17 00:00:00 2001 
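Review bot: `print(args)` in setup_ps writes the whole argparse namespace to stdout, and that namespace carries `pmm_server_password` (read elsewhere in setup_ps as `args.pmm_server_password`). This assumes the `args` passed in is the parsed namespace. Any run that supplies `--pmm-server-password` then leaves the PMM Server password in the console and in CI job logs. Limit the trace to the value being debugged, e.g. `print(f"encrypted_client_config={args.encrypted_client_config}")`, or drop it before the series is merged. setup_ps begins and ends outside the hunk.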
From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:26:19 +0100 Subject: [PATCH 05/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index b2997c5d..ed6eafad 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -151,6 +151,10 @@ debug: msg: "encrypted_client_config is set to {{ encrypted_client_config }}" +- name: Always fail + fail: + msg: "Intentional failure for testing" + - name: Connect pmm client to pmm server using metrics mode shell: | docker exec --user root {{ container_name }} \ From 9a11e5c5d83c4995ccf8e0d843bda361de540e25 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:31:57 +0100 Subject: [PATCH 06/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 66 ++++++++++++++++++++++++++--- 1 file changed, 61 insertions(+), 5 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index ed6eafad..06cec05c 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -151,11 +151,16 @@ debug: msg: "encrypted_client_config is set to {{ encrypted_client_config }}" +- name: Generate keys for encrypted client config + shell: | + docker exec --user root {{ container_name }} openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes256 -pass pass:testpass -out "/usr/local/percona/pmm/config/pmm-key.pem" + when: encrypted_client_config | default(false) | bool + - name: Always fail fail: msg: "Intentional failure for testing" -- name: Connect pmm client to pmm server using metrics mode +- name: Connect pmm client to pmm server using metrics mode within encrypted client config shell: | docker exec --user root {{ container_name }} \ pmm-agent setup \ 
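Review bot: The `Generate keys for encrypted client config` task passes the key passphrase as the literal `-pass pass:testpass`, so the value is fixed in the repository and sits on the command line of both `docker exec` and `openssl`, where a process listing or Ansible's verbose and failure output can show it. Take it from a variable and hide the task output, e.g. `-pass pass:{{ pmm_key_password | quote }}` plus `no_log: true` on the task (`pmm_key_password` is a placeholder name, not a variable this repository defines). openssl also accepts `-pass env:VAR` and `-pass file:PATH`, which keep the value out of openssl's own argument list. The hunk ends inside the following `pmm-agent setup` task, which is not reviewed here.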
@@ -166,9 +171,9 @@ --server-username=admin \ --server-password={{ admin_password }} \ {{ container_name }} - when: metrics_mode | length > 0 + when: metrics_mode | length > 0 and encrypted_client_config | default(false) | bool -- name: Connect pmm client to pmm server using default metrics mode +- name: Connect pmm client to pmm server using default metrics mode without encrypted client config shell: | docker exec --user root {{ container_name }} \ pmm-agent setup \ 
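Review bot: The first `pmm-agent setup` task is now gated on `encrypted_client_config` being true, but its command still has no `--config-file-key-file` or `--config-file-key-password` option. The task `Connect pmm client to pmm server using metrics mode with encrypted client config`, added later in this patch, carries the same condition. With a non-empty `metrics_mode` and encryption requested, setup therefore runs twice, and the first run presumably writes pmm-agent.yaml, including the server password, without encryption. Since the patch also adds a `... using metrics mode without encrypted client config` task, this first task looks left over and is better removed than re-gated. The task starts above this hunk.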
@@ -178,16 +183,67 @@ --server-username=admin \ --server-password={{ admin_password }} \ {{ container_name }} - when: metrics_mode | length == 0 + when: metrics_mode | length == 0 and not (encrypted_client_config | default(false) | bool) + +- name: Connect pmm client to pmm server using metrics mode without encrypted client config + shell: | + docker exec --user root {{ container_name }} \ + pmm-agent setup \ + --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ + --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ + --server-insecure-tls \ + --metrics-mode={{ metrics_mode }} \ + --server-username=admin \ + --server-password={{ admin_password }} \ + {{ container_name }} + when: metrics_mode | length > 0 and not (encrypted_client_config | default(false) | bool) + +- name: Connect pmm client to pmm server using default metrics mode with encrypted client config + shell: | + docker exec --user root {{ container_name }} \ + pmm-agent setup \ + --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ + --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ + --custom-labels="environment=prod, role=pmm-client, encrypted=true, password=true" \ + --server-insecure-tls \ + --server-username=admin \ + --server-password={{ admin_password }} \ + --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ + --config-file-key-password="testpass" + {{ container_name }} + when: metrics_mode | length == 0 and encrypted_client_config | default(false) | bool + +- name: Connect pmm client to pmm server using metrics mode with encrypted client config + shell: | + docker exec --user root {{ container_name }} \ + pmm-agent setup \ + --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ + --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ + --custom-labels="environment=prod, role=pmm-client, encrypted=true, password=true" \ + --server-insecure-tls \ + --metrics-mode={{ metrics_mode }} \ + --server-username=admin \ + --server-password={{ 
admin_password }} \ + --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ + --config-file-key-password="testpass" + {{ container_name }} + when: metrics_mode | length > 0 and encrypted_client_config | default(false) | bool - name: Wait 5 seconds for connection to complete pause: seconds: 5 -- name: Start pmm client +- name: Start pmm client without encrypted client config shell: | docker exec --user root {{ container_name }} \ sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml > /var/log/pmm-agent.log 2>&1 &' + when: not (encrypted_client_config | default(false) | bool) + +- name: Start pmm client with encrypted client config + shell: | + docker exec --user root {{ container_name }} \ + sh -c 'nohup pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" --config-file-key-password="testpass" > /var/log/pmm-agent.log 2>&1 &' + when: encrypted_client_config | default(false) | bool - name: Wait 5 seconds for start to complete pause: From cc9a9e10e4f872a43fc46cb765fd0d62bf2babd9 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:34:56 +0100 Subject: [PATCH 07/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 06cec05c..e403ba07 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml 
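Review bot: Both encrypted `pmm-agent setup` tasks and the `Start pmm client with encrypted client config` task hard-code `--config-file-key-password="testpass"`, which puts the passphrase in the repository and in task output; for the start task it also stays in the argument list of a process that keeps running in the container, next to the key file it protects. Read it from one variable shared with the key-generation task and set `no_log: true` on these tasks; if pmm-agent can take the passphrase from a file or the environment (not visible in this patch), prefer that over argv. In the two encrypted setup commands the line `--config-file-key-password="testpass"` has no trailing `\`, so the shell ends the `docker exec` command there and runs `{{ container_name }}` as a separate command; it should be `--config-file-key-password="testpass" \`. The new tasks also copy `--server-password={{ admin_password }}` unquoted into a shell string; `--server-password={{ admin_password | quote }}` keeps a password containing spaces or shell metacharacters from changing the command.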
@@ -156,10 +156,6 @@ docker exec --user root {{ container_name }} openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes256 -pass pass:testpass -out "/usr/local/percona/pmm/config/pmm-key.pem" when: encrypted_client_config | default(false) | bool -- name: Always fail - fail: - msg: "Intentional failure for testing" - - name: Connect pmm client to pmm server using metrics mode within encrypted client config shell: | docker exec --user root {{ container_name }} \ @@ -248,3 +244,7 @@ - name: Wait 5 seconds for start to complete pause: seconds: 5 + +- name: Always fail + fail: + msg: "Intentional failure for testing" \ No newline at end of file From 0ee38eb98c8164e341b905f0d4d932f47da4fc40 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:37:33 +0100 Subject: [PATCH 08/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index e403ba07..e69eb9ae 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -205,7 +205,7 @@ --server-username=admin \ --server-password={{ admin_password }} \ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ - --config-file-key-password="testpass" + --config-file-key-password="testpass" \ {{ container_name }} when: metrics_mode | length == 0 and encrypted_client_config | default(false) | bool @@ -221,7 +221,7 @@ --server-username=admin \ --server-password={{ admin_password }} \ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ - --config-file-key-password="testpass" + --config-file-key-password="testpass" \ {{ container_name }} when: metrics_mode | length > 0 and encrypted_client_config | default(false) | bool From 138288d2abc3282d3c69d0244513a3ff8f7a20d6 Mon Sep 17 00:00:00 2001 
From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:44:29 +0100 Subject: [PATCH 09/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index e69eb9ae..9e22bea7 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -244,7 +244,3 @@ - name: Wait 5 seconds for start to complete pause: seconds: 5 - -- name: Always fail - fail: - msg: "Intentional failure for testing" \ No newline at end of file From 4ad90074e0c85894117245ba5768b3ecaaae54a5 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:46:01 +0100 Subject: [PATCH 10/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 3a230f11..8e756137 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py @@ -176,7 +176,8 @@ def setup_pdpgsql(db_type, db_version=None, db_config=None, args=None): 'DISTRIBUTION': '', 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', 'SETUP_TYPE': setup_type_value, - 'PGSM_BRANCH': pgsm_branch + 'PGSM_BRANCH': pgsm_branch, + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config } # Ansible playbook filename @@ -766,7 +767,8 @@ def setup_valkey(db_type, db_version=None, db_config=None, args=None): 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', - 'SETUP_TYPE': setup_type_value + 'SETUP_TYPE': setup_type_value, + 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config } # Choose playbook based on SETUP_TYPE (cluster is default; sentinel only when explicitly requested) 
From 4fe9c2c4e8783ed16414647278fb77abdffd90ff Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 16:53:06 +0100 Subject: [PATCH 11/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 2 +- pmm_qa/tasks/install_pmm_client.yml | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 8e756137..ceb7137b 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py @@ -62,7 +62,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): elif setup_type_value =="replication": setup_type = '' no_of_nodes = 2 - print(args) + # Gather Version details ps_version = os.getenv('PS_VERSION') or db_version or database_configs[db_type]["versions"][-1] ps_version_int = int(ps_version.replace(".", "")) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 9e22bea7..44ff930c 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -147,16 +147,12 @@ when: - client_version | regex_search('^https?://.*\\.tar\\.gz$') is not none -- name: Debug encrypted_client_config value - debug: - msg: "encrypted_client_config is set to {{ encrypted_client_config }}" - - name: Generate keys for encrypted client config shell: | docker exec --user root {{ container_name }} openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes256 -pass pass:testpass -out "/usr/local/percona/pmm/config/pmm-key.pem" when: encrypted_client_config | default(false) | bool -- name: Connect pmm client to pmm server using metrics mode within encrypted client config +- name: Connect pmm client to pmm server using metrics mode without encrypted client config shell: | docker exec --user root {{ container_name }} \ pmm-agent setup \ 
@@ -167,7 +163,7 @@ --server-username=admin \ --server-password={{ admin_password }} \ {{ container_name }} - when: metrics_mode | length > 0 and encrypted_client_config | default(false) | bool + when: metrics_mode | length > 0 and not (encrypted_client_config | default(false) | bool) - name: Connect pmm client to pmm server using default metrics mode without encrypted client config shell: | From 6aa8768f51b401c15caaa860ba99bd07bd6ab331 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 17:35:57 +0100 Subject: [PATCH 12/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/mysql/mysql-setup.yml | 1 + pmm_qa/postgresql/postgresql-setup.yml | 1 + pmm_qa/valkey/valkey-cluster.yml | 1 + pmm_qa/valkey/valkey-sentinel.yml | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pmm_qa/mysql/mysql-setup.yml b/pmm_qa/mysql/mysql-setup.yml index fc1c5a35..40a9220d 100644 --- a/pmm_qa/mysql/mysql-setup.yml +++ b/pmm_qa/mysql/mysql-setup.yml @@ -25,6 +25,7 @@ random_service_name_value: "" my_rocks: "{{ lookup('env', 'MY_ROCKS') | default(false, true) }}" container_prefix: "mysql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ mysql_version }}_" + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" tasks: - name: Modify the node count for group replication diff --git a/pmm_qa/postgresql/postgresql-setup.yml b/pmm_qa/postgresql/postgresql-setup.yml index aa9277ef..ef28180d 100644 --- a/pmm_qa/postgresql/postgresql-setup.yml +++ b/pmm_qa/postgresql/postgresql-setup.yml @@ -20,6 +20,7 @@ metrics_mode: "auto" setup_type: "{{ lookup('env', 'SETUP_TYPE') }}" random_service_name_value: "" + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" tasks: - name: Create Docker network diff --git a/pmm_qa/valkey/valkey-cluster.yml b/pmm_qa/valkey/valkey-cluster.yml index aaa3d065..646807da 100644 
--- a/pmm_qa/valkey/valkey-cluster.yml +++ b/pmm_qa/valkey/valkey-cluster.yml @@ -19,6 +19,7 @@ valkey_primary_prefix: "valkey-primary-" valkey_replica_prefix: "valkey-replica-" pmm_server_name: "pmm-server" + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" tasks: - name: Set Random Number Fact diff --git a/pmm_qa/valkey/valkey-sentinel.yml b/pmm_qa/valkey/valkey-sentinel.yml index fe838d8e..4aa22411 100644 --- a/pmm_qa/valkey/valkey-sentinel.yml +++ b/pmm_qa/valkey/valkey-sentinel.yml @@ -19,7 +19,7 @@ sentinel_count: 3 sentinel_start_port: 26379 sentinel_quorum: 2 - + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" pmm_server_name: "pmm-server" tasks: From 8a60e399a12b46fd768e59999c420b5bc96ddc71 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 17:38:45 +0100 Subject: [PATCH 13/21] PMM-14643: Skeleton for encrypted pmm client config file --- .../percona-distribution-postgres-setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml b/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml index ae6f9321..e05d2cc3 100644 --- a/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml +++ b/pmm_qa/percona-distribution-postgresql/percona-distribution-postgres-setup.yml @@ -23,6 +23,7 @@ docker_repo: "percona/percona-distribution-postgresql" container_prefix: "pdpgsql_pmm{{ (setup_type|default('')) and '_' ~ setup_type }}_{{ pdpgsql_version }}_" pgsm_branch: "{{ lookup('env', 'PGSM_BRANCH') }}" + encrypted_client_config: "{{ lookup('env', 'ENCRYPTED_CLIENT_CONFIG') | default(false, true) | bool }}" tasks: - name: Display setup type selected From 3c2d6c5940440d05cf1c4e536f25048f8bc1c382 Mon Sep 17 00:00:00 2001 
From: Peter Sirotnak Date: Thu, 12 Mar 2026 17:43:29 +0100 Subject: [PATCH 14/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 44ff930c..fd1b6e60 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -163,7 +163,9 @@ --server-username=admin \ --server-password={{ admin_password }} \ {{ container_name }} - when: metrics_mode | length > 0 and not (encrypted_client_config | default(false) | bool) + when: + - metrics_mode | length > 0 + - not (encrypted_client_config | default(false) | bool) - name: Connect pmm client to pmm server using default metrics mode without encrypted client config shell: | @@ -175,7 +177,9 @@ --server-username=admin \ --server-password={{ admin_password }} \ {{ container_name }} - when: metrics_mode | length == 0 and not (encrypted_client_config | default(false) | bool) + when: + - metrics_mode | length == 0 + - not (encrypted_client_config | default(false) | bool) - name: Connect pmm client to pmm server using metrics mode without encrypted client config shell: | @@ -203,7 +207,9 @@ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ --config-file-key-password="testpass" \ {{ container_name }} - when: metrics_mode | length == 0 and encrypted_client_config | default(false) | bool + when: + - metrics_mode | length == 0 + - encrypted_client_config | default(false) | bool - name: Connect pmm client to pmm server using metrics mode with encrypted client config shell: | 
@@ -219,7 +225,9 @@ --config-file-key-file="/usr/local/percona/pmm/config/pmm-key.pem" \ --config-file-key-password="testpass" \ {{ container_name }} - when: metrics_mode | length > 0 and encrypted_client_config | default(false) | bool + when: + - metrics_mode | length > 0 + - encrypted_client_config | default(false) | bool - name: Wait 5 seconds for connection to complete pause: From 0b1f7ea5a7de33a401c63d1b4f03b0c83ab070c6 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 17:48:37 +0100 Subject: [PATCH 15/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index fd1b6e60..d7e487b8 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -181,6 +181,14 @@ - metrics_mode | length == 0 - not (encrypted_client_config | default(false) | bool) +- name: debug Print metrics mode and encrypted client config values + debug: + msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" + +- name: debug Print encrypted client config values + debug: + msg: "Encrypted client config: {{ encrypted_client_config }}" + - name: Connect pmm client to pmm server using metrics mode without encrypted client config shell: | docker exec --user root {{ container_name }} \ From c801155f9bcd1d502d3c3d0ed1882521abd84be9 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Thu, 12 Mar 2026 17:53:32 +0100 Subject: [PATCH 16/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index d7e487b8..2f9486bc 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml 
@@ -181,27 +181,6 @@ - metrics_mode | length == 0 - not (encrypted_client_config | default(false) | bool) -- name: debug Print metrics mode and encrypted client config values - debug: - msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" - -- name: debug Print encrypted client config values - debug: - msg: "Encrypted client config: {{ encrypted_client_config }}" - -- name: Connect pmm client to pmm server using metrics mode without encrypted client config - shell: | - docker exec --user root {{ container_name }} \ - pmm-agent setup \ - --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ - --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ - --server-insecure-tls \ - --metrics-mode={{ metrics_mode }} \ - --server-username=admin \ - --server-password={{ admin_password }} \ - {{ container_name }} - when: metrics_mode | length > 0 and not (encrypted_client_config | default(false) | bool) - - name: Connect pmm client to pmm server using default metrics mode with encrypted client config shell: | docker exec --user root {{ container_name }} \ From 6e74f3a0efed71599b148b3c1a25dc2f420db854 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Fri, 13 Mar 2026 08:50:26 +0100 Subject: [PATCH 17/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 2 +- pmm_qa/scripts/database_options.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index ceb7137b..970a9bb2 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py 
@@ -76,7 +76,7 @@ def setup_ps(db_type, db_version=None, db_config=None, args=None): 'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'MY_ROCKS': get_value('MY_ROCKS', db_type, args, db_config), - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config + 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config), } run_ansible_playbook('percona_server_for_mysql/percona-server-setup.yml', env_vars, args) diff --git a/pmm_qa/scripts/database_options.py b/pmm_qa/scripts/database_options.py index c84436be..1a3861f5 100644 --- a/pmm_qa/scripts/database_options.py +++ b/pmm_qa/scripts/database_options.py @@ -30,7 +30,7 @@ "PS": { "versions": ["5.7", "8.4", "8.0"], "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest", - "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false"} + "TARBALL": "", "NODES_COUNT": 1, "MY_ROCKS": "false", "ENCRYPTED_CLIENT_CONFIG": "false"} }, "SSL_MYSQL": { "versions": ["5.7", "8.4", "8.0"], From 2234f0d9d41ae2dc65833ca840ea7cee3d0f1990 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Fri, 13 Mar 2026 09:03:18 +0100 Subject: [PATCH 18/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/pmm-framework.py | 10 +++++----- pmm_qa/scripts/database_options.py | 9 +++++---- pmm_qa/tasks/install_pmm_client.yml | 12 ++++++++++++ 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/pmm_qa/pmm-framework.py b/pmm_qa/pmm-framework.py index 970a9bb2..2361108f 100755 --- a/pmm_qa/pmm-framework.py +++ b/pmm_qa/pmm-framework.py 
@@ -115,7 +115,7 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None): 'MS_TARBALL': get_value('TARBALL', db_type, args, db_config), 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config + 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config), } run_ansible_playbook('mysql/mysql-setup.yml', env_vars, args) @@ -177,7 +177,7 @@ def setup_pdpgsql(db_type, db_version=None, db_config=None, args=None): 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', 'SETUP_TYPE': setup_type_value, 'PGSM_BRANCH': pgsm_branch, - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config + 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config), } # Ansible playbook filename @@ -240,7 +240,8 @@ def setup_pgsql(db_type, db_version=None, db_config=None, args=None): 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'PGSQL_PGSS_PORT': 5448, 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', - 'SETUP_TYPE': setup_type_value + 'SETUP_TYPE': setup_type_value, + 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config), } # Ansible playbook filename @@ -768,7 +769,7 @@ def setup_valkey(db_type, db_version=None, db_config=None, args=None): 'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin', 'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3', 'SETUP_TYPE': setup_type_value, - 'ENCRYPTED_CLIENT_CONFIG': args.encrypted_client_config + 'ENCRYPTED_CLIENT_CONFIG': get_value('ENCRYPTED_CLIENT_CONFIG', db_type, args, db_config), } # Choose playbook based on SETUP_TYPE (cluster is default; sentinel only when explicitly requested) 
@@ -863,7 +864,6 @@ def setup_bucket(db_type, db_version=None, db_config=None, args=None): parser.add_argument("--pmm-server-password", nargs='?', help='PMM Server password') parser.add_argument("--client-version", nargs='?', help='PMM Client version/tarball') parser.add_argument("--verbose", "--v", action='store_true', help='Display verbose information') - parser.add_argument("--encrypted-client-config", action='store_true', help='Encrypt client config') parser.add_argument("--verbosity-level", nargs='?', help='Display verbose information level') args = parser.parse_args() diff --git a/pmm_qa/scripts/database_options.py b/pmm_qa/scripts/database_options.py index 1a3861f5..154ad652 100644 --- a/pmm_qa/scripts/database_options.py +++ b/pmm_qa/scripts/database_options.py @@ -25,7 +25,7 @@ "MYSQL": { "versions": ["5.7", "8.0", "8.4"], "configurations": {"QUERY_SOURCE": "perfschema", "SETUP_TYPE": "", "CLIENT_VERSION": "3-dev-latest", - "TARBALL": ""} + "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"} }, "PS": { "versions": ["5.7", "8.4", "8.0"], @@ -40,11 +40,12 @@ "PGSQL": { "versions": ["11", "12", "13", "14", "15", "16", "18", "17"], "configurations": {"QUERY_SOURCE": "pgstatements", "CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", - "SETUP_TYPE": ""} + "SETUP_TYPE": "", "ENCRYPTED_CLIENT_CONFIG": "false"} }, "PDPGSQL": { "versions": ["11", "12", "13", "14", "15", "16", "18", "17"], - "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": ""} + "configurations": {"CLIENT_VERSION": "3-dev-latest", "USE_SOCKET": "", "SETUP_TYPE": "", "PGSM_BRANCH": "", + "ENCRYPTED_CLIENT_CONFIG": "false"} }, "SSL_PDPGSQL": { "versions": ["11", "12", "13", "14", "15", "16", "17"], 
@@ -79,6 +80,6 @@ }, "VALKEY": { "versions": ["7", "8"], - "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": ""} + "configurations": {"CLIENT_VERSION": "3-dev-latest", "SETUP_TYPE": "", "TARBALL": "", "ENCRYPTED_CLIENT_CONFIG": "false"} } } diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 2f9486bc..2a149b30 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -181,6 +181,18 @@ - metrics_mode | length == 0 - not (encrypted_client_config | default(false) | bool) +- name: debug Print metrics mode and encrypted client config values + debug: + msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" + +- name: debug Print encrypted client config values + debug: + msg: "Encrypted client config: {{ encrypted_client_config }}" + +- name: Force failure for debugging + ansible.builtin.fail: + msg: "Intentional failure for debugging" + - name: Connect pmm client to pmm server using default metrics mode with encrypted client config shell: | docker exec --user root {{ container_name }} \ From cc8fa06f8ebbbaae4e55f22f97180c13f3ee089d Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Fri, 13 Mar 2026 09:06:12 +0100 Subject: [PATCH 19/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 2a149b30..fe546bc8 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml 
@@ -181,18 +181,6 @@ - metrics_mode | length == 0 - not (encrypted_client_config | default(false) | bool) -- name: debug Print metrics mode and encrypted client config values - debug: - msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" - -- name: debug Print encrypted client config values - debug: - msg: "Encrypted client config: {{ encrypted_client_config }}" - -- name: Force failure for debugging - ansible.builtin.fail: - msg: "Intentional failure for debugging" - - name: Connect pmm client to pmm server using default metrics mode with encrypted client config shell: | docker exec --user root {{ container_name }} \ @@ -247,3 +235,15 @@ - name: Wait 5 seconds for start to complete pause: seconds: 5 + +- name: debug Print metrics mode and encrypted client config values + debug: + msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" + +- name: debug Print encrypted client config values + debug: + msg: "Encrypted client config: {{ encrypted_client_config }}" + +- name: Force failure for debugging + ansible.builtin.fail: + msg: "Intentional failure for debugging" From e8204169677c408ec08605eaeb4a7c42d4d7a144 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Fri, 13 Mar 2026 09:09:42 +0100 Subject: [PATCH 20/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index fe546bc8..2f9486bc 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml 
@@ -235,15 +235,3 @@ - name: Wait 5 seconds for start to complete pause: seconds: 5 - -- name: debug Print metrics mode and encrypted client config values - debug: - msg: "Metrics mode: {{ metrics_mode }}, Encrypted client config: {{ encrypted_client_config | default(false) | bool }}" - -- name: debug Print encrypted client config values - debug: - msg: "Encrypted client config: {{ encrypted_client_config }}" - -- name: Force failure for debugging - ansible.builtin.fail: - msg: "Intentional failure for debugging" From 648aadd2093eed318e635ef89c0260ffb099d270 Mon Sep 17 00:00:00 2001 From: Peter Sirotnak Date: Fri, 13 Mar 2026 09:19:41 +0100 Subject: [PATCH 21/21] PMM-14643: Skeleton for encrypted pmm client config file --- pmm_qa/tasks/install_pmm_client.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pmm_qa/tasks/install_pmm_client.yml b/pmm_qa/tasks/install_pmm_client.yml index 2f9486bc..67784521 100644 --- a/pmm_qa/tasks/install_pmm_client.yml +++ b/pmm_qa/tasks/install_pmm_client.yml @@ -187,7 +187,7 @@ pmm-agent setup \ --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ - --custom-labels="environment=prod, role=pmm-client, encrypted=true, password=true" \ + --custom-labels="role=pmm-client, encrypted=true, password=true" \ --server-insecure-tls \ --server-username=admin \ --server-password={{ admin_password }} \ @@ -204,7 +204,7 @@ pmm-agent setup \ --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml \ --server-address={{ pmm_server_ip }}:{{ pmm_server_port }} \ - --custom-labels="environment=prod, role=pmm-client, encrypted=true, password=true" \ + --custom-labels="role=pmm-client, encrypted=true, password=true" \ --server-insecure-tls \ --metrics-mode={{ metrics_mode }} \ --server-username=admin \
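Review bot: The `pmm-agent setup` command whose labels are edited in the `@@ -187,7 +187,7 @@` hunk interpolates `--server-password={{ admin_password }}` unquoted into a `shell:` task, and nothing visible in the hunk suppresses logging for it. A password containing spaces or shell metacharacters would be split or interpreted by the shell, and the rendered command line, password included, can end up in Ansible output and in the container's process list. I would write `--server-password={{ admin_password | quote }}` and add `no_log: true` to both connect tasks; whether `no_log` is already set cannot be seen, because the task bodies start and end outside the hunks. The same command keeps `--server-insecure-tls`, which deserves a one-line comment saying certificate verification is skipped only because the test server presents a self-signed certificate, if that is the reason.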