PMM-7 SSL mysql base support

pmm_qa/pmm-framework.py

@@ -202,6 +202,36 @@ def setup_mysql(db_type, db_version=None, db_config=None, args=None):
     # Call the function to run the Ansible playbook
     run_ansible_playbook(playbook_filename, env_vars, args)
 
+def setup_ssl_mysql(db_type, db_version=None, db_config=None, args=None):
+    # Check if PMM server is running
+    container_name = get_running_container_name()
+    if container_name is None and args.pmm_server_ip is None:
+        print(f"Check if PMM Server is Up and Running..Exiting")
+        exit()
+
+    # Check Setup Types
+    setup_type = None
+    no_of_nodes = 1
+    setup_type_value = get_value('SETUP_TYPE', db_type, args, db_config).lower()
+
+    # Gather Version details
+    ms_version = os.getenv('MS_VERSION') or db_version or database_configs[db_type]["versions"][-1]
+    # Define environment variables for playbook
+    env_vars = {
+        'MYSQL_VERSION': ms_version,
+        'PMM_SERVER_IP': args.pmm_server_ip or container_name or '127.0.0.1',
+        'MYSQL_SSL_CONTAINER': 'mysql_ssl_' + str(ms_version),
+        'CLIENT_VERSION': get_value('CLIENT_VERSION', db_type, args, db_config),
+        'ADMIN_PASSWORD': os.getenv('ADMIN_PASSWORD') or args.pmm_server_password or 'admin',
+        'PMM_QA_GIT_BRANCH': os.getenv('PMM_QA_GIT_BRANCH') or 'v3'
+    }
+
+    # Ansible playbook filename
+    playbook_filename = 'tls-ssl-setup/mysql_tls_setup.yml'
+
+    # Call the function to run the Ansible playbook
+    run_ansible_playbook(playbook_filename, env_vars, args)
+
 
 def setup_pdpgsql(db_type, db_version=None, db_config=None, args=None):
     # Check if PMM server is running
@@ -312,7 +342,6 @@ def setup_external(db_type, db_version=None, db_config=None, args=None):
     # Call the function to run the Ansible playbook
     run_ansible_playbook(playbook_filename, env_vars, args)
 
-
 def execute_shell_scripts(shell_scripts, env_vars, args):
     # Get script directory
     script_path = os.path.abspath(sys.argv[0])
@@ -513,6 +542,8 @@ def setup_database(db_type, db_version=None, db_config=None, args=None):
         setup_haproxy(db_type, db_version, db_config, args)
     elif db_type == 'EXTERNAL':
         setup_external(db_type, db_version, db_config, args)
+    elif db_type == 'SSL_MYSQL':
+        setup_ssl_mysql(db_type, db_version, db_config, args)
     else:
         print(f"Database type {db_type} is not recognised, Exiting...")
         exit(1)

pmm_qa/tls-ssl-setup/create_certs.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+export PWD=$(pwd)
+export HOST=localhost
+mkdir -p certificates
+pushd certificates
+echo -e "\n=== Generating SSL certificates in ${PWD} ==="
+# Generate self signed root CA cert
+openssl req -nodes -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=root/CN=${HOST}/[email protected]"
+# Generate server cert to be signed
+openssl req -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=server/CN=${HOST}/[email protected]"
+# Sign server sert
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
+# Create server PEM file
+cat server.key server.crt > server.pem
+# Generate client cert to be signed
+openssl req -nodes -newkey rsa:4096 -keyout client.key -out client.csr -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=client/CN=${HOST}/[email protected]"
+# Sign the client cert
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
+# Create client PEM file
+cat client.key client.crt > client.pem
+popd

pmm_qa/tls-ssl-setup/mongodb/mongodb_ssl_setup.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+
+
+while [ $# -gt 0 ]; do
+
+   if [[ $1 == *"--"* ]]; then
+        param="${1/--/}"
+        declare $param="$2"
+   fi
+
+  shift
+done
+
+if [ -z "$mongodb_version" ]
+then
+      export mongodb_version=4.4
+fi
+
+apt-get update
+apt-get -y install wget curl git
+wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb
+dpkg -i percona-release_latest.generic_all.deb
+wget https://raw.githubusercontent.com/Percona-QA/percona-qa/master/mongo_startup.sh
+chmod +x mongo_startup.sh
+wget https://raw.githubusercontent.com/percona/pmm-qa/main/pmm-tests/mongodb_user_setup.js
+if [ "$mongodb_version" == "4.4" ]; then
+   wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.4/percona-server-mongodb-4.4.13-13/binary/tarball/percona-server-mongodb-4.4.13-13-x86_64.glibc2.17-minimal.tar.gz
+fi
+
+if [ "$mongodb_version" == "4.2" ]; then
+   wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.2/percona-server-mongodb-4.2.19-19/binary/tarball/percona-server-mongodb-4.2.19-19-x86_64.glibc2.17-minimal.tar.gz
+fi
+
+if [ "$mongodb_version" == "4.0" ]; then
+   wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.0/percona-server-mongodb-4.0.28-23/binary/tarball/percona-server-mongodb-4.0.28-23-x86_64.glibc2.17-minimal.tar.gz
+fi
+
+if [ "$mongodb_version" == "5.0" ]; then
+   wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-5.0/percona-server-mongodb-5.0.7-6/binary/tarball/percona-server-mongodb-5.0.7-6-x86_64.glibc2.17-minimal.tar.gz
+fi
+
+tar -xvf percona_server_mongodb.tar.gz
+rm percona_server_mongodb.tar.gz*
+mv percona-server-mongodb-${mongodb_version}.* psmdb_${mongodb_version}
+
+bash ./mongo_startup.sh -m --ssl -x -e wiredTiger --mongodExtra="--profile 2 --slowms 1 --bind_ip_all" --b=/psmdb_${mongodb_version}/bin
+sleep 20
+/nodes/cl.sh mongodb_user_setup.js
+cat > add_new_ssl_user.js <<EOF
+db.getSiblingDB("\$external").runCommand(
+      {
+      createUser: "[email protected],CN=localhost,OU=client,O=Percona,L=San Francisco,ST=California,C=US",
+      roles: [
+             { role: "readWrite", db: 'test' },
+             { role: "explainRole", db: "admin" },
+             { role: "clusterMonitor", db: "admin" },
+             { role: "read", db: "local" },
+             { role: 'root', db: 'admin' }
+        ],
+      writeConcern: { w: "majority" , wtimeout: 5000 }
+      }
+);
+db.getSiblingDB("\$external").auth(
+  {
+    mechanism: "MONGODB-X509",
+    user: "[email protected],CN=localhost,OU=client,O=Percona,L=San Francisco,ST=California,C=US"
+  }
+);
+print("Added new user ssl");
+db.getSiblingDB("test").test.insert({a:1});
+db.getSiblingDB("test").test.insert({b:2});
+EOF
+/nodes/cl.sh add_new_ssl_user.js

pmm_qa/tls-ssl-setup/mongodb_tls_setup.yml

@@ -0,0 +1,84 @@
+---
+# This playbook does following:
+#   enables Percona testing repository
+#   Install Percona Server at Version 8.0.25 
+#   Install all required tools for backups in compatible version
+
+- hosts: all
+  become: true
+  become_method: sudo
+  vars:
+    mongodb_version: "{{ lookup('vars', 'extra_mongodb_version', default=lookup('env','MONGODB_VERSION') | default('4.4', true) ) }}"
+    mongodb_ssl_container: "{{ lookup('vars', 'extra_mongodb_ssl_container', default=lookup('env','MONGODB_SSL_CONTAINER') | default('mongodb_ssl', true) ) }}"
+    pmm_server_ip: "{{ lookup('vars', 'extra_pmm_server_ip', default=lookup('env','PMM_SERVER_IP') | default('127.0.0.1', true) ) }}"
+    client_version: "{{ lookup('vars', 'extra_client_version', default=lookup('env','CLIENT_VERSION') | default('dev-latest', true) ) }}"
+    admin_password: "{{ lookup('vars', 'extra_admin_password', default=lookup('env','ADMIN_PASSWORD') | default('admin', true) ) }}"
+    pmm_qa_branch: "{{ lookup('vars', 'extra_pmm_qa_branch', default=lookup('env','PMM_QA_GIT_BRANCH') | default('main', true) ) }}"
+
+  tasks:
+  - name: Cleanup Docker container for client and DB setup
+    shell: >
+      docker ps -a --filter "name={{ mongodb_ssl_container }}" | grep -q . && docker stop {{ mongodb_ssl_container }} && docker rm -fv {{ mongodb_ssl_container }}
+    ignore_errors: true
+    tags:
+      - cleanup
+  - name: delete network if exist
+    shell: docker network rm "{{ mongodb_ssl_container }}_network"
+    ignore_errors: true
+    tags:
+      - cleanup
+
+  - name: Create a network
+    shell: docker network create "{{ mongodb_ssl_container }}_network"
+
+  - name: Create pmm-qa network if not exist
+    shell: docker network create pmm-qa
+    ignore_errors: true
+
+  - name: Prepare Container for mongodb ssl container
+    shell: >
+      docker run -d --name={{ mongodb_ssl_container }}
+      --network "{{ mongodb_ssl_container }}_network"
+      phusion/baseimage:focal-1.1.0
+  
+  - name: Copy all required Artifacts to the docker mongodb_ssl_container
+    shell: "{{ item }}"
+    with_items:
+      - docker exec {{ mongodb_ssl_container }} mkdir -p artifacts
+      - docker cp ./mongodb/mongodb_ssl_setup.sh {{ mongodb_ssl_container }}:/
+
+  - name: Execute Setup script inside the mongodb mongodb_ssl_container
+    shell: "{{ item }}"
+    with_items:
+      - docker exec {{ mongodb_ssl_container }} bash -xe ./mongodb_ssl_setup.sh --mongodb_version {{ mongodb_version }} > mongodb/setup_mongodb_ssl_{{ mongodb_version }}.log
+
+  - name: Install pmm2-client on the mongodb_ssl_container
+    shell: "{{ item }}"
+    with_items:
+      - docker exec {{ mongodb_ssl_container }} wget https://raw.githubusercontent.com/percona/pmm-qa/{{ pmm_qa_branch }}/pmm-tests/pmm2-client-setup.sh
+      - docker network connect pmm-qa {{ mongodb_ssl_container }}
+      - docker exec {{ mongodb_ssl_container }} bash -x ./pmm2-client-setup.sh --pmm_server_ip {{ pmm_server_ip }} --client_version {{ client_version }} --admin_password {{ admin_password }} --use_metrics_mode no
+
+  - name: Add pmm-admin binary to path when tar ball installation
+    shell: docker exec {{ mongodb_ssl_container }} echo "export PATH=$PATH:/pmm2-client/bin" > setup_path.sh
+    when: '"http" in client_version'
+
+  - name: Remove mongodb service if already added previously
+    shell: "{{ item }}"
+    with_items:
+      - docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin remove mongodb {{ mongodb_ssl_container }}_service'
+    ignore_errors: true
+
+  - name: Add mongodb_ssl for monitoring
+    shell: "{{ item }}"
+    with_items:
+      - docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin list'
+      - docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin add mongodb --tls --tls-skip-verify --authentication-mechanism=MONGODB-X509 --authentication-database=$external --tls-certificate-key-file=/nodes/certificates/client.pem --tls-certificate-key-file-password=/nodes/certificates/client.key --tls-ca-file=/nodes/certificates/ca.crt {{ mongodb_ssl_container }}_ssl_service'
+
+  - name: Get client cert Files on host
+    shell: "{{ item }}"
+    with_items:
+      - mkdir -p mongodb/{{ mongodb_version }} || true
+      - docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/ca.crt > mongodb/{{ mongodb_version }}/ca.crt
+      - docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/client.key > mongodb/{{ mongodb_version }}/client.key
+      - docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/client.pem > mongodb/{{ mongodb_version }}/client.pem

pmm_qa/tls-ssl-setup/mysql/mysql_ssl_setup.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+
+
+while [ $# -gt 0 ]; do
+
+   if [[ $1 == *"--"* ]]; then
+        param="${1/--/}"
+        declare $param="$2"
+   fi
+
+  shift
+done
+
+if [ -z "$mysql_version" ]
+then
+      export mysql_version=8.0
+fi
+
+apt-get update
+apt-get -y install wget curl git
+wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb
+dpkg -i percona-release_latest.generic_all.deb
+sleep 10
+if [ "$mysql_version" == "8.0" ]; then
+    percona-release setup ps80
+    sleep 10
+    DEBIAN_FRONTEND=noninteractive apt-get -y install percona-server-server sysbench sysbench-tpcc bc screen 
+cat > /etc/mysql/my.cnf << EOF
+[mysqld]
+innodb_buffer_pool_size=256M
+innodb_buffer_pool_instances=1
+innodb_log_file_size=1G
+innodb_flush_method=O_DIRECT
+innodb_numa_interleave=1
+innodb_flush_neighbors=0
+log_bin
+server_id=1
+binlog_expire_logs_seconds=600
+log_output=file
+slow_query_log=ON
+long_query_time=0
+log_slow_rate_limit=1
+log_slow_rate_type=query
+log_slow_verbosity=full
+log_slow_admin_statements=ON
+log_slow_slave_statements=ON
+slow_query_log_always_write_time=1
+slow_query_log_use_global_control=all
+innodb_monitor_enable=all
+userstat=1
+bind-address=0.0.0.0
+require_secure_transport=ON
+EOF
+
+fi
+
+if [ "$mysql_version" == "5.7" ]; then
+    percona-release setup ps57
+    sleep 10
+    DEBIAN_FRONTEND=noninteractive apt-get -y install percona-server-server-5.7 
+cat > /etc/mysql/my.cnf << EOF
+[mysqld]
+innodb_buffer_pool_size=256M
+innodb_buffer_pool_instances=1
+innodb_log_file_size=1G
+innodb_flush_method=O_DIRECT
+innodb_numa_interleave=1
+innodb_flush_neighbors=0
+log_bin
+server_id=1
+expire_logs_days=1
+log_output=file
+slow_query_log=ON
+long_query_time=0
+log_slow_rate_limit=1
+log_slow_rate_type=query
+log_slow_verbosity=full
+log_slow_admin_statements=ON
+log_slow_slave_statements=ON
+slow_query_log_always_write_time=1
+slow_query_log_use_global_control=all
+innodb_monitor_enable=all
+userstat=1
+bind-address=0.0.0.0
+require_secure_transport=ON
+EOF
+
+fi
+service mysql restart
+mysql -e "create user pmm@'%' identified by \"pmm\""
+mysql -e "grant all on *.* to pmm@'%'"
+service mysql restart

pmm_qa/tls-ssl-setup/postgres/init.sql

@@ -0,0 +1,8 @@
+CREATE DATABASE sbtest1;
+CREATE DATABASE sbtest2;
+CREATE USER pmm WITH PASSWORD 'pmm';
+GRANT pg_monitor TO pmm;
+CREATE EXTENSION pg_stat_statements;
+ALTER SYSTEM SET shared_preload_libraries TO 'pg_stat_statements';
+ALTER SYSTEM SET track_activity_query_size=2048;
+ALTER SYSTEM SET track_io_timing=ON;

pmm_qa/tls-ssl-setup/postgres/setup_pgsql.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+
+while [ $# -gt 0 ]; do
+
+   if [[ $1 == *"--"* ]]; then
+        param="${1/--/}"
+        declare $param="$2"
+   fi
+
+  shift
+done
+
+if [ -z "$pgsql_version" ]
+then
+      export pgsql_version=13
+fi
+
+apt-get update
+apt-get -y install wget curl git
+wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb
+dpkg -i percona-release_latest.generic_all.deb
+percona-release setup ppg${pgsql_version}
+sleep 10
+pushd artifacts
+bash -x create_certs.sh
+popd
+sleep 10
+pwd
+apt -y install percona-postgresql-${pgsql_version}
+apt -y install percona-postgresql-contrib
+sleep 10
+sed -i 's/\(host\s*all\s*all\s*127.0.0.1.*\) md5/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+sed -i 's/\(host\s*all\s*all\s*::1.*\) md5/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+sed -i 's/\(local\s*all\s*postgres.*\) peer/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+sed -i 's/\(local\s*all\s*all.*\) peer/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+service postgresql restart
+sleep 10
+cp -a ./artifacts/certificates/. /var/lib/postgresql/${pgsql_version}/main/
+ls -la ./artifacts/certificates/
+chown -R postgres:postgres /var/lib/postgresql/${pgsql_version}/main
+chmod 0700 -R /var/lib/postgresql/${pgsql_version}/main
+sed -i "s/ssl_cert_file.*/ssl_cert_file = 'server.crt'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf
+sed -i "s/#listen_addresses.*/listen_addresses = '*'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf
+sed -i "s/ssl_key_file.*/ssl_key_file = 'server.key'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf
+sed -i "s/ssl_ca_file.*/ssl_ca_file = 'ca.crt'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf
+sed -i "s/#ssl_prefer_server_ciphers.*/ssl_prefer_server_ciphers = on/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf
+echo "hostssl    all     all             0.0.0.0/0                 md5" >> /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+echo "host    all             all              0.0.0.0/0                       md5" >> /etc/postgresql/${pgsql_version}/main/pg_hba.conf
+sleep 10
+service postgresql restart
+su postgres bash -c 'psql -f init.sql'
+service postgresql restart