K8SPXC-1830 handle caching_sha2_password for proxysql_exporter

build/pmm-prerun.sh

@@ -26,6 +26,10 @@ if [[ $DB_TYPE == "mysql" ]]; then
 	)
 fi
 
+if [[ $DB_TYPE == "proxysql" && "${PROXYSQL_ADMIN_TLS}" == "true" ]]; then
+	pmm_args+=(--tls-skip-verify)
+fi
+
 if [[ $DB_TYPE == "haproxy" ]]; then
 	pmm_args+=(
 		"$PMM_AGENT_SETUP_NODE_NAME"

build/proxysql-entrypoint.sh

@@ -29,7 +29,7 @@
 # Percona scheduler
 PERCONA_SCHEDULER_CFG_TMPL=/opt/percona/proxysql_scheduler_config.tmpl
 if [[ -f ${PERCONA_SCHEDULER_CFG_TMPL} && -n ${PERCONA_SCHEDULER_CFG} ]]; then
 	cp ${PERCONA_SCHEDULER_CFG_TMPL} ${PERCONA_SCHEDULER_CFG}
 fi
 
 # internal scheduler
@@ -39,14 +39,15 @@
 sed_in_place "s/threads=2/threads=${MYSQL_THREADS:-2}/g" ${PROXY_CFG}
 
 set +o xtrace # hide sensitive information
 OPERATOR_PASSWORD_ESCAPED=$(sed 's/[][\-\!\#\$\%\&\(\)\*\+\,\.\:\;\<\=\>\?\@\^\_\~\{\}]/\\&/g' <<<"${OPERATOR_PASSWORD}")
 MONITOR_PASSWORD_ESCAPED=$(sed 's/[][\-\!\#\$\%\&\(\)\*\+\,\.\:\;\<\=\>\?\@\^\_\~\{\}]/\\&/g' <<<"${MONITOR_PASSWORD}")
 PROXY_ADMIN_PASSWORD_ESCAPED=$(sed 's/[][\-\!\#\$\%\&\(\)\*\+\,\.\:\;\<\=\>\?\@\^\_\~\{\}]/\\&/g' <<<"${PROXY_ADMIN_PASSWORD}")
 
 sed_in_place "s/\"admin:admin\"/\"${PROXY_ADMIN_USER:-admin}:${PROXY_ADMIN_PASSWORD_ESCAPED:-admin}\"/g" ${PROXY_CFG}
 sed_in_place "s/cluster_username=\"admin\"/cluster_username=\"${PROXY_ADMIN_USER:-admin}\"/g" ${PROXY_CFG}
 sed_in_place "s/cluster_password=\"admin\"/cluster_password=\"${PROXY_ADMIN_PASSWORD_ESCAPED:-admin}\"/g" ${PROXY_CFG}
 sed_in_place "s/monitor_password=\"monitor\"/monitor_password=\"${MONITOR_PASSWORD_ESCAPED:-monitor}\"/g" ${PROXY_CFG}
+sed_in_place "s/stats_credentials=\"monitor:monitor\"/stats_credentials=\"${MONITOR_USERNAME:-monitor}:${MONITOR_PASSWORD_ESCAPED:-monitor}\"/g" ${PROXY_CFG}
 sed_in_place "s/PROXYSQL_USERNAME='admin'/PROXYSQL_USERNAME='${PROXY_ADMIN_USER:-admin}'/g" ${PROXY_ADMIN_CFG}
 sed_in_place "s/PROXYSQL_PASSWORD='admin'/PROXYSQL_PASSWORD='${PROXY_ADMIN_PASSWORD_ESCAPED:-admin}'/g" ${PROXY_ADMIN_CFG}
 sed_in_place "s/CLUSTER_USERNAME='admin'/CLUSTER_USERNAME='${OPERATOR_USERNAME:-operator}'/g" ${PROXY_ADMIN_CFG}
@@ -59,21 +60,21 @@
 # Percona scheduler
 if [[ -f ${PERCONA_SCHEDULER_CFG} ]]; then
 	set +o xtrace # hide sensitive information
 	sed_in_place "s/SCHEDULER_PROXYSQLPASSWORD/'${PROXY_ADMIN_PASSWORD_ESCAPED:-admin}'/" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_CLUSTERPASSWORD/'${OPERATOR_PASSWORD_ESCAPED:-operator}'/" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_MONITORPASSWORD/'${MONITOR_PASSWORD_ESCAPED:-monitor}'/" ${PERCONA_SCHEDULER_CFG}
 	set -o xtrace # hide sensitive information
 
 	sed_in_place "s/SCHEDULER_PROXYSQLHOST/'$(hostname -f)'/" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_CLUSTERHOST/'${PXC_SERVICE}.$(hostname -f | cut -d '.' -f3-)'/" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_CLUSTERPORT/'${CLUSTER_PORT:-3306}'/" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_MAXCONNECTIONS/${SCHEDULER_MAXCONNECTIONS}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_NODECHECKINTERVAL/${SCHEDULER_NODECHECKINTERVAL}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_CHECKTIMEOUT/${SCHEDULER_CHECKTIMEOUT}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_PINGTIMEOUT/${SCHEDULER_PINGTIMEOUT}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_RETRYDOWN/${SCHEDULER_RETRYDOWN}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_RETRYUP/${SCHEDULER_RETRYUP}/g" ${PERCONA_SCHEDULER_CFG}
 	sed_in_place "s/SCHEDULER_WRITERALSOREADER/${SCHEDULER_WRITERALSOREADER}/g" ${PERCONA_SCHEDULER_CFG}
 fi
 
 ## SSL/TLS support
@@ -85,14 +86,14 @@
 if [ -f "${SSL_DIR}/ca.crt" ]; then
 	CA=${SSL_DIR}/ca.crt
 	if [[ -f ${PERCONA_SCHEDULER_CFG} ]]; then
 		sed_in_place "s:^sslCertificatePath.*= .*\"$:sslCertificatePath = \"${SSL_DIR}\":" ${PERCONA_SCHEDULER_CFG}
 	fi
 fi
 SSL_INTERNAL_DIR=${SSL_INTERNAL_DIR:-/etc/proxysql/ssl-internal}
 if [ -f "${SSL_INTERNAL_DIR}/ca.crt" ]; then
 	CA=${SSL_INTERNAL_DIR}/ca.crt
 	if [[ -f ${PERCONA_SCHEDULER_CFG} ]]; then
 		sed_in_place "s:^sslCertificatePath.*= .*\"$:sslCertificatePath = \"${SSL_INTERNAL_DIR}\":" ${PERCONA_SCHEDULER_CFG}
 	fi
 fi
 
@@ -110,11 +111,15 @@
 	sed_in_place "s^ssl_p2s_key=\"\"^ssl_p2s_key=\"$KEY\"^" ${PROXY_CFG}
 	sed_in_place "s^ssl_p2s_cert=\"\"^ssl_p2s_cert=\"$CERT\"^" ${PROXY_CFG}
 
+	sed_in_place "s^ssl_ca=\"\"^ssl_ca=\"$CA\"^" ${PROXY_CFG}
+	sed_in_place "s^ssl_key=\"\"^ssl_key=\"$KEY\"^" ${PROXY_CFG}
+	sed_in_place "s^ssl_cert=\"\"^ssl_cert=\"$CERT\"^" ${PROXY_CFG}
+
 	# Percona scheduler
 	if [[ -f ${PERCONA_SCHEDULER_CFG} ]]; then
 		sed_in_place "s:^sslCa.*=.*\"$:sslCa = \"${CA##*/}\":" ${PERCONA_SCHEDULER_CFG}
 		sed_in_place "s:^sslKey.*=.*\"$:sslKey = \"${KEY##*/}\":" ${PERCONA_SCHEDULER_CFG}
 		sed_in_place "s:^sslClient.*=.*\"$:sslClient = \"${CERT##*/}\":" ${PERCONA_SCHEDULER_CFG}
 	fi
 fi
 
@@ -126,7 +131,7 @@
 	cp "${SSL_DIR}/ca.crt" /var/lib/proxysql/proxysql-ca.pem
 fi
 
 test -e /opt/percona/hookscript/hook.sh && source /opt/percona/hookscript/hook.sh
 
 # Start zombie reaper to clean up processes spawned by commands
 # This is needed because percona-scheduler-admin may not properly reap all child processes
@@ -154,7 +159,7 @@
 MAIN_PID=$!
 
 # Forward signals to main process
 forward_signal() {
        kill -"$1" "$MAIN_PID" 2>/dev/null || true
 }
 trap 'forward_signal TERM' TERM

build/proxysql.cnf

@@ -23,6 +23,10 @@ admin_variables =
 	cluster_mysql_servers_diffs_before_sync=1
 	cluster_mysql_users_diffs_before_sync=1
 	cluster_proxysql_servers_diffs_before_sync=1
+	stats_credentials="monitor:monitor"
+	ssl_ca=""
+	ssl_cert=""
+	ssl_key=""
 }
 
 mysql_variables=

e2e-tests/monitoring-pmm3/conf/monitoring.yml

@@ -31,6 +31,17 @@ spec:
     affinity:
       antiAffinityTopologyKey: none
     envVarsSecret: my-env-var-secrets
+  proxysql:
+    enabled: false
+    size: 2
+    image: -proxysql
+    resources:
+      requests:
+        memory: 500M
+        cpu: 300m
+    affinity:
+      antiAffinityTopologyKey: none
+    envVarsSecret: my-env-var-secrets
   pmm:
     enabled: true
     image: perconalab/pmm-client:3.1.0

e2e-tests/monitoring-pmm3/run

@@ -282,6 +282,20 @@ desc 'check haproxy metrics'
 get_metric_values_pmm3 haproxy_backend_status pxc-prefix-$namespace-$cluster-haproxy-0 $NEW_TOKEN
 get_metric_values_pmm3 haproxy_backend_active_servers pxc-prefix-$namespace-$cluster-haproxy-0 $NEW_TOKEN
 
+desc 'switch from haproxy to proxysql'
+kubectl_bin patch pxc ${cluster} --type=json -p '[
+	{"op": "replace", "path": "/spec/haproxy/enabled", "value": false},
+	{"op": "replace", "path": "/spec/proxysql/enabled", "value": true}
+]'
+wait_for_delete "sts/${cluster}-haproxy"
+wait_for_running "${cluster}-proxysql" 2
+sleep 60
+kubectl wait pod -l 'app.kubernetes.io/managed-by=percona-xtradb-cluster-operator' --for=condition=ready --timeout=300s
+
+desc 'check proxysql metrics'
+get_metric_values_pmm3 proxysql_connection_pool_conn_used pxc-prefix-$namespace-$cluster-proxysql-0 $NEW_TOKEN
+get_metric_values_pmm3 proxysql_connection_pool_status pxc-prefix-$namespace-$cluster-proxysql-0 $NEW_TOKEN
+
 desc 'check QAN data'
 get_qan20_values $cluster-pxc-0 $NEW_TOKEN
 

pkg/pxc/app/statefulset/proxysql.go

@@ -456,6 +456,12 @@ func (c *Proxy) PMMContainer(ctx context.Context, cl client.Client, spec *api.PM
 		}
 
 		pmm3Container.Env = append(pmm3Container.Env, pmm3ProxySQLEnvVars(spec.ProxysqlParams)...)
+		if cr.TLSEnabled() {
+			pmm3Container.Env = append(pmm3Container.Env, corev1.EnvVar{
+				Name:  "PROXYSQL_ADMIN_TLS",
+				Value: "true",
+			})
+		}
 
 		return &pmm3Container, nil
 	}
@@ -592,6 +598,13 @@ func (c *Proxy) PMMContainer(ctx context.Context, cl client.Client, spec *api.PM
 		ct.Env = append(ct.Env, sidecarEnvs...)
 	}
 
+	if cr.TLSEnabled() {
+		ct.Env = append(ct.Env, corev1.EnvVar{
+			Name:  "PROXYSQL_ADMIN_TLS",
+			Value: "true",
+		})
+	}
+
 	return &ct, nil
 }