PMM-14993 Add one-step PMM client installer script and UI integration#5250
PMM-14993 Add one-step PMM client installer script and UI integration#5250theTibi wants to merge 26 commits into
Conversation
- Introduced a new script `install-pmm-client.sh` for streamlined installation of the PMM client. - Updated Ansible tasks to copy the installer script to the appropriate directory. - Enhanced documentation with a new section for one-step installation from the UI. - Added a new Install Client page in the UI for generating installation commands. - Integrated navigation for the new Install Client page within the application. This update simplifies the PMM client installation process and improves user experience through the UI.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## v3 #5250 +/- ##
==========================================
+ Coverage 43.13% 43.16% +0.02%
==========================================
Files 413 413
Lines 42253 42253
==========================================
+ Hits 18225 18237 +12
+ Misses 22158 22150 -8
+ Partials 1870 1866 -4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
- Cleaned up import statements in `accesscontrol_grpc.pb.go` and `actions_grpc.pb.go` by removing unnecessary blank lines. - Updated `accesscontrol.pb.go` and `actions.pb.go` to reorder import statements for consistency. - Added validation checks in `accesscontrol.pb.validate.go` and `advisors.pb.validate.go` to ensure proper handling of optional fields. - Introduced new Swagger JSON files for `accesscontrol` and `actions` APIs to enhance API documentation. - Improved formatting and organization of code across multiple files for better readability and maintainability. These changes enhance the overall structure and documentation of the API, making it easier for developers to understand and use.
- Simplified the implementation of the createNodeInstallToken function by directly returning the response data from the API call. - Removed unnecessary parameters in the API post method for cleaner code. These changes enhance code readability and maintainability.
- Modified `install-pmm-client.sh` to enhance command options for node registration and configuration, including clearer error messages and improved handling of non-interactive installations. - Updated the UI to set `insecureTLS` to true by default and adjusted related tests to reflect this change. - Refactored command building logic in `InstallClientPage.utils.ts` to streamline the installation command generation, ensuring proper handling of flags and environment variables. These changes improve the installation process and user experience for the PMM client.
- Simplified the OS detection logic by removing unnecessary cases for various Linux distributions. - Updated the error message to clearly specify the supported 64-bit Linux distributions: Debian, Ubuntu (DEB) and RHEL, Oracle Linux, Amazon Linux (RPM). These changes enhance the clarity and maintainability of the installation script.
- Updated the default credentials mode to 'env' for improved security during installation. - Enhanced user guidance in the UI regarding the use of environment variables and flags for database credentials. - Added new helper text to clarify the limitations of using curl with the installation script. - Modified the command generation logic to include database environment variables when applicable, improving the handling of optional database fields in both prompt and env modes. - Updated tests to ensure correct behavior when optional database fields are provided. These changes improve the user experience and security of the PMM client installation process.
matejkubinec
changed the title
- Introduced environment variables for PMM agent configuration, allowing customization of the config file path, listen host, listen port, log file, and start timeout. - Implemented functions to ensure the PMM agent is running, handling both systemd and nohup startup methods. - Added checks to create the PMM agent config file if it does not exist, improving the robustness of the installation script. These changes enhance the installation process by ensuring the PMM agent is properly configured and running, especially in environments without systemd. Signed-off-by: theTibi <tkorocz@gmail.com>
- Updated the default lifetime of install tokens to 15 minutes for improved security, reflecting the short-lived nature of tokens used during the initial configuration. - Modified the `InstallClientPage` to include a countdown timer for token expiration, enhancing user awareness of token validity. - Added helper text to clarify the implications of token expiration and the need for regeneration. - Introduced a new utility function `formatExpiresIn` to format the remaining time of the token, improving the display of expiration information. - Updated tests to ensure correct functionality of the new token management features. These changes improve the security and usability of the PMM client installation process. Signed-off-by: theTibi <tkorocz@gmail.com>
- Added a new function `detect_node_hostname` to resolve the local node's hostname without relying on the `hostname` command, improving compatibility with minimal RHEL/UBI/Alpine images. - Updated service name assignments for MySQL, PostgreSQL, MongoDB, and Valkey to use the new hostname detection function, ensuring accurate service naming. These changes enhance the robustness of the PMM client installation script in diverse environments. Signed-off-by: theTibi <tkorocz@gmail.com>
- Refactored the `CreateNodeInstallToken` function to accept a technology parameter instead of a unique suffix, improving clarity and usability. - Implemented validation for technology input, ensuring it is not empty and normalizing casing and whitespace. - Updated tests to cover new validation logic and ensure correct behavior for various technology inputs, including error handling for invalid and empty cases. - Enhanced the `install_token.go` file to maintain consistency with the updated function signature and logic. These changes improve the robustness and reliability of the node installation token management process. Signed-off-by: theTibi <tkorocz@gmail.com>
- Clarified that the service token for PMM Client installation is generated with Grafana Admin role, enhancing security awareness. - Updated documentation to reflect the correct role and expiration details for generated tokens. - Modified the `CreateNodeInstallToken` function to ensure service accounts are created with Admin role, aligning with the updated security model. - Adjusted UI components to communicate the Admin role of generated tokens, reinforcing the importance of treating the token URL as a password. These changes improve the clarity and security of the PMM Client installation process. Signed-off-by: theTibi <tkorocz@gmail.com>
- Updated the `install-pmm-client.sh` script to clarify the behavior of the prompt mode, ensuring it correctly handles database credentials by prompting users when the script is run interactively. - Modified the UI components to reflect the new two-step command for the prompt mode, improving user guidance on how to execute the installation script. - Enhanced documentation to explain the differences between installation modes, particularly emphasizing the security benefits of using prompt mode for sensitive credentials. - Updated tests to validate the new command generation logic for prompt mode, ensuring that no sensitive information is exposed in the command output. These changes improve the security and usability of the PMM client installation process. Signed-off-by: theTibi <tkorocz@gmail.com>
…odes - Adjusted the default credentials mode in the UI from 'env' to 'prompt', aligning with the updated documentation that emphasizes the security benefits of prompting for database credentials. - Enhanced the installation documentation to clarify the differences between the credentials modes, particularly focusing on the two-step command for prompt mode. - Updated UI components to reflect the new default and provide clearer guidance on the available options for credential handling. These changes improve the usability and security of the PMM client installation process. Signed-off-by: theTibi <tkorocz@gmail.com>
mattiasimonato
left a comment
mattiasimonato
left a comment
There was a problem hiding this comment.
After reviewing the frontend implementation, I have one small architectural note: the hook is colocated within the page/component, while the PMM codebase usually extracts hooks into separate modules. This is low priority and can be deferred, it does not need to block the dev preview
|
@theTibi This feature does not need to touch the backend at all, since PMM already exposes endpoints to generate the service account tokens. I suggest we refactor the code, it's going to be much less to review and maintain going forward. |
…okenResponse from API - Deleted the CreateNodeInstallTokenRequest and CreateNodeInstallTokenResponse messages from the proto definition and related validation logic, as they are no longer needed. - Updated the ManagementService interface and its implementation to remove references to the CreateNodeInstallToken method. - Adjusted related JSON and gateway files to reflect the removal of the token creation functionality. These changes streamline the API and improve maintainability by eliminating unused components. Signed-off-by: theTibi <tkorocz@gmail.com>
|
@ademidoff I did some refactoring, we do not touch the backend now. |
Resolve conflicts: - api/management/v1/node.pb.go, service.pb.go: take v3 generated output (protos match merged v3) - managed/services/grafana/auth_server_test.go: use package rules map (v3 refactor) Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: theTibi <tkorocz@gmail.com>
| config_cmd+=("${NODE_ADDRESS}") | ||
| fi | ||
| if [ -n "${NODE_NAME}" ]; then | ||
| config_cmd+=("generic" "${NODE_NAME}") |
There was a problem hiding this comment.
pmm-admin config positional args are [<node-address>] [<node-type>] [<node-name>]. If NODE_NAME is set without NODE_ADDRESS, this emits pmm-admin config --server-url=... generic <name> and the literal generic ends up in the node-address slot.
Two options:
- Require
NODE_ADDRESSwheneverNODE_NAMEis set (validate early and error out), or - Fall back to a sentinel address when only the name is provided (e.g.
$(detect_node_hostname)or127.0.0.1).
The second option keeps the wizard UX simple — a user filling in only "Node name" still gets a working command.
| rhel|ol|amzn) | ||
| echo "el" | ||
| return | ||
| ;; |
There was a problem hiding this comment.
Common EL derivatives aren't listed here: Rocky (rocky), AlmaLinux (almalinux), CentOS Stream (centos), Fedora (fedora). Rocky/Alma/CentOS happen to ship /etc/redhat-release so the fallback below catches them, but Fedora minimal images ship /etc/fedora-release and slip through.
Adding rocky|almalinux|centos|fedora to the el arm of this case is cheap and avoids relying on the file-existence fallback for the common cases.
| DB_ADDRESS="${DB_ADDRESS:-}" | ||
| DB_SERVICE_NAME="${DB_SERVICE_NAME:-}" | ||
| DB_AUTH_DB="${DB_AUTH_DB:-}" | ||
| DB_SOCKET="${DB_SOCKET:-}" |
There was a problem hiding this comment.
These eight reassignments are no-ops — DB_USER through DB_SOCKET are already defaulted at script init (lines 60–68). Safe to delete the whole block; the per-tech derivations below them are the actual work this function does.
| DB_AUTH_DB="${DB_AUTH_DB:-}" | ||
| DB_SOCKET="${DB_SOCKET:-}" | ||
|
|
||
| MYSQL_USERNAME="${MYSQL_USERNAME:-}" |
There was a problem hiding this comment.
Small naming inconsistency that's likely to bite users: the generic env var is DB_USER, but the per-tech overrides use _USERNAME (MYSQL_USERNAME, POSTGRESQL_USERNAME, …). A user who reads DB_USER in the docs and tries the per-tech form will reasonably guess MYSQL_USER and find nothing.
Either alias MYSQL_USER → MYSQL_USERNAME (and friends) inside apply_generic_inputs, or rename to match. The flag side already uses --db-user consistently, so the inconsistency is env-only.
| "${cmd[@]}" | ||
| } | ||
|
|
||
| add_valkey() { |
There was a problem hiding this comment.
Worth confirming pmm-admin add valkey is a real subcommand in the pmm-client version that the pmm3-client release repo serves at the time this script runs. If Valkey support was added recently to pmm-admin but the released client is older, the script installs fine, registers the node, and then fails at the last step with a confusing "unknown command" error — exactly the failure mode that report_add_service_failure doesn't help with (it assumes auth/conflict).
| // UUID-suffixed token name keeps concurrent calls from colliding on Grafana's | ||
| // per-SA unique-name constraint (Grafana returns 409 otherwise). | ||
| const tokenName = `${TOKEN_NAME_PREFIX}-${technology}-${crypto.randomUUID()}`; | ||
| const key = await mintToken(saId, tokenName, ttl); |
There was a problem hiding this comment.
Each Generate token click creates a new token on the shared per-tech SA (pmm-install-sa-mysql etc.). Tokens auto-expire in Grafana, but they stay in the SA's token list until manually deleted. After heavy use the SA's tokens table grows unbounded.
Options, in increasing order of effort:
- Delete expired tokens for this SA right before minting the new one (
GET /api/serviceaccounts/{id}/tokens→ filter →DELETE …/tokens/{id}). - A scheduled cleanup elsewhere.
- At minimum, a comment here pointing operators at where to clean up if it ever becomes a problem.
None of these are blockers, but the unbounded growth will surface eventually.
| * Admin (Grafana rejects the create/mint requests with 403 otherwise) — that's the | ||
| * same trust boundary the old backend endpoint had, just one hop shorter. | ||
| */ | ||
| export async function createNodeInstallToken( |
There was a problem hiding this comment.
The doc comment says Grafana rejects with 403 for non-Admin callers — worth a quick manual confirmation that hitting /api/serviceaccounts as a Viewer or Editor really returns 403. The entire security model of this page rests on that check, so it's the one thing worth verifying explicitly rather than trusting by inheritance from the old backend endpoint.
| const authority = | ||
| pmmHost.trim() || | ||
| (typeof window !== 'undefined' ? window.location.host : 'localhost'); | ||
| const t = token.trim(); |
There was a problem hiding this comment.
If a user types a full URL into the wizard's "PMM host" field (e.g. https://pmm.example.com), this produces https://service_token:<TOKEN>@https://pmm.example.com, which curl will reject. A light input sanitization (strip leading http(s)://, or validate with a regex in the form and show a helper) would prevent the foot-gun.
|
|
4 participants
install-pmm-client.shfor streamlined installation of the PMM client.This update simplifies the PMM client installation process and improves user experience through the UI.
PMM-14993
Link to the Feature Build:
Percona-Lab/pmm-submodules#4330
If this PR adds, removes or alters one or more API endpoints, please review and update the relevant API documentation as well:
If this PR is related to other PRs, contributions, or ongoing work in this or other repositories, please reference them here: