5. Monitor database with Percona Monitoring and Management (PMM)¶

The Operator integrates natively with Percona Monitoring and Management (PMM) for comprehensive database monitoring. While custom monitoring solutions solutions are also supported, they require manual setup and are not automated by the Operator.

The Operator is compatible with both PMM versions 2 and 3. We recommend using the latest PMM version 3 for optimal monitoring capabilities.

In this section, you’ll learn how to monitor Percona XtraDB Cluster using PMM.

PMM is a client/server application. It includes the PMM Server and the number of PMM Clients running on each node with the database you wish to monitor.

A PMM Client collects needed metrics and sends gathered data to the PMM Server. As a user, you connect to the PMM Server to see database metrics on a number of dashboards. PMM Server and PMM Client are installed separately.

Considerations¶

If you are using PMM server version 2, use a PMM client image compatible with PMM 2. If you are using PMM server version 3, use a PMM client image compatible with PMM 3. Check Percona certified images for the right one.
If you specified both authentication methods for PMM server configuration and they have non-empty values, priority goes to PMM 3.
For migration from PMM2 to PMM3, see PMM upgrade documentation . Also check the Automatic migration of API keys page.

Install PMM Server¶

You must have PMM server up and running. You can run PMM Server as a Docker image, a virtual appliance, or in Kubernetes. Please refer to the official PMM documentation for the installation instructions.

Install PMM Client¶

PMM Client is installed as a side-car container in the database, HAProxy and ProxySQL Pods in your Kubernetes-based environment. To install PMM Client, do the following:

Configure authentication¶

PMM3PMM2

PMM3 uses Grafana service accounts to control access to PMM server components and resources. To authenticate in PMM server, you need a service account token. Generate a service account and token . Specify the Admin role for the service account.

Warning

When you create a service account token, you can select its lifetime: it can be either a permanent token that never expires or the one with the expiration date. PMM server cannot rotate service account tokens after they expire. So you must take care of reconfiguring PMM Client in this case.

Get the PMM API key from PMM Server . The API key must have the role “Admin”. You need this key to authorize PMM Client within PMM Server.

From PMM UI From command line

Generate the PMM API key

You can query your PMM Server installation for the API Key using curl and jq utilities. Replace <login>:<password>@<server_host> placeholders with your real PMM Server login, password, and hostname in the following command:

$ API_KEY=$(curl --insecure -X POST -H "Content-Type: application/json" -d '{"name":"operator", "role": "Admin"}' "https://<login>:<password>@<server_host>/graph/api/auth/keys" | jq .key)

Warning

The API key is not rotated.

Create a secret¶

Now you must pass the credentials to the Operator. To do so, create a Secret object.

Create a Secret configuration file. You can use the deploy/secrets.yaml secrets file.

PMM 3PMM 2

Specify the service account token as the pmmservertoken value in the secrets file:

apiVersion: v1
kind: Secret
metadata:
  name: cluster1-secrets
type: Opaque
stringData:
  pmmservertoken: ""

Specify the API key as the pmmserverkey value in the secrets file:

apiVersion: v1
kind: Secret
metadata:
  name: cluster1-secrets
type: Opaque
stringData:
  pmmserverkey: ""

Create the Secrets object using the deploy/secrets.yaml file. Replace the <namespace> placeholder with your value.
```
$ kubectl apply -f deploy/secrets.yaml -n <namespace>
```
Expected output
```
secret/cluster1-secrets created
```

Deploy a PMM Client¶

Update the pmm section in the deploy/cr.yaml file.
- Set pmm.enabled=true.
- Specify the PMM Client image path. Check Percona certified images for the required one.
- Specify your PMM Server hostname / an IP address for the pmm.serverHost option. The PMM Server IP address should be resolvable and reachable from within your cluster.
```
  pmm:
    enabled: true
    image: percona/pmm-client:2.44.1-1
    serverHost: monitoring-service
```
Update the cluster. Replace the <namespace> placeholder with your value.
```
$ kubectl apply -f deploy/cr.yaml -n <namespace>
```
Check that corresponding Pods are not in a cycle of stopping and restarting. This cycle occurs if there are errors on the previous steps:
```
$ kubectl get pods -n <namespace>
$ kubectl logs <pod_name> -c pmm-client
```

Update the secrets file¶

The deploy/secrets.yaml file contains all values for each key/value pair in a convenient plain text format. But the resulting Secrets Object contains passwords stored as base64-encoded strings. If you want to update the password field, you need to encode the new password into the base64 format and pass it to the Secrets Object.

To encode a password or any other parameter, run the following command:

Linux macOS

$ echo -n "password" | base64 --wrap=0

$ echo -n "password" | base64

For example, to set the new service account token in the cluster1-secrets object, use the following command replacing the placeholders in <> with your values:

Linux macOS

$ kubectl patch secret/cluster1-secrets -p '{"data":{"pmmservertoken": '$(echo -n <new-token> | base64 --wrap=0)'}}'

$ kubectl patch secret/cluster1-secrets -p '{"data":{"pmmservertoken": '$(echo -n <new-token> | base64)'}}'

Check the metrics¶

Let’s see how the collected data is visualized in PMM.

Now you can access PMM via https in a web browser, with the login/password authentication, and the browser is configured to show Percona XtraDB Cluster metrics.

Next steps¶

What’s next

Last update: 2025-08-14