Skip to content
Percona Operators Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Monitor with Percona Monitoring and Management (PMM)

In this section you will learn how to monitor the health of Percona Distribution for PostgreSQL with Percona Monitoring and Management (PMM) .

The Operator supports both PMM version 2 and PMM version 3.

It determines which PMM server version you are using based on the authentication method you provide. For PMM 2, the Operator uses API keys for authentication. For PMM 3, it uses service account tokens.

We recommend to use the latest PMM 3.

PMM is a client/server application. It includes the PMM Server and the number of PMM Clients running on each node with the database you wish to monitor.

A PMM Client collects needed metrics and sends gathered data to the PMM Server. As a user, you connect to the PMM Server to see database metrics on a number of dashboards. PMM Server and PMM Client are installed separately.

Considerations

  1. If you are using PMM server version 2, use a PMM client image compatible with PMM 2. If you are using PMM server version 3, use a PMM client image compatible with PMM 3. Check Percona certified images for the right one.
  2. If you specified both authentication methods for PMM server configuration and they have non-empty values, priority goes to PMM 3.
  3. For migration from PMM2 to PMM3, see PMM upgrade documentation . Also check the Automatic migration of API keys page.

Install PMM Server

You must have PMM server up and running. You can run PMM Server as a Docker image, a virtual appliance, or in Kubernetes. Please refer to the official PMM documentation for the installation instructions.

Install PMM Client

PMM Client is installed as a side-car container in the database Pods in your Kubernetes-based environment. To install PMM Client, do the following:

Configure authentication

PMM3 uses Grafana service accounts to control access to PMM server components and resources. To authenticate in PMM server, you need a service account token. Generate a service account and token . Specify the Admin role for the service account.

Warning

When you create a service account token, you can select its lifetime: it can be either a permanent token that never expires or the one with the expiration date. PMM server cannot rotate service account tokens after they expire. So you must take care of reconfiguring PMM Client in this case.

Get the PMM API key from PMM Server . The API key must have the role “Admin”. You need this key to authorize PMM Client within PMM Server.

Generate the PMM API key

You can query your PMM Server installation for the API Key using curl and jq utilities. Replace <login>:<password>@<server_host> placeholders with your real PMM Server login, password, and hostname in the following command:

$ API_KEY=$(curl --insecure -X POST -H "Content-Type: application/json" -d '{"name":"operator", "role": "Admin"}' "https://<login>:<password>@<server_host>/graph/api/auth/keys" | jq .key)

Warning

The API key is not rotated.

Create a secret

Now you must pass the credentials to the Operator. To do so, create a Secret object.

  1. Create a Secret configuration file. You can use the deploy/secrets.yaml secrets file.

    Specify the service account token as the PMM_SERVER_TOKEN value in the secrets file:

    apiVersion: v1
kind: Secret
metadata:
  name: cluster1-pmm-secret
type: Opaque
stringData:
  PMM_SERVER_TOKEN: ""

    Specify the API key as the PMM_SERVER_KEY value in the secrets file:

    apiVersion: v1
kind: Secret
metadata:
  name: cluster1-pmm-secret
type: Opaque
stringData:
  PMM_SERVER_KEY: ""

  2. Create the Secrets object using the deploy/secrets.yaml file.

    $ kubectl apply -f deploy/secrets.yaml -n postgres-operator
    Expected output 
    secret/cluster1-pmm-secret created

Deploy a PMM Client

  1. Update the pmm section in the deploy/cr.yaml file.

    • Set pmm.enabled=true.
    • Specify your PMM Server hostname / an IP address for the pmm.serverHost option. The PMM Server IP address should be resolvable and reachable from within your cluster.
    • Specify the name of the Secret object that you created earlier
      pmm:
    enabled: true
    image: percona/pmm-client:3.3.0
#    imagePullPolicy: IfNotPresent
    secret: cluster1-pmm-secret
    serverHost: monitoring-service

  2. Update the cluster

    $ kubectl apply -f deploy/cr.yaml -n postgres-operator

  3. Check that corresponding Pods are not in a cycle of stopping and restarting. This cycle occurs if there are errors on the previous steps:

    $ kubectl get pods -n postgres-operator
$ kubectl logs <pod_name> -c pmm-client

Update the secrets file

The deploy/secrets.yaml file contains all values for each key/value pair in a convenient plain text format. But the resulting Secrets Objects contains passwords stored as base64-encoded strings. If you want to update the password field, you need to encode the new password into the base64 format and pass it to the Secrets Object.

To encode a password or any other parameter, run the following command:

$ echo -n "password" | base64 --wrap=0

$ echo -n "password" | base64

For example, to set the new service account token in the my-cluster-name-secrets object, do the following:

$ kubectl patch secret/cluster1-pmm-secret -p '{"data":{"PMM_SERVER_TOKEN": '$(echo -n <new-token> | base64 --wrap=0)'}}'

$ kubectl patch secret/cluster1-pmm-secret -p '{"data":{"PMM_SERVER_TOKEN": '$(echo -n <new-token> | base64)'}}'

Check the metrics

Let’s see how the collected data is visualized in PMM.

  1. Log in to PMM server.

  2. Click PostgreSQL from the left-hand navigation menu. You land on the Instances Overview page.

  3. Click PostgreSQLOther dashboards to see the list of available dashboards that allow you to drill down to the metrics you are interested in.

Last update: 2025-07-18