Updated MySQL Prometheus documentation

[algchoo]

Changes

• updated the minimum exporter version, example configuration, and additional install info
• updated the minimum supported version in metadata

Details

The latest version of the MySQL Prometheus exporter works with MySQL 5.7 and MySQL 8.0.34. This new version of the exporter removes the DATA_SOURCE_NAME environment variable and instead we can pass in the --mysqld.username argument and the MYSQLD_EXPORTER_PASSWORD environment variable for authentication, or we can mount a configuration file with the credentials in it and pass the --config.my-cnf=<PATH_TO_MOUNTED_CONFIG_FILE>.

Example configuration file:

[client]
user=root
password=password

I'm not sure which option to go with for the example configuration and wanted to get an opinion, we could change it to look something like

config_mods: |
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-exporter-config
data:
  .my-cnf: |
    [client]
    user=root
    password=password
-------
  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    name: mysql
  spec:
    serviceName: mysql
    selector:
      matchLabels:
  +     app.kubernetes.io/name: mysql
    template:
      metadata:
        labels:
  +       app.kubernetes.io/name: mysql
      spec:
        containers:
  +     - name: exporter
  +       image: prom/mysqld-exporter:v0.15.0
  +       args:
  +         - --config.my-cnf=<PATH_TO_MOUNTED_CONFIGURATION>
  +       ports:
  +       - containerPort: 9104
  +         name: prometheus
  +       volumeMounts:
  +       - mountPath: /home/.my.cnf
  +         subPath: .my.cnf
  +         name: mysql-exporter-config
        - image: mysql:5.7
          name: mysql
          env:
          - name: MYSQL_ROOT_PASSWORD
            value: password
          - name: MYSQL_USER
            value: sbtest
          - name: MYSQL_PASSWORD
            value: password
          - name: MYSQL_DATABASE
            value: sbtest
          ports:
          - containerPort: 3306
            name: mysql

[yqlu]

Looking at the mysql-exporter README, I think the config map approach is more recommended as a best practice for security:

To avoid putting sensitive information like username and password in the URL, you can have multiple configurations in config.my-cnf file and match it by adding &auth_module=<section> to the request.

On the topic of best practices, I see that we're defining a non-root user for mysql in this toy example:

          - name: MYSQL_USER
            value: sbtest
          - name: MYSQL_PASSWORD
            value: password

So should we use that instead of root for the exporter's auth?

Happy to help test this if you update the yaml!

[algchoo]

Looking at the mysql-exporter README, I think the config map approach is more recommended as a best practice for security:

To avoid putting sensitive information like username and password in the URL, you can have multiple configurations in config.my-cnf file and match it by adding &auth_module=<section> to the request.

On the topic of best practices, I see that we're defining a non-root user for mysql in this toy example:

          - name: MYSQL_USER
            value: sbtest
          - name: MYSQL_PASSWORD
            value: password

So should we use that instead of root for the exporter's auth?

Happy to help test this if you update the yaml!

Sounds good, I will update the documentation to show the example that uses the configuration file. The non-root user that is defined is used while running sysbench to generate load. I attempted to use that user for to authenticate against the exporter and they didn't have the appropriate permissions, so I went back to using the root user.

[algchoo]

@yqlu For this repo the name of the branch that'll have changes is dashboards/currency-test.

[yqlu]

I tried applying this yaml and got

create Pod mysql-0 in StatefulSet mysql failed error: Pod "mysql-0" is invalid: spec.containers[1].volumeMounts[0].name: Not found: "mysql-exporter-config"

Looks like we need to define a volume that corresponds to the volumeMount?

[algchoo]

I've updated the yaml to include a volumeMount and I'm wondering, do we want the + symbols with the configmap that is included in the example as well?

[yqlu]

I think so.

In some cases like the nginx one, you can reasonably expect that anyone setting up nginx on k8s will have a configmap set up, so we just use "+"s to indicate the lines they need to add to the config map.

In this case, if you already had a mysql instance up and running, and then you were adding an exporter, you wouldn't already have a configmap with credentials beforehand, so the volume, volumemount, configmap are all indicated with "+"s.

Does that make sense?

[algchoo]

I believe so, I pushed changes to include the + symbols with the configmap unsure if we need all of them.

[yqlu]

As per the other example, we can update https://github.com/GoogleCloudPlatform/prometheus-engine/blob/main/examples/mysql/exporter.yaml.snippet directly (after addressing the other comments here)

But unlike the consul example, this PR doesn't become completely obsolete -- we do still need to update this file because of the change you made in line 70 (additional_install_info).

[algchoo]

Sounds good, just for clarity I wanted to make sure that the line you're mentioning here doesn't need to be changed? We just want to update things in this repo and the other one, right?

[yqlu]

Yep