When you start monitoring a service that requires a TLS certificate to be able to connect to the database, PMM Client creates the following artifacts:

• a directory per agent type in /usr/local/percona/pmm/tmp, where the certificates get persisted to the file system, ex: ../tmp/agent_type_mysqld_exporter/2d44b1ba-5131-4fbd-8dc0-aae0f23b043b with three certificates inside, including the private certificate

• additional directories, which depend on the exporter type, for example: ../tmp/check-mysql-connection or ../tmp/get-mysql-info

Later, when the service is removed, some of the certificates are still kept on disk instead of being deleted.

We think this could be a problem from two perspectives:

• unnecessary use of disk space

• security (especially the private key)

Solution

Implement an additional step to the service removal routine where all the certificates and intermediary files related to the services being removed are deleted from the file system.