topic How to add custom CAs to an ActiveGate installed by the Dynatrace operator? in Container platforms

How to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Anonymous — Fri, 08 Mar 2024 12:59:44 GMT

Hello,

Trying to scrap a posgresdb Prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrap the metrics works perfectly when using the proper cacert: curl --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics

The ActiveGate installed by the Dynatrace operator is missing the root CA chain needed to query the prometheus exporter successfully. I identified the following logs in the k8s AG:

023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour]
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)

A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to Activegates. A second option would be to add permanently to the AG keystore the CA certificates. But I don't know how to deal with that in the dynakube.yaml. Any clue how to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Thx,

Luc

Re: How to add custom CAs to an activegate installed by the dynatrace operator?

IzabelaRokita — Mon, 18 Dec 2023 10:40:37 GMT

Hello @Anonymous ,
Let me know if you still face that issue or maybe you've found the solution already. I'll try my best to help!

Re: How to add custom CAs to an activegate installed by the dynatrace operator?

Anonymous — Mon, 18 Dec 2023 10:57:06 GMT

Hello Izabela,

Thank you for your help.

No. I didn't succeed to scrap a prometheus exporter through "Full" SSL with DT. I succeeded with Prometheus to use TLS authentication, but not with DT. Anyway, I disabled the Certificate validation check with the following annotation:

metrics.dynatrace.com/insecure_skip_verify: "true"

That's ok for the moment. But if you succeded to create the right configmap or secret and the annoations in DT, I would be pleased to see how you have done.

I'm facing the same kind of issue when instead of using tls and certificate to scrape a prometheus exporter => When I have to use a bearer_token to authenticate on the prometheus exporter. . I've not found a DT annotation to add in the HTTP request Header: Authorization: Bearer<token>. A token is needed for instance to scrape sonarqube exporter on port 9000. It works fine with prometheus by using the following key value:

bearer_token: <token> in the prometheus yaml config or in the ServiceMonitor => but an annotation like the following don't work either with DT:

metrics.dynatrace.com/{bearer_token, bearerToken, token} : <token>

Here is the URL describing the sonaqube API monitoring via Prometheus with a token used in the HTTP header of the request:

https://dev.irpteam.com/sq/documentation/instance-administration/monitoring/

Re: How to add custom CAs to an activegate installed by the dynatrace operator?

IzabelaRokita — Tue, 19 Dec 2023 07:51:09 GMT

Hi @Anonymous ,

Thank you so much for sharing so many details and your workaround. 👏 I'm sure it will be very helpful to other Community members! 🚀