How to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Luc_
Frequent Guest

Hello,

Trying to scrape a postgresdb Prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrape the metrics works perfectly when using the proper cacert: curl --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics

The ActiveGate installed by the Dynatrace operator is missing the root CA chain needed to query the prometheus exporter successfully. I identified the following logs in the k8s AG:

023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour]
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)

A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to ActiveGates. A second option would be to add the CA certificates permanently to the AG keystore. But I don't know how to deal with that in the dynakube.yaml. Any clue how to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Thx,

Luc

3 REPLIES

IzabelaRokita
Community Team

Hello @Luc_ ,
Let me know if you still face that issue or maybe you've found the solution already. I'll try my best to help!

Hello Izabela,

Thank you for your help.

No. I didn't succeed in scraping a Prometheus exporter through "full" SSL with DT. I succeeded with Prometheus using TLS authentication, but not with DT. Anyway, I disabled the certificate validation check with the following annotation:

metrics.dynatrace.com/insecure_skip_verify: "true"

That's OK for the moment. But if you succeeded in creating the right ConfigMap or Secret and the annotations in DT, I would be pleased to see how you have done it.

I'm facing the same kind of issue when, instead of using TLS and a certificate to scrape a Prometheus exporter, I have to use a bearer_token to authenticate on the Prometheus exporter. I've not found a DT annotation to add to the HTTP request header: Authorization: Bearer <token>. A token is needed, for instance, to scrape the SonarQube exporter on port 9000. It works fine with Prometheus by using the following key/value:

bearer_token: <token> in the Prometheus YAML config or in the ServiceMonitor => but an annotation like the following doesn't work either with DT:

metrics.dynatrace.com/{bearer_token, bearerToken, token} : <token>

Here is the URL describing the SonarQube API monitoring via Prometheus with a token used in the HTTP header of the request:

https://dev.irpteam.com/sq/documentation/instance-administration/monitoring/
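The failure mode discussed in this thread, as an added Go example that is not part of the post or of Dynatrace's own code: it generates a private CA and an exporter certificate in-process (stand-ins for myCA.pem and the exporter's certificate), starts a TLS-only /metrics endpoint that also expects a bearer token, then scrapes it four ways. A client with only the default trust store fails with x509.UnknownAuthorityError, Go's counterpart of the "PKIX path building failed" line in the ActiveGate log; trusting the private CA, which is what curl --cacert myCA.pem does, succeeds; InsecureSkipVerify, the equivalent of the insecure_skip_verify annotation, also succeeds but would accept any certificate presented on that address; and the right CA with a wrong token gets a 401, which is the bearer-token case. The CA name, metric line and token value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

const scrapeToken = "constructed-example-token" // constructed for the demo, not a real credential

// newPKI generates in-process a private CA (the stand-in for myCA.pem) and an exporter leaf it signs.
func newPKI() (*x509.Certificate, tls.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	ca, _ := x509.ParseCertificate(caDER) // re-parse so the CA carries its generated key identifier
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "prometheus-exp-svcname.ns"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, nil
}

// startExporter serves a TLS-only /metrics that also demands a bearer token, like the SonarQube exporter in the thread.
func startExporter(leaf tls.Certificate) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+scrapeToken {
			http.Error(w, "missing or wrong bearer token", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "pg_up 1") // constructed sample metric line
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	return srv
}

// scrape does one GET /metrics with the given client TLS settings and bearer token.
func scrape(base string, tlsCfg *tls.Config, token string) error {
	req, _ := http.NewRequest(http.MethodGet, base+"/metrics", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}, Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return err // handshake failures surface here, before any HTTP exchange
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("exporter answered HTTP %d", resp.StatusCode)
	}
	return nil
}

// Result holds one verdict per trust configuration tried against the exporter.
type Result struct{ SystemRoots, UnknownAuthority, CustomCA, SkipVerify, WrongToken bool }

func run() (Result, error) {
	var res Result
	ca, leaf, err := newPKI()
	if err != nil {
		return res, err
	}
	srv := startExporter(leaf)
	defer srv.Close()
	err = scrape(srv.URL, &tls.Config{}, scrapeToken) // 1. default trust store, the ActiveGate's situation
	res.SystemRoots = err == nil
	res.UnknownAuthority = errors.As(err, new(x509.UnknownAuthorityError)) // Go's "PKIX path building failed"
	pool := x509.NewCertPool() // 2. trust exactly the private CA: the curl --cacert myCA.pem equivalent
	pool.AddCert(ca)
	res.CustomCA = scrape(srv.URL, &tls.Config{RootCAs: pool}, scrapeToken) == nil
	// 3. insecure_skip_verify: the scrape "works", but any certificate would have been accepted
	res.SkipVerify = scrape(srv.URL, &tls.Config{InsecureSkipVerify: true}, scrapeToken) == nil
	// 4. right CA, wrong token: TLS succeeds but the exporter answers 401
	res.WrongToken = scrape(srv.URL, &tls.Config{RootCAs: pool}, "not-the-token") == nil
	return res, nil
}

func main() { fmt.Println(run()) }
```

Running it with go run prints the Result struct. The point it makes about the log line above: the scraper needs the private CA in its trust store (case 2), and skipping verification (case 3) only hides the error while leaving the scrape open to any endpoint that answers on that address; the bearer token is a separate layer that TLS trust does not replace (case 4).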

IzabelaRokita
Community Team

Hi @Luc_ ,

Thank you so much for sharing so many details and your workaround. 👏 I'm sure it will be very helpful to other Community members! 🚀
