Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Frequent Guest


Trying to scrap a posgresdb Prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrap the metrics works perfectly when using the proper cacert: curl  --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics

The ActiveGate installed by the Dynatrace operator is missing the root CA chain needed to query the prometheus exporter successfully. I identified the following logs in the k8s AG:

023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour] PKIX path building failed: unable to find valid certification path to requested target
at java.base/ Source)

A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to Activegates. A second option would be to add permanently to the AG keystore the CA certificates. But I don't know how to deal with that in the dynakube.yaml. Any clue how to add custom CAs to an ActiveGate installed by the Dynatrace operator?




Community Team
Community Team

Hello @Luc_ ,
Let me know if you still face that issue or maybe you've found the solution already. I'll try my best to help!

Hello Izabela,

Thank you for your help.

No. I didn't succeed to scrap a prometheus exporter through "Full" SSL with DT. I succeeded with Prometheus to use TLS authentication, but not with DT. Anyway, I disabled the Certificate validation check with the following annotation: "true"

That's ok for the moment. But if you succeded to create the right configmap or secret and the annoations in DT, I would be pleased to see how you have done.

I'm facing the same kind of issue when instead of using tls and certificate to scrape a prometheus exporter => When I have to use a bearer_token to authenticate on the prometheus exporter.  .  I've not found a DT annotation to add in the HTTP request Header: Authorization: Bearer<token>. A token is needed for instance to scrape sonarqube exporter on port 9000. It works fine with prometheus by using the following key value:

bearer_token: <token> in the prometheus yaml config or in the ServiceMonitor => but an annotation like the following don't work either with DT:{bearer_token, bearerToken, token} : <token>

Here is the URL describing the sonaqube API monitoring via Prometheus with a token used in the HTTP header of the request:

Community Team
Community Team

Hi @Luc_ ,

Thank you so much for sharing so many details and your workaround. 👏 I'm sure it will be very helpful to other Community members! 🚀

Featured Posts