16 Sep 2025 11:07 AM
Hi Dynatrace,
We have trouble deploying CloudNative Dynatrace in OpenShift clusters.
Can you confirm that this "hybrid" architecture is valid?
- Install CloudNative Dynatrace in OpenShift clusters with Company trustedCA in Dynakube
- Private docker registry holding OneAgent and codemodules images exposing the Company certificate (green box on the left)
- ActiveGate VM with Dynatrace self signed Certificate (purple box)
- Company Internet Proxy (no certificate)
- Notice that we have many OneAgents deployed on virtual machines. These OneAgents trust the ActiveGate VM certificate.
- We don't want to change the exposed certificate of ActiveGate.
When we add the trustedCAs field in the DynaKube configuration, the communication between the OneAgent pod and the ActiveGate VM is broken (invalid certificate).
16 Sep 2025 12:13 PM
In my opinion, the problem is that when you configure a trustedCA in Kubernetes, it will use it for all outgoing communication. Now: when the OneAgents want to send out that information, it'll mismatch with the self-signed one.
You could potentially test this by adding it to one of the Environment ActiveGates and putting that one in a network zone.
If this doesn't help, I'd recommend getting Dynatrace support onboard to figure out what the best solution for you is.
19 Sep 2025 01:23 PM
Thank you for your reply @michiel_otten
It's indeed the error we are getting.
Here is the solution we chose to avoid changing the shared ActiveGate's certificates.
```yaml
apiVersion: dynatrace.com/v1beta5
kind: DynaKube
spec:
  skipCertCheck: false
  trustedCAs: companyCA
  oneAgent:
    cloudNativeFullStack:
      env:
        - name: DT_SSLVERIFYHOST
          value: "false"
        - name: DT_SSLVERIFYPEER
          value: "false"
```
Could be useful for people in the same shared ActiveGate configuration.
I found this workaround here: https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate...
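An added example, not from the thread or from Dynatrace: it reproduces the certificate mismatch described above with locally generated certificates, and shows that a PEM file holding both the company CA and the self-signed ActiveGate certificate validates both endpoints with verification left on. All host names and file names are constructed, and whether the ConfigMap referenced by `trustedCAs` accepts such a combined file is an assumption to check against the Dynatrace documentation.

```shell
#!/bin/sh
# Constructed demo: all keys and certificates are generated locally in a temp dir.
work=$(mktemp -d)

# Self-signed certificate with subject CN=$2, written to $work/$1.key and $work/$1.crt.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Leaf certificate CN=$2 issued by the CA named $3, written to $work/$1.crt.
make_issued() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -days 1 -CA "$work/$3.crt" \
    -CAkey "$work/$3.key" -CAcreateserial -out "$work/$1.crt" 2>/dev/null
}

# Exit status 0 when certificate $2 validates against the PEM trust file $1.
trusted_by() {
  openssl verify -CAfile "$work/$1" "$work/$2.crt" >/dev/null 2>&1
}

make_self_signed company-ca "Constructed Company CA"
make_self_signed activegate "activegate.example.internal"   # stands in for the ActiveGate VM
make_issued registry "registry.example.internal" company-ca # stands in for the private registry

# Trust file with both anchors: the company CA plus the ActiveGate's own certificate.
cat "$work/company-ca.crt" "$work/activegate.crt" > "$work/bundle.pem"

# Print which trust file accepts which endpoint certificate.
for store in company-ca.crt bundle.pem; do
  for cert in registry activegate; do
    if trusted_by "$store" "$cert"; then r=accepted; else r=rejected; fi
    echo "$store -> $cert: $r"
  done
done
```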