
Is Hybrid architecture (shared ActiveGates between OneAgent in VM and OneAgent in container) valid?

prgss
Frequent Guest

Hi Dynatrace,

We have trouble deploying CloudNative Dynatrace in OpenShift clusters.
Can you confirm that this "hybrid" architecture is valid?

dynatrace-noname.png

- Install CloudNative Dynatrace in OpenShift clusters with Company trustedCA in Dynakube

- Private docker registry holding OneAgent and codemodules images exposing the Company certificate (green box on the left)

- ActiveGate VM with Dynatrace self signed Certificate (purple box)

- Company Internet Proxy (no certificate)

- Notice that we have many OneAgents deployed in virtual machines. These OneAgents trust the ActiveGate VM Certificate.

- We don't want to change the exposed certificate of ActiveGate.

 

When we add the trustedCAs field in the DynaKube configuration, the communication between the OneAgent pod and the ActiveGate VM is broken (invalid certificate).

 broken-cert.png

 

2 REPLIES

In my opinion, the problem is that when you configure a trustedCA in Kubernetes, it will use it for all outgoing communication. Now: when the OneAgents want to send out that information, it'll mismatch with the self-signed one.
You could potentially test this by adding it to one of the Environment ActiveGates and putting that one in a network zone.

If this doesn't help, I'd recommend getting Dynatrace support onboard to figure out what the best solution for you is.

michiel_otten_0-1758021178503.png

 

#Performance matter!

prgss
Frequent Guest

Thank you for your reply @michiel_otten

It's indeed the error we are getting.

Here is the solution we chose to avoid changing the shared ActiveGate's certificates.

  • We choose to not ignore the certificate.
  • We inject the trustedCAs to authorize the communication between CSI and Docker Registry to download the code module.
  • We add 2 env vars to OneAgent to ignore the self-signed certificate

apiVersion: dynatrace.com/v1beta5
kind: DynaKube
spec:
  skipCertCheck: false
  trustedCAs: companyCA
  oneAgent:
    cloudNativeFullStack:
      env:
        - name: DT_SSLVERIFYHOST
          value: "false"
        - name: DT_SSLVERIFYPEER
          value: "false"

Could be useful for people in the same shared ActiveGate configuration.
 
I found this workaround here : https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate...
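
An added example, not part of the thread and not Dynatrace tooling: a small audit that lists which TLS checks a DynaKube like the one posted above turns off, so the exception stays visible in configuration review. It assumes the resource has been exported as JSON; the sample object and its metadata name are constructed, and only the literal value "false" is treated as disabling a check.

```python
import json

# Constructed sample: the DynaKube from the post above, expressed as JSON.
# The metadata name is a placeholder, not a value from the thread.
SAMPLE = json.loads("""
{
  "apiVersion": "dynatrace.com/v1beta5",
  "kind": "DynaKube",
  "metadata": {"name": "example-dynakube"},
  "spec": {
    "skipCertCheck": false,
    "trustedCAs": "companyCA",
    "oneAgent": {"cloudNativeFullStack": {"env": [
      {"name": "DT_SSLVERIFYHOST", "value": "false"},
      {"name": "DT_SSLVERIFYPEER", "value": "false"}
    ]}}
  }
}
""")

# The two env vars the post sets so that OneAgent ignores the certificate.
VERIFY_VARS = {"DT_SSLVERIFYHOST", "DT_SSLVERIFYPEER"}


def audit_dynakube(obj):
    """Return (path, finding) pairs for settings that switch off certificate checks."""
    findings = []
    spec = obj.get("spec") or {}
    if spec.get("skipCertCheck") is True:
        findings.append(("spec.skipCertCheck", "certificate check skipped"))
    # Walk every OneAgent mode present instead of assuming cloudNativeFullStack.
    for mode, cfg in (spec.get("oneAgent") or {}).items():
        if not isinstance(cfg, dict):
            continue  # scalar fields under oneAgent carry no env list
        for var in cfg.get("env") or []:
            name = var.get("name")
            value = str(var.get("value", "")).strip().lower()
            if name in VERIFY_VARS and value == "false":
                findings.append((f"spec.oneAgent.{mode}.env.{name}",
                                 "OneAgent certificate verification disabled"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_dynakube(SAMPLE):
        print(f"{path}: {finding}")
```

For the posted configuration this reports the two OneAgent env vars and nothing for `skipCertCheck`, which matches the post: the certificate check is kept everywhere except in the OneAgent pods.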
