Solved: Storing Dynatrace Image in Private Registry

Starhut · ‎17 Mar 2022

Hi, we are setting up the Dynatrace Openshift monitoring (classicFullstack).

After we applied the token and apply classicFullStack.yaml, dynakube pods are not shown

dynakube-controller","msg":"problem with token detected","dynakube":"dynakube","token":"APIToken","msg":"error when querying token on secret dynatrace:dynakube: error making post request to dynatrace api: Post \"https://xxxx/e/xxxx/api/v1/tokens/lookup\": x509: certificate relies on legacy Common Name field, use SANs instead"}

dynakube-controller","msg":"paas or api token not valid","name":"dynakube"}

Did anyone have encountered a similar error before?

theharithsa · ‎17 Mar 2022

Hi @Starhut

Thanks for your question.

Looking at the error, I can see that PaaS or API token you are passing is not valid. Kindly check the right permissions while creating the token and apply the yaml file once again.

Love more, hate less; Technology for all, together we grow.

Starhut · ‎17 Mar 2022

Hi @theharithsa ,

I checked on the token permission don't find anything wrong on it.

API v1 - Access problem and event feed, metrics, and topology,

PaaS integration - Installer download

follow according to prerequisite mentioned here:

https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/openshif...

I think the token is not valid is because of the prior error there " error making Post request" that reject it.

Thanks.

Yosi_Neuman · ‎17 Mar 2022

Hi @Starhut

Wonder if the message regarding the certificate (x509: certificate relies on legacy Common Name field, use SANs instead) is info or error one ....

I would try to skip cert here

HTH

Yos

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Starhut · ‎17 Mar 2022

Hi @Yosi_Neuman

I get the statement from:

oc -n dynatrace logs -f deployment/dynatrace-operator.

Since I am using immutable image, I don't think skipcertcheck is possible. Correct me if I am wrong.

Thanks

Yosi_Neuman · ‎17 Mar 2022

Hi @Starhut ,

Please try to set skipCertCheck to true as explained in documentation

Update if the issue persist

All the best and stay safe

Yos

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Starhut · ‎17 Mar 2022

Hi @Yosi_Neuman ,

Please check this.

When using the immutable image, fields such as proxy, trustedCAs, and skipCertCheck are ignored

I am following this due to my environment is isolated from Internet.

Link

Thanks.

Yosi_Neuman · ‎17 Mar 2022

Hi @Starhut

Stand corrected.

One of our prospects had the similar issue and was able to over come it by adding the DT cluster to the allowed list in OpenShift. It was something that the OpenShift guys made and we didn't get any details how this was set.

If that will not work open a support ticket and support will be able to give you internal domain of your dynatrace cluster that can help to solve this issue.

HTH

Yos

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Peter_Ralston · ‎10 May 2022

All,

We were receiving a similar issue in GKE deployment using the v.0.5.0 & v.0.5.1 operators.

│ Last Transition Time: 2022-05-10T02:51:26Z │
│ Message: error when querying token on secret dynatrace:dynakube: error making post request to dynatrace api: Post "https://<ActiveGate URL> :9999/e/<env>/api/v1/token ││ ns/lookup": EOF │
│ Reason: TokenError ││ Status: False │
│ Type: APIToken

There seems (or is) an issue where the Service entries for Istio were not added despite being enabled in the CRD (Resource), which caused the resulting errors to occur.

We resolved the issue by manually adding the ServiceEntry and VirtualService objects
Configure Istio for OneAgent traffic in Kubernetes | Dynatrace Docs

Might help someone

Starhut · ‎10 May 2022

In the end, we generated a certificate with san.cnf, reload into the server and able to resolve the issue.