Showing results for 
Show  only  | Search instead for 
Did you mean: 

k8s dynatrace operator ActiveGate scraping prometheus exporter in SSL : CA certificates ?



Trying to scrap a posgresdb prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrap the metrics works perfectly when using the proper cacert: curl  --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics

The activegate installed by the dyntrace operator is missing the root CA chain to query successfully the prometheus exporter. I identified the following logs in the k8s AG:

023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour] PKIX path building failed: unable to find valid certification path to requested target
at java.base/ Source)

A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to Activegates. A second option would be to add permanently to the AG keystore the CA certificates. But I don't know how to deal with that in the dynakube.yaml.  Any clue how to add custom CAs to an activegate installed by the dynatrace operator ?