04 Oct 2023 12:05 PM - last edited on 08 Oct 2023 12:48 PM by MaciejNeumann
Hello,
Trying to scrape a postgresdb Prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrape the metrics works perfectly when using the proper cacert: curl --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics
The ActiveGate installed by the Dynatrace operator is missing the root CA chain to successfully query the Prometheus exporter. I identified the following logs in the k8s AG:
023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour]
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to ActiveGates. A second option would be to permanently add the CA certificates to the AG keystore. But I don't know how to deal with that in the dynakube.yaml. Any clue how to add custom CAs to an ActiveGate installed by the Dynatrace operator?
Thx,
Luc