
k8s Dynatrace operator ActiveGate scraping Prometheus exporter in SSL: CA certificates?

Luc_
Visitor

Hello,

Trying to scrape a postgresdb Prometheus exporter running on a k8s cluster. A curl command executed in the scope/context of a pod exec to scrape the metrics works perfectly when using the proper cacert:

curl --cacert myCA.pem https://prometheus-exp-svcname.ns:9187/metrics

The ActiveGate installed by the Dynatrace operator is missing the root CA chain to successfully query the Prometheus exporter. I identified the following logs in the k8s AG:

023-10-04 08:28:52 UTC INFO [<b282df91-57f8-42d2-bcf1-7ecf65d0165f>] [HttpClientStatisticsSfmConsumerImpl] Query failed for endpoint /metrics on DirectIp with statusReason: SslError. [Suppressing further identical messages for 1 hour]
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)

A first idea was to add the CA certs in the dynakube.yaml in the block "trustedCAs", but it does not apply to ActiveGates. A second option would be to permanently add the CA certificates to the AG keystore. But I don't know how to deal with that in the dynakube.yaml. Any clue how to add custom CAs to an ActiveGate installed by the Dynatrace operator?

Thx,

Luc
