darynakovyrina
Dynatrace Mentor

The underlying host's container runtime doesn't contain the certificate presented by your endpoint.

The skipCertCheck field in the DynaKube YAML doesn't control this certificate check. Additionally, the trustedCAs field in the DynaKube YAML is used to add custom Root Certificate Authorities for communication with the Dynatrace API and does not apply to the ActiveGate.

Example error (the error message may vary):

desc = failed to pull and unpack image "<environment>/linux/activegate:latest": failed to resolve reference "<environment>/linux/activegate:latest": failed to do request: Head "<environment>/linux/activegate/manifests/latest": x509: certificate signed by unknown authority
Warning Failed ... Error: ErrImagePull
Normal BackOff ... Back-off pulling image "<environment>/linux/activegate:latest"
Warning Failed ... Error: ImagePullBackOff
  

In this example, if the description on your pod shows x509: certificate signed by unknown authority, you must fix the certificates on your Kubernetes hosts, or use the private repository configuration to store the images. Additionally, for issues related to Dynatrace API communication, you can use the trustedCAs configuration in the DynaKube YAML to trust additional RootCAs. This involves adding custom RootCAs from a configmap where the key to the data must be "certs". This setting is specifically for enhancing security in API communications and does not influence the ActiveGate's certificate handling.

Last update: 16 Jan 2024 03:23 AM
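The x509 error in the article means the registry endpoint's certificate chain does not verify against the trust bundle the container runtime uses. The script below is an added example, not part of the original article or of Dynatrace's tooling: it reproduces that condition offline with a constructed CA and certificate (all names and file names are made up) and reads off the issuer the host would need to trust.

```shell
#!/usr/bin/env bash
# Constructed, offline reproduction of "x509: certificate signed by unknown authority".
# "Example Internal CA", "registry.example.internal" and "Unrelated CA" are invented.

make_pki() {  # $1 = work dir: private CA, a leaf it signs, and an unrelated CA
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=registry.example.internal" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Stand-in for a host trust bundle that does not contain the issuing CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

chain_trusted() {  # $1 = trust bundle, $2 = certificate; true only if it verifies
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

issuer_of() {  # $1 = certificate; prints the issuer the trust bundle must contain
  openssl x509 -in "$1" -noout -issuer
}

# Demo: the same certificate checked against two different trust bundles.
work=$(mktemp -d)
make_pki "$work"
for bundle in other.pem ca.pem; do
  if chain_trusted "$work/$bundle" "$work/leaf.pem"; then
    echo "$bundle: chain verifies, the image pull would pass the TLS check"
  else
    echo "$bundle: unknown authority, bundle lacks $(issuer_of "$work/leaf.pem")"
  fi
done
rm -rf "$work"
```

On a real node, the same check applies with the host's CA bundle as the first argument and the certificate saved from your registry endpoint as the second.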
Comments
Brijesh_Saw
Observer

Hi @darynakovyrina,

I have faced the same issue with operator version v0.14.0, where I got to know that there is an issue with the operator itself, and I rolled back to an old operator version.
Can you please try the same with a different operator version?

Thanks and Regards

sirbaughmf
Newcomer_

We too have this issue. What exactly is the fix for this issue? As I understand it, adding a configMap and enabling trustedCAs is not the answer, as it doesn't apply to the OCP Active Gate. Thus, what is the solution or workaround?

Much thx! Marcie

ronaldnnr
Newcomer

Does anyone have a solution for this problem? I have the same problem.

gopher
Mentor

All, 

After v0.14.0, the typical solution for this (One Agent, Active Gate, Operator) is to use the following annotation in the CRD:

feature.dynatrace.com/no-proxy: "<your internal repository>"

This will allow for the connectivity to your private repository.

This will allow communication to the private repository without going through the proxy and will allow for not using pull secrets on One Agent, Active Gate, Operator. If you are using 'code-module images', you must have pull secrets at this point in time for it to download.

Thanks