06 Dec 2023 08:00 AM - edited 16 Jan 2024 03:23 AM
The underlying host's container runtime doesn't contain the certificate presented by your endpoint. The skipCertCheck field in the DynaKube YAML doesn't control this certificate check. Additionally, the trustedCAs field in the DynaKube YAML is used to add custom Root Certificate Authorities for communication with the Dynatrace API and does not apply to the ActiveGate.
Example error (the error message may vary):
desc = failed to pull and unpack image "<environment>/linux/activegate:latest": failed to resolve reference "<environment>/linux/activegate:latest": failed to do request: Head "<environment>/linux/activegate/manifests/latest": x509: certificate signed by unknown authority
Warning Failed ... Error: ErrImagePull
Normal BackOff ... Back-off pulling image "<environment>/linux/activegate:latest"
Warning Failed ... Error: ImagePullBackOff
In this example, if the description on your pod shows x509: certificate signed by unknown authority, you must fix the certificates on your Kubernetes hosts, or use the private repository configuration to store the images. Additionally, for issues related to Dynatrace API communication, you can use the trustedCAs configuration in the DynaKube YAML to trust additional RootCAs. This involves adding custom RootCAs from a configmap where the key to the data must be "certs". This setting is specifically for enhancing security in API communications and does not influence the ActiveGate's certificate handling.
Hi @darynakovyrina,
I have faced the same issue with operator version v0.14.0, where I got to know that there is an issue with the operator itself, and I rolled back to an old operator version.
Can you please try the same with a different operator version?
Thanks and Regards
We too have this issue. What exactly is the fix for this issue? As I understand it, adding configMap and enabling trustedCAs is not the answer as it doesn't apply to the OCP Active Gate. Thus, what is the solution or workaround?
Much thx! Marcie
All,
After v0.14.0, the typical solution for this (One Agent, Active Gate, Operator) is to use the following annotation in the CRD:
feature.dynatrace.com/no-proxy: "<your internal repository>"
and this will allow for the connectivity to your private repository.
This will allow communication to the private repository without going through the proxy and will allow for not using pull secrets on One Agent, Active Gate, Operator. If you are using 'code-module images' you must have pull secrets at this point in time for it to download.
Thanks