unable to load specified CA cert in target allocator #3572
Comments
I'm noticing this error too, and I think it's related to enabling the Target Allocator's mTLS feature flag. I have kube-state-metrics deployed, which deploys a ServiceMonitor with the TLS section filled out. When the Target Allocator discovers this, it's throwing this error at the receiver trying to discover the certificate described in the ServiceMonitor. I had this halfway configured from some earlier work on this feature, and I missed a few key steps:
After fixing those two issues, I no longer see the periodic issue when the TA discovers a ServiceMonitor with a TLS block.
thank you @mtthwcmpbll
and also in the operator logs I can see:
but I still see the issue in the collectors:
can it be related to the fact that the operator has this log?
and the main issue still exists:
Component(s)
target allocator
What happened?
Description
I'm trying to run TA with Prom CR, while using autoGenerateCert true and certManager false.
I see the secret is populated:
```yaml
apiVersion: v1
data:
  ca.crt: ++++++++
  tls.crt: ++++++++
  tls.key: ++++++++
kind: Secret
metadata:
  annotations:
    helm.sh/hook: 'pre-install,pre-upgrade'
    helm.sh/hook-delete-policy: before-hook-creation
    kubectl.kubernetes.io/last-applied-configuration: >-
      {"apiVersion":"v1","data":{"ca.crt":"++++++++","tls.crt":"++++++++","tls.key":"++++++++"},"kind":"Secret","metadata":{"annotations":{"helm.sh/hook":"pre-install,pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation"},"labels":{"app.kubernetes.io/component":"webhook","app.kubernetes.io/instance":"<cluster_name>-opentelemetry-operator","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"opentelemetry-operator","app.kubernetes.io/version":"0.94.0","argocd.argoproj.io/instance":"<cluster_name>-opentelemetry-operator","helm.sh/chart":"opentelemetry-operator-0.48.0"},"name":"<cluster_name>-opentelemetry-operator-controller-manager-service-cert","namespace":"opentelemetry"},"type":"kubernetes.io/tls"}
  creationTimestamp: '2024-12-23T08:55:47Z'
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: <cluster_name>-opentelemetry-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: opentelemetry-operator
    app.kubernetes.io/version: 0.94.0
    argocd.argoproj.io/instance: <cluster_name>-opentelemetry-operator
    helm.sh/chart: opentelemetry-operator-0.48.0
  name: >-
    <cluster_name>-opentelemetry-operator-controller-manager-service-cert
  namespace: opentelemetry
  resourceVersion: '665456594'
  uid: a5c19d0f-414c-40b5-a4da-7da52cde746a
type: kubernetes.io/tls
```
but still can't get it to work.
Also tried to mount it in the collector crd:
```yaml
volumes:
  - name: prometheus-certs
    secret:
      secretName: {{ .Values.scraper.prometheusSecretName }}
      items:
        - key: ca.crt
          path: {{ .Values.scraper.prometheusSecretPath }}
containers:
  - name: otel-scraper
    volumeMounts:
      - name: prometheus-certs
        mountPath: /etc/prometheus/certs/
        readOnly: true
```
and still getting the same error
Steps to Reproduce
Install operator and enable target allocator with self-signed certs
Expected Result
I'm able to scrape targets over https
Actual Result
Getting error creating new scrape pool
Kubernetes Version
1.30.0
Operator version
0.94.0
Collector version
0.94.0
Environment information
Environment
OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")
Log output
Additional context
No response