Description
I have installed both cert-manager and opentelemetry-operator. Other services work fine with cert-manager. However opentelemetry-operator keeps showing this error in the log and I'm not getting metrics due to it.
Steps to Reproduce
- Apply config
- Look at logs
Expected Result
No errors about certificate, and metrics show up
Actual Result
Log is filled with errors about invalid certificate, no metrics showing up
Kubernetes Version
v1.31.4
Operator version
0.136.0
Collector version
0.136.0
Environment information
Environment
OS: Arch 6.11.8-arch1-2
Log output
2025-10-19T21:52:46.839Z error targetallocator/manager.go:126 Failed to retrieve job list {"resource": {"service.instance.id": "c6954f62-10ff-49df-9515-1965610f81d4", "service.name": "otelcol-contrib", "service.version": "0.136.0"}, "otelcol.component.id": "prometheus", "otelcol.component.kind": "receiver", "otelcol.signal": "metrics", "error": "Get \"https://otelcol-targetallocator:443/scrape_configs\": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"otelcol-ca-cert\")"}
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver/targetallocator.(*Manager).sync
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver@v0.136.0/targetallocator/manager.go:126
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver/targetallocator.(*Manager).Start.func1
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver@v0.136.0/targetallocator/manager.go:81
github.com/cenkalti/backoff/v5.Retry[...]
github.com/cenkalti/backoff/v5@v5.0.3/retry.go:87
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver/targetallocator.(*Manager).Start
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver@v0.136.0/targetallocator/manager.go:91
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver.(*pReceiver).Start
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver@v0.136.0/metrics_receiver.go:121
go.opentelemetry.io/collector/service/internal/graph.(*Graph).StartAll
go.opentelemetry.io/collector/service@v0.136.0/internal/graph/graph.go:432
go.opentelemetry.io/collector/service.(*Service).Start
go.opentelemetry.io/collector/service@v0.136.0/service.go:254
go.opentelemetry.io/collector/otelcol.(*Collector).setupConfigurationComponents
go.opentelemetry.io/collector/otelcol@v0.136.0/collector.go:240
go.opentelemetry.io/collector/otelcol.(*Collector).Run
go.opentelemetry.io/collector/otelcol@v0.136.0/collector.go:310
go.opentelemetry.io/collector/otelcol.NewCommand.func1
go.opentelemetry.io/collector/otelcol@v0.136.0/command.go:39
github.com/spf13/cobra.(*Command).execute
github.com/spf13/cobra@v1.10.1/command.go:1015
github.com/spf13/cobra.(*Command).ExecuteC
github.com/spf13/cobra@v1.10.1/command.go:1148
github.com/spf13/cobra.(*Command).Execute
github.com/spf13/cobra@v1.10.1/command.go:1071
main.runInteractive
github.com/open-telemetry/opentelemetry-collector-releases/contrib/main.go:70
main.run
github.com/open-telemetry/opentelemetry-collector-releases/contrib/main_others.go:10
main.main
github.com/open-telemetry/opentelemetry-collector-releases/contrib/main.go:63
runtime.main
runtime/proc.go:283
Additional context
kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
  - name: opentelemetry-operator
    releaseName: opentelemetry-operator
    repo: https://open-telemetry.github.io/opentelemetry-helm-charts
    version: 0.97.0
    valuesFile: values.yaml
    namespace: monitoring
namespace: monitoring
resources:
  - opentelemetry-collector.yaml
values.yaml
manager:
  featureGatesMap:
    operator.targetallocator.mtls: true
  collectorImage:
    repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib
opentelemetry-collector.yaml
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: otelcol
spec:
  mode: statefulset
  upgradeStrategy: automatic
  serviceAccount: opentelemetry-allocator-sa
  targetAllocator:
    enabled: true
    serviceAccount: opentelemetry-allocator-sa
    prometheusCR:
      enabled: true
      podMonitorSelector: {}
      serviceMonitorSelector: {}
  config:
    receivers:
      prometheus:
        config:
          scrape_configs:
            - job_name: otel-collector
              scrape_interval: 10s
              static_configs:
                - targets: ["0.0.0.0:8888"]
            - job_name: node-exporter
              static_configs:
                - targets: ["archlinux:9100", "pi.hole:9100"]
            - job_name: nvidia-smi
              static_configs:
                - targets: ["archlinux:9835"]
            - job_name: rpi
              static_configs:
                - targets: ["pi.hole:9110"]
            - job_name: fail2ban
              static_configs:
                - targets: ["pi.hole:9191"]
            - job_name: crowdsec
              static_configs:
                - targets: ["pi.hole:6060", "pi.hole:60601"]
    processors:
      batch: {}
      attributes/cluster:
        actions:
          - key: cluster
            value: k8s
            action: insert
    exporters:
      prometheusremotewrite:
        endpoint: http://prometheus-operated:9090/api/v1/write
        tls:
          insecure: true
    service:
      pipelines:
        metrics:
          receivers: [prometheus]
          processors: [attributes/cluster, batch]
          exporters: [prometheusremotewrite]
kubectl describe certificate -n monitoring otelcol-ca-cert -o yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: "2025-10-19T21:47:43Z"
  generation: 1
  labels:
    app.kubernetes.io/component: opentelemetry-targetallocator
    app.kubernetes.io/instance: monitoring.otelcol
    app.kubernetes.io/managed-by: opentelemetry-operator
    app.kubernetes.io/name: otelcol-ca-cert
    app.kubernetes.io/part-of: opentelemetry
    app.kubernetes.io/version: latest
  name: otelcol-ca-cert
  namespace: monitoring
  ownerReferences:
  - apiVersion: opentelemetry.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: TargetAllocator
    name: otelcol
    uid: c2d1aeef-5f1c-450d-8b26-ae55054a7507
  resourceVersion: "218930758"
  uid: f66329a9-aab1-437a-971d-dbecd904e2cc
spec:
  commonName: otelcol-ca-cert
  isCA: true
  issuerRef:
    kind: Issuer
    name: otelcol-self-signed-issuer
  secretName: otelcol-ca-cert
  subject:
    organizationalUnits:
    - opentelemetry-operator
status:
  conditions:
  - lastTransitionTime: "2025-10-19T21:47:43Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2026-01-17T09:25:18Z"
  notBefore: "2025-10-19T09:25:18Z"
  renewalTime: "2025-12-18T09:25:18Z"
Tip
React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it. Learn more here.