Configure Istio for OneAgent traffic in OpenShift

Istio is a service mesh that helps running distributed microservice architectures. Istio uses the sidecar pattern to deploy a proxy to pods which then intercepts network traffic between your microservices. The standard configuration of the Istio-enabled pods is to redirect all outbound traffic to the sidecar proxy within every pod. This also includes the communication of Dynatrace OneAgent code-modules and therefore the OneAgent cannot send the monitoring data to the cluster.

This topic describes how to configure Istio for enabling egress traffic to your Dynatrace environment.

Prepare Dynatrace tokens

Get a Platform-as-a-Service token to query the list of communication endpoints for the OneAgent. This token is later referenced as {token}.

Configure a ServiceEntry object

Get the list of available communication endpoints for your environment.

For this you need to make a GET call to the REST endpoint of your Dynatrace environment. Don't forget to adapt the respective placeholders {environmentID} and {token}.

https://{your-domain}/e/{environmentID}/api/v1/deployment/installer/agent/connectioninfo?Api-Token={token}

In return, you get a JSON object that covers the communicationEndpoints. The list of endpoints may look like this.

{
   ...
   "communicationEndpoints": [
      "https://gateway1.internal:9999/communication",
      "https://10.0.0.1:9999/communication",
      "https://gateway2.live.ruxit.com/communication",
      "https://gateway3.live.ruxit.com/communication"
   ]
}

Save the following snippet with the service entries to a file istio-oneagent-serviceentries.yaml and adapt the content to suit your communication endpoints from your JSON response above. The snippet below covers multiple ServiceEntry and VirtualService definitions.

  • Endpoints with a hostname that run on the same port (e.g. 9999 or 443) can be grouped in an HTTPS ServiceEntry and VirtualService combination.
  • Each endpoint with an IP address should be handled in its own TCP ServiceEntry.

Create the ServiceEntry and VirtualService objects

Create the ServiceEntry and VirtualService configuration from the saved file. We recommend to create the ServiceEntry and VirtualService resources in a dynatrace namespace.

$ oc -n dynatrace create -f istio-oneagent-serviceentries.yaml

Remove the ServiceEntry and VirtualService objects

In case you uninstalled the OneAgent you'll also need to remove the ServiceEntry configurations.

$ oc -n dynatrace delete -f istio-oneagent-serviceentries.yaml