Dynatrace supports running ActiveGate in a container. As an example of a container-based deployment, this page describes how to deploy container-based ActiveGate using a StatefulSet on Kubernetes/OpenShift.
Dedicated deployments
- To monitor Kubernetes/OpenShift, select one of the following:
- To collect logs from Kubernetes, use Log Monitoring.
Prerequisites
- Create a PaaS token
- Create an individual ActiveGate token
How to create an individual ActiveGate token with the Dynatrace API
- Generate an API token. Select one of the following token scopes to limit access for security reasons:
  - Create ActiveGate tokens
  - Write ActiveGate tokens
- Save the token.
  Note: it's displayed only once.
- Use the ActiveGate tokens API - POST a token endpoint to create the token. Authorize your call with the API token you just created. For example, the following command generates an ActiveGate token with the following parameters:
  - ActiveGate type: ENVIRONMENT
  - ActiveGate token expires in: 6 months
  - ActiveGate token type: individual ActiveGate token (seedToken is false).
Command:
curl -X POST "https://{your-environment-id}.live.dynatrace.com/api/v2/activeGateTokens" \
  -H 'Authorization: Api-Token {api-token}' \
  -H 'Accept: application/json; charset=utf-8' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{
    "name": "myToken",
    "expirationDate": "now+6M",
    "seedToken": false,
    "activeGateType": "ENVIRONMENT"
  }'
You need to replace
- {your-environment-id} with your Environment ID
- {api-token} with an API token set to one of the following scopes: Create ActiveGate tokens or Write ActiveGate tokens.
Response body example:
{
  "token": "dt0g01.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E",
  "expirationTimeEpoch": 1607096737302
}
- Determine the ActiveGate communication endpoints and authentication. Use the GET connectivity information for ActiveGate API.
- Get your kube-system namespace UUID
ActiveGate image
The ActiveGate image
- Is a reusable image that doesn't contain any configuration related to your environment
- Is available in the container registry on your Dynatrace environment
To run the container, you need to provide a configuration that is specific to your environment.
Requirements
A Dynatrace ActiveGate image is supported on a variety of Kubernetes and OpenShift flavors. For a complete list, see Technology support - Kubernetes.
Available image versions
To specify the image version, use one of the tags below.
- raw: the latest raw image
- 1.sprint.patchlevel-raw: a raw image for a particular ActiveGate version (for example, 1.271.1)
Deploy ActiveGate
You need to authenticate to the registry with your environment ID as a username and a PaaS token as a password.
- Create a dedicated namespace.
- Create a secret that holds the environment URL and authentication details for this registry.
  You need to replace
  - <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
  - <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above).
    To determine your environment ID, see the syntax below.
    - SaaS: https://{your-environment-id}.live.dynatrace.com
    - Managed: https://{your-domain}/e/{your-environment-id}
  - <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites
- Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
  You need to replace
  - <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
  - <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.
- Create an ag-deployment-example.yaml file with the following content:
ag-deployment-example.yaml
apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      imagePullSecrets:
        - name: dynatrace-docker-registry
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate
- Modify your deployment YAML file.
  Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
  - <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
  - <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above)
    To determine your environment ID, see the syntax below.
    - SaaS: https://{your-environment-id}.live.dynatrace.com
    - Managed: https://{your-domain}/e/{your-environment-id}
  - <YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
    The list of server communication endpoints (communicationEndpoints) may change over time.
  - <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
Options:
- (Optional) You can change the image version by using different version tags. For instructions on specifying the image version, see Available image versions.
- (Optional) Enable AppArmor if available.
  AppArmor profile
  To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
- (Optional) Apply resource limits according to sizing hints.
  K8S monitoring and agent routing sizing hints
  The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:

Number of pods | CPU | Memory |
---|---|---|
Up to 100 pods | 500 millicores (mCores) | 512 mebibytes (MiB) |
Up to 1,000 pods | 1,000 millicores (mCores) | 1 gibibyte (GiB) |
Up to 5,000 pods | 1,500 millicores (mCores) | 2 gibibytes (GiB) |
Over 5,000 pods | over 1,500 millicores (mCores) [1] | over 2 gibibytes (GiB) [1] |

[1] Actual figures depend on your environment.
Note: These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.
- Deploy ActiveGate.
- To verify if ActiveGate has successfully connected to the Dynatrace server, select Deployment status > ActiveGates from the navigation menu.
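A pre-deployment check for the hardening settings in ag-deployment-example.yaml, as an added example that is not Dynatrace's code: it audits every container and init container of a pod template for the securityContext values the manifest sets on the activegate container, and optionally for the runtime/default AppArmor annotation. The function names and the sample dictionary are constructed for illustration; auditing init containers and requiring the annotation per container goes beyond what the page's manifest configures.

```python
# Added example (not Dynatrace code): audit a pod template's container hardening.
REQUIRED = {  # securityContext values copied from the manifest on this page
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def audit_container(container):
    """Return a list of findings for one containers/initContainers entry."""
    sc = container.get("securityContext") or {}
    findings = [f"{key} is {sc.get(key)!r}, expected {want!r}"
                for key, want in REQUIRED.items() if sc.get(key) is not want]
    dropped = [c.lower() for c in (sc.get("capabilities") or {}).get("drop") or []]
    if "all" not in dropped:
        findings.append("capabilities.drop does not include all")
    if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append("seccompProfile.type is not RuntimeDefault")
    return findings

def audit_pod_template(template, require_apparmor=False):
    """Map 'kind/name' to findings; fully hardened containers are omitted."""
    spec = template.get("spec") or {}
    annotations = (template.get("metadata") or {}).get("annotations") or {}
    report = {}
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind) or []:
            findings = audit_container(container)
            profile = annotations.get(APPARMOR_PREFIX + container["name"])
            if require_apparmor and profile != "runtime/default":
                findings.append("no runtime/default AppArmor annotation")
            if findings:
                report[f"{kind}/{container['name']}"] = findings
    return report

# Constructed sample: only the security-relevant fields of the page's template.
SAMPLE_TEMPLATE = {
    "metadata": {"labels": {"app.kubernetes.io/component": "activegate"}},
    "spec": {
        "containers": [{"name": "activegate", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["all"]},
            "privileged": False, "readOnlyRootFilesystem": True,
            "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}}],
        "initContainers": [{"name": "certificate-loader"}],  # no securityContext
    },
}
if __name__ == "__main__":
    print(audit_pod_template(SAMPLE_TEMPLATE))
```

To audit a real file, parse ag-deployment-example.yaml with a YAML parser and pass the StatefulSet's spec.template to audit_pod_template. For the manifest as printed on this page, the certificate-loader init container is reported because it declares no securityContext.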
Update behavior
ActiveGate is updated automatically on pod restart whenever there's a new version available, unless the image already specifies a certain version (for example, 1.273.1).