Deploy ActiveGate in a VM for Kubernetes monitoring

If you want to monitor several Kubernetes clusters with one ActiveGate and don't need to separate networks for administrative or operational traffic, you can deploy a classic ActiveGate in a virtual machine to connect your clusters to Dynatrace as described below.

1. Start installation

Sign in to Dynatrace, select Deploy Dynatrace from the navigation menu and select Install ActiveGate.

2. Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Environment ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

  1. Select the ActiveGate purpose.

  2. Select Download installer.
     If you plan to download Environment ActiveGate directly to the server, make sure your system is up to date, especially SSL and related certificate libraries. Outdated libraries (for example, CA certificates) or missing OpenSSL will prevent the installer from downloading (Dynatrace uses encrypted connections, so OpenSSL is required to enable wget to access the server).

     Download the installer using one of these options:
       • Run the command
         Copy the wget command from the text box and paste it into a terminal window on the machine where you plan to install the ActiveGate. Make sure you copy the command directly from the first text box; it contains your environment ID.
       • Download via browser
         No internet access on servers? You can download the installer by selecting the ActiveGate installer link at the bottom of the page and saving the installer script to any location on your system, thereby bypassing the wget command altogether.

  3. Verify the signature.
     Wait for the download to complete. Then verify the signature by copying the command from the second Verify signature text box and pasting the command into your terminal window.

3. Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in the Dynatrace web UI that reflects the ActiveGate purpose.

Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

You only need root rights to install an ActiveGate. The user running the ActiveGate service doesn't require root rights. If you don't specify your own user to run the ActiveGate service, the installer will create and use the dtuserag user by default.

To install ActiveGate, run one of the following pairs of commands in the directory where you downloaded the installation script.

  • Ubuntu Server

    [user@ubuntu]# chmod +x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
    [user@ubuntu]# sudo ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

  • Red Hat Enterprise Linux

    [user@rhel]# chmod +x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
    [user@rhel]# su -c ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

  • Other Linux distribution with root session

    [root@host]# chmod +x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
    [root@host]# ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

4. Certificate management

If you're using self-signed certificates for communication to external APIs, you can either add the certificate to the truststore or disable certificate validation.

Add the self-signed certificate to the truststore

  • For ActiveGate version 1.167

Use the method described in Configure trusted root certificates on ActiveGate.

  • For ActiveGate version 1.169+

Bring in the certificate from your cloud provider.
In the following example, we extract the certificate from google.com and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem

For Kubernetes, you can use the following command sequence to get the certificate:

[root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[root@host]# API_HOST=${API_ENDPOINT_URL#https://}   # openssl s_client expects host:port, not a URL
[root@host]# if [[ $API_HOST =~ :[0-9]+$ ]]; then API_SERVER_PORT=$API_HOST; else API_SERVER_PORT="${API_HOST}:443"; fi   # append the default HTTPS port if none is given
[root@host]# echo "API server: ${API_SERVER_PORT}"

[root@host]# echo Q | openssl s_client -connect "$API_SERVER_PORT" 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

Add the certificate to the keystore.
You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

[root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

You can display the list of aliases and the certificate description using the keytool -list command.

For example:

# sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
dt_k8s_api, Apr 26, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31
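The certificate extraction and the unique-alias import above, combined into one script as an added example (not from the Dynatrace docs): it normalises the API URL the way the page's regex intends, fails on an empty download, and refuses to import under an alias that already exists instead of silently overwriting it. The keytool and truststore paths are the page's; the function names and the RUN_IMPORT guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the Dynatrace docs): fetch the Kubernetes API
# server certificate and import it into the ActiveGate truststore under a
# unique alias. Paths are the page's; function names and the RUN_IMPORT
# guard are assumptions.
set -eu

KEYTOOL=/opt/dynatrace/gateway/jre/bin/keytool
TRUSTSTORE=/var/lib/dynatrace/gateway/ssl/mytrusted.jks

# Normalise a kube-apiserver URL to the host:port form openssl expects:
# drop the scheme and any path, append :443 when no port is given.
api_host_port() {
  hostport=${1#http://}
  hostport=${hostport#https://}
  hostport=${hostport%%/*}
  case ${hostport##*:} in
    ''|*[!0-9]*) printf '%s:443\n' "$hostport" ;;  # no numeric port
    *)           printf '%s\n' "$hostport" ;;
  esac
}

# Save the certificate the API server presents as PEM; refuse an empty file
# rather than importing nothing into the truststore.
fetch_api_cert() {  # usage: fetch_api_cert <host:port> <out.pem>
  echo Q | openssl s_client -connect "$1" -servername "${1%:*}" 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
  [ -s "$2" ] || { echo "no certificate received from $1" >&2; return 1; }
}

# Import a PEM under the given alias, but only if that alias is not already
# in the keystore: keytool would silently replace the earlier certificate.
import_trusted_cert() {  # usage: import_trusted_cert <pem> <alias> [pass]
  pass=${3:-changeit}
  if [ -f "$TRUSTSTORE" ] && "$KEYTOOL" -list -keystore "$TRUSTSTORE" \
       -storepass "$pass" -alias "$2" >/dev/null 2>&1; then
    echo "alias '$2' already exists in $TRUSTSTORE; pick a unique one" >&2
    return 1
  fi
  "$KEYTOOL" -importcert -noprompt -file "$1" -alias "$2" \
    -keystore "$TRUSTSTORE" -storepass "$pass"
}

# Only runs the network and keystore steps when RUN_IMPORT=1.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
  HP=$(api_host_port "$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')")
  fetch_api_cert "$HP" dt_k8s_api.pem
  import_trusted_cert dt_k8s_api.pem "dt_k8s_api_${HP%:*}"
fi
```

Run it on the ActiveGate host as `RUN_IMPORT=1 sh import-api-cert.sh` after pointing kubectl at the cluster; the alias includes the API host so a second cluster gets its own entry.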

Add the following entries to the /var/lib/dynatrace/gateway/config/custom.properties file. For example:

[collector]
trustedstore = mytrusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS

Encrypted password: the password will be stripped and encrypted when you restart the ActiveGate service.

Restart ActiveGate services.

Disable certificate validation

Disabling certificate validation isn't recommended because it introduces security risks. However, if you still want to disable certificate validation for test environments, do the following:

  1. From the Dynatrace menu, select Settings > Cloud and virtualization > Kubernetes.
  2. Look for your cluster and select the Edit button next to it to edit the cluster settings.
  3. Disable Require valid certificates for communication with API server.
  4. Disable Verify hostname in certificate against Kubernetes API URL.
  5. Select Save to save your changes.

These settings override the settings in the ActiveGate custom.properties file.

5. Connect your Kubernetes clusters to Dynatrace

To connect the Kubernetes API to Dynatrace:

  1. Create a service account and cluster role.
     Create a service account and cluster role for accessing the Kubernetes API. This creates the bearer token necessary to authenticate in the Kubernetes API. Use the following snippet.

     kubectl apply -f https://www.dynatrace.com/support/help/codefiles/kubernetes/kubernetes-monitoring-service-account.yaml

  2. Get the Kubernetes API URL.

     $ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

  3. Get the bearer token.

     $ kubectl get secret $(kubectl get sa dynatrace-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

  4. In the Dynatrace menu, go to Settings > Cloud and virtualization > Kubernetes.
  5. Select Connect new cluster.
  6. Provide a Name, the Kubernetes API URL, and the Bearer token for the Kubernetes cluster.
  7. Turn on Enable monitoring and Show workloads and cloud applications.

     If you haven't installed a trusted certificate to your ActiveGate, make sure to clear the Require valid certificates for communication with the API server (recommended) checkbox.

     Note: In Dynatrace environments earlier than version 1.190, you need to turn on Cloud application and workload detection in the Process group detection settings. This way, cloud applications and workloads will be detected properly and process groups won't be spread across different cloud applications and workloads.

  8. Select Connect to save your configuration.
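An added check to run between getting the bearer token and pasting it into the Dynatrace UI (example script, not part of the Dynatrace docs): decode the token's subject claim offline to confirm it belongs to the dynatrace-monitoring service account the snippet creates, then probe the API server with the same certificate and token the ActiveGate will use. The function names, the curl probe and the compact-JSON assumption about the token payload are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the Dynatrace docs): sanity-check the bearer token
# and the API endpoint before they are stored in Dynatrace. Function names,
# the curl probe and the compact-JSON payload assumption are mine.
set -eu

# Decode one base64url JWT segment, re-adding the padding JWTs strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Return the "sub" claim of a service-account token, e.g.
# system:serviceaccount:dynatrace:dynatrace-monitoring. Only the payload is
# read here; the signature is verified by the API server, not by this check.
token_subject() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeeds only if the token is the one issued to the SA from step 1
# (namespace dynatrace, name dynatrace-monitoring), so a token copied from
# the wrong namespace is caught before it is pasted into the UI.
token_is_monitoring_sa() {
  [ "$(token_subject "$1")" = "system:serviceaccount:dynatrace:dynatrace-monitoring" ]
}

# Exercise the path the ActiveGate will take: TLS validated against the
# extracted API certificate, token sent as a bearer credential.
probe_api() {  # usage: probe_api <api-url> <token> <ca.pem>
  curl -sS --fail --cacert "$3" -H "Authorization: Bearer $2" "$1/version"
}
```

Run `probe_api "$API_URL" "$TOKEN" dt_k8s_api.pem` from the ActiveGate host: a certificate error there means the truststore step is incomplete, and an HTTP 401 means the token is not the one from step 3.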