Deploy ActiveGate in Kubernetes/OpenShift as a StatefulSet

Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can deploy ActiveGate directly as a StatefulSet. See below for instructions.

Prerequisites

Create a PaaS token
Create an authentication token
Get your kube-system namespace UUID
How to extract the kube-system namespace UUID
Run the command below and save the UUID from the output for later use.
kubectloc
bash
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
bash
oc get namespace kube-system -o jsonpath='{.metadata.uid}'

Deploy ActiveGate

To deploy ActiveGate, follow the steps below.

Create a dedicated namespace (Kubernetes)/project (OpenShift).

Depending on your platform, select one of the options below.

kubectloc

plaintext
kubectl create namespace dynatrace

plaintext
oc adm new-project --node-selector="" dynatrace

Create two secrets:
- A secret holding the environment URL and login credentials for this registry
- A secret for the ActiveGate authentication token
Example commands:
kubectloc
```
plaintext
kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>
kubectl -n dynatrace create secret generic dynatrace-tokens --from-literal=auth-token=<YOUR_AUTH_TOKEN>
```
```
plaintext
oc -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens --from-literal=auth-token=<YOUR_AUTH_TOKEN>
```
where you need to replace
- <YOUR_ENVIRONMENT_URL> with your environment URL (without 'http'). Example: environment.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (same as the ID in your environment URL above).
  
  To determine your environment ID, see the syntax below. SaaS: https://{your-environment-id}.live.dynatrace.com Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites
- <YOUR_AUTH_TOKEN> with the ActiveGate authentication token obtained in Prerequisites

Create a service account and a cluster role.

Create a kubernetes-monitoring-service-account.yaml file with the following content.

kubernetes-monitoring-service-account.yaml

yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynatrace-activegate
rules:
- apiGroups:
  - ""
  - batch
  - apps
  - apps.openshift.io
  resources:
  - nodes
  - nodes/metrics
  - pods
  - namespaces
  - deployments
  - replicasets
  - deploymentconfigs
  - replicationcontrollers
  - jobs
  - cronjobs
  - statefulsets
  - daemonsets
  - events
  - resourcequotas
  - pods/proxy
  - services
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynatrace-activegate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynatrace-activegate
subjects:
- kind: ServiceAccount
  name: dynatrace-activegate
  namespace: dynatrace

Apply the file.

kubectloc

bash
kubectl apply -f kubernetes-monitoring-service-account.yaml

bash
oc apply -f kubernetes-monitoring-service-account.yaml

Create a file named ag-monitoring-and-routing.yaml with the following content, making sure to replace

<YOUR_ENVIRONMENT_URL> and <YOUR_ENVIRONMENT_ID> with your values as described above.
<YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the Kubernetes cluster UUID obtained in Prerequisites.

ag-monitoring-and-routing.yaml

yaml
apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    activegate: kubernetes-monitoring-and-routing
  ports:
  - protocol: TCP
    port: 443
    targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    activegate: kubernetes-monitoring-and-routing
spec:
  serviceName: ""
  selector:
    matchLabels:
      activegate: kubernetes-monitoring-and-routing
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
      labels:
        activegate: kubernetes-monitoring-and-routing
    spec:
      serviceAccountName: dynatrace-activegate
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
              - key: beta.kubernetes.io/os
                operator: In
                values:
                - linux
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      containers:
      - name: activegate
        image: <YOUR_ENVIRONMENT_URL>/linux/activegate
        imagePullPolicy: Always
        ports:
          - name: ag-https
            containerPort: 9999
        env:
        - name: DT_ID_SEED_NAMESPACE
          value: dynatrace
        - name: DT_ID_SEED_K8S_CLUSTER_ID
          value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
        - name: DT_CAPABILITIES
          value: kubernetes_monitoring,MSGrouter,restInterface
        # - name: DT_NETWORK_ZONE
        #   value: <CUSTOM_NZ>
        - name: DT_DNS_ENTRY_POINT
          value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
        volumeMounts:
        - name: dynatrace-tokens
          mountPath: /var/lib/dynatrace/secrets/tokens
        - name: truststore-volume
          mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
          readOnly: true
          subPath: k8s-local.jks
        - name: ag-lib-gateway-config
          mountPath: /var/lib/dynatrace/gateway/config
        - name: ag-lib-gateway-temp
          mountPath: /var/lib/dynatrace/gateway/temp
        - name: ag-lib-gateway-data
          mountPath: /var/lib/dynatrace/gateway/data
        - name: ag-log-gateway
          mountPath: /var/log/dynatrace/gateway
        - name: ag-tmp-gateway
          mountPath: /var/tmp/dynatrace/gateway
        livenessProbe:
          failureThreshold: 2
          httpGet:
            path: /rest/state
            port: ag-https
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /rest/health
            port: ag-https
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
          limits:
            cpu: 1000m
            memory: 2Gi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      initContainers:
      - name: certificate-loader
        image: <YOUR_ENVIRONMENT_URL>/linux/activegate
        workingDir: /var/lib/dynatrace/gateway
        command: ['/bin/bash']
        args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
        volumeMounts:
        - mountPath: /var/lib/dynatrace/gateway/ssl
          name: truststore-volume
      imagePullSecrets:
      - name: dynatrace-docker-registry
      volumes:
      - name: dynatrace-tokens
        secret:
          secretName: dynatrace-tokens
      - name: truststore-volume
        emptyDir: {}
      - name: ag-lib-gateway-config
        emptyDir: {}
      - name: ag-lib-gateway-temp
        emptyDir: {}
      - name: ag-lib-gateway-data
        emptyDir: {}
      - name: ag-log-gateway
        emptyDir: {}
      - name: ag-tmp-gateway
        emptyDir: {}
  updateStrategy:
    type: RollingUpdate

ActiveGate limit sizing hints

See below for a list of proposed sizes in relation to the number of pods:

Number of pods	CPU	Memory
Up to 100 pods	500 millicores (mCores)	512 mebibytes (MiB)
Up to 1,000 pods	1,000 millicores (mCores)	1 gibibyte (GiB)
Up to 5,000 pods	1,500 millicores (mCores)	2 gibibytes (GiB)
Over 5,000 pods	over 1,500 millicores (mCores)¹	over 2 gibibytes (GiB)¹
¹ Actual figures depend on your environment.

Note: These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.

Deploy ActiveGate.

kubectloc

bash
kubectl apply -f ag-monitoring-and-routing.yaml

bash
oc apply -f ag-monitoring-and-routing.yaml

Connect your Kubernetes clusters to Dynatrace

To get native Kubernetes metrics, you need to connect your clusters to Dynatrace.

To connect your clusters and enable monitoring, you have two options:

See below for instructions for both options.

Connect to a local Kubernetes API endpoint

ActiveGate version 1.229+

You can enable monitoring by connecting a containerized ActiveGate to a local Kubernetes API endpoint. For this, you only need to provide the unique Kubernetes cluster ID (the UUID of the kube-system namespace) in the Dynatrace web UI. The containerized ActiveGate then identifies the unique cluster ID and sends it over to Dynatrace.

To connect to a local Kubernetes API endpoint

In the Dynatrace menu, go to Kubernetes.
Select Connect manually.
On the Kubernetes cluster monitoring settings page, provide a Name, and then turn on Connect containerized ActiveGate to local Kubernetes API endpoint.
For Kubernetes cluster ID, enter the kube-system namespace UUID obtained in Prerequisites.
Select Save changes to save your configuration. Note: You can save your configuration even if the ActiveGate isn't ready to connect, and finish the configuration later. To verify if it's ready, select Test configuration.

Change monitoring settings

You can change monitoring settings at any time from your Kubernetes cluster details page.

In the Dynatrace menu, go to Kubernetes.
Find your Kubernetes cluster, and then select Actions > Settings.
Adjust your settings, and then select Save changes.

Delete configuration

To delete the connection to a local Kubernetes API endpoint

In the Dynatrace menu, go to Kubernetes.
Find your Kubernetes cluster, and then select Actions > Settings.
Select Use defaults, and then select Save changes.

Connect to the public Kubernetes API

To connect the Kubernetes API to Dynatrace

Get the Kubernetes API URL.

kubectloc

bash
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

bash
oc config view --minify -o jsonpath='{.clusters[0].cluster.server}'

Get the bearer token.

KubernetesOpenShift v3.xOpenShift v4.x

bash
kubectl get secret $(kubectl get sa dynatrace-activegate -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

bash
oc get secret $(oc get sa dynatrace-activegate -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

bash
oc get secret $(oc get sa dynatrace-activegate -o jsonpath='{.secrets[1].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

Special instructions for Rancher distributions to get the API URL and the bearer token

For Rancher distributions of Kubernetes, you need to use the bearer token and API URL of the Rancher server, as this server manages and secures traffic to the Kubernetes API server. Follow the steps below.

Get the Kubernetes API URL for later use.

bash
$ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

Configure a user.
On the Rancher web UI page, either create a new user or use an existing user to be associated with the token. We recommend creating a new user.
Set permissions.
Make sure the user has either Owner or Custom permissions to the cluster you want to monitor. We recommend using the Custom permissions for this type of account.

Note: If you select Custom permissions, make sure to check these two roles: View all Projects and View Nodes.
Create an API key.
Go to API & Keys and create a key either for your specific account (enter your cluster name) or for all clusters (enter No scope). For security reasons, we recommend selecting the first option.

Note: Newly created keys display four fields. Make sure to use the content of the field called Bearer token to set up the connection to the Kubernetes API described in the next section.

In the Dynatrace menu, go to Kubernetes and select Connect manually.
Provide a Name, Kubernetes API URL target, and the Bearer token for the Kubernetes cluster.

Note: For Rancher distributions, you need the bearer token that was created in Rancher web UI, as described in Special instructions for Rancher distributions above.

If you haven't installed a trusted certificate to your ActiveGate, make sure to clear the Require valid certificates for communication with the API server (recommended) checkbox.

Select Save changes.

Once you connect your Kubernetes clusters to Dynatrace, you can get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.

ActiveGate update behavior

ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.