• Home
  • Setup and configuration
  • Set up Dynatrace on container platforms
  • Kubernetes
  • Enable Kubernetes/OpenShift API monitoring
  • Deploy ActiveGate in Kubernetes/OpenShift as a StatefulSet

Deploy ActiveGate in Kubernetes/OpenShift as a StatefulSet

Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can deploy ActiveGate directly as a StatefulSet. See below for instructions.

Prerequisites

  • Create a PaaS token

Deploy ActiveGate

To deploy ActiveGate, follow the steps below.

  1. Depending on your platform, select one of the options below.

Create a dedicated namespace.

kubectl create namespace dynatrace

Create a dedicated namespace.

oc adm new-project --node-selector="" dynatrace
  1. Create a secret holding the environment URL and login credentials for this registry.

Example command:

kubectl create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN> -n dynatrace
oc -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN> -n dynatrace

where you need to replace

  • <YOUR_ENVIRONMENT_URL> with your environment URL (without 'http'). Example: environment.live.dynatrace.com
  • <YOUR_ENVIRONMENT_ID> with the Docker account username (same as the ID in your environment URL above)
  • <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites
  1. Create a file named ag-monitoring-and-routing.yaml with the following content, making sure to replace
  • <YOUR_ENVIRONMENT_URL> and <YOUR_ENVIRONMENT_ID>with your own values as described above
  • <ANY_UNIQUE_ID> with any unique value. This ID will be used by the ActiveGate to generate a unique name in the UI.
ag-monitoring-and-routing.yaml
yaml
apiVersion: v1 kind: Service metadata: name: dynatrace-activegate namespace: dynatrace spec: type: ClusterIP selector: activegate: kubernetes-monitoring-and-routing ports: - protocol: TCP port: 443 targetPort: ag-https --- apiVersion: apps/v1 kind: StatefulSet metadata: name: dynatrace-activegate namespace: dynatrace labels: activegate: kubernetes-monitoring-and-routing spec: serviceName: "" selector: matchLabels: activegate: kubernetes-monitoring-and-routing template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/activegate: runtime/default labels: activegate: kubernetes-monitoring-and-routing spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - key: beta.kubernetes.io/os operator: In values: - linux - matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 - key: kubernetes.io/os operator: In values: - linux containers: - name: activegate image: <YOUR_ENVIRONMENT_URL>/linux/activegate imagePullPolicy: Always ports: - name: ag-https containerPort: 9999 env: - name: DT_ID_SEED_NAMESPACE value: dynatrace - name: DT_ID_SEED_K8S_CLUSTER_ID value: <ANY_UNIQUE_ID> - name: DT_CAPABILITIES value: kubernetes_monitoring,MSGrouter,restInterface # - name: DT_NETWORK_ZONE # value: <CUSTOM_NZ> - name: DT_DNS_ENTRY_POINT value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication volumeMounts: - name: truststore-volume mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts readOnly: true subPath: k8s-local.jks - name: ag-lib-gateway-config mountPath: /var/lib/dynatrace/gateway/config - name: ag-lib-gateway-temp mountPath: /var/lib/dynatrace/gateway/temp - name: ag-lib-gateway-data mountPath: /var/lib/dynatrace/gateway/data - name: ag-log-gateway mountPath: /var/log/dynatrace/gateway - name: ag-tmp-gateway mountPath: /var/tmp/dynatrace/gateway livenessProbe: failureThreshold: 2 httpGet: path: /rest/state port: ag-https scheme: HTTPS initialDelaySeconds: 30 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 3 httpGet: path: /rest/health port: ag-https scheme: HTTPS initialDelaySeconds: 30 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 # resources: # limits: # cpu: "1" # memory: 2G # requests: # cpu: "1" # memory: 2G securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault initContainers: - name: certificate-loader image: <YOUR_ENVIRONMENT_URL>/linux/activegate workingDir: /var/lib/dynatrace/gateway command: ['/bin/bash'] args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh'] volumeMounts: - mountPath: /var/lib/dynatrace/gateway/ssl name: truststore-volume imagePullSecrets: - name: dynatrace-docker-registry volumes: - name: truststore-volume emptyDir: {} - name: ag-lib-gateway-config emptyDir: {} - name: ag-lib-gateway-temp emptyDir: {} - name: ag-lib-gateway-data emptyDir: {} - name: ag-log-gateway emptyDir: {} - name: ag-tmp-gateway emptyDir: {} updateStrategy: type: RollingUpdate
  1. Deploy ActiveGate.
bash
kubectl apply -f ag-monitoring-and-routing.yaml
bash
oc apply -f ag-monitoring-and-routing.yaml

Connect your Kubernetes clusters to Dynatrace

To get native Kubernetes metrics, you need to connect your clusters to Dynatrace.

To connect your clusters and enable monitoring, you have two options:

  • Connect the containerized ActiveGate to a local Kubernetes API endpoint
  • Connect the containerized ActiveGate to the public Kubernetes API URL

See below for instructions for both options.

Connect to a local Kubernetes API endpoint

ActiveGate version 1.229+

You can enable monitoring by connecting a containerized ActiveGate to a local Kubernetes API endpoint. For this you only need to provide the unique Kubernetes cluster ID (the uuid of the kube-system namespace) in Dynatrace web UI. The containerized ActiveGate then identifies the unique cluster ID and sends it over to Dynatrace.

To connect to a local Kubernetes API endpoint

1. Get the Kubernetes cluster ID

Run the command below and grab the UID from the output.

bash
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
bash
oc get namespace kube-system -o jsonpath='{.metadata.uid}'

2. Provide the Kubernetes cluster ID in the Dynatrace web UI

  1. In the Dynatrace menu, go to Kubernetes.
  2. Select Connect manually.
  3. On the Kubernetes cluster monitoring settings page, provide a Name, and then turn on Connect containerized ActiveGate to local Kubernetes API endpoint.
  4. For Kubernetes cluster ID, enter the UID obtained earlier.
  5. Select Save changes to save your configuration. Note: You can save your configuration even if the ActiveGate isn't ready to connect, and finish the configuration later. To verify if it's ready, select Test configuration.

Change monitoring settings

You can change monitoring settings at any time from your Kubernetes cluster details page.

  1. In the Dynatrace menu, go to Kubernetes.
  2. Find your Kubernetes cluster, and then select Actions > Settings.
  3. Adjust your settings, and then select Save changes.

Delete configuration

To delete the connection to a local Kubernetes API endpoint

  1. In the Dynatrace menu, go to Kubernetes.
  2. Find your Kubernetes cluster, and then select Actions > Settings.
  3. Select Use defaults, and then select Save changes.

Connect to the public Kubernetes API

To connect the Kubernetes API to Dynatrace

  1. Create a service account and cluster role.

Create a kubernetes-monitoring-service-account.yaml file with the following content.

kubernetes-monitoring-service-account.yaml
yaml
apiVersion: v1 kind: ServiceAccount metadata: name: dynatrace-monitoring namespace: dynatrace --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: dynatrace-monitoring-cluster rules: - apiGroups: - "" - batch - apps - apps.openshift.io resources: - nodes - pods - namespaces - deployments - replicasets - deploymentconfigs - replicationcontrollers - jobs - cronjobs - statefulsets - daemonsets - events - resourcequotas - pods/proxy verbs: - list - watch - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dynatrace-monitoring-cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: dynatrace-monitoring-cluster subjects: - kind: ServiceAccount name: dynatrace-monitoring namespace: dynatrace
  1. Apply the file.
bash
kubectl apply -f kubernetes-monitoring-service-account.yaml
bash
oc apply -f kubernetes-monitoring-service-account.yaml
  1. Get the Kubernetes API URL.
bash
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
bash
oc config view --minify -o jsonpath='{.clusters[0].cluster.server}'
  1. Get the bearer token.
bash
kubectl get secret $(kubectl get sa dynatrace-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
bash
oc get secret $(oc get sa dynatrace-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
bash
oc get secret $(oc get sa dynatrace-monitoring -o jsonpath='{.secrets[1].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

Special instructions for Rancher distributions

Rancher distributions

For Rancher distributions of Kubernetes, you need to use the bearer token and API URL of the Rancher server, as this server manages and secures traffic to the Kubernetes API server. Follow the steps below.

  1. Get the Kubernetes API URL for later use.
bash
$ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
  1. Configure a user.
    On the Rancher web UI page, either create a new user or use an existing user to be associated with the token. We recommend creating a new user.

  2. Set permissions.
    Make sure the user has either Owner or Custom permissions to the cluster you want to monitor. We recommend using the Custom permissions for this type of account.

Note: If you select Custom permissions, make sure to check these two roles: View all Projects and View Nodes.

  1. Create an API key.
    Go to API & Keys and create a key either for your specific account (enter your cluster name) or for all clusters (enter No scope). For security reasons, we recommend selecting the first option.

Note: Newly created keys display four fields. Make sure to use the content of the field called Bearer token to set up the connection to the Kubernetes API described in the next section.

  1. In the Dynatrace menu, go to Settings > Cloud and virtualization > Kubernetes and select Connect new cluster.

  2. Provide a Name, Kubernetes API URL, and the Bearer token for the Kubernetes cluster.

Note: For Rancher distributions, you need the bearer token that was created in Rancher web UI, as described in Special instructions for Rancher distributions above.

If you haven't installed a trusted certificate to your ActiveGate, make sure to clear the Require valid certificates for communication with the API server (recommended) checkbox.

Once you connect your Kubernetes clusters to Dynatrace, you can get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.

ActiveGate update behavior

ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.

Related topics
  • Kubernetes/OpenShift monitoring

    Monitor Kubernetes/OpenShift with Dynatrace.