Deploy ActiveGate in a VM for Kubernetes/OpenShift monitoring

If you want to monitor several Kubernetes clusters with one ActiveGate and don't need to separate networks for administrative or operational traffic, you can install an ActiveGate on a virtual machine using a conventional installer, to connect your clusters to Dynatrace as described below.

Start installation

Download the installer

Run the installer

Connect your Kubernetes clusters to Dynatrace

Start installation

In the Dynatrace menu, go to Deploy Dynatrace.
Select Install ActiveGate.
On the Install Environment ActiveGate page, select Linux.

Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Environment ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

Select Route OneAgent traffic as an ActiveGate purpose.
Provide a PaaS token. This token is required to download the ActiveGate installer from your environment. If you don't have a PaaS token, you can create one right in the UI. The token is automatically appended to the download and installation commands you'll use later.
Select Download installer. There are two options:
- Download via shell command. Copy and run the wget command.
- Select the link to download the ActiveGate installer.
Verify the signature
Wait for the download to complete, and then verify the signature by copying the command from the second Verify signature text box and pasting the command into your terminal window.

Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in the Dynatrace web UI that reflects the ActiveGate purpose. Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

Add the Kubernetes CA certificate to the truststore recommended

For instructions on how to add the certificate to the truststore file, see Trusted root certificates for ActiveGate.

Customize installation

You can add additional parameters to the installation command to customize your installation. For example, to install ActiveGate in a different directory, use the INSTALL=<path> parameter:

bash
[root@host]# /bin/bash Dynatrace-ActiveGate-Linux-x86-1.0.0.sh INSTALL=/hosted_app/dynatrace

Default installation settings

For installation defaults, including default directories, see ActiveGate default settings for Linux.

Connect your Kubernetes clusters to Dynatrace

To connect the Kubernetes API to Dynatrace

Create a service account and cluster role.

Create a kubernetes-monitoring-service-account.yaml file with the following content.

kubernetes-monitoring-service-account.yaml

yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dynatrace-monitoring
  namespace: dynatrace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynatrace-monitoring-cluster
rules:
- apiGroups:
  - ""
  - batch
  - apps
  - apps.openshift.io
  resources:
  - nodes
  - pods
  - namespaces
  - deployments
  - replicasets
  - deploymentconfigs
  - replicationcontrollers
  - jobs
  - cronjobs
  - statefulsets
  - daemonsets
  - events
  - resourcequotas
  - pods/proxy
  - services
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynatrace-monitoring-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynatrace-monitoring-cluster
subjects:
- kind: ServiceAccount
  name: dynatrace-monitoring
  namespace: dynatrace

Apply the file.

bash
kubectl apply -f kubernetes-monitoring-service-account.yaml

Get the Kubernetes API URL.

bash
$ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

Get the bearer token.
```
bash
$ kubectl get secret $(kubectl get sa dynatrace-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode
```
Special instructions for Rancher distributions to get the API URL and the bearer token
For Rancher distributions of Kubernetes, you need to use the bearer token and API URL of the Rancher server, because this server manages and secures traffic to the Kubernetes API server. Follow the steps below.
1. Get the Kubernetes API URL.
```
bash
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
```
2. Configure a user.
  
  In the Rancher web UI, either create a new user or use an existing user to associate with the token. We recommend creating a new user.
3. Set permissions.
  
  Make sure the user has either Owner or Custom permissions to the cluster you want to monitor.
  
  Recommended: select Custom permissions, and be sure to select these two roles: View all Projects and View Nodes.
4. Create an API key.
  
  Go to API & Keys and create a key either for your specific account (enter your cluster name) or for all clusters (enter No scope). For security reasons, we recommend selecting the first option.
  
  Note: Newly created keys display four fields. Make sure to use the content of the field called Bearer token to set up the connection to the Kubernetes API described in the next section.
In the Dynatrace menu, go to Kubernetes.
Select Connect manually.
Provide a Name, the Kubernetes API URL target, and the Kubernetes bearer token for the Kubernetes cluster.
Make sure Monitor events and Monitor Kubernetes namespaces, services, workloads, and pods are turned on.

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, make sure to disable Require valid certificates for communication with the API server (recommended) and Verify hostname in certificate against Kubernetes API URL.
Select Save changes to save your configuration.

Note: To update ActiveGate, see Update ActiveGate.