Deploy OneAgent Operator on OpenShift (deprecated)

This procedure is deprecated.

If you are making a fresh installation, you should set up OpenShift monitoring using Dynatrace Operator.
If you already have OneAgent installed using OneAgent Operator, please see the instructions for migrating to Dynatrace Operator.

Note: The instructions below apply to OpenShift Dedicated as well. For OpenShift Dedicated, you need cluster-admin privileges.

Installation

Find out below how to install and configure OneAgent.

Deploy with ocDeploy with Helm

Prerequisites

Generate an API token and a PaaS token in your Dynatrace environment.
Note: Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.
Pods must allow egress to your Dynatrace environment or to your Environment ActiveGate in order for metric routing to work properly.
See Support lifecycle for supported OpenShift versions.

Add a new project.

bash
oc adm new-project --node-selector="" dynatrace

OCP version 3.11 Provide image pull secrets.
Skip this step if you're using a later version.
In order to use the certified OneAgent Operator and OneAgent images from Red Hat Container Catalog (RHCC), you need to provide image pull secrets. The Service Accounts on the openshift.yaml manifest already have links to the secrets to be created below.

bash
# For OCP 3.11
oc -n dynatrace create secret docker-registry redhat-connect --docker-server=registry.connect.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
oc -n dynatrace create secret docker-registry redhat-connect-sso --docker-server=sso.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused

OCP version 4.x OCP version 3.11 Apply the openshift.yaml manifest to deploy the OneAgent Operator.
```
bash
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/openshift.yaml
oc -n dynatrace logs -f deployment/dynatrace-oneagent-operator
```
For OpenShift versions earlier than 3.11.188 you need to delete the type: object line beneath the required spec validation in openshift.yaml before deploying the CustomResourceDefinition (OpenShift known bug).
```
yaml
required:
-  spec
type: object  # delete this line, which is a validation rule
```
Create the secret that holds the API and PaaS tokens for authenticating to the Dynatrace Cluster.
The name of the secret will be important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values mentioned in prerequisites.
```
bash
oc -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"
```
Save the custom resource.
The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent. Retrieve the cr.yaml file from the GitHub repository.
```
bash
curl -o cr.yaml https://raw.githubusercontent.com/Dynatrace/dynatrace-oneagent-operator/master/deploy/cr.yaml
```

Adapt the custom resource.

If you want to revert an argument, you need to set it to empty instead of removing it from the custom resource. Example:

plaintext
args:
  - "--set-proxy="

Parameters...

Parameter	Description	Default value
`apiUrl`	required For Dynatrace SaaS, where OneAgent can connect to the internet, replace the Dynatrace `ENVIRONMENTID` in `https://ENVIRONMENTID.live.dynatrace.com/api`. For Environment ActiveGates (SaaS or Managed), use the following to download the OneAgent, as well as to communicate OneAgent traffic through the ActiveGate: `https://YourActiveGateIP` or `FQDN:9999/e/<ENVIRONMENTID>/api`.
`useUnprivilegedMode`	optional Set to `false` if you want to mark the pod as privileged. Defaults to using Linux capabilities for the OneAgent pod	`true`
`tokens`	optional Name of the secret that holds the API and PaaS tokens from above.	Name of custom resource (`.metadata.name`) if unset
`useImmutableImage`	optional Set to `true` if you want to pull a OneAgent Docker image from your Dynatrace environment. Use this parameter together with the `agentVersion` parameter to control the version of OneAgent.	`false`
`agentVersion`	optional Set this value to the OneAgent version using semantic versioning (`major.minor.patch`). Example: `1.203.0`	latest version
`args`	optional Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of `INSTALL_PATH`.
`env`	optional Environment variables for OneAgent container.
`skipCertCheck`	optional Disable certificate validation checks for installer download and API communication. Set to `true` if you want to skip any certification validation checks.	`false`
`nodeSelector`	optional Keep empty default value. If you want to roll out OneAgent to specific nodes only, provide the `nodeSelectors` here. Refer to Kubernetes docs for details.
`tolerations`	optional Keep default value to also roll out the OneAgent to master nodes if possible. If you want to apply additional tolerations to OneAgent pods for tainted nodes, provide them here. Refer to Kubernetes docs for details.
`image`	optional Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set `.spec.image` to `registry.connect.redhat.com/dynatrace/oneagent` in the custom resource and provide image pull secrets as shown in the next step.	`docker.io/dynatrace/oneagent:latest` if unset
`resources`	optional Resource requests/limits for the OneAgent pods. These settings heavily depend on size of worker nodes and workloads. Please adjust to fit your needs.
`priorityClassName`	optional Priority class for OneAgent pod. Refer to Kubernetes docs.
`disableAgentUpdate`	optional Disable the Operator's auto-update feature for OneAgent pods.	`false`
`enableIstio`	optional Enable management of Istio service entries and virtual services for Dynatrace endpoints to allow for OneAgent monitoring egress traffic to your Dynatrace environment	`false`
`trustedCAs`	optional Name of the ConfigMap containing the custom CA certificates. The ConfigMap must have a field called `certs` with the content of the PEM bundle. These custom certificates will be used by both the OneAgent Operator and the OneAgent.	If not set, the default embedded certificates on the images will be used.

Create the custom resource.
```
bash
oc apply -f cr.yaml
```

optional Configure proxy.

You can configure optional parameters like proxy settings in the cr.yaml file in order to
- download the OneAgent installer
- ensure the communication between the OneAgent and your Dynatrace environment
- ensure the communication between the Dynatrace OneAgent Operator and the Dynatrace API.

There are two ways to provide the proxy, depending on whether or not your proxy uses credentials.

No credentials

If you have a proxy that doesn't use credentials, enter your proxy URL directly in the value field for the proxy.

Example

plaintext
apiVersion: dynatrace.com/v1alpha1
kind: OneAgent
metadata:
  name: oneagent
  namespace: dynatrace
spec:
  apiUrl: https://environmentid.dynatrace.com/api
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  args: []
  enableIstio: true
  proxy:
    value: http://mysuperproxy

With credentials

If your proxy uses credentials

Create a secret with a field called proxy which holds your encrypted proxy URL with the credentials.
Example.

plaintext
oc -n dynatrace create secret generic myproxysecret --from-literal="proxy=http://<user>:<password>@<IP>:<PORT>"

Provide the name of the secret in the valueFrom section.
Example.

plaintext
apiVersion: dynatrace.com/v1alpha1
kind: OneAgent
metadata:
  name: oneagent
  namespace: dynatrace
spec:
  apiUrl: https://environmentid.dynatrace.com/api
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  args: []
  enableIstio: true
  proxy:
    valueFrom: myproxysecret

optional Configure network zones.

You can configure network zones by setting the following argument:
```
yaml
args:
  - --set-network-zone=<your.network.zone>
```
See network zones for more information.

Prerequisites

Generate an API token and a PaaS token in your Dynatrace environment.
Note: Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.
Pods must allow egress to your Dynatrace environment or to your Environment ActiveGate in order for metric routing to work properly.
See Support lifecycle for supported OpenShift versions.
Install Helm version 3.
We recommend installing a recent version of the Helm chart.

Add a new project called dynatrace.

plaintext
oc adm new-project --node-selector="" dynatrace

Add the Dynatrace OneAgent Helm repository.

bash
helm repo add dynatrace \
https://raw.githubusercontent.com/Dynatrace/helm-charts/master/repos/stable

Create the custom resource definitions.

bash
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagents.yaml
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagentapms.yaml

Note: For OCP version 3.11, run the commands below.

bash
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagents-v1beta1.yaml
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/dynatrace.com_oneagentapms-v1beta1.yaml

Create a values.yaml file with the following content.

yaml
platform: "openshift"
operator:
  image: ""
oneagent:
  name: "oneagent"
  apiUrl: "https://ENVIRONMENTID.live.dynatrace.com/api"
  image: ""
  args: []
  env: []
  nodeSelector: []
  labels: []
  skipCertCheck: false
  disableAgentUpdate: false
  enableIstio: false
  dnsPolicy: ""
  resources: []
  waitReadySeconds: null
  priorityClassName: ""
  serviceAccountName: ""
  proxy: ""
  trustedCAs: ""
secret:
  apiToken: "DYNATRACE_API_TOKEN"
  paasToken: "PLATFORM_AS_A_SERVICE_TOKEN"

optional Configure network zones.

You can configure network zones by setting the following argument:
```
yaml
args:
  - --set-network-zone=<your.network.zone>
```
See network zones for more information.
For OpenShift versions earlier than 3.11.188 you need to delete the type: object line beneath the required spec validation in openshift.yaml before deploying the CustomResourceDefinition (OpenShift known bug).
```
yaml
required:
-  spec
type: object  # delete this line, which is a validation rule
```

To apply the YAML parameters, run the following command:

plaintext
helm install dynatrace-oneagent-operator \
dynatrace/dynatrace-oneagent-operator -n\
dynatrace --disable-openapi-validation --values values.yaml

Note: After deployment, you need to restart your pods so OneAgent can inject into them.

Cluster-wide permissions

The following table shows the permissions needed for OneAgent Operator.

Resources accessed	APIs used	Resource names
`Nodes`	Get/List/Watch	-
`Namespaces`	Get/List/Watch	-
`Secrets`	Create	-
`Secrets`	Get/Update/Delete	`dynatrace-oneagent-config`, `dynatrace-oneagent-pull-secret`

Limitations

See Docker limitations for details.

Troubleshoot

Find out how to troubleshoot issues that you may encounter when deploying OneAgent on OpenShift.

Deploy an ActiveGate and connect your Kubernetes API to Dynatrace

Now that you have OneAgent running on your OpenShift nodes, you're able to monitor those nodes, and the applications running in OpenShift. The next step is to deploy an ActiveGate and connect your Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.
For further instructions see Deploy ActiveGate in OpenShift as a StatefulSet.

Update OneAgent Operator with oc

OneAgent Operator for OpenShift version 3.9+ automatically takes care of the lifecycle of the deployed OneAgents, so you don't need to update OneAgent pods yourself.

Review the release notes of the Operator for any breaking changes of the custom resource.

To update OneAgent Operator, run the following command:

bash
oc apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/openshift.yaml

Update OneAgent Operator with Helm

Update your Helm repositories.
```
bash
helm repo update
```
Alternative method: add it again. This will overwrite the older version.

Update OneAgent to the latest version.

Don't omit the --reuse-values flag in the command in order to keep your configuration.

bash
helm upgrade dynatrace-oneagent-operator dynatrace/\
dynatrace-oneagent-operator -n dynatrace --reuse-values

Uninstall OneAgent Operator

Uninstall with kubectlUninstall with Helm

To uninstall OneAgent Operator from OpenShift version 3.9+

Remove OneAgent custom resources and clean up all remaining OneAgent Operator–specific objects.

bash
oc delete -n dynatrace oneagent --all
oc delete -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/openshift.yaml

optional After you delete OneAgent Operator, the OneAgent binary remains on the node in an inactive state. To uninstall it completely, run the uninstall.sh script and delete logs and configuration files.
See Linux related information.

Remove OneAgent custom resources and clean up all remaining OneAgent Operator–specific objects:

bash
helm uninstall dynatrace-oneagent-operator -n dynatrace