Store Dynatrace images in private registries in Kubernetes/OpenShift

The following options are available:

Store Dynatrace containers in private registries in Kubernetes environments using either an immutable or a lightweight OneAgent container image.
- The immutable image includes the binaries themselves, allowing for more control and thorough security scanning.
- The lightweight image consists of a OneAgent installer, which downloads necessary binaries from Dynatrace.
Build and store your code-module image for applicationMonitoring and cloudNativeFullstack deployments.

Immutable mode

Prerequisites

Dynatrace Operator version 0.3.0+
A working private registry
Log in to the Dynatrace container registry for your environment

To log in

Run the command below.

Note: Be sure to replace the placeholders with your own values:

To determine <your-environment-ID>, see environment ID.
To determine <your-PaaS-token>, see PaaS token.

plaintext
sudo docker login -u <your-environment-ID> <your_environment_URL> -p <your-PaaS-token>

The immutable image can only be used for classicFullSTack and hostMonitoring configurations. Any other deployment modes are currently not supported.

To store Dynatrace containers in private registries using an immutable OneAgent image follow the steps below, making sure to replace the placeholders (<...>) in all the example commands or example configurations with your own values, as shown in the following table:

Parameter	Value description
`<dynatrace_operator_version>`	The latest Dynatrace Operator version.
`<oneagent_version>`	The semantic versioning form (`<major>.<minor>.<patch>`) of your desired OneAgent version.
`<activegate_version>`	The semantic versioning form (`<major>.<minor>.<patch>`) of your desired ActiveGate version.
`<your_private_registry>`	The address from your private registry
`<your_environment_domain_name>`	Your own environment domain name (the URL without `https://`)
`<your_environment_ID>`	Your environment ID
`<sample>`	The name of your selected Dynakube custom resource sample.

1. Pull, tag, and push the Dynatrace Operator image

Pull the image.

Example command:

bash
docker pull docker.io/dynatrace/dynatrace-operator:v<dynatrace_operator_version>

Tag the image for your own registry.

Example command:

bash
docker tag docker.io/dynatrace/dynatrace-operator:v<dynatrace_operator_version> <your_private_registry>/dynatrace-operator:v<dynatrace_operator_version>

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/dynatrace-operator:v<dynatrace_operator_version>

2. Pull, tag, and push the OneAgent image

Pull a specific immutable OneAgent image version.

Example command:

bash
docker pull <your_environment_domain_name>/linux/oneagent:<oneagent_version>

Tag the image for your own registry.

Example command:

bash
docker tag <your_environment_domain_name>/linux/oneagent:<oneagent_version> <your_private_registry>/oneagent:<oneagent_version>

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/oneagent:<oneagent_version>

3. Pull, tag, and push the ActiveGate image

Pull the image.

Example command:

bash
docker pull <your_environment_domain_name>/linux/activegate:<activegate_version>

Tag the image for your own registry.

Example command:

bash
docker tag <your_environment_domain_name>/linux/activegate:<activegate_version> <your_private_registry>/activegate:<activegate_version>

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/activegate:<activegate_version>

4. Fetch, modify, and apply the Kubernetes/OpenShift YAML

Download the latest Kubernetes/OpenShift YAML from the Dynatrace GitHub repository.

kubectloc

bash
curl -Lo kubernetes.yaml https://github.com/Dynatrace/dynatrace-operator/releases/download/latest/kubernetes.yaml

bash
curl -Lo openshift.yaml https://github.com/Dynatrace/dynatrace-operator/releases/download/latest/openshift.yaml

Edit the Kubernetes/OpenShift YAML by replacing the default image location of Dynatrace Operator with your private registry address.
If your registries need authentication, update imagePullSecrets on different service accounts.
For more information on how Kubernetes handles security for pods, see Configure service accounts for pods.
Depending on your platform, select one of the options below.
kubectloc
Create a Dynatrace namespace.
```
bash
kubectl create namespace dynatrace
```
Create a Dynatrace project.
```
bash
oc adm new-project --node-selector="" dynatrace
```

Deploy Dynatrace Operator.

kubectloc

bash
kubectl apply -f kubernetes.yaml

bash
oc apply -f openshift.yaml

5. Fetch, modify, and apply the DynaKube custom resource

Download one of the preconfigured DynaKube custom resource samples from GitHub, depending on your monitoring approach.

Example command:
```
bash
curl -Lo <sample>.yaml https://github.com/Dynatrace/dynatrace-operator/blob/master/config/samples/<sample>.yaml
```

Edit the DynaKube custom resource as follows:

Replace the empty value of the image fields (image: "") with image: <your_private_registry>.
Adapt other values according to the parameters section of the Dynatrace Operator deployment page.

Note: When using the immutable image, fields such as proxy, trustedCAs, and skipCertCheck are ignored. Kubernetes attempts to pull images straight from your registry. These network settings must be configured directly on the node.

Example basic configuration:

yaml
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  oneAgent:
    classicFullStack:
      image: <your_private_registry>/oneagent:<oneagent_version>
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
  activeGate:
    capabilities:
      - routing
      - kubernetes-monitoring
    image: <your_private_registry>/activegate:<activegate_version>

Deploy the DynaKube custom resource.

kubectloc

Example command:

bash
kubectl apply -f <sample>.yaml

bash
oc apply -f <sample>.yaml

Lightweight mode

Note: This method isn't supported by Dynatrace Operator.

Prerequisites

A working private registry
Log in to the Dynatrace container registry for your environment

To log in

Run the command below.

Note: Be sure to replace the placeholders with your own values:

To determine <your-environment-ID>, see environment ID.
To determine <your-PaaS-token>, see PaaS token.

plaintext
sudo docker login -u <your-environment-ID> <your_environment_URL> -p <your-PaaS-token>

To store Dynatrace containers in private registries using a lightweight OneAgent image follow the steps below, making sure to replace the placeholders (<...>) in all the example commands or example configurations with your own values, as shown in the following table:

Parameter	Value description
`<dynatrace_operator_version>`	The latest Dynatrace Operator version.
`<activegate_version>`	The semantic versioning form (`<major>.<minor>.<patch>`) of your desired ActiveGate version.
`<your_private_registry>`	The address from your private registry
`<your_environment_domain_name>`	Your own environment domain name (the URL without `https://`)
`<your_environment_ID>`	Your environment ID
`<sample>`	The name of your selected Dynakube custom resource sample.

1. Pull, tag, and push the Dynatrace Operator image

Pull the image.

Example command:

bash
docker pull docker.io/dynatrace/dynatrace-operator:v<dynatrace_operator_version>

Tag the image for your own registry.

Example command:

bash
docker tag docker.io/dynatrace/dynatrace-operator:v<dynatrace_operator_version> <your_private_registry>/dynatrace-operator:v<dynatrace_operator_version>

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/dynatrace-operator:v<dynatrace_operator_version>

2. Pull, tag, and push the OneAgent image

Pull the image.

bash
docker pull docker.io/dynatrace/oneagent

Tag the image for your own registry.

Example command:

bash
docker tag docker.io/dynatrace/oneagent:latest <your_private_registry>/oneagent:latest

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/oneagent:latest

3. Pull, tag, and push the ActiveGate image

Pull the image.

Example command:

bash
docker pull <your_environment_domain_name>/linux/activegate:<activegate_version>

Tag the image for your own registry.

Example command:

bash
docker tag <your_environment_domain_name>/linux/activegate:<activegate_version> <your_private_registry>/activegate:<activegate_version>

Push the image to your own registry.

Example command:

bash
docker push <your_private_registry>/activegate:<activegate_version>

4. Fetch, modify, and apply the Kubernetes/OpenShift YAML

Download the latest Kubernetes/OpenShift YAML from the Dynatrace GitHub repository.

kubectloc

bash
curl -Lo kubernetes.yaml https://github.com/Dynatrace/dynatrace-operator/releases/download/latest/kubernetes.yaml

bash
curl -Lo openshift.yaml https://github.com/Dynatrace/dynatrace-operator/releases/download/latest/openshift.yaml

Edit the Kubernetes/OpenShift YAML by replacing the default image location of Dynatrace Operator with your private registry address.
If your registries need authentication, update imagePullSecrets on different service accounts.
For more information on how Kubernetes handles security for pods, see Configure service accounts for pods.
Depending on your platform, select one of the options below.
kubectloc
Create a Dynatrace namespace.
```
bash
kubectl create namespace dynatrace
```
Create a Dynatrace project.
```
bash
oc adm new-project --node-selector="" dynatrace
```

Deploy Dynatrace Operator.

kubectloc

bash
kubectl apply -f kubernetes.yaml

bash
oc apply -f openshift.yaml

5. Fetch, modify, and apply the DynaKube custom resource

Download one of the preconfigured DynaKube custom resource samples from GitHub, depending on your monitoring approach.

Example command:
```
bash
curl -Lo <sample>.yaml https://github.com/Dynatrace/dynatrace-operator/blob/master/config/samples/<sample>.yaml
```

Edit the DynaKube custom resource as follows:

Replace the empty value of the image fields (image: "") with image: <your_private_registry>.
Adapt other values according to the parameters section of the Dynatrace Operator deployment page.

Example basic configuration:

yaml
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  apiUrl: https://ENVIRONMENTID.live.dynatrace.com/api
  oneAgent:
    classicFullStack:
      image: <your_private_registry>/oneagent:<oneagent_version>
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
  activeGate:
    capabilities:
      - routing
      - kubernetes-monitoring
    image: <your_private_registry>/activegate:<activegate_version>

Deploy the DynaKube custom resource.

kubectloc

Example command:

bash
kubectl apply -f <sample>.yaml

bash
oc apply -f <sample>.yaml

Code modules as an image

applicationMonitoringcloudNativeFullstack

To build and store your code-module image for applicationMonitoring and cloudNativeFullstack deployments, follow the instructions below.

Prerequisites

Dynatrace Operator version 0.7.0+
A working private registry
Make sure your API token has the PaaS integration - Installer download permission enabled.
Determine what architecture you want to use.
- For x86 architecture, you need to download the multidistro flavor.
- For ARM architecture, you need to download the default flavor.
Determine which OneAgent version you want to use. Example format: 1.239.14.20220325-164521.
Get the available OneAgent version for your environment
Run the command below, replacing the placeholders with the values obtained in the prerequisites above.
```
bash
curl -X GET "<your-API-URL>/api/v1/deployment/installer/agent/versions/unix/paas?flavor=<your-flavor>&arch=all" \
-H "Authorization: Api-Token <your-API-token-with-PaaS-permissions>"
```

Build the image

Create a Dockerfile, which will download, unpack, and place the necessary binaries (ZIP package) to the right location. For examples of Dockerfiles, consult our GitHub repository.

Build the image from the Dockerfile you created above.

Run the command below, making sure to provide the necessary arguments.

bash
docker build \
--build-arg APIURL=<your-API-URL>/api\
--build-arg APITOKEN=<your-API-token> \
--build-arg AGENTVERSION=<your-desired-OneAgent-version> \
--tag <your-registry>/<your-code-modules-repository>:<your-OneAgent-version> \
-f <path-to-your-Dockerfile> .

Push the image to your private repository.
```
bash
docker push <your-registry>/<your-code-modules-repository>:<your-OneAgent-version>
```
After you're done, you can use the image in the custom resource YAML and download the OneAgent binaries from your private image repository.

Note:
- For Dynatrace Operator to authenticate to the private registry, you need to define the customPullSecret parameter in the Dynakube custom resource. For details, see Create a Secret based on existing credentials.
For cloudNativeFullStack and applicationMonitoring deployments when using CSI driver, you need to set the codeModulesImage parameter in DynaKube.
- Example:
```
yaml
...
cloudNativeFullStack:
  codeModulesImage: <your-registry>/<your-code-modules-repository>:<your-OneAgent-version>
```