Set up OpenShift monitoring

Starting with Dynatrace version 1.215, you can deploy full-stack OneAgents and containerized ActiveGates using Dynatrace Operator. Earlier Dynatrace versions can still be deployed with OneAgent Operator. Nevertheless, we recommend migrating to Dynatrace Operator.
For more information on all deployment options, see OpenShift deployment overview

Deploy Dynatrace Operator and enable Kubernetes API monitoring

There are two ways to configure Dynatrace Operator to monitor your OpenShift cluster, (automated or manual. See below for instructions.

Note: The instructions apply to OpenShift Dedicated as well. For OpenShift Dedicated, you need cluster-admin privileges.

Prerequisites
  • Dynatrace Cluster version 1.215
  • OpenShift versions 3.11.188+, 4.5+
  • Pods must allow egress to your Dynatrace environment or to your Environment ActiveGate in order for metric routing to work properly.
  • See Support lifecycle for supported OpenShift versions.

Automated

  1. In the Dynatrace menu, go to Hub.
  2. Find and select Kubernetes.
  3. Select Monitor Kubernetes.
  4. On the Monitor Kubernetes / OpenShift page, follow the on-screen deployment instructions.
    • Name: This name is used by various Dynatrace settings, including OpenShift cluster name, Network Zone, ActiveGate Group, and Host Group
    • Platform: OpenShift
    • PaaS token and API token: To create these tokens automatically, select Create tokens
  5. Under Execute the following command in your terminal, Dynatrace creates a command based on your input in the previous steps. After you have set all of the preceding parameters, select Copy to copy the command to your clipboard.
  6. Paste the command to your terminal and run it.

Manual

  1. Generate an API token and a PaaS token in your Dynatrace environment.
    Note: Make sure you have the following permissions enabled for the API token in the API v1 section:

    • Access problem and event feed, metrics, and topology
    • Read configuration
    • Write configuration
  2. Add a new project.

oc adm new-project --node-selector="" dynatrace
  1. OCP version 3.11 Provide image pull secrets.

Skip this step if you're using a later version.
In order to use the certified Dynatrace Operator and OneAgent images from Red Hat Container Catalog (RHCC), you need to provide image pull secrets. The service accounts on the OpenShift manifest YAML already have links to the secrets to be created below.

# For OCP 3.11
oc -n dynatrace create secret docker-registry redhat-connect --docker-server=registry.connect.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
oc -n dynatrace create secret docker-registry redhat-connect-sso --docker-server=sso.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
  1. Apply the OpenShift manifest YAML to deploy Dynatrace Operator.
oc apply -f https://github.com/Dynatrace/dynatrace-operator/releases/latest/download/openshift.yaml
oc -n dynatrace logs -f deployment/dynatrace-operator
  1. Create the secret that holds the API and PaaS tokens for authenticating to the Dynatrace Cluster.

The name of the secret will be important in a later step when you configure the custom resource (.spec.tokens). In the following code snippet, the name is dynakube. Be sure to replace API_TOKEN and PAAS_TOKEN with values as specified in the prerequisites.

oc -n dynatrace create secret generic dynakube --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"
  1. Get the DynaKube custom resource from the GitHub repository.
curl -Lo cr.yaml https://github.com/Dynatrace/dynatrace-operator/releases/latest/download/cr.yaml
  1. Adapt the values of the custom resource as indicated below.

Example of a basic configuration:

apiVersion: dynatrace.com/v1alpha1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  # Dynatrace apiUrl including the `/api` path at the end.
  # For SaaS, set `YOUR_ENVIRONMENT_ID` to your environment ID.
  # For Managed, change the apiUrl address.
  # For instructions on how to determine the environment ID and how to configure the apiUrl address, see https://www.dynatrace.com/support/help/reference/dynatrace-concepts/environment-id/.
  #
  apiUrl: https://YOUR_ENVIRONMENT_ID.live.dynatrace.com/api

  # Name of the secret holding the API and PaaS tokens.
  # If unset, Dynatrace Operator uses the name of the custom resource.
  #
  # tokens: ""

  # Enables and configures an ActiveGate instance that allows monitoring
  # of Kubernetes environments.
  #
  kubernetesMonitoring:
    #   Enable Kubernetes monitoring functionality.
    #
    enabled: true
  classicFullStack:
    # Enable classic oneagent monitoring
    enabled: true
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists

If you want to revert an argument, you need to set it to empty instead of removing it from the custom resource.
Example:

args:
   - "--set-proxy="

Parameters

For a complete list of parameters, see the list below.

Global parameters

Parameter Description Default value
apiUrl Required Dynatrace apiUrl, including the /api path at the end.
- For SaaS, set YOUR_ENVIRONMENT_ID to your environment ID.
- For Managed, change the apiUrl address.
For instructions on how to determine the environment ID and how to configure the apiUrl address, see Environment ID.
tokens Optional Name of the secret holding the API and PaaS tokens. Name of custom resource (.metadata.name) if unset
skipCertCheck Optional Disable certificate check for the connection between Dynatrace Operator and the Dynatrace Cluster.
Set to true if you want to skip certification validation checks.
false
proxy Optional Set custom proxy settings either directly or from a secret with the field proxy.
Note: Only Dynatrace Operator traffic runs through this proxy; ActiveGate traffic doesn't.
trustedCAs Optional Adds custom RootCAs from a configmap. Put the certificate under certs within your configmap.
Note: Applies only to Dynatrace Operator, not to ActiveGate.
networkZone Optional Sets a network zone for the OneAgent and ActiveGate pods.
customPullSecret Optional Defines a custom pull secret in case you use a private registry when pulling images from the Dynatrace environment.
enableIstio Optional When enabled, and if Istio is installed on the Kubernetes environment, Dynatrace Operator will create the corresponding VirtualService and ServiceEntry objects to allow access to the Dynatrace Cluster from the OneAgent or ActiveGate. Disabled by default. false

ActiveGate parameters

Parameter Description Default value
activeGate.image Optional Configuration for ActiveGate instances (to use a custom ActiveGate Docker image).

OneAgent parameters

Parameter Description Default value
oneAgent.version Optional The OneAgent version to be used when useImmutableImage is enabled. The latest version is used by default.
oneAgent.image Optional Use a custom OneAgent Docker image. Defaults to docker.io/dynatrace/oneagent in Kubernetes and registry.connect.redhat.com/dynatrace/oneagent in OpenShift.
oneAgent.autoUpdate Optional Disables automatic restarts of OneAgent pods in case a new version is available. True by default. true

Classic full-stack observability parameters

Parameter Description Default value
classicFullStack.enabled Optional Enables classic OneAgent monitoring. false
classicFullStack.nodeSelector Optional Specify the node selector that controls on which nodes OneAgent will be deployed.
classicFullStack.tolerations Optional Tolerations to include with the OneAgent DaemonSet.
For details, see Taints and Tolerations.
classicFullStack.resources Optional Resource settings for OneAgent container. Consumption of the OneAgent heavily depends on the workload to monitor. You can use the default settings in the CR.
Note: resource.requests shows the values needed to run; resource.limits shows the maximum limits for the pod.
classicFullStack.args Optional Set additional arguments to the OneAgent installer.
For available options, see Linux custom installation.
For the list of limitations, see Limitations.
"--set-app-log-content-access=true"
classicFullStack.env Optional Set additional environment variables for the OneAgent pods.
classicFullStack.priorityClassName Optional Assign a priority class to the OneAgent pods. By default, no class is set.
For details, see Pod Priority and Preemption.
classicFullStack.dnsPolicy Optional Set the DNS Policy for OneAgent pods.
For details, see Pods DNS Policy.
ClusterFirstWithHostNet
classicFullStack.serviceAccountName Optional The name of the ServiceAccount to assign to the OneAgent pods. "dynatrace-dynakube-oneagent"
classicFullStack.labels Optional Your defined labels for OneAgent pods in order to structure workloads as desired.
classicFullStack.useUnprivilegedMode Optional When enabled, the OneAgent pods will run as unprivileged. Enabled by default. true
classicFullStack.useImmutableImage Optional When enabled, the Operator will use the immutable image from the Dynatrace environment or from your custom registry. Otherwise, an installer image is used. Disabled by default. false

Kubernetes API Monitoring parameters

Parameter Description Default value
kubernetesMonitoring.enabled Optional Enable Kubernetes monitoring functionality. false
kubernetesMonitoring.replicas Optional Number of replicas of ActiveGate pods. 1
kubernetesMonitoring.tolerations Optional Tolerations to include with the ActiveGate StatefulSet.
For details, see Taints and Tolerations.
kubernetesMonitoring.nodeSelector Optional Node selector to control on which nodes the ActiveGate will be deployed. {}
kubernetesMonitoring.resources Optional Resource settings for ActiveGate container. Consumption of the ActiveGate heavily depends on the workload to monitor. You can use the default settings in the CR.
Note: resource.requests shows the values needed to run; resource.limits shows the maximum limits for the pod.
kubernetesMonitoring.labels Optional Your defined labels for ActiveGate pods in order to structure workloads as desired.
kubernetesMonitoring.args Optional Set additional arguments to the ActiveGate pods.
kubernetesMonitoring.env Optional Set additional environment variables to the ActiveGate pods.
kubernetesMonitoring.group Optional Set activation group for ActiveGate. See Customize ActiveGate properties for details.
kubernetesMonitoring.customProperties Optional Add a custom properties file by providing it as a value or reference it from a secret.
Note: when referencing it from a secret, make sure the key is called customProperties. See Customize ActiveGate properties for details.

Routing parameters

Parameter Description Default value
routing.enabled Optional Enable routing functionality. false

For a complete file with all the properties, see the custom resource file on GitHub.

  1. Save the custom resource.
oc apply -f cr.yaml

Configure proxy optional

  • You can configure optional parameters like proxy settings in the cr.yaml file in order to
    • Download the OneAgent installer
    • Ensure communication between the OneAgent and your Dynatrace environment
    • Ensure communication between Dynatrace Operator and the Dynatrace API.

There are two ways to provide the proxy, depending on whether your proxy uses credentials.

Connect your OpenShift cluster to Dynatrace

Some Kubernetes pages require that your OpenShift cluster be connected to Dynatrace. This connection creates relationships among applications, services, processes, hosts, and Kubernetes objects such as pods and namespaces.
See Deploy ActiveGate using Dynatrace Operator for instructions on how to connect your cluster to Dynatrace.

If you want to monitor several OpenShift clusters with one ActiveGate and don't care about network isolation, you can deploy a classic ActiveGate in a virtual machine to connect your clusters to Dynatrace.

Configure security context constraints

To allow Dynatrace Operator to instrument pods, you must add a security context constraint. See Configure security context constraints on OpenShift using Dynatrace Operator for details.

Monitor large OpenShift environments

Contact Dynatrace ONE if you want to monitor environments that are larger than:

  • 50 OpenShift clusters per Dynatrace environment
  • 500 nodes per OpenShift cluster
  • 50,000 pods per OpenShift cluster

Uninstall Dynatrace Operator

Remove DynaKube custom resources and clean all remaining Dynatrace Operator–specific objects.

oc delete -n dynatrace dynakube --all
oc delete -f https://github.com/Dynatrace/dynatrace-operator/releases/latest/download/openshift.yaml