• Home
  • Deploy
  • Kubernetes
  • Deployment
  • Other
  • Manually deploy ActiveGate as a StatefulSet

Manually deploy ActiveGate as a StatefulSet

Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can manually deploy ActiveGate as a StatefulSet in your Kubernetes cluster. See below for instructions.

Prerequisites

  • Create a PaaS token

  • Create an authentication token

  • Get your kube-system namespace UUID

    How to extract the kube-system namespace UUID

    Run the command below and save the UUID from the output for later use.

    bash
    kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
    bash
    oc get namespace kube-system -o jsonpath='{.metadata.uid}'

Deploy ActiveGate

To deploy ActiveGate, follow the steps below.

  1. Create a dedicated namespace (Kubernetes)/project (OpenShift).

    Depending on your platform, select one of the options below.

    plaintext
    kubectl create namespace dynatrace
    plaintext
    oc adm new-project --node-selector="" dynatrace

  2. Create two secrets:

    • A secret holding the environment URL and login credentials for this registry
    • A secret for the ActiveGate authentication token
    plaintext
    kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>
kubectl -n dynatrace create secret generic dynatrace-tokens --from-literal=auth-token=<YOUR_AUTH_TOKEN>
    plaintext
    oc -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens --from-literal=auth-token=<YOUR_AUTH_TOKEN>

    where you need to replace

    • <YOUR_ENVIRONMENT_URL> with your environment URL (without 'http'). Example: {your-environment}.live.dynatrace.com

    • <YOUR_ENVIRONMENT_ID> with the Docker account username (same as the ID in your environment URL above).

    To determine your environment ID, see the syntax below.
    SaaS: https://{your-environment-id}.live.dynatrace.com
    Managed: https://{your-domain}/e/{your-environment-id}

    • <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites

    • <YOUR_AUTH_TOKEN> with the ActiveGate authentication token obtained in Prerequisites

  3. Create a service account and a cluster role.

    Create a kubernetes-monitoring-service-account.yaml file with the following content.

    kubernetes-monitoring-service-account.yaml
    yaml
    apiVersion: v1
kind: ServiceAccount
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynatrace-activegate
rules:
- apiGroups:
  - ""
  - batch
  - apps
  - apps.openshift.io
  resources:
  - nodes
  - nodes/metrics
  - pods
  - namespaces
  - deployments
  - replicasets
  - deploymentconfigs
  - replicationcontrollers
  - jobs
  - cronjobs
  - statefulsets
  - daemonsets
  - events
  - resourcequotas
  - pods/proxy
  - services
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynatrace-activegate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynatrace-activegate
subjects:
- kind: ServiceAccount
  name: dynatrace-activegate
  namespace: dynatrace

  4. Apply the file.

    bash
    kubectl apply -f kubernetes-monitoring-service-account.yaml
    bash
    oc apply -f kubernetes-monitoring-service-account.yaml

  5. Create a file named ag-monitoring-and-routing.yaml with the following content, making sure to replace

    • <YOUR_ENVIRONMENT_URL> with your value as described above.
    • <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the Kubernetes namespace UUID obtained in Prerequisites.
    ag-monitoring-and-routing.yaml
    yaml
    apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    activegate: kubernetes-monitoring-and-routing
  ports:
  - protocol: TCP
    port: 443
    targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    activegate: kubernetes-monitoring-and-routing
spec:
  serviceName: ""
  selector:
    matchLabels:
      activegate: kubernetes-monitoring-and-routing
  template:
    metadata:
#     Uncomment the lines below to enable AppArmor
#     annotations:
#  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
      labels:
        activegate: kubernetes-monitoring-and-routing
    spec:
      serviceAccountName: dynatrace-activegate
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      containers:
      - name: activegate
        image: <YOUR_ENVIRONMENT_URL>/linux/activegate
        imagePullPolicy: Always
        ports:
          - name: ag-https
            containerPort: 9999
        env:
        - name: DT_ID_SEED_NAMESPACE
          value: dynatrace
        - name: DT_ID_SEED_K8S_CLUSTER_ID
          value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
        - name: DT_CAPABILITIES
          value: kubernetes_monitoring,MSGrouter,restInterface
        # - name: DT_NETWORK_ZONE
        #   value: <CUSTOM_NZ>
        - name: DT_DNS_ENTRY_POINT
          value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
        volumeMounts:
        - name: dynatrace-tokens
          mountPath: /var/lib/dynatrace/secrets/tokens
        - name: truststore-volume
          mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
          readOnly: true
          subPath: k8s-local.jks
        - name: ag-lib-gateway-config
          mountPath: /var/lib/dynatrace/gateway/config
        - name: ag-lib-gateway-temp
          mountPath: /var/lib/dynatrace/gateway/temp
        - name: ag-lib-gateway-data
          mountPath: /var/lib/dynatrace/gateway/data
        - name: ag-log-gateway
          mountPath: /var/log/dynatrace/gateway
        - name: ag-tmp-gateway
          mountPath: /var/tmp/dynatrace/gateway
        livenessProbe:
          failureThreshold: 2
          httpGet:
            path: /rest/state
            port: ag-https
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /rest/health
            port: ag-https
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 250m
            memory: 512Mi
          limits:
            cpu: 250m
            memory: 512Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      initContainers:
      - name: certificate-loader
        image: YOUR_ENVIRONMENT_URL>/linux/activegate
        workingDir: /var/lib/dynatrace/gateway
        command: ['/bin/bash']
        args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
        volumeMounts:
        - mountPath: /var/lib/dynatrace/gateway/ssl
          name: truststore-volume
      imagePullSecrets:
      - name: dynatrace-docker-registry
      volumes:
      - name: dynatrace-tokens
        secret:
          secretName: dynatrace-tokens
      - name: truststore-volume
        emptyDir: {}
      - name: ag-lib-gateway-config
        emptyDir: {}
      - name: ag-lib-gateway-temp
        emptyDir: {}
      - name: ag-lib-gateway-data
        emptyDir: {}
      - name: ag-log-gateway
        emptyDir: {}
      - name: ag-tmp-gateway
        emptyDir: {}
  updateStrategy:
    type: RollingUpdate
    ActiveGate limit sizing hints

    See below for a list of proposed sizes in relation to the number of pods:

    Number of podsCPUMemory
    Up to 100 pods500 millicores (mCores)512 mebibytes (MiB)
    Up to 1,000 pods1,000 millicores (mCores)1 gibibyte (GiB)
    Up to 5,000 pods1,500 millicores (mCores)2 gibibytes (GiB)
    Over 5,000 podsover 1,500 millicores (mCores)1over 2 gibibytes (GiB)1
    1

    Actual figures depend on your environment.

    These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.

  6. Deploy ActiveGate.

    bash
    kubectl apply -f ag-monitoring-and-routing.yaml
    bash
    oc apply -f ag-monitoring-and-routing.yaml

Connect ActiveGate with Kubernetes API

Continue with step 3 from the guide for enabling Kubernetes API monitoring

ActiveGate update behavior

ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.