Deploy OneAgent Operator on Kubernetes

OneAgent Operator version 0.8.2

We recommend installing OneAgent Operator on Kubernetes with kubectl. If you prefer Helm, you can use the OneAgent Helm chart as a basic alternative.
For more information on all deployment options, see Kubernetes deployment strategies.

Installation

Find out below how to install and configure OneAgent.

Deploy with kubectl Deploy with Helm

Prerequisites

Generate an API token and a PaaS token in your Dynatrace environment.
Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.
Pods must allow egress to your Dynatrace environment or to your environment ActiveGate in order for metric routing to work properly.
See Support lifecycle for supported Kubernetes versions.

Create the necessary objects for OneAgent Operator.
OneAgent Operator acts on its separate namespace dynatrace. It holds the operator deployment and all dependent objects like permissions, custom resources and the corresponding DaemonSet. You can also observe the logs of OneAgent Operator.

$ kubectl create namespace dynatrace
$ kubectl apply -f https://github.com/Dynatrace/dynatrace-oneagent-operator/releases/latest/download/kubernetes.yaml
$ kubectl -n dynatrace logs -f deployment/dynatrace-oneagent-operator

Create the secret holding API and PaaS tokens for authentication to the Dynatrace cluster.
The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained in the prerequisites.

$ kubectl -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"

Save custom resource.
The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent. Retrieve the cr.yaml file from the GitHub repository.

$ curl -o cr.yaml https://raw.githubusercontent.com/Dynatrace/dynatrace-oneagent-operator/master/deploy/cr.yaml

Adapt the values of the custom resource as indicated below.

If you want to revert an argument, you need to set it to empty instead of removing it from the custom resource.
Example:

args:
   - "--set-proxy="

Parameters...

Parameter	Description	Default value
`apiUrl`	required For Dynatrace SaaS, where OneAgent can connect to the internet, replace the Dynatrace `ENVIRONMENTID` in `https://ENVIRONMENTID.live.dynatrace.com/api`. For environment ActiveGates (SaaS or Managed), use the following to download the OneAgent, as well as to communicate OneAgent traffic through the ActiveGate: `https://YourActiveGateIP` or `FQDN:9999/e/<ENVIRONMENTID>/api`.
`useUnprivilegedMode`	optional Set to `false` if you want to mark the pod as privileged. Defaults to using Linux capabilities for the OneAgent pod	`true`
`tokens`	optional Name of the secret that holds the API and PaaS tokens from above.	Name of custom resource (`.metadata.name`) if unset
`useImmutableImage`	optional Set to `true` if you want to pull a OneAgent Docker image from your Dynatrace environment. Use this parameter together with the `agentVersion` parameter to control the version of OneAgent.	`false`
`agentVersion`	optional Set this value to the OneAgent version using semantic versioning (`major.minor.patch`). Example: `1.203.0`	latest version
`args`	optional Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of `INSTALL_PATH`. Starting with OneAgent version 1.185, we recommend you set `--set-app-log-content-access=true` (for earlier versions, set `APP_LOG_CONTENT_ACCESS=1`).
`env`	optional Environment variables for OneAgent container.
`skipCertCheck`	optional Disable certificate validation checks for installer download and API communication. Set to `true` if you want to skip any certification validation checks.	`false`
`nodeSelector`	optional Keep empty default value. If you want to roll out OneAgent to specific nodes only, provide the `nodeSelectors` here. Refer to Kubernetes docs for details.
`tolerations`	optional Keep default value to also roll out the OneAgent to master nodes if possible. If you want to apply additional tolerations to OneAgent pods for tainted nodes, provide them here. Refer to Kubernetes docs for details.
`image`	optional Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set `.spec.image` to `registry.connect.redhat.com/dynatrace/oneagent` in the custom resource and provide image pull secrets as shown in the next step.	`docker.io/dynatrace/oneagent:latest` if unset
`resources`	optional Resource requests/limits for the OneAgent pods. These settings heavily depend on size of worker nodes and workloads. Please adjust to fit your needs.
`priorityClassName`	optional Priority class for OneAgent pod. Refer to Kubernetes docs.
`disableAgentUpdate`	optional Disable the Operator's auto-update feature for OneAgent pods.	`false`
`enableIstio`	optional Enable management of Istio service entries and virtual services for Dynatrace endpoints to allow for OneAgent monitoring egress traffic to your Dynatrace environment	`false`
`trustedCAs`	optional Adds the provided CA certficates to the Operator and the OneAgent; provide the name of the configmap which holds your PEM in a field called `certs`.	If not set, the default embedded certificates on the images will be used.

Configuration for Anthos, SUSE CaaS, GKE, and TKGI

For Anthos, SUSE CaaS, Google Kubernetes Engine, and VMware Tanzu Kubernetes Grid Integrated Edition (formerly PKE), you must add the following additional parameters to the env section in the cr.yaml file:

Anthos and GKE

env:
 - name: ONEAGENT_ENABLE_VOLUME_STORAGE
   value: "true"

TKGI

env:
 - name: ONEAGENT_ENABLE_VOLUME_STORAGE
   value: "true"
 - name: ONEAGENT_CONTAINER_STORAGE_PATH
   value: /var/vcap/store

SUSE CaaS

env:
 - name: ONEAGENT_ENABLE_VOLUME_STORAGE
   value: "true"

Create the custom resource.

$ kubectl apply -f cr.yaml

optional Configure proxy.

You can configure optional parameters like proxy settings in the cr.yaml file in order to
- download the OneAgent installer
- ensure the communication between the OneAgent and your Dynatrace environment
- ensure the communication between the Dynatrace OneAgent Operator and the Dynatrace API.

There are two ways to provide the proxy, depending on whether or not your proxy uses credentials.

No credentials

If you have a proxy that doesn't use credentials, enter your proxy URL directly in the value field for the proxy.

Example

apiVersion: dynatrace.com/v1alpha1
kind: OneAgent
metadata:  
  name: oneagent  
  namespace: dynatrace
spec:  
  apiUrl: https://environmentid.dynatrace.com/api  
  tolerations:  
  - effect: NoSchedule    
    key: node-role.kubernetes.io/master    
    operator: Exists  
  args:  
  - --set-app-log-content-access=true  
  enableIstio: true  
  proxy:    
    value: http://mysuperproxy

With credentials

If your proxy uses credentials

Create a secret with a field called proxy which holds your encrypted proxy URL with the credentials.
Example.

kubectl -n dynatrace create secret generic myproxysecret --from-literal="proxy=http://<user>:<password>@<IP>:<PORT>"

Provide the name of the secret in the valueFrom section.
Example.

apiVersion: dynatrace.com/v1alpha1
kind: OneAgent
metadata:  
  name: oneagent  
  namespace: dynatrace
spec:  
  apiUrl: https://environmentid.dynatrace.com/api  
  tolerations:  
  - effect: NoSchedule    
    key: node-role.kubernetes.io/master    
    operator: Exists  
  args:  
  - --set-app-log-content-access=true  
  enableIstio: true  
  proxy:    
    valueFrom: myproxysecret

optional Configure network zones.

You can configure network zones by setting the following argument:
```
args:
  - --set-network-zone=<your.network.zone>
```
See network zones for more information.

Prerequisites

Generate an API token and a PaaS token in your Dynatrace environment.
Make sure you have the Access problem and event feed, metrics, and topology setting enabled for the API token.
Pods must allow egress to your Dynatrace environment or to your environment ActiveGate in order for metric routing to work properly.
See Support lifecycle for supported Kubernetes versions.
Install Helm version 3.

Add the Dynatrace OneAgent Helm repository.

$ helm repo add dynatrace \
https://raw.githubusercontent.com/Dynatrace/helm-charts/master/repos/stable

Create a Dynatrace namespace.
The Dynatrace OneAgent Operator acts on its separate namespace called dynatrace, which holds the operator deployment and all dependent objects like permissions, custom resources, and corresponding DaemonSets.

$ kubectl create namespace dynatrace

Create a values.yaml file with the following content.

platform: "kubernetes"
operator:
  image: ""
oneagent:
  name: "oneagent"
  apiUrl: "https://ENVIRONMENTID.live.dynatrace.com/api"
  image: ""
  args:
    - --set-app-log-content-access=true
  env: {}
  nodeSelector: {}
  labels: {}
  skipCertCheck: false
  disableAgentUpdate: false
  enableIstio: false
  dnsPolicy: ""
  resources: {}
  waitReadySeconds: null
  priorityClassName: ""
  serviceAccountName: ""
  proxy: ""
  trustedCAs: ""
secret:
  apiToken: "DYNATRACE_API_TOKEN"
  paasToken: "PLATFORM_AS_A_SERVICE_TOKEN"

Note: The OneAgent proxy setting is used by both the Operator and the OneAgent containers when communicating to the Dynatrace environment.

Configuration for Anthos, SUSE CaaS, GKE, and TKGI

Anthos, SUSE CaaS, and GKE

  env:
    - name: ONEAGENT_ENABLE_VOLUME_STORAGE
      value: "true"

TKGI

  env:
    - name: ONEAGENT_ENABLE_VOLUME_STORAGE
      value: "true"
    - name: ONEAGENT_CONTAINER_STORAGE_PATH
      value: /var/vcap/store

optional Configure network zones.

You can configure network zones by setting the following argument:
```
args:
  - --set-network-zone=<your.network.zone>
```
See network zones for more information.
To apply the YAML parameters, run the following command:

$ helm install dynatrace-oneagent-operator \
dynatrace/dynatrace-oneagent-operator -n\
dynatrace --values values.yaml

Limitations

See Docker limitations for details.

Troubleshoot

Find out how to troubleshoot issues that you may encounter when deploying OneAgent on Kubernetes.

Connect your Kubernetes clusters to Dynatrace

Now that you have OneAgent running on your Kubernetes nodes, you're able to monitor those nodes, and the applications running in Kubernetes. The next step is to connect the Kubernetes API to Dynatrace in order to get native Kubernetes metrics, like request limits, and differences in pods requested vs. running pods.
For further instructions see Monitor your Kubernetes clusters with Dynatrace.