Deploy OneAgent on OpenShift Container Platform

For full-stack monitoring of OpenShift clusters, you need to roll-out Dynatrace OneAgent on each cluster node using OneAgent Operator.

OneAgent Operator v0.3+ requires OpenShift 3.11 or higher. Older versions of the OneAgent Operator work with OpenShift v3.9 or higher.

Prepare Dynatrace tokens for OneAgent Operator

The OneAgent Operator requires two different tokens for interacting with Dynatrace servers. These two tokens are made available to OneAgent Operator by means of a Kubernetes secret as explained at a later step.

  1. Get an API token for the Dynatrace API with the scope Access problem and event feed, metrics, and topology. This token is later referenced as API_TOKEN.

  2. Get a Platform-as-a-Service token. This token is later referenced as PAAS_TOKEN.

Install OneAgent Operator

Start by adding a new project as follows: $ oc adm new-project --node-selector="" dynatrace

If you are installing the Operator on an OpenShift Container Platform 3.11 environment, in order to use the certified OneAgent Operator and OneAgent images from Red Hat Container Catalog (RHCC), you need to provide image pull secrets. The Service Accounts on the openshift.yaml manifest already have links to the secrets to be created below. Skip this step if you are using OCP 4.x.

# For OCP 3.11
$ oc -n dynatrace create secret docker-registry redhat-connect --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
$ oc -n dynatrace create secret docker-registry redhat-connect-sso --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused

For both 4.x and 3.11, we apply the openshift.yaml manifest to deploy the Operator:

$ LATEST_RELEASE=$(curl -s | grep tag_name | cut -d '"' -f 4)
$ oc apply -f$LATEST_RELEASE/deploy/openshift.yaml
$ oc -n dynatrace logs -f deployment/dynatrace-oneagent-operator

Create the secret holding API and PaaS tokens for authenticating to the Dynatrace cluster. The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained above.

$ oc -n dynatrace create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"

Save the following custom resource snippet to a file cr.yaml. The rollout of Dynatrace OneAgent is governed by a custom resource of type OneAgent.

Alternatively, you can use the snippet from the GitHub repository.

$ curl -o cr.yaml$LATEST_RELEASE/deploy/cr.yaml

Adapt the values of the custom resource as indicated in the following table.

Parameter Description Default value
apiUrl Dynatrace SaaS: Replace ENVIRONMENTID with your Dynatrace environment ID in
Dynatrace Managed: Provide your Dynatrace Server URL (https://<YourDynatraceServerURL>/e/<ENVIRONMENTID>/api)
tokens Name of the secret that holds the API and PaaS tokens from above. Name of custom resource ( if unset
image Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set .spec.image to in the custom resource and provide image pull secrets as shown in the next step. if unset
args Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of INSTALL_PATH. We recommend to set APP_LOG_CONTENT_ACCESS=1 []

Create the custom resource.

$ oc create -f cr.yaml


The same limitations apply as when deploying OneAgent as a Docker container, except the auto-update. The operator makes sure OneAgents are properly updated.