Dynatrace supports running ActiveGate in a container. As an example of a container-based deployment, this page describes how to deploy container-based ActiveGate using a StatefulSet on Kubernetes/OpenShift.
InstallerDownload scope
Run the command below and save the UUID from the output for later use.
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
A Dynatrace ActiveGate image is supported on a variety of Kubernetes and OpenShift versions. For a complete list, see Technology support - Kubernetes.
Images are available for the following architectures:
To prioritize seamless integration with your tooling and adaptability to your needs, we offer our container images in various ways to maximize flexibility:
Note that multi-arch Dynatrace container images, which ensure compatibility across various platforms, are available from public registries only. The Dynatrace built-in registry provides only x86-64 images.
Dynatrace provides signed container images to ensure authenticity and integrity, along with SBOMs that list all included software components. Verifying the signatures and reviewing the SBOMs enables effective vulnerability management and risk mitigation. For verification details, see Verify Software Bill of Materials (SBOM) Attestation.
Create a dedicated namespace.
kubectl create namespace dynatrace
Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \
  --from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
  --from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
<YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
<YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.
Create an ag-deployment-example.yaml file with the following content:
apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - <CPU_ARCHITECTURE>
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            # Tokens from the dynatrace-tokens secret created earlier
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            # Truststore file written to truststore-volume by the certificate-loader init container
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            # Writable emptyDir mounts; the root filesystem itself is read-only
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          # Container hardening: non-root, no privilege escalation, read-only root filesystem
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate
Modify your deployment YAML file.
Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
<CPU_ARCHITECTURE> with your CPU architecture. Possible values are amd64, arm64, s390x, and ppc64le
<REPOSITORY_URL> with one of the supported registries
<IMAGE_TAG> with the correct image tag (examples)
<YOUR_ENVIRONMENT_ID> with your environment ID
To determine your environment ID, see the syntax below.
https://{your-environment-id}.live.dynatrace.com
https://{your-domain}/e/{your-environment-id}
<YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
The list of server communication endpoints (communicationEndpoints) may change over time.
<YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
For PPC64le architecture, additional configuration is required. For details, see ActiveGate container image.
Options:
Optional: Enable AppArmor if available.
To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
Optional: Apply resource limits according to sizing hints.
The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
Actual figures depend on your environment.
These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.
Deploy ActiveGate.
kubectl apply -f ./ag-deployment-example.yaml
To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.
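The placeholder replacement described above, as an added example that is not part of the Dynatrace documentation: a POSIX shell function that fills ag-deployment-example.yaml from variables and prints nothing to standard output if a value is missing, the architecture or UUID is malformed, or a placeholder survives. The function name render_manifest and the variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Dynatrace code). render_manifest and the variable names
# are assumptions; the placeholders are the ones in ag-deployment-example.yaml.
render_manifest() {
  template=$1
  # Every placeholder needs a non-empty value.
  for var in CPU_ARCHITECTURE REPOSITORY_URL IMAGE_TAG ENVIRONMENT_ID \
             COMMUNICATION_ENDPOINTS KUBE_SYSTEM_UUID; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || { echo "missing variable: $var" >&2; return 1; }
  done
  # kubernetes.io/arch label values for the architectures this page lists.
  case $CPU_ARCHITECTURE in
    amd64|arm64|s390x|ppc64le) ;;
    *) echo "unsupported CPU_ARCHITECTURE: $CPU_ARCHITECTURE" >&2; return 1 ;;
  esac
  # The kube-system namespace UID must look like a UUID.
  printf '%s\n' "$KUBE_SYSTEM_UUID" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "KUBE_SYSTEM_UUID is not a UUID" >&2; return 1; }
  # Literal replacement via index/substr: "/", ";" and "&" in the endpoint
  # list are copied as-is, not interpreted as sed or regex syntax.
  rendered=$(A="$CPU_ARCHITECTURE" R="$REPOSITORY_URL" T="$IMAGE_TAG" \
    E="$ENVIRONMENT_ID" C="$COMMUNICATION_ENDPOINTS" U="$KUBE_SYSTEM_UUID" \
    awk '
    function lit(s, from, to,    out, i) {
      out = ""
      while ((i = index(s, from)) > 0) {
        out = out substr(s, 1, i - 1) to
        s = substr(s, i + length(from))
      }
      return out s
    }
    {
      line = lit($0, "<CPU_ARCHITECTURE>", ENVIRON["A"])
      line = lit(line, "<REPOSITORY_URL>", ENVIRON["R"])
      line = lit(line, "<IMAGE_TAG>", ENVIRON["T"])
      line = lit(line, "<YOUR_ENVIRONMENT_ID>", ENVIRON["E"])
      line = lit(line, "<YOUR_COMMUNICATION_ENDPOINTS>", ENVIRON["C"])
      line = lit(line, "<YOUR_KUBE-SYSTEM_NAMESPACE_UUID>", ENVIRON["U"])
      print line
    }' "$template") || return 1
  # Fail closed if any <UPPER_CASE> placeholder survived the substitution.
  if printf '%s\n' "$rendered" | grep -En '<[A-Z][A-Z_-]*>' >&2; then
    echo "unreplaced placeholder(s) remain" >&2
    return 1
  fi
  printf '%s\n' "$rendered"
}
```

Keep the original file as the template, redirect the function's output to a separate rendered file, and pass that file to kubectl apply -f only when the function returns zero.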
To finish setup of containerized ActiveGate on PPC64le architecture, two more steps are needed:
Increase the number of CPU cores: To match the performance of the x86-64 architecture, the CPU core count should be increased by a factor of four.
Reduce the number of ActiveGate threads:
Create custom properties as described in Advanced configuration
Add the following lines to custom.properties:
[com.compuware.apm.webserver]
threadpool-max-size=30
async-worker-pool-coresize=60
To achieve better performance, we highly recommend applying the steps above.
To monitor Kubernetes/OpenShift, select one of the following:
To collect logs from Kubernetes, use Log Monitoring.
ActiveGate version 1.315+
There is a dedicated, FIPS-compliant ActiveGate image available. See ActiveGate FIPS compliance for information on requirements, limitations, where to get the image, and how to verify the deployment.