Dynatrace supports running ActiveGate in a container. As an example of a container-based deployment, this page describes how to deploy container-based ActiveGate using a StatefulSet on Kubernetes/OpenShift.
InstallerDownload
scopeRun the command below and save the UUID from the output for later use.
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
oc get namespace kube-system -o jsonpath='{.metadata.uid}'
A Dynatrace ActiveGate image is supported on a variety of Kubernetes and OpenShift versions. For a complete list, see Technology support - Kubernetes.
Images are available for the following architectures:
To prioritize seamless integration with your tooling and adaptability to your needs, we offer our container images in various ways to maximize flexibility:
Please note that multi-arch Dynatrace container images supporting ARM64 (AArch64) and x86-64 CPU architectures on Linux, ensuring compatibility across various platforms are available from public registries only. Dynatrace built-in registry provides only x86-64 images.
Create a dedicated namespace.
kubectl create namespace dynatrace
oc adm new-project --node-selector="" dynatrace
Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
<YOUR_TENANT_TOKEN>
with the tenantToken
value obtained in Prerequisites from the connectivity information.<YOUR_AUTH_TOKEN>
with the individual ActiveGate token obtained in Prerequisites.Create an ag-deployment-example.yaml
file with the following content:
apiVersion: v1kind: Servicemetadata:name: dynatrace-activegatenamespace: dynatracespec:type: ClusterIPselector:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegateports:- protocol: TCPport: 443targetPort: ag-https---apiVersion: apps/v1kind: StatefulSetmetadata:name: dynatrace-activegatenamespace: dynatracelabels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatespec:podManagementPolicy: ParallelserviceName: ""selector:matchLabels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatetemplate:metadata:labels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatespec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/archoperator: Invalues:- <CPU_ARCHITECTURE>- key: kubernetes.io/osoperator: Invalues:- linuxcontainers:- name: activegateimage: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>imagePullPolicy: Alwaysports:- containerPort: 9999name: ag-httpsprotocol: TCPenv:- name: DT_TENANTvalue: <YOUR_ENVIRONMENT_ID>- name: DT_SERVERvalue: <YOUR_COMMUNICATION_ENDPOINTS>- name: DT_ID_SEED_NAMESPACEvalue: dynatrace- name: DT_ID_SEED_K8S_CLUSTER_IDvalue: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>- name: DT_CAPABILITIESvalue: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest- name: DT_DEPLOYMENT_METADATAvalue: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none- name: DT_DNS_ENTRY_POINTvalue: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communicationvolumeMounts:- name: dynatrace-tokensmountPath: /var/lib/dynatrace/secrets/tokens- name: truststore-volumemountPath: /opt/dynatrace/gateway/jre/lib/security/cacertsreadOnly: truesubPath: k8s-local.jks- name: server-certs-storagemountPath: /var/lib/dynatrace/gateway/ssl- name: ag-lib-gateway-configmountPath: /var/lib/dynatrace/gateway/config- name: ag-lib-gateway-tempmountPath: /var/lib/dynatrace/gateway/temp- name: ag-lib-gateway-datamountPath: /var/lib/dynatrace/gateway/data- name: ag-log-gatewaymountPath: /var/log/dynatrace/gateway- name: ag-tmp-gatewaymountPath: /var/tmp/dynatrace/gatewaylivenessProbe:failureThreshold: 2httpGet:path: /rest/stateport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 30successThreshold: 1timeoutSeconds: 1readinessProbe:failureThreshold: 3httpGet:path: /rest/healthport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 15successThreshold: 1timeoutSeconds: 1resources:requests:cpu: 500mmemory: 512Milimits:cpu: 1000mmemory: 1.5GisecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- allprivileged: falsereadOnlyRootFilesystem: truerunAsNonRoot: trueseccompProfile:type: RuntimeDefaultinitContainers:- name: certificate-loaderimage: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>workingDir: /var/lib/dynatrace/gatewaycommand: ['/bin/bash']args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']volumeMounts:- mountPath: /var/lib/dynatrace/gateway/sslname: truststore-volumevolumes:- name: truststore-volumeemptyDir: {}- name: dynatrace-tokenssecret:secretName: dynatrace-tokens- name: server-certs-storageemptyDir: {}- name: ag-lib-gateway-configemptyDir: {}- name: ag-lib-gateway-tempemptyDir: {}- name: ag-lib-gateway-dataemptyDir: {}- name: ag-log-gatewayemptyDir: {}- name: ag-tmp-gatewayemptyDir: {}updateStrategy:type: RollingUpdate
Modify your deployment YAML file.
Add environment configuration details to the ag-deployment-example.yaml
file, making sure to replace:
CPU_ARCHITECTURE
with your CPU architecture. Possible values are amd64
, arm64
, and s390x
<REPOSITORY_URL>
with one of the supported registries
<IMAGE_TAG>
with correct image tag (examples)
<YOUR_ENVIRONMENT_ID>
with your environment ID
To determine your environment ID, see the syntax below.
https://{your-environment-id}.live.dynatrace.com
https://{your-domain}/e/{your-environment-id}
<YOUR_COMMUNICATION_ENDPOINTS>
with the value of communicationEndpoints
obtained in Prerequisites from the connectivity information
The list of server communication endpoints (communicationEndpoints
) may change over time.
<YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
with the kube-system namespace UUID obtained in Prerequisites
Options:
optional Enable AppArmor if available.
To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml
. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default
profile.
spec:template:metadata:annotations:container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
optional Apply resource limits according to sizing hints.
The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
Actual figures depend on your environment.
These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.
Deploy ActiveGate.
kubectl apply -f ./ag-deployment-example.yaml
oc apply -f ./ag-deployment-example.yaml
To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.
Create a dedicated namespace.
kubectl create namespace dynatrace
oc adm new-project --node-selector="" dynatrace
Create a secret that holds the environment URL and authentication details for this registry.
kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry \--docker-server=<YOUR_ENVIRONMENT_URL> \--docker-username=<YOUR_ENVIRONMENT_ID> \--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN>
oc -n dynatrace create secret docker-registry dynatrace-docker-registry \--docker-server=<YOUR_ENVIRONMENT_URL> \--docker-username=<YOUR_ENVIRONMENT_ID> \--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN> -n dynatrace
You need to replace
<YOUR_ENVIRONMENT_URL>
with your environment URL (without https://
). Example: abc12345.live.dynatrace.com
<YOUR_ENVIRONMENT_ID>
with the Docker account username (the same as the ID in your environment URL above).
To determine your environment ID, see the syntax below.
https://{your-environment-id}.live.dynatrace.com
https://{your-domain}/e/{your-environment-id}
<YOUR_INSTALLER_DOWNLOAD_TOKEN>
with the access token with InstallerDownload
scope you created in Prerequisites
Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
<YOUR_TENANT_TOKEN>
with the tenantToken
value obtained in Prerequisites from the connectivity information.<YOUR_AUTH_TOKEN>
with the individual ActiveGate token obtained in Prerequisites.Create an ag-deployment-example.yaml
file with the following content:
apiVersion: v1kind: Servicemetadata:name: dynatrace-activegatenamespace: dynatracespec:type: ClusterIPselector:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegateports:- protocol: TCPport: 443targetPort: ag-https---apiVersion: apps/v1kind: StatefulSetmetadata:name: dynatrace-activegatenamespace: dynatracelabels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatespec:podManagementPolicy: ParallelserviceName: ""selector:matchLabels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatetemplate:metadata:labels:app.kubernetes.io/component: activegatecomponent.dynatrace.com/feature: activegatespec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/archoperator: Invalues:- amd64- key: kubernetes.io/osoperator: Invalues:- linuxcontainers:- name: activegateimage: <YOUR_ENVIRONMENT_URL>/linux/activegate:rawimagePullPolicy: Alwaysports:- containerPort: 9999name: ag-httpsprotocol: TCPenv:- name: DT_TENANTvalue: <YOUR_ENVIRONMENT_ID>- name: DT_SERVERvalue: <YOUR_COMMUNICATION_ENDPOINTS>- name: DT_ID_SEED_NAMESPACEvalue: dynatrace- name: DT_ID_SEED_K8S_CLUSTER_IDvalue: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>- name: DT_CAPABILITIESvalue: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest- name: DT_DEPLOYMENT_METADATAvalue: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none- name: DT_DNS_ENTRY_POINTvalue: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communicationvolumeMounts:- name: dynatrace-tokensmountPath: /var/lib/dynatrace/secrets/tokens- name: truststore-volumemountPath: /opt/dynatrace/gateway/jre/lib/security/cacertsreadOnly: truesubPath: k8s-local.jks- name: server-certs-storagemountPath: /var/lib/dynatrace/gateway/ssl- name: ag-lib-gateway-configmountPath: /var/lib/dynatrace/gateway/config- name: ag-lib-gateway-tempmountPath: /var/lib/dynatrace/gateway/temp- name: ag-lib-gateway-datamountPath: /var/lib/dynatrace/gateway/data- name: ag-log-gatewaymountPath: /var/log/dynatrace/gateway- name: ag-tmp-gatewaymountPath: /var/tmp/dynatrace/gatewaylivenessProbe:failureThreshold: 2httpGet:path: /rest/stateport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 30successThreshold: 1timeoutSeconds: 1readinessProbe:failureThreshold: 3httpGet:path: /rest/healthport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 15successThreshold: 1timeoutSeconds: 1resources:requests:cpu: 500mmemory: 512Milimits:cpu: 1000mmemory: 1.5GisecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- allprivileged: falsereadOnlyRootFilesystem: truerunAsNonRoot: trueseccompProfile:type: RuntimeDefaultinitContainers:- name: certificate-loaderimage: <YOUR_ENVIRONMENT_URL>/linux/activegate:rawworkingDir: /var/lib/dynatrace/gatewaycommand: ['/bin/bash']args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']volumeMounts:- mountPath: /var/lib/dynatrace/gateway/sslname: truststore-volumeimagePullSecrets:- name: dynatrace-docker-registryvolumes:- name: truststore-volumeemptyDir: {}- name: dynatrace-tokenssecret:secretName: dynatrace-tokens- name: server-certs-storageemptyDir: {}- name: ag-lib-gateway-configemptyDir: {}- name: ag-lib-gateway-tempemptyDir: {}- name: ag-lib-gateway-dataemptyDir: {}- name: ag-log-gatewayemptyDir: {}- name: ag-tmp-gatewayemptyDir: {}updateStrategy:type: RollingUpdate
Modify your deployment YAML file.
Add environment configuration details to the ag-deployment-example.yaml
file, making sure to replace:
<YOUR_ENVIRONMENT_URL>
with your environment URL (without https://
). Example: abc12345.live.dynatrace.com
<YOUR_ENVIRONMENT_ID>
with the Docker account username (the same as the ID in your environment URL above)
To determine your environment ID, see the syntax below.
https://{your-environment-id}.live.dynatrace.com
https://{your-domain}/e/{your-environment-id}
<YOUR_COMMUNICATION_ENDPOINTS>
with the value of communicationEndpoints
obtained in Prerequisites from the connectivity information
The list of server communication endpoints (communicationEndpoints
) may change over time.
<YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
with the kube-system namespace UUID obtained in Prerequisites
Options:
raw
—The latest available image1.sprint.patchlevel-raw
—An image for a particular ActiveGate version (for example, 1.297.0-raw
)optional Enable AppArmor if available.
To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml
. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default
profile.
spec:template:metadata:annotations:container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
optional Apply resource limits according to sizing hints.
The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
Actual figures depend on your environment.
These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.
Deploy ActiveGate.
kubectl apply -f ./ag-deployment-example.yaml
oc apply -f ./ag-deployment-example.yaml
To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.
To monitor Kubernetes/Openshift, select one of the following:
To collect logs from Kubernetes, use Log Monitoring.