Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can manually deploy ActiveGate as a StatefulSet in your Kubernetes cluster. See below for instructions.
Create an access token with PaaS Integration - InstallerDownload
scope
Get your kube-system namespace UUID
Run the command below and save the UUID from the output for later use.
To deploy ActiveGate, follow the steps below.
Create a dedicated namespace (Kubernetes)/project (OpenShift).
Depending on your platform, select one of the options below.
Create two secrets:
where you need to replace
<YOUR_ENVIRONMENT_URL>
with your environment URL (without http
). Example: {your-environment}.live.dynatrace.com
<YOUR_ENVIRONMENT_ID>
with the Docker account username (same as the ID in your environment URL above).<YOUR_PAAS_TOKEN>
with the PaaS token you created in PrerequisitesCreate a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
You need to replace
<YOUR_TENANT_TOKEN>
with the tenantToken
value obtained in Prerequisites from the connectivity information.<YOUR_AUTH_TOKEN>
with the individual ActiveGate token obtained in Prerequisites.To determine your environment ID, see the syntax below.
SaaS: https://{your-environment-id}.live.dynatrace.com
Managed: https://{your-domain}/e/{your-environment-id}
Create a service account and a cluster role.
Create a kubernetes-monitoring-service-account.yaml
file with the following content.
apiVersion: v1kind: ServiceAccountmetadata:name: dynatrace-activegatenamespace: dynatrace---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: dynatrace-activegaterules:- apiGroups:- ""- batch- apps- apps.openshift.ioresources:- nodes- nodes/metrics- pods- namespaces- deployments- replicasets- deploymentconfigs- replicationcontrollers- jobs- cronjobs- statefulsets- daemonsets- events- resourcequotas- pods/proxy- servicesverbs:- list- watch- get---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: dynatrace-activegateroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: dynatrace-activegatesubjects:- kind: ServiceAccountname: dynatrace-activegatenamespace: dynatrace
Apply the file.
Create a file named ag-monitoring-and-routing.yaml
with the following content, making sure to replace
<YOUR_ENVIRONMENT_URL>
with your value as described above.<YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
with the Kubernetes namespace UUID obtained in Prerequisites.apiVersion: v1kind: Servicemetadata:name: dynatrace-activegatenamespace: dynatracespec:type: ClusterIPselector:activegate: kubernetes-monitoring-and-routingports:- protocol: TCPport: 443targetPort: ag-https---apiVersion: apps/v1kind: StatefulSetmetadata:name: dynatrace-activegatenamespace: dynatracelabels:activegate: kubernetes-monitoring-and-routingspec:serviceName: ""selector:matchLabels:activegate: kubernetes-monitoring-and-routingtemplate:metadata:# Uncomment the lines below to enable AppArmor# annotations:# container.apparmor.security.beta.kubernetes.io/activegate: runtime/defaultlabels:activegate: kubernetes-monitoring-and-routingspec:serviceAccountName: dynatrace-activegateaffinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/archoperator: Invalues:- amd64- key: kubernetes.io/osoperator: Invalues:- linuxcontainers:- name: activegateimage: <YOUR_ENVIRONMENT_URL>/linux/activegateimagePullPolicy: Alwaysports:- name: ag-httpscontainerPort: 9999env:- name: DT_ID_SEED_NAMESPACEvalue: dynatrace- name: DT_ID_SEED_K8S_CLUSTER_IDvalue: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>- name: DT_CAPABILITIESvalue: kubernetes_monitoring,MSGrouter,restInterface# - name: DT_NETWORK_ZONE# value: <CUSTOM_NZ>- name: DT_DNS_ENTRY_POINTvalue: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communicationvolumeMounts:- name: dynatrace-tokensmountPath: /var/lib/dynatrace/secrets/tokens- name: truststore-volumemountPath: /opt/dynatrace/gateway/jre/lib/security/cacertsreadOnly: truesubPath: k8s-local.jks- name: ag-lib-gateway-configmountPath: /var/lib/dynatrace/gateway/config- name: ag-lib-gateway-tempmountPath: /var/lib/dynatrace/gateway/temp- name: ag-lib-gateway-datamountPath: /var/lib/dynatrace/gateway/data- name: ag-log-gatewaymountPath: /var/log/dynatrace/gateway- name: ag-tmp-gatewaymountPath: /var/tmp/dynatrace/gatewaylivenessProbe:failureThreshold: 2httpGet:path: /rest/stateport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 30successThreshold: 1timeoutSeconds: 1readinessProbe:failureThreshold: 3httpGet:path: /rest/healthport: ag-httpsscheme: HTTPSinitialDelaySeconds: 30periodSeconds: 15successThreshold: 1timeoutSeconds: 1resources:requests:cpu: 250mmemory: 512Milimits:cpu: 250mmemory: 512MisecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- allprivileged: falsereadOnlyRootFilesystem: truerunAsNonRoot: trueseccompProfile:type: RuntimeDefaultinitContainers:- name: certificate-loaderimage: <YOUR_ENVIRONMENT_URL>/linux/activegateworkingDir: /var/lib/dynatrace/gatewaycommand: ['/bin/bash']args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']volumeMounts:- mountPath: /var/lib/dynatrace/gateway/sslname: truststore-volumeimagePullSecrets:- name: dynatrace-docker-registryvolumes:- name: dynatrace-tokenssecret:secretName: dynatrace-tokens- name: truststore-volumeemptyDir: {}- name: ag-lib-gateway-configemptyDir: {}- name: ag-lib-gateway-tempemptyDir: {}- name: ag-lib-gateway-dataemptyDir: {}- name: ag-log-gatewayemptyDir: {}- name: ag-tmp-gatewayemptyDir: {}updateStrategy:type: RollingUpdate
For more information about containerized ActiveGate configuration, see Containerized ActiveGate configuration.
See below for a list of proposed sizes in relation to the number of pods:
Actual figures depend on your environment.
These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
Deploy ActiveGate.
Continue with step 3 from the guide for enabling Kubernetes API monitoring
ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.