Manually deploy ActiveGate as a StatefulSet

  • 5-min read
  • Published Jul 28, 2023

Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can manually deploy ActiveGate as a StatefulSet in your Kubernetes cluster. See below for instructions.

Prerequisites

Deploy ActiveGate

To deploy ActiveGate, follow the steps below.

  1. Create a dedicated namespace (Kubernetes)/project (OpenShift).

    Depending on your platform, select one of the options below.

    kubectl create namespace dynatrace

  2. Create two secrets:

    • A secret holding the environment URL and login credentials for this registry
    • A secret for the ActiveGate authentication token
    kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>

    where you need to replace

    • <YOUR_ENVIRONMENT_URL> with your environment URL (without http). Example: {your-environment}.live.dynatrace.com
    • <YOUR_ENVIRONMENT_ID> with the Docker account username (same as the ID in your environment URL above).
    • <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites

    Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.

    kubectl -n dynatrace create secret generic dynatrace-tokens \
    --from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
    --from-literal=auth-token=<YOUR_AUTH_TOKEN>

    You need to replace

    • <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
    • <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.

    To determine your environment ID, see the syntax below.
    SaaS: https://{your-environment-id}.live.dynatrace.com
    Managed: https://{your-domain}/e/{your-environment-id}

  3. Create a service account and a cluster role.

    Create a kubernetes-monitoring-service-account.yaml file with the following content.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dynatrace-activegate
      namespace: dynatrace
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: dynatrace-activegate
    rules:
      - apiGroups:
        - ""
        - batch
        - apps
        - apps.openshift.io
        resources:
          - nodes
          - nodes/metrics
          - pods
          - namespaces
          - deployments
          - replicasets
          - deploymentconfigs
          - replicationcontrollers
          - jobs
          - cronjobs
          - statefulsets
          - daemonsets
          - events
          - resourcequotas
          - pods/proxy
          - services
        verbs:
          - list
          - watch
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dynatrace-activegate
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: dynatrace-activegate
    subjects:
      - kind: ServiceAccount
        name: dynatrace-activegate
        namespace: dynatrace

  4. Apply the file.

    kubectl apply -f kubernetes-monitoring-service-account.yaml

  5. Create a file named ag-monitoring-and-routing.yaml with the following content, making sure to replace

    • <YOUR_ENVIRONMENT_URL> with your value as described above.
    • <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the Kubernetes namespace UUID obtained in Prerequisites.
    apiVersion: v1
    kind: Service
    metadata:
      name: dynatrace-activegate
      namespace: dynatrace
    spec:
      type: ClusterIP
      selector:
        activegate: kubernetes-monitoring-and-routing
      ports:
      - protocol: TCP
        port: 443
        targetPort: ag-https
    ---
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
    name: dynatrace-activegate
    namespace: dynatrace
    labels:
      activegate: kubernetes-monitoring-and-routing
    spec:
    serviceName: ""
    selector:
      matchLabels:
        activegate: kubernetes-monitoring-and-routing
    template:
      metadata:
    #     Uncomment the lines below to enable AppArmor
    #     annotations:
    #  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
        labels:
          activegate: kubernetes-monitoring-and-routing
      spec:
        serviceAccountName: dynatrace-activegate
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/arch
                  operator: In
                  values:
                  - amd64
                - key: kubernetes.io/os
                  operator: In
                  values:
                  - linux
        containers:
        - name: activegate
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate
          imagePullPolicy: Always
          ports:
            - name: ag-https
              containerPort: 9999
          env:
          - name: DT_ID_SEED_NAMESPACE
            value: dynatrace
          - name: DT_ID_SEED_K8S_CLUSTER_ID
            value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
          - name: DT_CAPABILITIES
            value: kubernetes_monitoring,MSGrouter,restInterface
          # - name: DT_NETWORK_ZONE
          #   value: <CUSTOM_NZ>
          - name: DT_DNS_ENTRY_POINT
            value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
          - name: dynatrace-tokens
            mountPath: /var/lib/dynatrace/secrets/tokens
          - name: truststore-volume
            mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
            readOnly: true
            subPath: k8s-local.jks
          - name: ag-lib-gateway-config
            mountPath: /var/lib/dynatrace/gateway/config
          - name: ag-lib-gateway-temp
            mountPath: /var/lib/dynatrace/gateway/temp
          - name: ag-lib-gateway-data
            mountPath: /var/lib/dynatrace/gateway/data
          - name: ag-log-gateway
            mountPath: /var/log/dynatrace/gateway
          - name: ag-tmp-gateway
            mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: 250m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
        initContainers:
        - name: certificate-loader
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
          - mountPath: /var/lib/dynatrace/gateway/ssl
            name: truststore-volume
        imagePullSecrets:
        - name: dynatrace-docker-registry
        volumes:
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: truststore-volume
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
    updateStrategy:
      type: RollingUpdate

    For more information about containerized ActiveGate configuration, see Containerized ActiveGate configuration.

    See below for a list of proposed sizes in relation to the number of Pods:

    Number of Pods
    CPU
    Memory
    Up to 100 Pods
    500 millicores (mCores)
    768 mebibytes (MiB)
    Up to 1,000 Pods
    1,000 millicores (mCores)
    1 gibibyte (GiB)
    Up to 5,000 Pods
    1,500 millicores (mCores)
    2 gibibytes (GiB)
    Over 5,000 Pods
    over 1,500 millicores (mCores)1
    over 2 gibibytes (GiB)1
    1

    Actual figures depend on your environment.

    These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.

    For PPC64le architecture, additional configuration is required. For details, see ActiveGate container image.

  6. Deploy ActiveGate.

    kubectl apply -f ag-monitoring-and-routing.yaml

Connect ActiveGate with Kubernetes API

Continue with step 3 from the guide for enabling Kubernetes API monitoring

ActiveGate update behavior

ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.