ActiveGate container image

Dynatrace supports running ActiveGate in a container. As an example of a container-based deployment, this page describes how to deploy container-based ActiveGate using a StatefulSet on Kubernetes/OpenShift.

Prerequisites

Create an access token with InstallerDownload scope
Create an authentication token
Determine the ActiveGate communication endpoints and authentication. Use the GET connectivity information for ActiveGate API.
Get your kube-system namespace UUID
Run the command below and save the UUID from the output for later use.
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
oc get namespace kube-system -o jsonpath='{.metadata.uid}'

System requirements

A Dynatrace ActiveGate image is supported on a variety of Kubernetes and OpenShift versions. For a complete list, see Technology support - Kubernetes.

Images are available for the following architectures:

x86-64
ARM64 (AArch64)
s390x

Container registries

To prioritize seamless integration with your tooling and adaptability to your needs, we offer our container images in various ways to maximize flexibility:

Dynatrace built-in registry default
Public registries
Bring your own private registry recommended

Please note that multi-arch Dynatrace container images supporting ARM64 (AArch64) and x86-64 CPU architectures on Linux, ensuring compatibility across various platforms are available from public registries only. Dynatrace built-in registry provides only x86-64 images.

Deployment

Create a dedicated namespace.

kubectl create namespace dynatrace

oc adm new-project --node-selector="" dynatrace

Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
- <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
- <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.

Create an ag-deployment-example.yaml file with the following content:

apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - <CPU_ARCHITECTURE>
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate

Modify your deployment YAML file.

Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
- CPU_ARCHITECTURE with your CPU architecture. Possible values are amd64, arm64, and s390x
- <REPOSITORY_URL> with one of the supported registries
- <IMAGE_TAG> with correct image tag (examples)
- <YOUR_ENVIRONMENT_ID> with your environment ID
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
  
  The list of server communication endpoints (communicationEndpoints) may change over time.
- <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
Options:
- optional Enable AppArmor if available.
  To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
  spec:
  template:
  metadata:
  annotations:
  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
- optional Apply resource limits according to sizing hints.
  
  The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
  
  Number of pods
  CPU
  Memory
  Up to 100 pods
  500 millicores (mCores)
  512 mebibytes (MiB)
  Up to 1,000 pods
  1,000 millicores (mCores)
  1 gibibyte (GiB)
  Up to 5,000 pods
  1,500 millicores (mCores)
  2 gibibytes (GiB)
  Over 5,000 pods
  over 1,500 millicores (mCores)¹
  over 2 gibibytes (GiB)¹
  ¹
  Actual figures depend on your environment.
  These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.

Deploy ActiveGate.

kubectl apply -f ./ag-deployment-example.yaml

oc apply -f ./ag-deployment-example.yaml

To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.

Create a dedicated namespace.

kubectl create namespace dynatrace

oc adm new-project --node-selector="" dynatrace

Create a secret that holds the environment URL and authentication details for this registry.
kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry \
--docker-server=<YOUR_ENVIRONMENT_URL> \
--docker-username=<YOUR_ENVIRONMENT_ID> \
--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN>
oc -n dynatrace create secret docker-registry dynatrace-docker-registry \
--docker-server=<YOUR_ENVIRONMENT_URL> \
--docker-username=<YOUR_ENVIRONMENT_ID> \
--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN> -n dynatrace
You need to replace
- <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above).
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_INSTALLER_DOWNLOAD_TOKEN> with the access token with InstallerDownload scope you created in Prerequisites
Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
- <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
- <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.

Create an ag-deployment-example.yaml file with the following content:

apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      imagePullSecrets:
        - name: dynatrace-docker-registry
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate

Modify your deployment YAML file.

Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
- <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above)
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
  
  The list of server communication endpoints (communicationEndpoints) may change over time.
- <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
Options:
- optional You can change the image version by using different version tag
  raw—The latest available image
  1.sprint.patchlevel-raw—An image for a particular ActiveGate version (for example, 1.297.0-raw)
- optional Enable AppArmor if available.
  To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
  spec:
  template:
  metadata:
  annotations:
  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
- optional Apply resource limits according to sizing hints.
  
  The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
  
  Number of pods
  CPU
  Memory
  Up to 100 pods
  500 millicores (mCores)
  512 mebibytes (MiB)
  Up to 1,000 pods
  1,000 millicores (mCores)
  1 gibibyte (GiB)
  Up to 5,000 pods
  1,500 millicores (mCores)
  2 gibibytes (GiB)
  Over 5,000 pods
  over 1,500 millicores (mCores)¹
  over 2 gibibytes (GiB)¹
  ¹
  Actual figures depend on your environment.
  These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.

Deploy ActiveGate.

kubectl apply -f ./ag-deployment-example.yaml

oc apply -f ./ag-deployment-example.yaml

To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.

Dedicated deployments

To monitor Kubernetes/Openshift, select one of the following:
- Use Dynatrace Operator
- Deploy ActiveGate directly as a StatefulSet
To collect logs from Kubernetes, use Log Monitoring.