ActiveGate container image

Dynatrace supports running ActiveGate in a container. As an example of a container-based deployment, this page describes how to deploy container-based ActiveGate using a StatefulSet on Kubernetes/OpenShift.

Prerequisites

Create an access token with InstallerDownload scope
Create an authentication token
Determine the ActiveGate communication endpoints and authentication. Use the GET connectivity information for ActiveGate API.
Get your kube-system namespace UUID
Run the command below and save the UUID from the output for later use.
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
oc get namespace kube-system -o jsonpath='{.metadata.uid}'

System requirements

A Dynatrace ActiveGate image is supported on a variety of Kubernetes and OpenShift versions. For a complete list, see Technology support - Kubernetes.

Images are available for the following architectures:

x86-64
ARM64 (AArch64)
s390x

Container registries

To prioritize seamless integration with your tooling and adaptability to your needs, we offer our container images in various ways to maximize flexibility:

Dynatrace built-in registry default
Public registries
Bring your own private registry recommended

Please note that multi-arch Dynatrace container images supporting ARM64 (AArch64) and x86-64 CPU architectures on Linux, ensuring compatibility across various platforms are available from public registries only. Dynatrace built-in registry provides only x86-64 images.

Deployment

Dynatrace provides signed container images to ensure authenticity and integrity, along with SBOMs that list all included software components. Verifying the signatures and reviewing the SBOMs enables effective vulnerability management and risk mitigation. For verification details, see Verify Software Bill of Materials (SBOM) Attestation.

Create a dedicated namespace.

kubectl create namespace dynatrace

oc adm new-project --node-selector="" dynatrace

Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
- <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
- <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.

Create an ag-deployment-example.yaml file with the following content:

apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - <CPU_ARCHITECTURE>
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <REPOSITORY_URL>/dynatrace-activegate:<IMAGE_TAG>
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate

Modify your deployment YAML file.

Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
- CPU_ARCHITECTURE with your CPU architecture. Possible values are amd64, arm64, and s390x
- <REPOSITORY_URL> with one of the supported registries
- <IMAGE_TAG> with correct image tag (examples)
- <YOUR_ENVIRONMENT_ID> with your environment ID
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
  
  The list of server communication endpoints (communicationEndpoints) may change over time.
- <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
Options:
- optional Enable AppArmor if available.
  To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
  spec:
  template:
  metadata:
  annotations:
  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
- optional Apply resource limits according to sizing hints.
  
  The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
  
  Number of pods
  CPU
  Memory
  Up to 100 pods
  500 millicores (mCores)
  512 mebibytes (MiB)
  Up to 1,000 pods
  1,000 millicores (mCores)
  1 gibibyte (GiB)
  Up to 5,000 pods
  1,500 millicores (mCores)
  2 gibibytes (GiB)
  Over 5,000 pods
  over 1,500 millicores (mCores)¹
  over 2 gibibytes (GiB)¹
  ¹
  Actual figures depend on your environment.
  These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.

Deploy ActiveGate.

kubectl apply -f ./ag-deployment-example.yaml

oc apply -f ./ag-deployment-example.yaml

To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.

Create a dedicated namespace.

kubectl create namespace dynatrace

oc adm new-project --node-selector="" dynatrace

Create a secret that holds the environment URL and authentication details for this registry.
kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry \
--docker-server=<YOUR_ENVIRONMENT_URL> \
--docker-username=<YOUR_ENVIRONMENT_ID> \
--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN>
oc -n dynatrace create secret docker-registry dynatrace-docker-registry \
--docker-server=<YOUR_ENVIRONMENT_URL> \
--docker-username=<YOUR_ENVIRONMENT_ID> \
--docker-password=<YOUR_INSTALLER_DOWNLOAD_TOKEN> -n dynatrace
You need to replace
- <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above).
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_INSTALLER_DOWNLOAD_TOKEN> with the access token with InstallerDownload scope you created in Prerequisites
Create a secret that holds the authentication details to the Dynatrace server used by ActiveGate.
kubectl -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
oc -n dynatrace create secret generic dynatrace-tokens \
--from-literal=tenant-token=<YOUR_TENANT_TOKEN> \
--from-literal=auth-token=<YOUR_AUTH_TOKEN>
You need to replace
- <YOUR_TENANT_TOKEN> with the tenantToken value obtained in Prerequisites from the connectivity information.
- <YOUR_AUTH_TOKEN> with the individual ActiveGate token obtained in Prerequisites.

Create an ag-deployment-example.yaml file with the following content:

apiVersion: v1
kind: Service
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
  ports:
    - protocol: TCP
      port: 443
      targetPort: ag-https
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dynatrace-activegate
  namespace: dynatrace
  labels:
    app.kubernetes.io/component: activegate
    component.dynatrace.com/feature: activegate
spec:
  podManagementPolicy: Parallel
  serviceName: ""
  selector:
    matchLabels:
      app.kubernetes.io/component: activegate
      component.dynatrace.com/feature: activegate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: activegate
        component.dynatrace.com/feature: activegate
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      containers:
        - name: activegate
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          imagePullPolicy: Always
          ports:
            - containerPort: 9999
              name: ag-https
              protocol: TCP
          env:
            - name: DT_TENANT
              value: <YOUR_ENVIRONMENT_ID>
            - name: DT_SERVER
              value: <YOUR_COMMUNICATION_ENDPOINTS>
            - name: DT_ID_SEED_NAMESPACE
              value: dynatrace
            - name: DT_ID_SEED_K8S_CLUSTER_ID
              value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
            - name: DT_CAPABILITIES
              value: restInterface,kubernetes_monitoring,MSGrouter,metrics_ingest
            - name: DT_DEPLOYMENT_METADATA
              value: orchestration_tech=handcrated-ag-sts;script_version=none;orchestrator_id=none
            - name: DT_DNS_ENTRY_POINT
              value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
          volumeMounts:
            - name: dynatrace-tokens
              mountPath: /var/lib/dynatrace/secrets/tokens
            - name: truststore-volume
              mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
              readOnly: true
              subPath: k8s-local.jks
            - name: server-certs-storage
              mountPath: /var/lib/dynatrace/gateway/ssl
            - name: ag-lib-gateway-config
              mountPath: /var/lib/dynatrace/gateway/config
            - name: ag-lib-gateway-temp
              mountPath: /var/lib/dynatrace/gateway/temp
            - name: ag-lib-gateway-data
              mountPath: /var/lib/dynatrace/gateway/data
            - name: ag-log-gateway
              mountPath: /var/log/dynatrace/gateway
            - name: ag-tmp-gateway
              mountPath: /var/tmp/dynatrace/gateway
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /rest/state
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /rest/health
              port: ag-https
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1.5Gi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      initContainers:
        - name: certificate-loader
          image: <YOUR_ENVIRONMENT_URL>/linux/activegate:raw
          workingDir: /var/lib/dynatrace/gateway
          command: ['/bin/bash']
          args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
          volumeMounts:
            - mountPath: /var/lib/dynatrace/gateway/ssl
              name: truststore-volume
      imagePullSecrets:
        - name: dynatrace-docker-registry
      volumes:
        - name: truststore-volume
          emptyDir: {}
        - name: dynatrace-tokens
          secret:
            secretName: dynatrace-tokens
        - name: server-certs-storage
          emptyDir: {}
        - name: ag-lib-gateway-config
          emptyDir: {}
        - name: ag-lib-gateway-temp
          emptyDir: {}
        - name: ag-lib-gateway-data
          emptyDir: {}
        - name: ag-log-gateway
          emptyDir: {}
        - name: ag-tmp-gateway
          emptyDir: {}
  updateStrategy:
    type: RollingUpdate

Modify your deployment YAML file.

Add environment configuration details to the ag-deployment-example.yaml file, making sure to replace:
- <YOUR_ENVIRONMENT_URL> with your environment URL (without https://). Example: abc12345.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (the same as the ID in your environment URL above)
  
  To determine your environment ID, see the syntax below.
  - SaaS: https://{your-environment-id}.live.dynatrace.com
  - Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_COMMUNICATION_ENDPOINTS> with the value of communicationEndpoints obtained in Prerequisites from the connectivity information
  
  The list of server communication endpoints (communicationEndpoints) may change over time.
- <YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the kube-system namespace UUID obtained in Prerequisites
Options:
- optional You can change the image version by using different version tag
  raw—The latest available image
  1.sprint.patchlevel-raw—An image for a particular ActiveGate version (for example, 1.297.0-raw)
- optional Enable AppArmor if available.
  To maintain compatibility with a wider array of Kubernetes clusters, the AppArmor profile is not specified in ag-deployment-example.yaml. If AppArmor is available on your Kubernetes cluster, we recommend that you additionally annotate StatefulSet with a runtime/default profile.
  spec:
  template:
  metadata:
  annotations:
  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
- optional Apply resource limits according to sizing hints.
  
  The table below lists suggested ActiveGate CPU and memory sizes according to the number of pods:
  
  Number of pods
  CPU
  Memory
  Up to 100 pods
  500 millicores (mCores)
  512 mebibytes (MiB)
  Up to 1,000 pods
  1,000 millicores (mCores)
  1 gibibyte (GiB)
  Up to 5,000 pods
  1,500 millicores (mCores)
  2 gibibytes (GiB)
  Over 5,000 pods
  over 1,500 millicores (mCores)¹
  over 2 gibibytes (GiB)¹
  ¹
  Actual figures depend on your environment.
  These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.
For additional configuration options, see Containerized ActiveGate configuration.

Deploy ActiveGate.

kubectl apply -f ./ag-deployment-example.yaml

oc apply -f ./ag-deployment-example.yaml

To verify that ActiveGate has successfully connected to the Dynatrace server, go to Deployment Status > ActiveGates.

Dedicated deployments

To monitor Kubernetes/Openshift, select one of the following:
- Use Dynatrace Operator
- Deploy ActiveGate directly as a StatefulSet
To collect logs from Kubernetes, use Log Monitoring.