Containerized ActiveGate configuration
An ActiveGate container can be configured to some degree using container-specific methods via variables or secrets. More advanced settings require providing an ActiveGate custom.properties
file. See Advanced configuration to learn how to use Kubernetes mechanisms such as ConfigMap
to map it into the custom.properties
.
To ensure security, you must pass the sensitive information to an ActiveGate container in a file containing a secret.
Environment configuration
An ActiveGate container image does not hold any configuration related to your environment.
See below for the mandatory configuration settings to make your ActiveGate container work.
Communication endpoints
This is a comma-separated list of the communication endpoints to be used by ActiveGate to send data to your Dynatrace environment.
To determine the endpoints, use GET connectivity information for ActiveGate in the Dynatrace API.
Environment variable
DT_SERVER
Mandatory?
Environment ID
The Dynatrace environment ID.
Environment variable
DT_TENANT
Mandatory?
Token
The tenant token is used by OneAgents and ActiveGates to report data to Dynatrace. Dynatrace automatically generates the tenant token for your ActiveGate.
To determine the token, use GET connectivity information for ActiveGate in the Dynatrace API.
Secret as a file
/var/lib/dynatrace/secrets/tokens/tenant-token
Mandatory?
Authorization token
ActiveGate requires a unique ActiveGate token to authorize in the Dynatrace Cluster.
For instructions, see Generate ActiveGate token.
Secret as a file
/var/lib/dynatrace/secrets/tokens/auth-token
Mandatory?
Deployment settings
Activation group
Defines the ActiveGate group to which the ActiveGate belongs. An ActiveGate can belong to only one group. The name of an ActiveGate group is a string of alphanumeric characters, hyphens (-
), underscores (_
), and dots (.
). Dots are used as separators, so you must not use a dot as the first character of a group name. The length of the string is limited to 256 characters. You can use ActiveGate groups to perform bulk actions on your ActiveGates, such as managing Extensions 2.0 running on ActiveGates. If you want to assign your ActiveGate to a group, see ActiveGate group.
Environment variable
Example
DT_GROUP
myGroup
Network zone
Defines the network zone to which the ActiveGate belongs. An ActiveGate can belong to only one network zone. The name of a network zone is a string of alphanumeric characters, hyphens (-
), underscores (_
), and dots (.
). Dots are used as separators, so you must not use a dot as the first character of a network zone name. The length of the string is limited to 256 characters.
Environment variable
Example
DT_NETWORK_ZONE
myNetworkZone
Enabled modules
Containerized ActiveGate does not enable any functionalities by default. Enabled modules need to be specified using the DT_CAPABILITIES
environment variable. Add a comma-separated list of module names as the variable value.
Environment variable
Example
DT_CAPABILITIES
aws_monitoring,azure_monitoring,MSGrouter
See ActiveGate modules for a complete list. Generally, you should refer to the custom.properties
section names as the module names, for example, cloudfoundry_monitoring
.
The exceptions to this rule are the following modules that are stored in the [collector]
section.
MSGrouter
—Enables message routingrestInterface
—Enables REST API modulejava-script-agent-servlet
—Enables JavaScript agent
Not all modules are supported in containerized deployments yet. For more information, see ActiveGate purposes and functionality.
Network settings
Proxy
The proxy used for communication with the Dynatrace Cluster to which ActiveGate sends data.
Secret as a file
Description
/var/lib/dynatrace/secrets/internal-proxy/host
Server address.
/var/lib/dynatrace/secrets/internal-proxy/port
optional Port. If left empty, the default 8080 port is used.
/var/lib/dynatrace/secrets/internal-proxy/scheme
ActiveGate version 1.289+
optional Scheme. If left empty, the default http
scheme is used. This applies the most common setup, where the connection to the proxy is initiated using HTTP and automatically upgraded to a secure one. All further ActiveGate communication through the proxy is secured by SSL/TLS.
Must be set to https
for proxies that do not support HTTP at all.
/var/lib/dynatrace/secrets/internal-proxy/username
optional User name.
/var/lib/dynatrace/secrets/internal-proxy/password
optional Password, see Proxy password requirements.
Advanced scenarios
For more advanced scenarios where one or more proxies are used for means other than communication with the Dynatrace Cluster, see Proxy for ActiveGate. Once you have crafted the required configuration, you can provide it to the ActiveGate container as a custom.properties file.
Rules for the proxy password
The proxy password needs to meet the following requirements.
! " # $ ( ) * - . / : ; < > ? @ [ ] ^ _ { | }
' ` , & = + % \
Load balancer between ActiveGate and OneAgents
Dynatrace OneAgent accesses the ActiveGate via an auto-detected endpoint list. If a load balancer is placed on the path from OneAgent to the ActiveGate, such as Kubernetes Service, you need to explicitly set the endpoint to be used by OneAgents.
Environment variable
Example value
DT_DNS_ENTRY_POINT
https://sg1.mydomain.com:9999
Load balancer between ActiveGate and the Dynatrace Cluster
A reverse proxy or a load balancer can be placed on the path from an ActiveGate to the Dynatrace Cluster. This allows your ActiveGate to connect to any available node of the Cluster, spreading the load between the nodes.
To do this, you need to:
- Provide the address of the reverse proxy/load balancer.
- Ensure that ActiveGate will ignore any further target address information sent from the Dynatrace Cluster, and will thus connect only to the address you have specified.
In this scenario, you need to set the following environment variables.
Environment variable
Example value
DT_SERVER
https://load.balancer.com:9999
DT_IGNORE_CLUSTER_RUNTIME_INFO
true
SSL settings
Custom SSL certificate
ActiveGate will serve a custom certificate instead of the default one. To configure this, you need a file in PKCS#12
format that contains a private key and its corresponding certificate chain. For more information, see Custom SSL certificate for ActiveGate.
Secret as a file
Description
/var/lib/dynatrace/secrets/tls/server.p12
Certificate file
/var/lib/dynatrace/secrets/tls/password
optional Certificate password
/var/lib/dynatrace/secrets/tls/alias
optional Certificate alias. The value must be specified in lower case.
Trusted root certificates
Additional trusted root certificates can be used by ActiveGate. To configure this, you need a file in the PEM
format that contains a list of certificates to be included in the trust store. For more information, see Trusted root certificates for ActiveGate.
Secret as a file
Description
/var/lib/dynatrace/secrets/rootca/rootca.pem
Certificate file
HTTP port
An ActiveGate container by default opens HTTPS port 9999
. If you require your ActiveGate to communicate over plain HTTP, you need to explicitly specify the HTTP port.
Environment variable
Example
DT_HTTP_PORT
8888
Advanced configuration
In addition to the configuration settings passed via environment variables or files, you can configure all other configuration settings by providing the contents of the custom.properties
file.
-
Define
ConfigMap
.kind: ConfigMapapiVersion: v1data:custom.properties: |-[vmware_monitoring]vmware_monitoring_enabled = truemetadata:name: vmware-confignamespace: dynatrace -
Reference
ConfigMap
in your deployment file.[...]volumeMounts:[...]- name: ag-confmountPath: /var/lib/dynatrace/gateway/config_template/custom.propertiessubPath: custom.properties[...]volumes:- name: ag-confconfigMap:name: vmware-configitems:- key: custom.propertiespath: custom.properties