Deploy ActiveGate in a VM

If you want to monitor several Kubernetes clusters with one ActiveGate and don't need to separate networks for administrative or operational traffic, you can install an ActiveGate on a virtual machine using a conventional installer to connect your clusters to Dynatrace as described below.

Step 1 Start installation

  1. In Dynatrace Hub, select ActiveGate.
  2. Select Set up.
  3. On the Install Environment ActiveGate page, select Linux.

Step 2 Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Environment ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

  1. Select Route OneAgent traffic as an ActiveGate purpose.
  2. Provide an access token with PaaS Integration - InstallerDownload scope. This token is required to download the ActiveGate installer from your environment. If you don't have an access token, you can create one right in the UI. The token is automatically appended to the download and installation commands you'll use later.
  3. Select Download installer. There are two options:
    • Download via shell command. Copy and run the wget command.
    • Select the link to download the ActiveGate installer.
  4. Verify the signature
    Wait for the download to complete, and then verify the signature by copying the command from the second Verify signature text box and pasting the command into your terminal window.

Step 3 Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in Dynatrace that reflects the ActiveGate purpose. Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

Add the Kubernetes CA certificate to the truststore (recommended)

For instructions on how to add the certificate to the truststore file, see Trusted root certificates for ActiveGate.

Customize installation

You can add additional parameters to the installation command to customize your installation. For example, to install ActiveGate in a different directory, use the INSTALL=<path> parameter:

[root@host]# /bin/bash Dynatrace-ActiveGate-Linux-x86-1.0.0.sh INSTALL=/hosted_app/dynatrace

Default installation settings

For installation defaults, including default directories, see ActiveGate default settings for Linux.

Step 4 Connect your Kubernetes clusters to Dynatrace

To connect the Kubernetes API to Dynatrace, follow the instructions that apply to your Kubernetes version.

  1. Create a service account and cluster role.

    Create a kubernetes-monitoring-service-account.yaml file with the following content.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dynatrace-monitoring
      namespace: dynatrace
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: dynatrace-monitoring-cluster
    rules:
      - apiGroups:
          - ""
          - batch
          - apps
          - apps.openshift.io
        resources:
          - nodes
          - pods
          - namespaces
          - deployments
          - replicasets
          - deploymentconfigs
          - replicationcontrollers
          - jobs
          - cronjobs
          - statefulsets
          - daemonsets
          - events
          - resourcequotas
          - pods/proxy
          - services
        verbs:
          - list
          - watch
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dynatrace-monitoring-cluster
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: dynatrace-monitoring-cluster
    subjects:
      - kind: ServiceAccount
        name: dynatrace-monitoring
        namespace: dynatrace
  2. Apply the file.

    kubectl apply -f kubernetes-monitoring-service-account.yaml
  3. Get the Kubernetes API URL.

    $ kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
  4. (Kubernetes version 1.24+) Create a file named token-secret.yaml with the following content.

    apiVersion: v1
    kind: Secret
    metadata:
      name: dynatrace-monitoring
      annotations:
        kubernetes.io/service-account.name: "dynatrace-monitoring"
    type: kubernetes.io/service-account-token
  5. (Kubernetes version 1.24+) Apply the file to create the dynatrace-monitoring secret.

    kubectl apply -n dynatrace -f token-secret.yaml
  6. Get the bearer token.

    Kubernetes version 1.24+

    kubectl get secret dynatrace-monitoring -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

    Kubernetes versions 1.23 and lower

    kubectl get secret $(kubectl get sa dynatrace-monitoring -o jsonpath='{.secrets[0].name}' -n dynatrace) -o jsonpath='{.data.token}' -n dynatrace | base64 --decode

    For Rancher distributions of Kubernetes, you need to use the bearer token and API URL of the Rancher server, because this server manages and secures traffic to the Kubernetes API server. Follow the steps below.

    1. Get the Kubernetes API URL.

      kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
    2. Configure a user.

      In the Rancher web UI, either create a new user or use an existing user to associate with the token. We recommend creating a new user.

    3. Set permissions.

      Make sure the user has either Owner or Custom permissions to the cluster you want to monitor.

      Recommended: select Custom permissions, and be sure to select these two roles: View all Projects and View Nodes.

    4. Create an API key.

      Go to API & Keys and create a key either for your specific account (enter your cluster name) or for all clusters (enter No scope). For security reasons, we recommend selecting the first option.

      Newly created keys display four fields. Make sure to use the content of the field called Bearer token to set up the connection to the Kubernetes API described in the next section.

  7. Go to Kubernetes or Kubernetes Classic (latest Dynatrace).

  8. Select Connect manually.

  9. Provide a Name, the Kubernetes API URL target, and the Kubernetes bearer token for the Kubernetes cluster.

  10. Make sure Monitor events and Monitor Kubernetes namespaces, services, workloads, and pods are turned on.

Disabling certificate validation isn't recommended because it introduces security risks. However, if you still want to disable certificate validation for test environments, turn off both Require valid certificates for communication with the API server (recommended) and Verify hostname in certificate against Kubernetes API URL.

  11. Select Save changes to save your configuration.
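Added example (not part of the Dynatrace documentation): before pasting the bearer token from step 6 into the connection form, this script decodes the token's JWT payload and confirms that its subject is the dynatrace-monitoring service account from step 1 rather than some broader identity. The function names are hypothetical helpers and the sample token is constructed with a dummy signature.

```shell
#!/bin/sh
# Added example: check whose identity a service-account bearer token carries.
# All function names are hypothetical helpers, not Dynatrace or kubectl commands.

# Decode one base64url JWT segment: map the URL-safe alphabet back, restore padding.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
        1) return 1 ;;   # no valid base64 string has this length
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the decoded claims (second dot-separated segment) of a JWT.
jwt_payload() {
    payload=$(printf '%s' "$1" | cut -s -d. -f2)
    [ -n "$payload" ] || return 1
    b64url_decode "$payload"
}

# Return 0 only if the token's "sub" claim names the expected service account.
check_sa_token() {   # usage: check_sa_token <token> <namespace> <service-account>
    json=$(jwt_payload "$1") || { echo "not a JWT" >&2; return 2; }
    sub=$(printf '%s' "$json" | tr -d '\n' |
        sed -n 's|.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*|\1|p')
    want="system:serviceaccount:$2:$3"
    if [ "$sub" != "$want" ]; then
        echo "subject is '$sub', expected '$want'" >&2
        return 1
    fi
    case $json in
        *'"exp"'*) echo "subject ok; token carries an exp claim" ;;
        *)         echo "subject ok; no exp claim, token is long-lived" ;;
    esac
}

# Build an unsigned sample token from a claims JSON string (constructed test data).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample_token() {
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256"}')" "$(b64url_encode "$1")" "c2ln"
}

# Constructed sample with the claims of a secret-based token from step 6.
SAMPLE=$(make_sample_token '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:dynatrace:dynatrace-monitoring"}')
check_sa_token "$SAMPLE" dynatrace dynatrace-monitoring
```

Against a live cluster, pass the output of the step 6 command as the first argument instead of the sample. The script only reads claims; it does not verify the token's signature.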

To update ActiveGate, see Update ActiveGate.