Manually deploy ActiveGate as a StatefulSet

Dynatrace Operator manages the lifecycle of several Dynatrace components, including ActiveGate. If you can't use Dynatrace Operator, you can manually deploy ActiveGate as a StatefulSet in your Kubernetes cluster. See below for instructions.

Prerequisites

Create an access token with PaaS Integration - InstallerDownload scope
Create an authentication token
Get your kube-system namespace UUID
Run the command below and save the UUID from the output for later use.
1kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'

Deploy ActiveGate

To deploy ActiveGate, follow the steps below.

Create a dedicated namespace (Kubernetes)/project (OpenShift).

Depending on your platform, select one of the options below.
1kubectl create namespace dynatrace
Create two secrets:
- A secret holding the environment URL and login credentials for this registry
- A secret for the ActiveGate authentication token
1kubectl -n dynatrace create secret docker-registry dynatrace-docker-registry --docker-server=<YOUR_ENVIRONMENT_URL> --docker-username=<YOUR_ENVIRONMENT_ID> --docker-password=<YOUR_PAAS_TOKEN>
where you need to replace
- <YOUR_ENVIRONMENT_URL> with your environment URL (without 'http'). Example: {your-environment}.live.dynatrace.com
- <YOUR_ENVIRONMENT_ID> with the Docker account username (same as the ID in your environment URL above).
To determine your environment ID, see the syntax below.
SaaS: https://{your-environment-id}.live.dynatrace.com
Managed: https://{your-domain}/e/{your-environment-id}
- <YOUR_PAAS_TOKEN> with the PaaS token you created in Prerequisites

Create a service account and a cluster role.

Create a kubernetes-monitoring-service-account.yaml file with the following content.

1apiVersion: v1
2kind: ServiceAccount
3metadata:
4  name: dynatrace-activegate
5  namespace: dynatrace
6---
7apiVersion: rbac.authorization.k8s.io/v1
8kind: ClusterRole
9metadata:
10  name: dynatrace-activegate
11rules:
12- apiGroups:
13  - ""
14  - batch
15  - apps
16  - apps.openshift.io
17  resources:
18  - nodes
19  - nodes/metrics
20  - pods
21  - namespaces
22  - deployments
23  - replicasets
24  - deploymentconfigs
25  - replicationcontrollers
26  - jobs
27  - cronjobs
28  - statefulsets
29  - daemonsets
30  - events
31  - resourcequotas
32  - pods/proxy
33  - services
34  verbs:
35  - list
36  - watch
37  - get
38---
39apiVersion: rbac.authorization.k8s.io/v1
40kind: ClusterRoleBinding
41metadata:
42  name: dynatrace-activegate
43roleRef:
44  apiGroup: rbac.authorization.k8s.io
45  kind: ClusterRole
46  name: dynatrace-activegate
47subjects:
48- kind: ServiceAccount
49  name: dynatrace-activegate
50  namespace: dynatrace

Apply the file.

1kubectl apply -f kubernetes-monitoring-service-account.yaml

Create a file named ag-monitoring-and-routing.yaml with the following content, making sure to replace

<YOUR_ENVIRONMENT_URL> with your value as described above.
<YOUR_KUBE-SYSTEM_NAMESPACE_UUID> with the Kubernetes namespace UUID obtained in Prerequisites.

1apiVersion: v1
2kind: Service
3metadata:
4  name: dynatrace-activegate
5  namespace: dynatrace
6spec:
7  type: ClusterIP
8  selector:
9    activegate: kubernetes-monitoring-and-routing
10  ports:
11  - protocol: TCP
12    port: 443
13    targetPort: ag-https
14---
15apiVersion: apps/v1
16kind: StatefulSet
17metadata:
18  name: dynatrace-activegate
19  namespace: dynatrace
20  labels:
21    activegate: kubernetes-monitoring-and-routing
22spec:
23  serviceName: ""
24  selector:
25    matchLabels:
26      activegate: kubernetes-monitoring-and-routing
27  template:
28    metadata:
29#     Uncomment the lines below to enable AppArmor
30#     annotations:
31#  container.apparmor.security.beta.kubernetes.io/activegate: runtime/default
32      labels:
33        activegate: kubernetes-monitoring-and-routing
34    spec:
35      serviceAccountName: dynatrace-activegate
36      affinity:
37        nodeAffinity:
38          requiredDuringSchedulingIgnoredDuringExecution:
39            nodeSelectorTerms:
40            - matchExpressions:
41              - key: kubernetes.io/arch
42                operator: In
43                values:
44                - amd64
45              - key: kubernetes.io/os
46                operator: In
47                values:
48                - linux
49      containers:
50      - name: activegate
51        image: <YOUR_ENVIRONMENT_URL>/linux/activegate
52        imagePullPolicy: Always
53        ports:
54          - name: ag-https
55            containerPort: 9999
56        env:
57        - name: DT_ID_SEED_NAMESPACE
58          value: dynatrace
59        - name: DT_ID_SEED_K8S_CLUSTER_ID
60          value: <YOUR_KUBE-SYSTEM_NAMESPACE_UUID>
61        - name: DT_CAPABILITIES
62          value: kubernetes_monitoring,MSGrouter,restInterface
63        # - name: DT_NETWORK_ZONE
64        #   value: <CUSTOM_NZ>
65        - name: DT_DNS_ENTRY_POINT
66          value: https://$(DYNATRACE_ACTIVEGATE_SERVICE_HOST):$(DYNATRACE_ACTIVEGATE_SERVICE_PORT)/communication
67        volumeMounts:
68        - name: dynatrace-tokens
69          mountPath: /var/lib/dynatrace/secrets/tokens
70        - name: truststore-volume
71          mountPath: /opt/dynatrace/gateway/jre/lib/security/cacerts
72          readOnly: true
73          subPath: k8s-local.jks
74        - name: ag-lib-gateway-config
75          mountPath: /var/lib/dynatrace/gateway/config
76        - name: ag-lib-gateway-temp
77          mountPath: /var/lib/dynatrace/gateway/temp
78        - name: ag-lib-gateway-data
79          mountPath: /var/lib/dynatrace/gateway/data
80        - name: ag-log-gateway
81          mountPath: /var/log/dynatrace/gateway
82        - name: ag-tmp-gateway
83          mountPath: /var/tmp/dynatrace/gateway
84        livenessProbe:
85          failureThreshold: 2
86          httpGet:
87            path: /rest/state
88            port: ag-https
89            scheme: HTTPS
90          initialDelaySeconds: 30
91          periodSeconds: 30
92          successThreshold: 1
93          timeoutSeconds: 1
94        readinessProbe:
95          failureThreshold: 3
96          httpGet:
97            path: /rest/health
98            port: ag-https
99            scheme: HTTPS
100          initialDelaySeconds: 30
101          periodSeconds: 15
102          successThreshold: 1
103          timeoutSeconds: 1
104        resources:
105          requests:
106            cpu: 250m
107            memory: 512Mi
108          limits:
109            cpu: 250m
110            memory: 512Mi
111        securityContext:
112          allowPrivilegeEscalation: false
113          capabilities:
114            drop:
115            - all
116          privileged: false
117          readOnlyRootFilesystem: true
118          runAsNonRoot: true
119          seccompProfile:
120            type: RuntimeDefault
121      initContainers:
122      - name: certificate-loader
123        image: YOUR_ENVIRONMENT_URL>/linux/activegate
124        workingDir: /var/lib/dynatrace/gateway
125        command: ['/bin/bash']
126        args: ['-c', '/opt/dynatrace/gateway/k8scrt2jks.sh']
127        volumeMounts:
128        - mountPath: /var/lib/dynatrace/gateway/ssl
129          name: truststore-volume
130      imagePullSecrets:
131      - name: dynatrace-docker-registry
132      volumes:
133      - name: dynatrace-tokens
134        secret:
135          secretName: dynatrace-tokens
136      - name: truststore-volume
137        emptyDir: {}
138      - name: ag-lib-gateway-config
139        emptyDir: {}
140      - name: ag-lib-gateway-temp
141        emptyDir: {}
142      - name: ag-lib-gateway-data
143        emptyDir: {}
144      - name: ag-log-gateway
145        emptyDir: {}
146      - name: ag-tmp-gateway
147        emptyDir: {}
148  updateStrategy:
149    type: RollingUpdate

See below for a list of proposed sizes in relation to the number of pods:

Number of pods	CPU	Memory
Up to 100 pods	500 millicores (mCores)	512 mebibytes (MiB)
Up to 1,000 pods	1,000 millicores (mCores)	1 gibibyte (GiB)
Up to 5,000 pods	1,500 millicores (mCores)	2 gibibytes (GiB)
Over 5,000 pods	over 1,500 millicores (mCores)¹	over 2 gibibytes (GiB)¹
¹ Actual figures depend on your environment.

These limits should be taken as a guideline. They're designed to prevent ActiveGate startup process slowdown and excessive node resource usage. The default values cover a large range of different cluster sizes; you can modify them according to your needs, based on the ActiveGate self-monitoring metrics.

Deploy ActiveGate.

1kubectl apply -f ag-monitoring-and-routing.yaml

Connect ActiveGate with Kubernetes API

Continue with step 3 from the guide for enabling Kubernetes API monitoring

ActiveGate update behavior

ActiveGate is updated automatically on pod restart whenever there is a new version available, unless the image already specifies a certain version.