Monitoring

Monitoring IBM Verify Identity Access OIDC Provider

IBM Verify Identity Access OIDC provider supports Instana, Dynatrace, and Prometheus to monitor the performance of some application runtime components.

Instana

  • CPU
  • Memory
  • Response time for individual HTTP calls

Dynatrace

  • CPU
  • Memory
  • Response time for individual HTTP calls
  • Detailed SQL queries for each HTTP call using OpenTelemetry libraries for PostgreSQL database

Prometheus

  • http_requests_total
  • response_status
  • node_memory_usage_bytes
  • http_response_time_seconds
  • Go lang based metrics

Configuration for Instana

  • The Instana agent can be installed on a Kubernetes platform by using the instructions provided here
  • A helm chart example
helm install instana-agent \
   --repo https://agents.instana.io/helm \
   --namespace instana-agent \
   --create-namespace \
   --set agent.key=QHAvLwgRSH11111zGGGnTA \
   --set agent.downloadKey=QHAvLwgRSH11111zGGGnTA \
   --set agent.endpointHost=ingress-test.instana.io \
   --set agent.endpointPort=443 \
   --set cluster.name='IVIAOP' \
   --set zone.name='jp-tok' \
   instana-agent
  • To send metrics to an Instana agent, the following environment variables must be set on the IVIAOP deployment.
  • A Kubernetes environment example
env:
  - name: INSTANA_ENDPOINT_URL
    value: https://<INSTANA_ENDPOINT_URL>
  - name: INSTANA_AGENT_KEY
    value: uBp4GXpZQp11111XNcvInQ
  - name: INSTANA_AGENT_HOST
    value: 10.67.92.81
  - name: INSTANA_ENABLEMENT
    value: 'true'

| Environment Variable | Description |
|---|---|
| INSTANA_ENDPOINT_URL | Instana endpoint URL, which can be retrieved from the Instana tenant |
| INSTANA_AGENT_KEY | Instana agent key, which can be retrieved from the tenant |
| INSTANA_AGENT_HOST | The IP address of the Instana agent running in the same Kubernetes cluster |
| INSTANA_ENABLEMENT | Boolean flag that controls pushing metrics to the Instana agent |

  • After the connection is successful, the Kubernetes cluster and the HTTP calls can be monitored in the Instana dashboard.
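
The environment example above carries the agent key as a literal value in the Deployment manifest, where anyone who can read the manifest or its source repository can read the key. The following added example (not part of the IBM documentation) keeps the key in a Kubernetes Secret and takes the agent host from the node IP, which fits an agent running as a DaemonSet on every node. The Secret name iviaop-instana, its key agent-key and the namespace placeholder are assumptions.

```yaml
# Added example. Secret name, key name and namespace are assumed values.
apiVersion: v1
kind: Secret
metadata:
  name: iviaop-instana
  namespace: <IVIAOP namespace>
type: Opaque
stringData:
  # Paste the agent key from the Instana tenant; do not commit the filled-in file.
  agent-key: <INSTANA_AGENT_KEY>
---
# Fragment of the IVIAOP Deployment container spec (not a complete resource).
env:
  - name: INSTANA_ENDPOINT_URL
    value: https://<INSTANA_ENDPOINT_URL>
  - name: INSTANA_AGENT_KEY
    valueFrom:
      secretKeyRef:            # key is resolved at pod start, not stored in the manifest
        name: iviaop-instana
        key: agent-key
  - name: INSTANA_AGENT_HOST
    valueFrom:
      fieldRef:                # IP of the node the pod is scheduled on
        fieldPath: status.hostIP
  - name: INSTANA_ENABLEMENT
    value: 'true'
```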

Configuration for Dynatrace

  • The Dynatrace One Agent can be installed on a Kubernetes platform by using the instructions provided here.
  • A command example
$ kubectl create namespace dynatrace
$ kubectl apply -f https://github.com/Dynatrace/dynatrace-operator/releases/download/v1.0.0/kubernetes.yaml
$ kubectl apply -f csi.yaml
$ kubectl -n dynatrace wait pod --for=condition=ready --selector=app.kubernetes.io/name=dynatrace-operator,app.kubernetes.io/component=webhook --timeout=300s
$ kubectl -n dynatrace create secret generic dynakube --from-literal="apiToken=<apiToken>" --from-literal="dataIngestToken=<dataIngestToken>"
$ kubectl apply -f cloudnative.yaml
  • Example of csi.yaml
---
# Source: dynatrace-operator/templates/Common/csi/priority-class.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
  name: dynatrace-high-priority
value: 1000000
globalDefault: false
description: "This priority class is used for Dynatrace Components in order to make sure they are not evicted in favor of other pods"
---
# Source: dynatrace-operator/templates/Common/csi/serviceaccount-csi.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dynatrace-oneagent-csi-driver
  namespace: dynatrace
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
---
# Source: dynatrace-operator/templates/Common/csi/clusterrole-csi.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dynatrace-oneagent-csi-driver
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
---
# Source: dynatrace-operator/templates/Common/csi/clusterrole-csi.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dynatrace-oneagent-csi-driver
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: dynatrace-oneagent-csi-driver
    namespace: dynatrace
roleRef:
  kind: ClusterRole
  name: dynatrace-oneagent-csi-driver
  apiGroup: rbac.authorization.k8s.io
---
# Source: dynatrace-operator/templates/Common/csi/role-csi.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dynatrace-oneagent-csi-driver
  namespace: dynatrace
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create
  - apiGroups:
      - dynatrace.com
    resources:
      - dynakubes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Source: dynatrace-operator/templates/Common/csi/role-csi.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dynatrace-oneagent-csi-driver
  namespace: dynatrace
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: dynatrace-oneagent-csi-driver
    namespace: dynatrace
roleRef:
  kind: Role
  name: dynatrace-oneagent-csi-driver
  apiGroup: rbac.authorization.k8s.io
---
# Source: dynatrace-operator/templates/Common/csi/daemonset.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
  name: dynatrace-oneagent-csi-driver
  namespace: dynatrace
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      internal.oneagent.dynatrace.com/app: csi-driver
      internal.oneagent.dynatrace.com/component: csi-driver
  template:
    metadata:
      annotations:
        dynatrace.com/inject: "false"
        kubectl.kubernetes.io/default-container: provisioner
        cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
      labels:
        app.kubernetes.io/name: dynatrace-operator
        app.kubernetes.io/version: "1.0.0"
        app.kubernetes.io/component: csi-driver
        internal.oneagent.dynatrace.com/app: csi-driver
        internal.oneagent.dynatrace.com/component: csi-driver
    spec:
      initContainers:
        - name: csi-init
          image: public.ecr.aws/dynatrace/dynatrace-operator:v1.0.0@sha256:f742a1856f61ad127e9130e44e20dfa4d9990d1d472cbd5ce815b3599205e2e3
          imagePullPolicy: Always
          args:
            - csi-init
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          resources:
            limits:
              cpu: 50m
              memory: 100Mi
            requests:
              cpu: 50m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions:
              level: s0
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /data
              name: data-dir
      containers:
        # Used to receive/execute gRPC requests (NodePublishVolume/NodeUnpublishVolume) from kubelet to mount/unmount volumes for a pod
        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
        # - Needs access to the filesystem of pods on the node, and mount stuff to it, needs to read/write to it, needs root permissions to do so
        # - Needs access to a dedicated folder on the node to persist data, needs to read/write to it.
        - name: server
          image: public.ecr.aws/dynatrace/dynatrace-operator:v1.0.0@sha256:f742a1856f61ad127e9130e44e20dfa4d9990d1d472cbd5ce815b3599205e2e3
          imagePullPolicy: Always
          args:
            - csi-server
            - --endpoint=unix://csi/csi.sock
            - --node-id=$(KUBE_NODE_NAME)
            - --health-probe-bind-address=:10080
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /livez
              port: livez
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - containerPort: 10080
              name: livez
              protocol: TCP
          resources:
            limits:
              cpu: 50m
              memory: 100Mi
            requests:
              cpu: 50m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: true
            privileged: true
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions:
              level: s0
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /csi
              name: plugin-dir
            - mountPath: /var/data/kubelet/pods/
              mountPropagation: Bidirectional
              name: mountpoint-dir
            - mountPath: /data
              name: data-dir
              mountPropagation: Bidirectional
            - name: tmp-dir
              mountPath: /tmp
        - name: provisioner
          image: public.ecr.aws/dynatrace/dynatrace-operator:v1.0.0@sha256:f742a1856f61ad127e9130e44e20dfa4d9990d1d472cbd5ce815b3599205e2e3
          imagePullPolicy: Always
          args:
            - csi-provisioner
            - --health-probe-bind-address=:10090
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          startupProbe:
            exec:
              command:
                - /usr/local/bin/dynatrace-operator
                - startup-probe
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 1
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /livez
              port: livez
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - containerPort: 10090
              name: livez
              protocol: TCP
          resources:
            limits:
              cpu: 300m
              memory: 100Mi
            requests:
              cpu: 300m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: true
            privileged: true
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions:
              level: s0
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data-dir
              mountPropagation: Bidirectional
            - mountPath: /tmp
              name: tmp-dir
        # Used to make a gRPC request (GetPluginInfo()) to the driver to get driver name and driver contain
        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
        # Used for registering the driver with kubelet
        # - Needs access to the registration socket, needs to read/write to it, needs root permissions to do so.
        - name: registrar
          image: public.ecr.aws/dynatrace/dynatrace-operator:v1.0.0@sha256:f742a1856f61ad127e9130e44e20dfa4d9990d1d472cbd5ce815b3599205e2e3
          imagePullPolicy: Always
          env:
            - name: DRIVER_REG_SOCK_PATH
              value: /var/data/kubelet/plugins/csi.oneagent.dynatrace.com/csi.sock
          args:
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
          command:
            - csi-node-driver-registrar
          resources:
            limits:
              cpu: 20m
              memory: 30Mi
            requests:
              cpu: 20m
              memory: 30Mi
          securityContext:
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            runAsUser: 0
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /csi
              name: plugin-dir
            - mountPath: /registration
              name: registration-dir
            - mountPath: /var/data/kubelet/plugins/csi.oneagent.dynatrace.com/
              name: lockfile-dir
        # Used to make a gRPC request (Probe()) to the driver to check if its running
        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
        - name: liveness-probe
          image: public.ecr.aws/dynatrace/dynatrace-operator:v1.0.0@sha256:f742a1856f61ad127e9130e44e20dfa4d9990d1d472cbd5ce815b3599205e2e3
          imagePullPolicy: Always
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9898
          command:
            - livenessprobe
          resources:
            limits:
              cpu: 20m
              memory: 30Mi
            requests:
              cpu: 20m
              memory: 30Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            runAsUser: 0
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /csi
              name: plugin-dir
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccountName: dynatrace-oneagent-csi-driver
      terminationGracePeriodSeconds: 30
      priorityClassName: dynatrace-high-priority
      volumes:
        # This volume is where the registrar registers the plugin with kubelet
        - name: registration-dir
          hostPath:
            path: /var/data/kubelet/plugins_registry/
            type: Directory
        # This volume is where the socket for kubelet->driver communication is done
        - name: plugin-dir
          hostPath:
            path: /var/data/kubelet/plugins/csi.oneagent.dynatrace.com/
            type: DirectoryOrCreate
        - name: data-dir
          hostPath:
            path: /var/data/kubelet/plugins/csi.oneagent.dynatrace.com/data
            type: DirectoryOrCreate
        # This volume is where the driver mounts volumes
        - name: mountpoint-dir
          hostPath:
            path: /var/data/kubelet/pods/
            type: DirectoryOrCreate
        # Used by the registrar to create its lockfile
        - name: lockfile-dir
          emptyDir: {}
        # A volume for the driver to write temporary files to
        - name: tmp-dir
          emptyDir: {}
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists
        - key: kubernetes.io/arch
          value: arm64
          effect: NoSchedule
        - key: kubernetes.io/arch
          value: amd64
          effect: NoSchedule
        - key: kubernetes.io/arch
          value: ppc64le
          effect: NoSchedule
        - key: ToBeDeletedByClusterAutoscaler
          operator: Exists
          effect: NoSchedule
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
---
# Source: dynatrace-operator/templates/Common/csi/csidriver.yaml
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#     http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: csi.oneagent.dynatrace.com
  labels:
    app.kubernetes.io/name: dynatrace-operator
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: csi-driver
spec:
  attachRequired: false
  podInfoOnMount: true
  volumeLifecycleModes:
    - Ephemeral
  • Example of cloudnative.yaml. Replace <TENANT> with the Dynatrace tenant information.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
spec:
  # Dynatrace apiUrl including the `/api` path at the end.
  # For SaaS, set `ENVIRONMENTID` to your environment ID.
  # For Managed, change the apiUrl address.
  # For instructions on how to determine the environment ID and how to configure the apiUrl address, see https://www.dynatrace.com/support/help/reference/dynatrace-concepts/environment-id/.
  apiUrl: https://<TENANT>/api

  # Optional: Name of the secret holding the credentials required to connect to the Dynatrace tenant
  # If unset, the name of this custom resource is used
  #
  # tokens: ""

  # Optional: Defines a custom pull secret in case you use a private registry when pulling images from the Dynatrace environment
  # The secret has to be of type 'kubernetes.io/dockerconfigjson' (see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
  #
  # customPullSecret: "custom-pull-secret"

  # Optional: Disable certificate validation checks for installer download and API communication
  #
  # skipCertCheck: false

  # Optional: Set custom proxy settings either directly or from a secret with the field 'proxy'
  #
  # proxy:
  #   value: my-proxy-url.com
  #   valueFrom: name-of-my-proxy-secret

  # Optional: Adds custom RootCAs from a configmap
  # The key to the data must be "certs"
  # This property only affects certificates used to communicate with the Dynatrace API.
  # The property is not applied to the ActiveGate
  #
  # trustedCAs: name-of-my-ca-configmap

  # Optional: Sets Network Zone for OneAgent and ActiveGate pods
  # Make sure networkZones are enabled on your cluster before (see https://www.dynatrace.com/support/help/setup-and-configuration/network-zones/network-zones-basic-info/)
  #
  # networkZone: name-of-my-network-zone

  # Optional: If enabled, and if Istio is installed on the Kubernetes environment, the
  # Operator will create the corresponding VirtualService and ServiceEntry objects to allow access
  # to the Dynatrace cluster from agents or activeGates. Disabled by default.
  #
  # enableIstio: false

  # The namespaces which should be injected into
  # If unset, all namespace will be injected into
  # namespaceSelector has no effect on hostMonitoring or classicFullstack
  # For examples regarding namespaceSelectors, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  #
  # namespaceSelector:
  #   matchLabels:
  #     app: my-app
  #   matchExpressions:
  #     - key: app
  #       operator: In
  #       values: [my-frontend, my-backend, my-database]

  # Configuration for OneAgent instances
  #
  oneAgent:
    # Enables cloud-native fullstack monitoring and changes its settings
    # Cannot be used in conjunction with classic fullstack monitoring, application-only monitoring or host monitoring
    #
    cloudNativeFullStack:
      # Optional: Sets a node selector to control on which nodes the OneAgent will be deployed.
      # For more information on node selectors, see https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
      #
      # nodeSelector: {}

      # Optional: Sets the priority class assigned to the OneAgent Pods. No class is set by default.
      # For more information on priority classes, see https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
      #
      # priorityClassName: priority-class

      # Optional: Specifies tolerations to include with the OneAgent DaemonSet.
      # For more information on tolerations, see https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
      #
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists

      # Optional: Adds resource settings for OneAgent container
      # Consumption of the OneAgent heavily depends on the workload to monitor
      # The values should be adjusted according to the workload
      #
      # oneAgentResources:
      #   requests:
      #     cpu: 100m
      #     memory: 512Mi
      #   limits:
      #     cpu: 300m
      #     memory: 1.5Gi

      # Optional: Adds custom arguments to the OneAgent installer
      # For a list of available options, see https://www.dynatrace.com/support/help/shortlink/linux-custom-installation
      # For a list of the limitations for OneAgents in Docker, see https://www.dynatrace.com/support/help/shortlink/oneagent-docker#limitations
      #
      # args: []

      # Optional: Adds custom environment variables to OneAgent pods
      #
      # env: []

      # Optional: Enables or disables automatic updates of OneAgent pods
      # By default, if a new version is available, the OneAgent pods are restarted to apply the update
      # If set to "false", this behavior is disabled
      # Defaults to "true"
      #
      # autoUpdate: true

      # Optional: Sets the DNS Policy for OneAgent pods
      # Defaults to "ClusterFirstWithHostNet"
      # For more information on DNS policies, see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
      #
      # dnsPolicy: "ClusterFirstWithHostNet"

      # Optional: Adds custom annotations to OneAgent pods
      #
      # annotations:
      #   custom: annotation

      # Optional: Adds custom labels to OneAgent pods
      # Can be used to structure workloads
      #
      # labels:
      #   custom: label

      # Optional: Sets the URI for the image containing the OneAgent installer used by the DaemonSet
      # Defaults to the latest OneAgent image on the tenant's registry
      #
      # image: ""

      # Optional: If specified, indicates the OneAgent version to use
      # Defaults to the configured version on your Dynatrace environment
      # The version is expected to be provided in the semver format
      # Example: {major.minor.release}, e.g., "1.200.0"
      #
      # version: ""

      # Optional: Defines resources requests and limits for the initContainer
      # See more: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
      #
      # initResources:
      #   requests:
      #     cpu: 100m
      #     memory: 512Mi
      #   limits:
      #     cpu: 300m
      #     memory: 1.5Gi

      # Optional: The URI of the image that contains the codemodules specific OneAgent that will be injected into pods and applications.
      # For an example of a Dockerfile creating such an image, see https://dt-url.net/operator-docker-samples
      #
      # codeModulesImage: ""

  # Configuration for ActiveGate instances.
  #
  activeGate:
    # Specifies which capabilities will be enabled on ActiveGate instances
    # The following capabilities can be set:
    # - routing
    # - kubernetes-monitoring
    # - metrics-ingest
    # - dynatrace-api
    #
    capabilities:
      - routing
      - kubernetes-monitoring
      - dynatrace-api

    # Optional: Sets how many ActiveGate pods are spawned by the StatefulSet
    # Defaults to "1"
    #
    # replicas: 1

    # Optional: Sets the image used to deploy ActiveGate instances
    # Defaults to the latest ActiveGate image on the tenant's registry
    # Example: "ENVIRONMENTID.live.dynatrace.com/linux/activegate:latest"
    #
    # image: ""

    # Recommended: Sets the activation group for ActiveGate instances
    #
    # group: ""

    # Optional: Defines a custom properties file, the file contents can be provided either as a value in this yaml or as a reference to a secret.
    # If a reference to a secret is used, then the file contents must be stored under the 'customProperties' key within the secret.
    #
    # customProperties:
    #   value: |
    #     [connectivity]
    #     networkZone=
    #   valueFrom: myCustomPropertiesConfigMap

    # Optional: Specifies resource settings for ActiveGate instances
    # Consumption of the ActiveGate heavily depends on the workload to monitor
    # The values should be adjusted according to the workload
    #
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 1.5Gi

    # Optional: Sets a node selector to control on which nodes the ActiveGate will be deployed.
    # For more information on node selectors, see https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
    #
    # nodeSelector: {}

    # Optional: Specifies tolerations to include with the ActiveGate StatefulSet.
    # For more information on tolerations, see https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
    #
    # tolerations:
    #   - effect: NoSchedule
    #     key: node-role.kubernetes.io/master
    #     operator: Exists

    # Optional: Adds custom labels to ActiveGate pods
    # Can be used to structure workloads
    #
    # labels:
    #   custom: label

    # Optional: Adds custom environment variables to ActiveGate pods
    #
    # env: []

    # Optional: Specifies the name of a secret containing a TLS certificate, a TLS key and the TLS key's password to be used by ActiveGate instances
    # If unset, a self-signed certificate is used
    # The secret is expected to have the following key-value pairs
    # server.p12: TLS certificate and TLS key pair in pkcs12 format
    # password: passphrase to decrypt the TLS certificate and TLS key pair
    #
    # tlsSecretName: "my-tls-secret"

    # Optional: Sets the DNS Policy for ActiveGate pods
    # Defaults to "Default"
    # For more information on DNS policies, see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
    #
    # dnsPolicy: "Default"

    # Optional: Specifies the priority class to assign to the ActiveGate Pods
    # No class is set by default
    # For more information on priority classes, see https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
    #
    # priorityClassName: priority-class

    # Optional: Adds custom annotations to ActiveGate pods
    #
    # annotations:
    #   custom: annotation

    # Optional: Adds TopologySpreadConstraints to the ActiveGate pods
    # For more information on TopologySpreadConstraints, see https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
    #
    # topologySpreadConstraints: []
  • Access tokens can be generated with the right scopes by using this documentation link.
  • Enable OpenTelemetry for Go by using the following link
  • Enable Attribute Capturing by using the following link
  • After the previous steps are configured successfully, all the HTTP calls and the respective DB queries are logged in Dynatrace Distributed Traces.

Note: Instrumentation is added only for the PostgreSQL database library.

Configuration for Prometheus

  • To enable the /metrics endpoint, the following environment variable must be set. Example endpoint: https://<host>:<port>/metrics.
  • A Kubernetes environment example
env:
  - name: PROMETHEUS_ENABLED
    value: 'true'
  • The following counters, gauges and histograms are exposed
    • http_requests_total
    • response_status
    • node_memory_usage_bytes
    • http_response_time_seconds
    • Go lang based metrics
  • In Kubernetes, a Prometheus operator can be deployed in a namespace different from the one where IVIAOP is deployed.
  • Example deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-server
  namespace: prometheus
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus-server
  template:
    metadata:
      labels:
        app: prometheus-server
    spec:
      containers:
        - name: prometheus
          image: prom/prometheus
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
      volumes:
        - name: config-volume
          configMap:
            name: prometheus-server-conf
            defaultMode: 420
  • Example service.yaml
apiVersion: v1
kind: Service
metadata:
  name: prometheus-service
  namespace: prometheus
spec:
  selector:
    app: prometheus-server
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9090
  type: LoadBalancer
  • Example of the Prometheus configuration file
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-server-conf
  namespace: prometheus
data:
  prometheus.yml: |
    global:
      scrape_interval: 20s
      evaluation_interval: 10s
    scrape_configs:
      - job_name: iviaop
        metrics_path: /metrics
        static_configs:
          - targets:
              - <IP>:<IVIAOP Port>
  • To understand more about Kubernetes SD Configuration, see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config.
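
The static target in the configuration file above has to be edited whenever the IVIAOP pod IP changes. The following added example (not IBM's configuration) shows the same job using kubernetes_sd_configs, with read-only RBAC limited to a single namespace and certificate verification for the https endpoint. Assumed names: namespace iviaop, pod label app=iviaop, service account prometheus-server (the Prometheus Deployment must reference it through serviceAccountName), and CA file iviaop-ca.crt.

```yaml
# Added example. Namespace "iviaop", label app=iviaop, the service account
# name and the CA file name are assumptions; <...> values are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus-server
  namespace: prometheus
---
# Pod discovery only, and only in the IVIAOP namespace (Role, not ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-pod-discovery
  namespace: iviaop
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-pod-discovery
  namespace: iviaop
subjects:
  - kind: ServiceAccount
    name: prometheus-server
    namespace: prometheus
roleRef:
  kind: Role
  name: prometheus-pod-discovery
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-server-conf
  namespace: prometheus
data:
  prometheus.yml: |
    global:
      scrape_interval: 20s
      evaluation_interval: 10s
    scrape_configs:
      - job_name: iviaop
        metrics_path: /metrics
        scheme: https
        tls_config:
          # The ConfigMap is mounted at /etc/prometheus by the Deployment above.
          ca_file: /etc/prometheus/iviaop-ca.crt
          # Targets are pod IPs, so verify against the name in the certificate.
          server_name: <host name in the IVIAOP certificate>
        kubernetes_sd_configs:
          - role: pod
            namespaces:
              names: [iviaop]
        relabel_configs:
          # Keep only IVIAOP pods.
          - source_labels: [__meta_kubernetes_pod_label_app]
            regex: iviaop
            action: keep
          # Keep only the container port that serves /metrics.
          - source_labels: [__meta_kubernetes_pod_container_port_number]
            regex: "<IVIAOP Port>"
            action: keep
          # Record the pod name on every series.
          - source_labels: [__meta_kubernetes_pod_name]
            target_label: pod
  iviaop-ca.crt: |
    <PEM-encoded CA certificate that issued the IVIAOP server certificate>
```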
