Configure Istio for OneAgent traffic in Kubernetes

Istio is a service mesh that helps manage distributed microservices architectures. Istio uses the sidecar pattern to deploy a proxy into each pod, which then intercepts network traffic between your microservices. Egress traffic of Istio-enabled pods is redirected to the sidecar proxy within each pod, and whether endpoints outside the cluster are reachable depends on the configuration of the proxy. This includes the communication of Dynatrace OneAgent code modules. If the OneAgent code modules' communication to the Dynatrace environment is blocked, the Dynatrace communication endpoints need to be explicitly added to the mesh or the proxy needs to be configured to pass through all requests.

This topic describes how to manually configure Istio to enable egress traffic to your Dynatrace environment if you aren't using OneAgent Operator version 0.4 or higher.

OneAgent Operator version 0.4+ automatically manages Istio service entries and virtual services for your Dynatrace environment when enableIstio is set to true in the custom resource. The Dynatrace OneAgent code modules can then send monitoring information to your Dynatrace environment.

Prepare Dynatrace tokens

Get a Platform-as-a-Service token to query the list of communication endpoints for the OneAgent. This token is later referenced as {token}.

Configure a ServiceEntry object

  1. Get the list of available communication endpoints for your environment.

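    To do this, make a GET call to the REST endpoint of your Dynatrace environment, replacing the placeholders {environmentID} and {token} with your own values. The token is part of the URL here, so it can end up in shell history and proxy logs; the Dynatrace API also accepts the token in an Authorization: Api-Token {token} request header.

    Dynatrace Managed:

    ```text
    https://{your-domain}/e/{environmentID}/api/v1/deployment/installer/agent/connectioninfo?Api-Token={token}
    ```

    Dynatrace SaaS:

    ```text
    https://{environmentID}.live.dynatrace.com/api/v1/deployment/installer/agent/connectioninfo?Api-Token={token}
    ```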

    The response is a JSON object that contains communicationEndpoints. The list of endpoints may look like this:

    ```json
    {
      ...
      "communicationEndpoints": [
        "https://gateway1.internal:9999/communication",
        "https://10.0.0.1:9999/communication",
        "https://gateway2.live.ruxit.com/communication",
        "https://gateway3.live.ruxit.com/communication"
      ]
    }
    ```

  2. Save the following snippet with the service entries to a file named istio-oneagent-serviceentries.yaml and adapt its content to the communication endpoints from your JSON response above. The snippet below covers multiple ServiceEntry and VirtualService definitions.

    • Endpoints with a hostname that run on the same port (e.g. 9999 or 443) can be grouped in an HTTPS ServiceEntry and VirtualService combination.
    • Each endpoint with an IP address should be handled in its own TCP ServiceEntry.
    Snippet with OneAgent service entries:

    ```yaml
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: dynatrace-oneagent-hostnames-9999
    spec:
      hosts:
      - gateway1.internal
      location: MESH_EXTERNAL
      ports:
      - number: 9999
        name: https-9999
        protocol: HTTPS
      resolution: DNS
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: dynatrace-oneagent-hostnames-9999
    spec:
      hosts:
      - gateway1.internal
      tls:
      - match:
        - port: 9999
          sniHosts:
          - gateway1.internal
        route:
        - destination:
            host: gateway1.internal
            port:
              number: 9999
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: dynatrace-oneagent-hostnames
    spec:
      hosts:
      - gateway2.live.ruxit.com
      - gateway3.live.ruxit.com
      location: MESH_EXTERNAL
      ports:
      - number: 443
        name: https-443
        protocol: HTTPS
      resolution: DNS
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: dynatrace-oneagent-hostnames
    spec:
      hosts:
      - gateway2.live.ruxit.com
      - gateway3.live.ruxit.com
      tls:
      - match:
        - port: 443
          sniHosts:
          - gateway2.live.ruxit.com
        route:
        - destination:
            host: gateway2.live.ruxit.com
            port:
              number: 443
      - match:
        - port: 443
          sniHosts:
          - gateway3.live.ruxit.com
        route:
        - destination:
            host: gateway3.live.ruxit.com
            port:
              number: 443
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: dynatrace-oneagent-ips
    spec:
      hosts:
      - ignored.subdomain #ignored
      addresses:
      - 10.0.0.1/32
      location: MESH_EXTERNAL
      ports:
      - number: 9999
        protocol: TCP
        name: tcp-9999
      resolution: NONE
    ```
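
The grouping rules from step 2, as an added example that is not Dynatrace's own code: this Python script turns a communicationEndpoints list into the matching ServiceEntry and VirtualService objects and rejects anything that is not an https endpoint, so the egress allowlist stays explicit. The resource names and the JSON List output (kubectl reads JSON manifests as well as YAML) are assumptions; the sample input is the endpoint list from the example response above.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

API = "networking.istio.io/v1alpha3"  # apiVersion used in the page's snippet
# Constructed sample input: the endpoint list from the page's example response.
SAMPLE = ["https://gateway1.internal:9999/communication",
          "https://10.0.0.1:9999/communication",
          "https://gateway2.live.ruxit.com/communication",
          "https://gateway3.live.ruxit.com/communication"]

def build_manifests(endpoints):
    """Hostnames are grouped per port (HTTPS); each IP gets its own TCP entry."""
    by_port, ips = defaultdict(list), []
    for url in endpoints:
        u = urlsplit(url)
        if u.scheme != "https" or not u.hostname:
            raise ValueError(f"unexpected endpoint: {url!r}")  # fail closed
        port = u.port or 443  # no explicit port means the https default
        try:
            ip = ipaddress.ip_address(u.hostname)
        except ValueError:
            ip = None  # not an IP literal, so treat it as a hostname
        if ip:
            ips.append((ip, port))
        elif u.hostname not in by_port[port]:
            by_port[port].append(u.hostname)
    out = []
    for port, hosts in sorted(by_port.items()):
        meta = {"name": f"dynatrace-oneagent-hostnames-{port}"}  # assumed naming
        out.append({"apiVersion": API, "kind": "ServiceEntry", "metadata": meta, "spec": {
            "hosts": hosts, "location": "MESH_EXTERNAL", "resolution": "DNS",
            "ports": [{"number": port, "name": f"https-{port}", "protocol": "HTTPS"}]}})
        out.append({"apiVersion": API, "kind": "VirtualService", "metadata": meta, "spec": {
            "hosts": hosts, "tls": [{"match": [{"port": port, "sniHosts": [h]}],
                "route": [{"destination": {"host": h, "port": {"number": port}}}]}
                for h in hosts]}})
    for ip, port in ips:
        name = f"dynatrace-oneagent-ip-{ip}-{port}".replace(".", "-").replace(":", "-")
        out.append({"apiVersion": API, "kind": "ServiceEntry", "metadata": {"name": name}, "spec": {
            "hosts": ["ignored.subdomain"], "addresses": [f"{ip}/{ip.max_prefixlen}"],
            "location": "MESH_EXTERNAL", "resolution": "NONE",
            "ports": [{"number": port, "protocol": "TCP", "name": f"tcp-{port}"}]}})
    return out

if __name__ == "__main__":
    items = build_manifests(SAMPLE)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

Review the generated objects against the connectioninfo response before applying them, since every host listed becomes reachable from the mesh.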

Create the ServiceEntry and VirtualService objects

Create the ServiceEntry and VirtualService configuration from the saved file. We recommend creating the ServiceEntry and VirtualService resources in a dynatrace namespace.

```bash
kubectl -n dynatrace create -f istio-oneagent-serviceentries.yaml
```

Remove the ServiceEntry and VirtualService objects

If you have uninstalled OneAgent, you'll also need to remove the ServiceEntry configurations.

```bash
kubectl -n dynatrace delete -f istio-oneagent-serviceentries.yaml
```