Kubernetes dynatrace-operator behind firewall and proxy

BevanBroun
Visitor

Hi All

I'm very new to Dynatrace and Kubernetes.

We have an activegate and I have installed one agent on several VMs. Everything is going via the proxy and working. 

However, I'm having lots of trouble getting the monitoring of Kubernetes working - most of the issues are about proxy and firewalls. What I would really love is the method of downloading separately so I can avoid these issues.

E.g.: The instructions say "helm install dynatrace-operator oci://public.ecr.aws/dynatrace/dynatrace-operator"; however, despite adding public.ecr.aws to our proxy and firewall rules the traffic doesn't flow. We see from packet capture it's being forwarded to another address - so we add that too and we still get nowhere.

At the moment I have downloaded the content from: Releases · Dynatrace/dynatrace-operator (github.com) and run

kubectl create namespace dynatrace
kubectl apply -f kubernetes.yaml
kubectl apply -f kubernetes-csi.yaml

However, as expected the things are trying to download:

[root@prod-k8s-mast-n1a ~]# kubectl get pods -n dynatrace
NAME                                  READY   STATUS                  RESTARTS   AGE
dynatrace-oneagent-csi-driver-69v9k   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-b94zd   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-gwqx8   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-hzt7m   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-ll4l9   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-w7n2l   0/4     Init:ImagePullBackOff   0          19m
dynatrace-oneagent-csi-driver-z9sg4   0/4     Init:ImagePullBackOff   0          19m
dynatrace-operator-94d65c56c-k8xx6    0/1     ImagePullBackOff        0          19m
dynatrace-webhook-56bd655b8b-4rzhc    0/1     ImagePullBackOff        0          19m
dynatrace-webhook-56bd655b8b-h6hv4    0/1     ImagePullBackOff        0          19m

How can I do this in an offline mode

OR

tell this system to use a proxy and what URLs are needed in firewalls and proxy ACLs?

Thanks in advance.


Julius_Loman
DynaMight Legend

@BevanBroun you need to copy the images to your local repository, where your k8s can download images as your environment cannot access public repositories directly. See https://docs.dynatrace.com/docs/shortlink/prepare-private-registry for details on how to copy images. 

After you have images in your repository, follow the steps here: https://docs.dynatrace.com/docs/shortlink/use-private-registry for deploying the Dynatrace operator in an air-gapped environment.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
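
Before copying images as the answer above describes, it helps to read the image references straight out of the downloaded manifests, so you know exactly what to mirror and which registry hosts the nodes would otherwise contact. The script below is an added example, not part of the original thread or Dynatrace's tooling; the sample manifest, its tags and the mirror host registry.internal.example:5000 are constructed placeholders.

```shell
#!/bin/sh
# Added example: which images do the manifests pull, from which registry hosts,
# and what would each image be called in a private registry?

# Unique image references in the given manifest files (stdin when none given).
list_images() {
  # Matches "image: ref" and "- image: ref"; strips quotes and trailing comments.
  sed -n -E 's/^[[:space:]-]*image:[[:space:]]*"?([^"[:space:]#]+)"?.*$/\1/p' "$@" |
    LC_ALL=C sort -u
}

# Registry host of one image reference; docker.io when the reference names none.
registry_of() {
  first="${1%%/*}"
  case "$1" in
    */*) case "$first" in
           *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
         esac ;;
  esac
  printf 'docker.io\n'
}

# Unique registry hosts that nodes must reach (or that must be mirrored).
list_registries() {
  list_images "$@" | while read -r img; do registry_of "$img"; done | LC_ALL=C sort -u
}

# Name of image $2 after copying it to private registry host $1.
retarget() {
  host="$(registry_of "$2")"
  case "$2" in
    "$host"/*) printf '%s/%s\n' "$1" "${2#*/}" ;;
    *)         printf '%s/%s\n' "$1" "$2" ;;
  esac
}

# Constructed sample manifest; image names and tags are placeholders.
sample_manifest() {
  cat <<'EOF'
      containers:
        - name: operator
          image: public.ecr.aws/dynatrace/dynatrace-operator:v0.0.0-example
          imagePullPolicy: Always
        - image: "registry.example.org:5000/csi/registrar:v0.0.0-example"  # quoted
        - image: busybox:0.0-example
EOF
}

sample_manifest | list_registries
```

Against the real files, run `list_registries kubernetes.yaml kubernetes-csi.yaml`. The hosts it prints are only where a pull starts; image pulls are made by the container runtime on each node, so proxy and allow-list settings have to apply there.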

Thanks Julius - I'll be trying this shortly. BTW we are not completely air-gapped. The problem is redirects and proxy/firewall/url lists.

timothyyara
Dynatrace Enthusiast

++1 for knowing where/how to add a custom proxy setting into the dynakube.yaml and what needs to be white-listed or excluded from the proxy settings. Right now, we are having similar issues that the webhook is failing: TLS handshake error from *IPADDRESS* remote error: tls: bad certificate

gopher
Pro
@timothyyara @BevanBroun 

You can use the no-proxy feature flag. This is used for both private repositories and anywhere else that you need the ActiveGate to not route to the proxy.
DynaKube feature flags for Dynatrace Operator — Dynatrace Docs

**no-proxy is not set in proxy pull secrets (only the credentials and proxy address), and must be set this way. 

Example below: 
apiVersion: dynatrace.com/v1beta3
kind: DynaKube
metadata:
  name: dynakube
  namespace: dynatrace
  annotations:
    feature.dynatrace.com/no-proxy: ".dynatrace.svc,.myprivaterepo,.amazonaws.com" #private repo
    feature.dynatrace.com/oneagent-initial-connect-retry-ms: "10000"
    feature.dynatrace.com/init-container-seccomp-profile: "true"
