Install Java agents in Container Service for Kubernetes (ACK) and Container Compute Service (ACS) using the ack-onepilot component - Application Real-Time Monitoring Service

You can install the ARMS Application Monitoring component ack-onepilot to monitor Java applications that are deployed in Container Service for Kubernetes ACK or Container Compute Service ACS. After the installation, you can view the application topology, API calls, abnormal and slow transactions, and other monitoring data. This topic describes how to install agents for Java applications in Container Service for Kubernetes ACK and Container Compute Service ACS.

Note

The installation procedures for agents in Container Service for Kubernetes ACK and Container Compute Service ACS are identical. This topic uses Container Service for Kubernetes ACK as an example.

ack-onepilot component overview

ARMS Agent Onboarding Assistant (ack-onepilot) is a key component that helps ARMS users automatically prepare ARMS agent packages and configure the reporting environment in containerized environments. For more information about how ack-onepilot works, see How ack-onepilot works.

After installation, ack-onepilot automatically upgrades the agent to the latest version when your application restarts after a new agent version is released. If you do not want automatic updates, you can manually control the agent version. For more information, see Control agent versions manually.

Important

The legacy application monitoring component arms-pilot is no longer maintained. You must install the upgraded ack-onepilot component to monitor your applications. ack-onepilot is fully compatible with arms-pilot, so you can migrate seamlessly without changing your application configuration. For more information, see Uninstall arms-pilot and install ack-onepilot.

Prerequisites

An ACK cluster or an ACS cluster is created.
ACK clusters: Create an ACK managed cluster, Create an ACK One registered cluster, Create an ACK dedicated cluster (no longer available for new creation), Create an ACK serverless cluster.
ACS clusters: Create an ACS cluster.
A namespace is created. For more information, see Manage namespaces and quotas. The namespace that is used in this example is arms-demo.
Check your JDK version. For more information about the requirements, see Supported JDK versions.
The maximum heap memory of the process must be greater than 256 MB.

Step 1: Install the ARMS Agent Onboarding Assistant (ack-onepilot)

Log on to the ACK console. On the Clusters page, click the name of the cluster.
In the left-side navigation pane, click Add-ons. On the Add-ons page, search for ack-onepilot.
Click Install on the ack-onepilot card.

Note
By default, the ack-onepilot component supports 1,000 pods. For every additional 1,000 pods in the cluster, you must add 0.5 CPU cores and 512 MB memory for the component.
In the dialog box that appears, configure the parameters and click OK. We recommend that you use the default values.

Note
After you install ack-onepilot, you can upgrade, configure, or uninstall it on the Add-ons page.

Step 2: Grant access permissions to ARMS resources

ACK managed clusters

If your ACK managed cluster does not have an ARMS Addon Token, you must manually grant access permissions to ARMS resources. If an ARMS Addon Token already exists, go to Step 3.

Check whether ARMS Addon Token exists in a cluster

Log on to the ACK console. In the left-side navigation pane, click Clusters. On the Clusters page, click the name of the cluster to go to the cluster details page.
In the left-side navigation pane, choose Configurations > Secrets. In the upper part of the page, select kube-system from the Namespace drop-down list and check whether addon.arms.token is displayed on the Secrets page.

Note

If a cluster has ARMS Addon Token, ARMS performs password-free authorization on the cluster. ARMS Addon Token may not exist in some ACK managed clusters. We recommend that you check whether an ACK managed cluster has ARMS Addon Token before you use ARMS to monitor applications in the cluster. If the cluster has no ARMS Addon Token, you must authorize the cluster to access ARMS.

Manually add permission policies

Log on to the ACK console. In the left-side navigation pane, click Clusters. On the Clusters page, click the name of the cluster.
On the Basic Information tab of the Cluster Information page, click the link next to Worker RAM Role in the Cluster Resources section.
On the page that appears, click Grant Permission on the Permissions tab.
In the Grant Permission panel, add the following policies and click Grant permissions.
- AliyunTracingAnalysisFullAccess: full access to Managed Service for OpenTelemetry.
- AliyunARMSFullAccess: full access to ARMS.

Dedicated clusters and registered clusters

To monitor applications in ACK dedicated clusters and ACK One registered clusters, you must ensure that your Alibaba Cloud account has the AliyunARMSFullAccess and AliyunSTSAssumeRoleAccess permissions. For more information about how to add permissions, see Manage permissions for RAM users.

After you install the ack-onepilot component, you must also provide the AccessKey ID and AccessKey secret of an Alibaba Cloud account that has ARMS permissions to the ack-onepilot component.

Method 1: Specify the AccessKey ID and AccessKey secret directly in Helm

Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the navigation pane on the left, choose Applications > Helm. Click Update next to the ack-onepilot component.
Replace the values of accessKey and accessKeySecret with the AccessKey ID and AccessKey secret of your account. Then, click OK.
Note
For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.
Restart the application deployment.

Method 2: Use a Kubernetes secret to provide the AccessKey ID and AccessKey secret

Log on to the Container Service for Kubernetes console. In the navigation pane on the left, select Clusters.
On the Clusters page, click the name of your cluster. In the navigation pane on the left, choose Configurations > Secrets.
Select the ack-onepilot namespace and create a secret to store the AccessKey ID and AccessKey secret.
Note
For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.
In the navigation pane on the left, choose Workloads > Deployments. Click the ack-onepilot component. The component is usually named ack-onepilot-ack-onepilot and is in the ack-onepilot namespace.
In the upper-right corner of the ack-onepilot-ack-onepilot page, click Edit. In the Environment Variables section, add ONE_PILOT_ACCESSKEY and ONE_PILOT_ACCESSKEY_SECRET, and reference the values that are stored in the secret. Then, click OK.

ASK/ECI clusters

To monitor applications in ACK serverless clusters or clusters that are integrated with ECI, you must complete authorization on the Resource Access Authorization page. Then, restart all pods of the ack-onepilot component.

Step 3: Enable ARMS Application Monitoring for Java applications

The following YAML template shows how to create a stateless application (Deployment) and enable ARMS Application Monitoring:

Expand to view the full YAML example (Java)

apiVersion: v1
kind: Namespace
metadata:
  name: arms-demo
---
apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: arms-springboot-demo
  namespace: arms-demo
  labels:
    app: arms-springboot-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: arms-springboot-demo
  template:
    metadata:
      labels:
        app: arms-springboot-demo
        armsPilotAutoEnable: "on"
        armsPilotCreateAppName: "arms-k8s-demo"
    spec:
      containers:
        - resources:
            limits:
              cpu: 0.5
          image: registry.cn-hangzhou.aliyuncs.com/arms-docker-repo/arms-springboot-demo:v0.1
          imagePullPolicy: Always
          name: arms-springboot-demo
          env:
            - name: SELF_INVOKE_SWITCH
              value: "true"
            - name: COMPONENT_HOST
              value: "arms-demo-component"
            - name: COMPONENT_PORT
              value: "6666"
            - name: MYSQL_SERVICE_HOST
              value: "arms-demo-mysql"
            - name: MYSQL_SERVICE_PORT
              value: "3306"
---
apiVersion: apps/v1 
kind: Deployment
metadata:
  name: arms-springboot-demo-subcomponent
  namespace: arms-demo
  labels:
    app: arms-springboot-demo-subcomponent
spec:
  replicas: 2
  selector:
    matchLabels:
      app: arms-springboot-demo-subcomponent
  template:
    metadata:
      labels:
        app: arms-springboot-demo-subcomponent
        armsPilotAutoEnable: "on"
        armsPilotCreateAppName: "arms-k8s-demo-subcomponent"
    spec:
      containers:
        - resources:
            limits:
              cpu: 0.5
          image: registry.cn-hangzhou.aliyuncs.com/arms-docker-repo/arms-springboot-demo:v0.1
          imagePullPolicy: Always
          name: arms-springboot-demo-subcomponent
          env:
            - name: SELF_INVOKE_SWITCH
              value: "false"
            - name: MYSQL_SERVICE_HOST
              value: "arms-demo-mysql"
            - name: MYSQL_SERVICE_PORT
              value: "3306"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    name: arms-demo-component
  name: arms-demo-component
  namespace: arms-demo
spec:
  ports:
    # the port that this service should serve on
    - name: arms-demo-component-svc
      port: 6666
      targetPort: 8888
  # label keys and values that must match to receive traffic for this service
  selector:
    app: arms-springboot-demo-subcomponent
---
apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: arms-demo-mysql
  namespace: arms-demo
  labels:
    app: mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - resources:
            limits:
              cpu: 0.5
          image: registry.cn-hangzhou.aliyuncs.com/arms-docker-repo/arms-demo-mysql:v0.1
          name: mysql
          ports:
            - containerPort: 3306
              name: mysql
---
apiVersion: v1
kind: Service
metadata:
  labels:
    name: mysql
  name: arms-demo-mysql
  namespace: arms-demo
spec:
  ports:
    # the port that this service should serve on
    - name: arms-mysql-svc
      port: 3306
      targetPort: 3306
  # label keys and values that must match to receive traffic for this service
  selector:
    app: mysql
---

Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the navigation pane on the left, choose Workloads > Deployments.
On the Stateless page, select > YAML Edit to the right of the target application.
To create a new application, click Create from YAML.
In the YAML file, add the following labels to the `spec.template.metadata` section:
```
labels:
  armsPilotAutoEnable: "on"
  armsPilotCreateAppName: "<your-deployment-name>"    # Replace <your-deployment-name> with your application name.
  aliyun.com/app-language: java
```
Note
- For more information about application security, see What is application security?.
- For more information about application security billing, see Billing overview.
Click Update.
On the Stateless page, click > ARMS Console in the Actions column of the target application to view the application monitoring details.

Application Real-Time Monitoring Service:Install Java agents in Container Service for Kubernetes (ACK) and Container Compute Service (ACS) using the ack-onepilot component