[APPSEC-68250] Document automated ingress-nginx App and API Protection setup #37258
eliottness wants to merge 2 commits into
Document the AppSec injector method for ingress-nginx (Datadog Operator and Helm) alongside the existing manual configuration, mirroring the Envoy Gateway and Istio setup pages. Confidence: high Scope-risk: narrow
Preview links (active after the
|
| name: datadog | ||
| annotations: | ||
| agent.datadoghq.com/appsec.injector.enabled: "true" | ||
| agent.datadoghq.com/appsec.injector.proxies: '["ingress-nginx"]' |
This line is not required
Done in 50ab3da — removed. injector.autoDetect (default true) already covers ingress-nginx, so injector.enabled alone is enough.
| proxies: | ||
| - ingress-nginx |
This one is also not required, remove it
Done in 50ab3da — removed from the Helm tab as well.
@codex review
…pets injector.autoDetect is enabled by default and includes ingress-nginx, so injector.enabled alone is sufficient. Addresses PR review feedback.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ab1deb5fbe
| This setup requires: | ||
|
|
||
| - The Datadog Cluster Agent `v7.79.0` or later. | ||
| - For the Helm method, the Datadog Helm chart `v3.217.0` or later. |
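Review bot: The prerequisites list gives a minimum chart version for the Helm method (`v3.217.0`) but, in the lines shown, no minimum version for the Datadog Operator method. If the Operator needs a minimum release to expose the injector settings, add it as another bullet; if it does not, say so, so Operator users know the Cluster Agent `v7.79.0` requirement is the only one that applies to them.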
Use a released Helm chart version
This prerequisite points users to Datadog Helm chart v3.217.0, but the public Datadog Helm chart releases I checked for June 4, 2026 only go up to datadog-3.215.1; helm upgrade ... datadog/datadog --version 3.217.0 therefore cannot resolve. Until that chart is published, anyone following the new automated Helm setup is blocked before they can enable the ingress-nginx injector, so this should either name the first released chart that contains the values or wait for the release before publishing.
OliviaShoup left a comment
hey, thanks for the PR! requesting two small changes (also can you tell me more about that Codex comment? is the Helm chart version going to be updated before we publish these docs?)
|
|
||
| <div class="alert alert-danger"> | ||
| We provide a specific init container **for each ingress-nginx controller version**, starting with <code>v1.10.0</code>. This is crucial because **each** init container must match the underlying nginx version. To ensure compatibility, ensure the version of the Datadog init container matches your ingress-nginx version. | ||
| Datadog provides a specific init container **for each ingress-nginx controller version**, starting with <code>v1.10.0</code>. This is crucial because **each** init container must match the underlying NGINX version. To confirm compatibility, verify that the version of the Datadog init container matches your ingress-nginx version. |
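Review bot: In the added alert line, the second sentence says each init container must match the underlying NGINX version, while the third asks the reader to match it against the ingress-nginx version. These are two different version numbers, so name the one the reader actually compares with the init container tag (the first sentence suggests the ingress-nginx controller version) and state what a mismatch results in, since the alert is styled as `alert-danger`.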
| Datadog provides a specific init container **for each ingress-nginx controller version**, starting with <code>v1.10.0</code>. This is crucial because **each** init container must match the underlying NGINX version. To confirm compatibility, verify that the version of the Datadog init container matches your ingress-nginx version. | |
| Datadog provides a specific init container <b>for each ingress-nginx controller version</b>, starting with <code>v1.10.0</code>. This is crucial because <b>each</b> init container must match the underlying NGINX version. To confirm compatibility, verify that the version of the Datadog init container matches your ingress-nginx version. |
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| After you enable this, the Datadog Cluster Agent: |
| After you enable this, the Datadog Cluster Agent: | |
| After you enable automatic configuration, the Datadog Cluster Agent: |
What does this PR do? What is the motivation?
Fixes APPSEC-68250
Adds documentation for enabling App and API Protection on ingress-nginx using the AppSec injector (the Datadog Cluster Agent injects the `nginx-datadog` module into ingress-nginx controller pods), with Datadog Operator and Helm configuration. This mirrors the existing Envoy Gateway and Istio setup pages. The existing manual configuration is preserved as an alternative.
Merge instructions
Merge readiness:
Additional notes