Ingress-nginx support for Datadog

Ingress-nginx is a Kubernetes ingress controller that uses nginx as a reverse proxy and load balancer. In a Kubernetes cluster, external access is restricted by default for security reasons. An ingress controller uses rules to control how external traffic may reach your services.

The ingress-nginx controller is managed through Kubernetes resources, but customization of the underlying nginx configuration is typically limited beyond its intended use case. However, ingress-nginx allows the addition of extra nginx modules for extended functionality. To take advantage of this feature with nginx-datadog, we provide init containers.

How to enable nginx-datadog in ingress-nginx?

To integrate nginx-datadog with ingress-nginx, add a Datadog init container to your pod specification and configure nginx to load the nginx-datadog module.

The following Helm values demonstrate how to inject the nginx-datadog module into an ingress-nginx controller:

controller:
  config: 
    main-snippet: "load_module /modules_mount/ngx_http_datadog_module.so;"
  opentelemetry:
    enabled: false
  extraModules:
    - name: nginx-datadog
      image:
        registry: docker.io
        image: datadog/ingress-nginx-injection
        # The tag should match the version of the ingress-nginx controller
        # For example, this will inject the Datadog module for ingress v1.10.0
        # Check <https://hub.docker.com/repository/docker/datadog/ingress-nginx-injection/tags> 
        # for the list of all versions supported.
        tag: "v1.10.0"
        distroless: false

Check our details examples to help you set up ingress-nginx with nginx-datadog.

How does it work?

Init containers are special containers that run before the main container in a Kubernetes pod. In this case, the Datadog init container is responsible for copying the nginx-datadog module into a shared volume that will be accessible by the main ingress-nginx container.

When the main ingrees-nginx controller starts, the nginx configuration must be updated with the load_module directive, allowing it to load the Datadog module seamlessly.

Interaction with OpenTelemetry

By default, ingress-nginx includes an OpenTelemetry (oTel) module that can be enabled using the enable-opentelemetry: true setting in the ingress-nginx ConfigMap. However, if you are using nginx-datadog for tracing, we recommend disabling OpenTelemetry to prevent duplicate tracing data from both the oTel and Datadog modules.

To disable OpenTelemetry, set enable-opentelemetry: false.

Enabling AppSec

You can enable the WAF provided by AppSec to protect your applications from security threats. To do so, update your Helm values to include the AppSec configuration:

controller:
  config:
    main-snippet: |
      load_module /modules_mount/ngx_http_datadog_module.so;
      # AppSec thread pool configuration (adjust threads and max_queue as needed)
      thread_pool waf_thread_pool threads=2 max_queue=16;
    http-snippet: |
      # Enable AppSec
      datadog_appsec_enabled on;
      datadog_waf_thread_pool_name waf_thread_pool;
  opentelemetry:
    enabled: false
  extraModules:
    - name: nginx-datadog
      image:
        registry: docker.io
        image: datadog/ingress-nginx-injection
        tag: "v1.10.0"
        distroless: false

Key configuration parameters:

• thread_pool waf_thread_pool: Creates a dedicated thread pool for AppSec processing. Adjust threads and max_queue based on your traffic patterns and available resources.
• datadog_appsec_enabled on: Enables the Application Security module for threat detection and protection. This can be omitted so that AppSec can be enabled or disabled through Remote Configuration.
• datadog_waf_thread_pool_name waf_thread_pool: Associates the matching requests with the configured thread pool.

Refer to the configuration reference for more configurable options.