DataDog / dd-trace-php

Datadog PHP Clients
https://docs.datadoghq.com/tracing/setup/php

[Feature] AppSec warnings for unset environment variables despite variables being set at Agent level in Kubernetes cluster #2880

Open stewartmalik opened 3 weeks ago

stewartmalik commented 3 weeks ago

Describe the feature you'd like

Add a new environment variable DD_APPSEC_DISABLE_MISSING_ENV_WARNING or something similar to suppress the following warning message:

[Tue Oct 08 23:33:26.942581 2024] [php:warn] [pid 28:tid 28] [client 127.0.0.6:36537] PHP Warning:  PHP Request Startup: [ddappsec] AppSec is not disabled and Datadog service or env is empty. Please set DD_SERVICE and DD_ENV rather than setting the corresponding properties on the root span. Otherwise, remote configuration for AppSec will use service=unnamed-php-service and env=none in Unknown on line 0

The default value of the new environment variable would be false.

Is your feature request related to a problem?

We are running our PHP applications in a Kubernetes cluster and the DataDog agent is installed as an Operator within the cluster. We have configured the Agent to automatically tag all messages to DataDog with the relevant environment. For example, we have 3 environments and 3 Kubernetes clusters for dev, stg, and prod.

This allows us to not have to set DD_ENV on each different application as this is handled at the cluster level.

See snippets of our Terraform configuration for the DataDog Cluster Agent Operator below (although not directly relevant to this issue):

...
        "nodeAgent" = {
          "env" = [
            {
              "name"  = "DD_ENV"
              "value" = var.environment
            },
            {
...
...
            "cluster-agent" = {
              "env" = [
                {
                  "name"  = "DD_ENV"
                  "value" = var.environment
                },
                {
...

After updating to the DataDog PHP library version 1.4.0 we found that the aforementioned warning was being generated, likely because whilst we are setting DD_SERVICE for each application we are not explicitly setting DD_ENV at a container level. The DD PHP library has no idea that this is being set at a cluster level and thus the warning message is generated.

Describe alternatives you've considered

Initially this warning was being output to the browser due to a misconfiguration of PHP ini settings on our behalf. We have since disabled this so that this is not affecting our users; however, the warnings are still being reported in container logs.

Additional context

No response

bwoebi commented 3 weeks ago

Hey @stewartmalik,

a) short-term (patch release in a couple days) we'll remove that message completely and implement a workaround for the case where the service is not set, so that we can extract use service information in any case.

b) for the next minor release we target to ask the datadog-agent for its default environment and use the information from there for remote configuration (including appsec). [This was probably always broken for you.]

Together both fixes aim to fix the issue you have, without any extra configuration, working as expected out of the box.

stewartmalik commented 3 weeks ago

Hi @bwoebi,

Thank you for your response.

Confirming that in our specific example it's DD_ENV that is being set at the datadog-agent and not at the container (library) level, we do explicitly set DD_SERVICE. So I think once b) is implemented that will resolve our issues.

As mentioned previously we are working around this by just setting both DD_ENV and DD_SERVICE on every project, but it just feels better from an architectural standpoint to have DD_ENV be set at the datadog-agent level cluster-wide.

Thanks again!

robgordon89 commented 1 week ago

👋 is there an ETA on this one please?

bwoebi commented 1 week ago

Hey @robgordon89, problem a) is solved (use 1.4.2). Problem b) is still on our todo (but that one is not a regression which we had compared to 1.3.) - no specific ETA yet, though.
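The workaround mentioned in the thread is to set both DD_SERVICE and DD_ENV on every container. As an added example (not from the thread or from dd-trace-php), this script audits pod specs for containers where the library would still see an empty service or env and so, per the warning text, AppSec remote configuration would fall back to service=unnamed-php-service or env=none. The pod names, namespace and ConfigMap name are constructed, and it assumes every listed container runs the PHP tracer.

```python
import json

REQUIRED = ("DD_SERVICE", "DD_ENV")

# Constructed sample in the shape of `kubectl get pods -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web-1"},
  "spec": {"containers": [{"name": "php", "env": [
    {"name": "DD_SERVICE", "value": "shop-web"}]}]}},
 {"metadata": {"namespace": "shop", "name": "api-1"},
  "spec": {"containers": [{"name": "php", "env": [
    {"name": "DD_SERVICE", "value": "shop-api"},
    {"name": "DD_ENV", "valueFrom": {"fieldRef": {
      "fieldPath": "metadata.labels['tags.datadoghq.com/env']"}}}]}]}},
 {"metadata": {"namespace": "shop", "name": "job-1"},
  "spec": {"containers": [{"name": "php",
    "env": [{"name": "DD_ENV", "value": ""}],
    "envFrom": [{"configMapRef": {"name": "dd-common"}}]}]}}
]}
""")

def classify(container, var):
    """Return 'set', 'unresolved' or 'missing' for one variable."""
    for entry in container.get("env") or []:
        if entry.get("name") != var:
            continue
        # Assumption: a valueFrom reference resolves to a non-empty value.
        return "set" if entry.get("value") or entry.get("valueFrom") else "missing"
    # envFrom imports keys from a ConfigMap/Secret that the pod spec does not list.
    return "unresolved" if container.get("envFrom") else "missing"

def audit(pod_list):
    """List (namespace, pod, container, variable, state) for every gap."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            for var in REQUIRED:
                state = classify(c, var)
                if state != "set":
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c.get("name"), var, state))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POD_LIST):
        print("%s/%s [%s]: %s is %s" % finding)
```

An `unresolved` result means the referenced ConfigMap or Secret has to be inspected separately before the container can be considered covered.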