[FLINK-36456] feat: Add support to pass Datadog API Key as environment variable #27432
+137
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
barryib
changed the title
Collaborator
barryib
force-pushed
the
feature/datadog-api-key-env-var
branch
from
2659790 to
00bac62
Compare
Author
|
@flinkbot run azure |
barryib
force-pushed
the
feature/datadog-api-key-env-var
branch
2 times, most recently
from
c0a2c09 to
f2c8ba0
Compare
Author
|
@flinkbot run azure |
Author
|
@zentol @molsionmo can I get your attention on this PR please. It has been closed for few times. I tried to add tests |
Author
|
cc @pinxiu for info |
Author
|
@Sxnan is it possible to review this PR please 🙏🏽 |
Contributor
|
I cant find the Jira - do you mean FLINK-33994 |
davidradl
reviewed
Jan 20, 2026
| * @param config the configuration properties | ||
| * @return the Datadog API key, or null if not found in either location | ||
| */ | ||
| private String getApiKey(Properties config) { |
Contributor
There was a problem hiding this comment.
On the whole this change seems reasonable. Some points to raise:
- would it not make sense for the environment variable to be honoured, so you can override the configuration at a more granular level?
- Could you add this environment variable name and usage to the English and Chinese docs.
- I notice the docs say
"On Docker-based deployments, you can use the FLINK_PROPERTIES environment variable for passing configuration values." Does this help you resolve this issue without this fix?
Author
There was a problem hiding this comment.
@davidradl Make sense, I'll change the order to prioritize the environment variable if it is present.
Regarding the FLINK_PROPERTIES suggestion: that mechanism works well in standard Docker environments, but it fails in Kubernetes when using the Flink Operator. The Operator mounts the configuration as a ConfigMap, which is read-only (can't be something else). Since the standard Docker entrypoint attempts to append FLINK_PROPERTIES to flink-conf.yaml, it causes the pod to crash with a "Read-only file system" error. This PR solves that by allowing the API key to be read directly from the environment without needing to modify the config file at runtime.
github-actions
bot
added
the
community-reviewed
- Add DATADOG_API_KEY environment variable support in DatadogHttpReporterFactory - Configuration property 'apikey' takes precedence over environment variable - Environment variable provides fallback when no configuration is provided - Add comprehensive test suite covering environment variable support and configuration scenarios The API key resolution follows this order: 1. Configuration property 'apikey' (if provided and non-empty) 2. Environment variable 'DATADOG_API_KEY' (fallback) This enhancement allows secure credential management using environment variables, which is particularly useful in containerized and cloud deployments. Signed-off-by: Thierno IB. BARRY <ibrahima.br@gmail.com>
…e support - Add testApiKeyFromConfigurationProperty: Verify API key resolution from config - Add testApiKeyFromEnvironmentVariable: Test environment variable fallback - Add testConfigurationPropertyTakesPrecedenceOverEnvironmentVariable: Ensure config takes priority - Add testEmptyConfigurationPropertyFallsBackToEnvironmentVariable: Test empty config fallback - Use reflection to test private getApiKey() method directly - Avoid API validation issues in tests using environment variable manipulation
…eflection issues - Remove unnecessary Field lookup for getApiKey method - Replace CommonTestUtils.setEnv() with Mockito mockStatic() to mock System.getenv() - This resolves InaccessibleObjectException when running on Java 16+ - Fixes failing tests: testApiKeyFromEnvironmentVariable, testConfigurationPropertyTakesPrecedenceOverEnvironmentVariable, testEmptyConfigurationPropertyFallsBackToEnvironmentVariable
- Remove Mockito mock implementation that violates Flink coding guidelines - Keep testable scenarios: configuration property tests - Environment variable testing relies on System.getenv() behavior in production - Simplify test suite to 3 core tests that can run without mocking
barryib
force-pushed
the
feature/datadog-api-key-env-var
branch
from
817d76f to
ca20a57
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the purpose of the change
This pull request adds support for passing the Datadog API Key via an environment variable (
DATADOG_API_KEY) instead of only through configuration properties. This enables secure credential management in containerized and cloud-native deployments where environment variables are commonly used.Why: We utilize a GitOps workflow with ArgoCD to deploy the Flink operator and applications. Since we cannot commit sensitive data like the Datadog API key to our repository, injecting it during deployment has proven difficult.
This simplifies our secret management by allowing us to use the External Secrets Operator. We can now sync the API key to a Kubernetes Secret and inject it securely into the application using envFrom.
Brief change log
DD_API_KEYenvironment variable support inDatadogHttpReporterFactoryapikeytakes precedence over environment variable for backward compatibilityResolves FLINK-36456 FLINK-33994
Related to:
API Key Resolution Order
The API key is resolved in the following priority order:
apikey(if provided and non-empty)DD_API_KEY(fallback)Verifying this change
This change added tests and can be verified as follows:
testMetricReporterSetupViaSPI- Verifies metric reporter can be created via SPItestApiKeyFromConfigurationProperty- Verifies API key from config property workstestApiKeyFromEnvironmentVariable- Tests environment variable fallback using MockitotestConfigurationPropertyTakesPrecedenceOverEnvironmentVariable- Ensures config takes priority over env vartestEmptyConfigurationPropertyFallsBackToEnvironmentVariable- Tests fallback when config is emptyDoes this pull request potentially affect one of the following parts:
@Public(Evolving): noDocumentation
getApiKey()method includes comprehensive JavaDoc explaining the resolution order and behavior