DataDog · erikayasuda · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -38,6 +38,7 @@ type Config struct {
 	InitRetryDelay time.Duration
 	BucketID       string
 	DigestCacheTTL time.Duration
+	Enabled        bool
 }
 
 func calculateRolloutBucket(apiKey string) string {
@@ -55,6 +56,7 @@ func NewConfig(cfg config.Component, rcClient RemoteConfigClient) Config {
 		MaxInitRetries: 5,
 		InitRetryDelay: 1 * time.Second,
 		BucketID:       calculateRolloutBucket(cfg.GetString("api_key")),
-		DigestCacheTTL: 1 * time.Hour, // DEV: Make this configurable
+		DigestCacheTTL: cfg.GetDuration("admission_controller.auto_instrumentation.gradual_rollout.cache_ttl_hours") * time.Hour,
+		Enabled:        cfg.GetBool("admission_controller.auto_instrumentation.gradual_rollout.enabled"),
 	}
 }
@@ -39,6 +39,7 @@ func TestNewConfig(t *testing.T) {
 				InitRetryDelay: 1 * time.Second,
 				BucketID:       "2",
 				DigestCacheTTL: 1 * time.Hour,
+				Enabled:        true,
 			},
 		},
 		{
@@ -57,6 +58,7 @@ func TestNewConfig(t *testing.T) {
 				InitRetryDelay: 1 * time.Second,
 				BucketID:       "2",
 				DigestCacheTTL: 1 * time.Hour,
+				Enabled:        true,
 			},
 		},
 		{
@@ -74,6 +76,7 @@ func TestNewConfig(t *testing.T) {
 				InitRetryDelay: 1 * time.Second,
 				BucketID:       "2",
 				DigestCacheTTL: 1 * time.Hour,
+				Enabled:        true,
 			},
 		},
 		{
@@ -92,6 +95,47 @@ func TestNewConfig(t *testing.T) {
 				InitRetryDelay: 1 * time.Second,
 				BucketID:       "0",
 				DigestCacheTTL: 1 * time.Hour,
+				Enabled:        true,
+			},
+		},
+		{
+			name: "gradual_rollout_disabled",
+			configFactory: func(t *testing.T) config.Component {
+				mockConfig := config.NewMock(t)
+				mockConfig.SetWithoutSource("site", "datadoghq.com")
+				mockConfig.SetWithoutSource("api_key", "1234567890abcdef")
+				mockConfig.SetWithoutSource("admission_controller.auto_instrumentation.gradual_rollout.enabled", false)
+				return mockConfig
+			},
+			expectedState: Config{
+				Site:           "datadoghq.com",
+				DDRegistries:   map[string]struct{}{"gcr.io/datadoghq": {}, "docker.io/datadog": {}, "public.ecr.aws/datadog": {}},
+				RCClient:       nil,
+				MaxInitRetries: 5,
+				InitRetryDelay: 1 * time.Second,
+				BucketID:       "0",
+				DigestCacheTTL: 1 * time.Hour,
+				Enabled:        false,
+			},
+		},
+		{
+			name: "gradual_rollout_cache_ttl_hours_configured",
+			configFactory: func(t *testing.T) config.Component {
+				mockConfig := config.NewMock(t)
+				mockConfig.SetWithoutSource("site", "datadoghq.com")
+				mockConfig.SetWithoutSource("api_key", "1234567890abcdef")
+				mockConfig.SetWithoutSource("admission_controller.auto_instrumentation.gradual_rollout.cache_ttl_hours", 2)
+				return mockConfig
+			},
+			expectedState: Config{
+				Site:           "datadoghq.com",
+				DDRegistries:   map[string]struct{}{"gcr.io/datadoghq": {}, "docker.io/datadog": {}, "public.ecr.aws/datadog": {}},
+				RCClient:       nil,
+				MaxInitRetries: 5,
+				InitRetryDelay: 1 * time.Second,
+				BucketID:       "0",
+				DigestCacheTTL: 2 * time.Hour,
+				Enabled:        true,
 			},
 		},
 	}

@@ -124,7 +124,6 @@ func (r *rcResolver) Resolve(registry string, repository string, tag string) (*R
 	defer r.mu.RUnlock()
 
 	if len(r.imageMappings) == 0 {
-		log.Debugf("Cache empty, no resolution available")
 		metrics.ImageResolutionAttempts.Inc(repository, tag, tag)
 		return nil, false
 	}
@@ -275,6 +274,9 @@ func newBucketTagResolver(cfg Config) *bucketTagResolver {
 // New creates the appropriate Resolver based on whether
 // a remote config client is available.
 func New(cfg Config) Resolver {
+	if !cfg.Enabled {
+		return NewNoOpResolver()
+	}
 	if cfg.RCClient == nil || reflect.ValueOf(cfg.RCClient).IsNil() {
 		log.Debugf("No remote config client available")
 		return NewNoOpResolver()

@@ -962,6 +962,8 @@ func InitConfig(config pkgconfigmodel.Setup) {
 		"docker.io/datadog",
 		"public.ecr.aws/datadog",
 	})
+	config.BindEnvAndSetDefault("admission_controller.auto_instrumentation.gradual_rollout.enabled", true)
+	config.BindEnvAndSetDefault("admission_controller.auto_instrumentation.gradual_rollout.cache_ttl_hours", 1)
 	config.BindEnvAndSetDefault("admission_controller.auto_instrumentation.patcher.enabled", false)
 	config.BindEnvAndSetDefault("admission_controller.auto_instrumentation.patcher.fallback_to_file_provider", false)                                // to be enabled only in e2e tests
 	config.BindEnvAndSetDefault("admission_controller.auto_instrumentation.patcher.file_provider_path", "/etc/datadog-agent/patch/auto-instru.json") // to be used only in e2e tests

@@ -0,0 +1,16 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+  - |
+    Added support for two new configurations for tag-based gradual rollout in K8s SSI deployments.
+    The gradual rollout can be configured using the following parameters:
+    - ``DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_GRADUAL_ROLLOUT_ENABLED``: Whether to enable gradual rollout (default: true)
+    - ``DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_GRADUAL_ROLLOUT_CACHE_TTL_HOURS``: The cache TTL in hours for the gradual rollout image cache (default: 1)
+       - This cache is used to store the mapping of mutable tags -> image digest for the gradual rollout, and setting this TTL helps prevent the image resolution from becoming stale.
+