Install the Datadog Agent on Kubernetes using the Datadog Operator — required before enabling Single Step Instrumentation (SSI), which automatically instruments applications for APM without code changes. Only use if no Datadog Agent is deployed on the cluster yet.
Before doing anything else: Fully resolve all variables in
## Context to resolve before acting. Do not begin Step 1 until every variable has a concrete value.
NEVER ask the user to type
DD_API_KEYor any secret in the conversation. Credentials must come from theenvironmentfile only. If the key is missing, tell the user to create the file and source it — do not ask for the value in chat.
[ -f environment ] && source environment && echo "Loaded credentials from ./environment file" || echo "No environment file found"
echo "DD_API_KEY set: $([ -n "${DD_API_KEY:-}" ] && echo yes || echo no)"
echo "DD_SITE: ${DD_SITE:-not set}"
echo "helm: $(helm version --short 2>/dev/null || echo NOT FOUND)"
If helm is not found — tell the user:
helmis required for this skill. Install it with:brew install helm # macOS # or see https://helm.sh/docs/intro/install/ for other platformsOnce installed, let me know and I'll continue.
Do not proceed until helm is available.
If DD_API_KEY is already set — proceed to Prerequisites.
If DD_API_KEY is not set — tell the user:
"Please create an
environmentfile in this directory (it's git-ignored and never committed):export DD_API_KEY='your-api-key-here' export DD_SITE='datadoghq.com'Then run
! source environmentin this chat to load it. I'll wait — do not paste the key here."
Once sourced, re-run the check above and verify DD_API_KEY is set before continuing.
Why a file? Claude's shell session is separate from your terminal —
exportcommands in your terminal don't reach here. Theenvironmentfile is the persistent, session-safe way to pass credentials. It is git-ignored so it will never be committed.
kubectl versionhelm versionkubectl config current-contextpup --version; if missing, install with brew tap datadog-labs/pack && brew install pup| Variable | How to resolve |
|---|---|
CLUSTER_NAME | Check repo IaC, scripts, or kubectl config current-context |
DD_SITE | Ask the user. Default: datadoghq.com. Common options: datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ap1.datadoghq.com. Full list: https://docs.datadoghq.com/getting_started/site/ |
AGENT_NAMESPACE | Use datadog unless the repo already uses datadog-agent consistently |
CHART_VERSION | Run helm search repo datadog/datadog-operator --versions | head -5 and use the latest stable |
helm list -A | grep -i datadog
If a release shows deployed — Agent already installed. Skip to Step 5 to confirm health, then exit.
If there is no output — no existing install. Continue to Step 2.
helm repo add datadog https://helm.datadoghq.com
helm repo update
helm upgrade --install datadog-operator datadog/datadog-operator \
--namespace <AGENT_NAMESPACE> \
--create-namespace \
--version <CHART_VERSION>
kubectl wait --for=condition=Ready pod \
-l app.kubernetes.io/name=datadog-operator \
-n <AGENT_NAMESPACE> \
--timeout=120s
If the Operator pod is Running — continue to Step 3.
ERROR: Pod not ready after 120s — check image pull: kubectl describe pod -l app.kubernetes.io/name=datadog-operator -n <AGENT_NAMESPACE>.
export DD_API_KEY=<your-api-key>
kubectl create secret generic datadog-secret \
--from-literal api-key=$DD_API_KEY \
--namespace <AGENT_NAMESPACE>
If secret/datadog-secret created — continue to Step 4.
ERROR: AlreadyExists — confirm which key it holds via Step 5 before deciding whether to recreate.
[DECISION: cluster type]
kubelet.tlsVerify: false inside spec.globalkubelet.tlsVerify entirely[DECISION: APM/SSI also being enabled in this session]
DatadogAgent for APM — extend this same manifest with features.apm per enable-ssi. One manifest, not two.Save the following as datadog-agent.yaml:
apiVersion: datadoghq.com/v2alpha1