DevZero Logo
DevZero
InstallGCP

Data Plane

Self-hosting a DevZero Data Plane on GCP GKE.

Prerequisites

Checkout out the Checklist Page to make sure you have the required permissions in GCP to set up the Data Plane.

Setting up the infrastructure

gcloud configuration and IAM setup

If you have a GCP account, use the gcloud CLI command to change the current project to your project name. Or, log in to your GCP console and create a new project.

In GCP, drop the project selector at the top of your screen and create a new project. You should see your project in the list:

Configuring gcloud CLI to interact with the project

First, run this GCP command to obtain new credentials:

gcloud auth application-default login

Your browser will open to connect to GCP, and then you will get this message:

You are now logged in as your GCP account email address.

You can change your current project by running:

gcloud config set project <PROJECT-ID>

Replace the PROJECT-ID placeholder with your current GCP project ID.

You may get this error message, and you should enter Y:

WARNING: Your active project does not match the quota project in your local Application Default Credentials file. This might result in unexpected quota issues.

To update your Application Default Credentials quota project, use the following command.

gcloud auth application-default set-quota-project <PROJECT-ID>

You might encounter the following on your first run:

WARNING: You do not appear to have access to project [<PROJECT-ID>], or it does not exist._
Are you sure you wish to set property [core/project] to &lt;PROJECT-ID&gt;?_
Do you want to continue (Y/n)?_

Type Y, and you will see:

Updated property [core/project].

Next, run this command and verify that your GCP project is devzero-kubernetes-sandbox:

gcloud config get-value project

Your GCP user account must have the "Kubernetes Engine Admin" role assigned for the correct project.

gcloud projects get-iam-policy <project-id> \
    --filter="bindings.role:roles/container.admin" \
    --flatten="bindings[].members" \
    --format="table(bindings.role,bindings.members)"

Replace the PROJECT-ID placeholder with your current GCP project ID.

Ensure the necessary permissions (container.clusters.create) are explicitly granted. This permission is part of the roles/container.admin role.

Assign the Kubernetes Engine Admin role to your account or service account:

For a user account:

gcloud projects add-iam-policy-binding <project-id> \
  --member="user:<your-email@domain.com>" \
  --role="roles/container.admin"

Replace the placeholders, your-email@domain.com and project-id with your GCP registered email account and current GCP Project ID respectively.

For a service account:

gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:<your-service-account>@<project-id>.iam.gserviceaccount.com" \
  --role="roles/container.admin"

Replace the placeholders, your-service-account and project-id with your GCP service account and current GCP Project ID respectively.

Enable the GKE API for the terraform script to interact with the cluster.

Enable the GKE API.

gcloud services enable container.googleapis.com

Update the gcloud component tree.

gcloud components update

Install the GKE gcloud plugin.

gcloud components install gke-gcloud-auth-plugin

Setting up a GKE cluster

Deploying the Helm Charts

Create a new namespace called devzero-self-hosted by running:

kubectl create ns devzero-self-hosted

Install the CRDs which are prerequisites to set up a DevZero region on the GKE cluster.

helm upgrade --install dz-crds oci://public.ecr.aws/v1i4e1r2/charts/dz-crds \
  -n devzero-self-hosted \
  --version 0.1.2

Install the helm charts to set up the DevZero data plane. Contact the DevZero team at support@devzero.io to get the values for:

  • <CEDANA-AUTH-TOKEN>
  • <SIGNOZ-ACCESS-TOKEN>
helm upgrade --install dz-data-plane oci://public.ecr.aws/v1i4e1r2/charts/dz-data-plane \
  -n devzero-self-hosted \
  --version 0.1.2 \
  --set cedana-helm.cedanaConfig.signozAccessToken=<SIGNOZ-ACCESS-TOKEN> \
  --set cedana-helm.cedanaConfig.cedanaAuthToken=<CEDANA-AUTH-TOKEN>

Installing the helm charts

To track progress:

watch kubectl get pods -n devzero-self-hosted

Verify that everything works:

kubectl get pods -n devzero-self-hosted

Connecting to DevZero

Connect this Data Plane to DevZero

Visit the regions page on the DevZero dashboard and click Add New. Configuring the cluster in the DevZero dashboard

Use the retrieved values (token, URL, and CA certificate) to connect the self-hosted DevZero region to your team: Configuring the cluster in the DevZero dashboard

Fetching Cluster Configuration

After deploying the Helm chart, retrieve the following values for integration with the DevZero dashboard:

Cluster Name

Enter something meaningful and unique.

Examples: Madrid (europe-southwest1), Mumbai (asia-south1), Los Angeles (us-west2), The Dalles (us-west1)

Region ID

Enter a cloud-friendly region name (does not necessarily have to be unique).

To preserve familiarility, feel free to reuse existing GCP terms. For a list of GCP Region Names, click here.

Examples: asia-south1 (Mumbai), europe-southwest1 (Madrid), us-west1 (The Dalles), us-west2 (Los Angeles)

Cluster URL

To get the Cluster URL/IP:

kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'

For example,

% kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'
https://35.236.26.173

Add the string as is, without leading or trailing whitespaces.

Cluster CA Certificate

To get the Cluster CA certificate:

kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'

For example,

% kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
LS0tLS1CRUdJTi.....FUlRJRklDQVRFLS0tLS0K

Add the string as is, without leading or trailing whitespaces.

Service Account Name

To get the name of the Service Account:

kubectl get serviceaccounts -n devzero-self-hosted

Usually, this should be devzero-sa-token.

Add the string as is, without leading or trailing whitespaces.

Service Account Token

To get the Service Account Token:

kubectl get secret devzero-sa-token -n devzero-self-hosted -o jsonpath='{.data.token}' | base64 -d

For example,

% kubectl get secret devzero-sa-token -n devzero-self-hosted -o jsonpath='{.data.token}' | base64 -d
eyJhbGciOi......pMWncc3bxGtreh9fDTgg

Add the string as is, without leading or trailing whitespaces.

Slug

To get the slug:

gcloud container clusters describe <cluster-name> --zone <zone/region> --format json | jq -r '.controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint | split(".")[0]'

Replace <cluster-name> with the name of the GKE cluster, and <zone> with the zone its located in (eg: europe-southwest1, asia-south1, us-west2, us-west1).

For example,

% gcloud container clusters describe <cluster-name> --zone <zone/region> --format json | jq -r '.controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint | split(".")[0]'
gke-d472a3765c8740d4aaa1442eb78df5beaa4d-354385559261

Previous

Control Plane

Next

Kubernetes

On this page