Data Plane

First, run this GCP command to obtain new credentials:

gcloud auth application-default login

Your browser will open to connect to GCP, and then you will get this message:

You are now logged in as your GCP account email address.

You can change your current project by running:

gcloud config set project <PROJECT-ID>

Replace the PROJECT-ID placeholder with your current GCP project ID.

You may get this error message, and you should enter Y:

WARNING: Your active project does not match the quota project in your local Application Default Credentials file. This might result in unexpected quota issues.

To update your Application Default Credentials quota project, use the following command.

gcloud auth application-default set-quota-project <PROJECT-ID>

You might encounter the following on your first run:

WARNING: You do not appear to have access to project [<PROJECT-ID>], or it does not exist._
Are you sure you wish to set property [core/project] to &lt;PROJECT-ID&gt;?_
Do you want to continue (Y/n)?_

Type Y, and you will see:

Updated property [core/project].

Next, run this command and verify that your GCP project is devzero-kubernetes-sandbox:

gcloud config get-value project

Your GCP user account must have the "Kubernetes Engine Admin" role assigned for the correct project.

gcloud projects get-iam-policy <project-id> \
    --filter="bindings.role:roles/container.admin" \
    --flatten="bindings[].members" \
    --format="table(bindings.role,bindings.members)"

Replace the PROJECT-ID placeholder with your current GCP project ID.

For a user account:

gcloud projects add-iam-policy-binding <project-id> \
  --member="user:<your-email@domain.com>" \
  --role="roles/container.admin"

Replace the placeholders, your-email@domain.com and project-id with your GCP registered email account and current GCP Project ID respectively.

For a service account:

gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:<your-service-account>@<project-id>.iam.gserviceaccount.com" \
  --role="roles/container.admin"

Replace the placeholders, your-service-account and project-id with your GCP service account and current GCP Project ID respectively.

Enable the GKE API for the terraform script to interact with the cluster.

gcloud services enable container.googleapis.com

gcloud components update

gcloud components install gke-gcloud-auth-plugin

Create a new namespace called devzero-self-hosted by running:

kubectl create ns devzero-self-hosted

Install the CRDs which are prerequisites to set up a DevZero region on the GKE cluster.

helm upgrade --install dz-crds oci://public.ecr.aws/v1i4e1r2/charts/dz-crds \
  -n devzero-self-hosted \
  --version 0.1.2

Install the helm charts to set up the DevZero data plane. Contact the DevZero team at support@devzero.io to get the values for:

• <CEDANA-AUTH-TOKEN>
• <SIGNOZ-ACCESS-TOKEN>

helm upgrade --install dz-data-plane oci://public.ecr.aws/v1i4e1r2/charts/dz-data-plane \
  -n devzero-self-hosted \
  --version 0.1.2 \
  --set cedana-helm.cedanaConfig.signozAccessToken=<SIGNOZ-ACCESS-TOKEN> \
  --set cedana-helm.cedanaConfig.cedanaAuthToken=<CEDANA-AUTH-TOKEN>

To track progress:

watch kubectl get pods -n devzero-self-hosted

Verify that everything works:

kubectl get pods -n devzero-self-hosted

Visit the regions page on the DevZero dashboard and click Add New.

Use the retrieved values (token, URL, and CA certificate) to connect the self-hosted DevZero region to your team:

Cluster Name

Enter something meaningful and unique.

Examples: Madrid (europe-southwest1), Mumbai (asia-south1), Los Angeles (us-west2), The Dalles (us-west1)

Region ID

Enter a cloud-friendly region name (does not necessarily have to be unique).

To preserve familiarility, feel free to reuse existing GCP terms. For a list of GCP Region Names, click here.

Examples: asia-south1 (Mumbai), europe-southwest1 (Madrid), us-west1 (The Dalles), us-west2 (Los Angeles)

Cluster URL

To get the Cluster URL/IP:

kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'

For example,

% kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'
https://35.236.26.173

Cluster CA Certificate

To get the Cluster CA certificate:

kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'

For example,

% kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
LS0tLS1CRUdJTi.....FUlRJRklDQVRFLS0tLS0K

Service Account Name

To get the name of the Service Account:

kubectl get serviceaccounts -n devzero-self-hosted

Service Account Token

To get the Service Account Token:

kubectl get secret devzero-sa-token -n devzero-self-hosted -o jsonpath='{.data.token}' | base64 -d

For example,

% kubectl get secret devzero-sa-token -n devzero-self-hosted -o jsonpath='{.data.token}' | base64 -d
eyJhbGciOi......pMWncc3bxGtreh9fDTgg

Slug

To get the slug:

gcloud container clusters describe <cluster-name> --zone <zone/region> --format json | jq -r '.controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint | split(".")[0]'

Replace <cluster-name> with the name of the GKE cluster, and <zone> with the zone its located in (eg: europe-southwest1, asia-south1, us-west2, us-west1).

For example,

% gcloud container clusters describe <cluster-name> --zone <zone/region> --format json | jq -r '.controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint | split(".")[0]'
gke-d472a3765c8740d4aaa1442eb78df5beaa4d-354385559261