This is the streamlined setup guide for getting Confident AI running on GCP. It covers cloning the repository, configuring variables, provisioning infrastructure with Terraform, and deploying workloads via ArgoCD.
If you want detailed explanations of each step, see the step-by-step guide instead. This page assumes you already have the required tools installed and GCP credentials configured — see Requirements and Prerequisites for details.
All cloud resources are defined in .tf (Terraform) files in the gcp directory:
GKE/database/public/private-service-connect subnets with Cloud NAT, firewall rules, and Cloud DNS private zone.
Managed Kubernetes with autoscaling node pools and Workload Identity.
Secure jump host for accessing private resources inside the VPC.
Managed database with Private Service Access, automated backups, and encryption.
Automated TLS certificate management for HTTPS termination via NGINX Ingress.
Private GCS bucket with Private Google Access for application data.
ECR cross-account credentials are used only for syncing image pull secrets into the GKE cluster; they provide cross-cloud image pull credentials, not hosting for your own images.
Copy an environment template and save it as terraform.tfvars:
Open terraform.tfvars and set the following variables:
Cloud Run code executor image: First pull the image from 128045499490.dkr.ecr.us-east-1.amazonaws.com/confident-code-sandbox-cloud-run:<tag>, push it to your own Artifact Registry, then use its URI in code_executor_cloud_run_image_uri. Cloud Run requires the image to be in your project’s private Artifact Registry.
For detailed explanations of each variable, see the Configuration page.
Approve when prompted. This takes 15-25 minutes and provisions the VPC, GKE cluster, Cloud SQL instance, GCS buckets, Secret Manager, service accounts, and Helm releases.
External Secrets syncs credentials from Google Secret Manager into Kubernetes.
Edit app/base/common/external-secrets/external-secrets.yaml and update the key field for each secret block. Set it based on your confident_environment variable:
stage: confidentai-stage-confident-secret
prod: confidentai-prod-confident-secret
Then in app/base/common/secret-store/secret-store.yaml, update the projectID: field to match your confident_gcp_project_id value.
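The tfvars step above and this manifest step both depend on the same three values (confident_environment, confident_gcp_project_id and code_executor_cloud_run_image_uri), and a mismatch only surfaces later as a failed secret sync or a Cloud Run image pull error. The script below is an added example, not code from the Confident AI repository: it reads those values from terraform.tfvars, refuses to continue if the environment is not stage or prod or if the code executor image is not in your project's Artifact Registry, and then rewrites the key: and projectID: fields in the two manifests. It assumes the manifests carry plain key: and projectID: lines as described above; the sample tfvars and manifests it creates in demo are constructed stand-ins, not the repository's files.

```shell
#!/bin/sh
# Added example (not part of the Confident AI repository): pre-flight checks for
# terraform.tfvars and an in-place update of the External Secrets manifests.
# Assumes the variable names used in this guide (confident_environment,
# confident_gcp_project_id, code_executor_cloud_run_image_uri) and that the
# manifests carry plain "key:" and "projectID:" fields. File paths are arguments.

# tfvar FILE NAME: print the value of NAME from a tfvars file (first match,
# surrounding quotes stripped); prints nothing if NAME is not set.
tfvar() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# secret_key ENV: the Secret Manager key this guide prescribes for ENV.
# Only the two environments named in the guide are accepted.
secret_key() {
  case "$1" in
    stage|prod) printf 'confidentai-%s-confident-secret\n' "$1" ;;
    *) echo "unsupported confident_environment '$1' (expected stage or prod)" >&2; return 1 ;;
  esac
}

# check_tfvars FILE: succeed only if the values the manifests depend on are sane.
check_tfvars() {
  cenv=$(tfvar "$1" confident_environment)
  project=$(tfvar "$1" confident_gcp_project_id)
  image=$(tfvar "$1" code_executor_cloud_run_image_uri)
  secret_key "$cenv" >/dev/null || return 1
  [ -n "$project" ] || { echo "confident_gcp_project_id is not set" >&2; return 1; }
  # Cloud Run pulls from your own Artifact Registry, so reject the ECR source
  # URI (or any registry outside this project) before terraform apply.
  case "$image" in
    *-docker.pkg.dev/"$project"/*) ;;
    *) echo "code_executor_cloud_run_image_uri must be an Artifact Registry URI in project '$project', got '$image'" >&2
       return 1 ;;
  esac
}

# patch_manifests TFVARS EXTERNAL_SECRETS_YAML SECRET_STORE_YAML: rewrite every
# "key:" line in the ExternalSecret manifest and the "projectID:" line in the
# SecretStore manifest so they match terraform.tfvars.
patch_manifests() {
  check_tfvars "$1" || return 1
  key=$(secret_key "$(tfvar "$1" confident_environment)")
  project=$(tfvar "$1" confident_gcp_project_id)
  sed -i.bak "s/^\([[:space:]]*key:[[:space:]]*\).*$/\1$key/" "$2" && rm -f "$2.bak"
  sed -i.bak "s/^\([[:space:]]*projectID:[[:space:]]*\).*$/\1$project/" "$3" && rm -f "$3.bak"
}

# demo: run the whole flow on constructed sample files in a temp directory and
# print that directory; the files are stand-ins, not the repository's manifests.
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/terraform.tfvars" <<'EOF'
confident_environment             = "stage"
confident_gcp_project_id          = "example-project"
code_executor_cloud_run_image_uri = "us-east1-docker.pkg.dev/example-project/confident/confident-code-sandbox-cloud-run:v1"
EOF
  cat > "$d/external-secrets.yaml" <<'EOF'
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
  data:
    - secretKey: EXAMPLE_SETTING
      remoteRef:
        key: REPLACE_ME
        property: EXAMPLE_SETTING
EOF
  cat > "$d/secret-store.yaml" <<'EOF'
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
spec:
  provider:
    gcpsm:
      projectID: REPLACE_ME
EOF
  patch_manifests "$d/terraform.tfvars" "$d/external-secrets.yaml" "$d/secret-store.yaml" || return 1
  echo "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh preflight.sh demo` to see the flow on the sample files, or source it and call `patch_manifests terraform.tfvars app/base/common/external-secrets/external-secrets.yaml app/base/common/secret-store/secret-store.yaml` from the gcp directory after you have filled in terraform.tfvars. The Artifact Registry check is deliberately strict about the project segment so that an image left pointing at the ECR source, or at another project's registry, fails here rather than at first Cloud Run invocation.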
In app/base/network/ingress.yaml, update the annotations block with your cert-manager ClusterIssuer and ingress class:
Unlike AWS (which uses ACM), GCP deployments use cert-manager with Let’s Encrypt. Create a ClusterIssuer resource first — see TLS Certificates for the manifest. Ensure your NGINX Ingress controller is reachable from Let’s Encrypt for HTTP-01 challenges.
ArgoCD installation via Terraform is enabled in helm-charts.tf (lines 69-104). If the Terraform runner’s context window is exceeded, you’ll need to install ArgoCD manually using Helm.
To install ArgoCD manually:
A few things to keep in mind:
Replace <External | Internal> based on your setup: use External if confident_public_gke is true, otherwise Internal.
Replace <your_admin_password> with the same value you provided to the argocd_admin_password Terraform variable.
Once ArgoCD is running:
Run terraform output to review the provisioned resource values.
Apply app/argocd/app-of-apps.yaml to start automated deployment of all Kubernetes workloads.
ArgoCD deploys everything described in app-of-apps.yaml. You may need to approve access or confirm secrets sync depending on your cluster security settings.
To install the Datadog Agent on your GKE cluster, use the official Datadog Helm chart:
Replace <your-gke-cluster-name> with your GKE cluster name (available from terraform output or the GCP Console). Use your actual Datadog API Key and Application Key for authentication.
For further configuration (tags, proxy, extra features), see the Datadog Helm chart documentation.
Done ✅ All major components and workloads are handled via Terraform and ArgoCD (app-of-apps pattern).
You’ve completed the quickstart setup. Here’s what to do next: