Verification
Overview
You’ve provisioned infrastructure and deployed the application. This final step verifies everything works correctly. You will:
- Confirm all infrastructure components (GKE, Cloud SQL, GCS, secrets) are healthy
- Configure DNS to point to your load balancer
- Test application access via the frontend and backend URLs
- Run functional tests (user login, project creation, SDK connectivity)
- Check health endpoints for each service
- Complete a production readiness checklist
After this step, your deployment is verified and ready for users.
Infrastructure verification
Before testing the application, verify all infrastructure components are healthy.
GKE cluster health
All nodes should show Ready:
Nodes stuck in NotReady? Check for issues:
Look at the “Conditions” section for clues. Common causes: network plugin issues, insufficient resources, or failed health checks.
Cloud SQL connectivity
Verify the database is accessible from the cluster by checking backend logs:
You should see successful connection messages, not connection refused errors.
Check Cloud SQL status in GCP Console:
- Go to GCP Console → SQL → Instances
- Find your instance
- State should be “Runnable”
Secret Manager secrets
Verify secrets exist and External Secrets can read them:
Cloud Storage
Verify the buckets exist:
You should see three buckets (e.g., confidentai-stage-testcases, confidentai-stage-payloads, and confidentai-stage-chbackups).
Storage is used for file uploads. If storage connectivity fails, users
won’t be able to upload datasets or export reports. The backend uses GCP
Workload Identity to access GCS—verify the confident-storage-sa service
account exists.
DNS configuration
The NGINX Ingress controller has a GCP Network Load Balancer IP. DNS records must point to it.
Get the Load Balancer IP
Example output:
GCP uses IP addresses, not hostnames. Unlike AWS ALBs which have hostnames, GCP Network Load Balancers use static IP addresses. You create DNS A records (not CNAME records) pointing your domains to this IP.
Create DNS records
Add A records for each hostname you configured in the ingress:
A records vs. CNAME:
- A record: Points a hostname to an IP address. Used for GCP Network Load Balancers.
- CNAME: Points a hostname to another hostname. Cannot be used for GCP LB IPs.
Corporate DNS changes may require approval. If your DNS is managed by an internal team, submit change requests for all four records. Factor in approval time—this can delay verification by hours or days.
Verify DNS propagation
After adding records, verify they resolve correctly:
You should see the Load Balancer IP in the response. If you see “NXDOMAIN” or your old values, wait for DNS propagation (typically 5-30 minutes, up to 48 hours for some providers).
Application verification
Frontend access
Open your frontend URL in a browser:
What you should see:
- HTTPS (padlock icon) — certificate is working
- Confident AI login page — application is serving
- Google OAuth button (if configured) — SSO is set up
Certificate errors?
- “NET::ERR_CERT_COMMON_NAME_INVALID” — The certificate doesn’t cover this domain. Verify the ingress TLS hosts include the right domain names.
- “NET::ERR_CERT_DATE_INVALID” — Certificate isn’t issued yet. Check cert-manager status:
kubectl get certificate -n confident-ai - “Your connection is not private” — If using self-signed certs, this is expected. For Let’s Encrypt, check the ClusterIssuer is ready.
Backend health check
The backend exposes a health endpoint:
Expected response:
Connection refused or timeout?
- DNS not propagated: Wait and retry
- Firewall blocking: Check VPC firewall rules allow inbound HTTPS
- Ingress not ready: Check
kubectl get ingress -n confident-aifor an address - Backend not running: Check pod status with
kubectl get pods -n confident-ai
Evals health check
Expected: {"status":"healthy"}
OTEL collector health
Expected: {"status":"ok"}
Functional testing
Test 1: User login
- Navigate to
https://app.yourdomain.com - Click “Sign in with Google” (or your configured auth provider)
- Complete authentication
- Expected: Redirected to dashboard, user session created
OAuth errors?
- “redirect_uri_mismatch” — The redirect URI in Google Console doesn’t match. It must be exactly
https://api.yourdomain.com/api/auth/callback/google. - “access_denied” — User not authorized. Check if OAuth app restricts to certain domains.
- Infinite redirect loop —
confident_subdomainmay be misconfigured. Must be root domain, not full subdomain.
Test 2: Create a project
- From the dashboard, click “New Project”
- Enter a project name
- Click Create
- Expected: Project created successfully, appears in list
This verifies database connectivity and basic write operations.
Test 3: API key generation
- Go to Project Settings → API Keys
- Click “Generate API Key”
- Copy the generated key
- Expected: API key displayed (save it—it won’t be shown again)
Test 4: SDK connectivity
From your local machine (or any machine that can reach the backend):
Expected: True or success message
SDK can’t connect?
- “Connection refused” — Backend not reachable. Check DNS and network connectivity.
- “401 Unauthorized” — API key invalid. Generate a new one.
- “SSL certificate verify failed” — Certificate issue. Check the URL is using HTTPS and cert is valid.
If your machine can’t reach the backend directly (internal LB), run this test from within the same network (VPN) or from a pod inside the cluster.
Test 5: Run a simple evaluation
Expected: Evaluation runs and results appear in the dashboard.
Evaluation fails with API errors?
- “OpenAI API error” —
openai_api_keynot configured or invalid - “timeout” — Network can’t reach OpenAI. Check outbound connectivity to
api.openai.com - “Rate limited” — OpenAI quota exceeded. Check your OpenAI usage limits.
Your cluster needs outbound HTTPS access to OpenAI (or your configured LLM provider).
Service health checks
Run comprehensive health checks on all services:
View logs for troubleshooting
Production readiness checklist
Before announcing the deployment is ready for users, verify:
Security
- HTTPS working on all endpoints (padlock icon in browser)
- TLS certificate valid and not expiring soon
- Firewall rules restrict access appropriately
- Cloud SQL not publicly accessible (Private Service Access only)
- GCS buckets have uniform access and no public objects
- Secret Manager has access controls configured
-
terraform.tfvarsnot committed to version control
High availability
- At least 2 worker nodes running
- At least 2 replicas for backend service (scale if not)
- Cloud SQL has regional HA enabled (if required)
- Worker pool autoscaling configured for traffic spikes
Monitoring (recommended)
- Cloud Monitoring configured for GKE
- Cloud SQL metrics and alerts enabled
- GKE Container logging enabled
- Alerts configured for node health, pod restarts, errors
Operations
- Team members have cluster access (see Cluster Access page)
- Runbook documented for common issues
- Backup strategy confirmed for Cloud SQL
- Upgrade path understood for future releases
What to do if verification fails
Don’t panic. Most issues have straightforward fixes:
- Identify the failing component: Use the checks above to isolate which part isn’t working
- Check logs:
kubectl logsfor pod issues, GCP Console for service-level issues - Review configuration: Typos in URLs, missing certificates, wrong secret names
- Check network: Firewall rules, DNS propagation, VPN connectivity
- Contact support: If stuck, reach out to your Confident AI representative with:
- What step failed
- Exact error messages
- Results of relevant
kubectl getcommands
Summary
You’ve completed the Confident AI deployment on GCP:
- Prerequisites — Installed tools and gathered credentials
- Configuration — Set up Terraform variables
- Provisioning — Created GCP infrastructure
- TLS Certificates — Configured cert-manager and ClusterIssuer
- Cluster Access — Configured kubectl access
- Kubernetes Deployment — Deployed application services
- Verification — Tested everything works
Your deployment is now ready for users. Welcome to Confident AI!
Need help? Contact your Confident AI representative or email support@confident-ai.com with details about your deployment and any issues encountered.