Google Cloud
All Tomoda compute, data, secrets, and CI live in a single GCP project: development-485000, region asia-east1. Environment separation (dev vs prod) is done with Kubernetes namespaces inside one GKE cluster — there are no per-environment GCP projects.
Terraform code for everything below is in infrastructure/gcp/. Remote state lives in the GCS bucket development-485000-tfstate (default workspace).
- The big picture: project layout, region choice, namespace-based env split, and a Mermaid diagram of every resource Terraform manages.
- gke-tomoda in asia-east1-a. Two node pools (one idle, one active), Workload Identity, deletion protection on.
- Custom VPC, single regional subnet, secondary ranges for pods and services. No Cloud NAT.
- Four triggers (backend/frontend × dev/prod), tied to the tomoda GitHub repo. Dev requires manual approval; prod fires on semver tags.
- Two Docker repos (tomoda-dev-repo, tomoda-prod-repo). Image-updater SA pulls metadata for Argo CD Image Updater.
- Helm-installed Argo CD with Dex + Google OAuth restricted to tomoda.life. ClusterIP exposed through Traefik + oauth2-proxy.
- The IAP brand, OAuth client, and Secret Manager entry used by Argo CD and oauth2-proxy.
- GCS bucket for multilingual Photon indexes. Public-read, lifecycle to Nearline then delete. CronJob currently suspended.
- tomoda-db-backups-${project_id}. CNPG Barman writes WAL + base backups here via Workload Identity.
- All Workload Identity bindings in one place: which K8s SA impersonates which GCP SA, and what it gets access to.