Kubernetes

Tomoda runs on a single GKE cluster (gke-tomoda in asia-east1-a). There are no separate clusters per environment — dev and prod are Kubernetes namespaces inside the same control plane, sharing the same nodes and the same system services.

The entire cluster is driven by Argo CD using the app-of-apps pattern. Two bootstrap manifests (k8s/envs/dev/bootstrap.yaml and k8s/envs/prod/bootstrap.yaml) point Argo CD at the rest of the repo, and Argo CD reconciles everything else.
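To make the app-of-apps wiring concrete, below is an added example of what a bootstrap root for the dev environment can look like. It is illustrative only, not the contents of the repo's k8s/envs/dev/bootstrap.yaml; the repository URL is a placeholder, and the child directory path and sync options are assumptions chosen to match the layout described on this page.

```yaml
# Added example of an app-of-apps root Application (not the project's own manifest).
# The root Application points Argo CD at a directory of *other* Application CRs
# (here assumed to be k8s/envs/dev/sys/), so Argo CD reconciles the children on its own.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dev-sys                      # child name from this page; root naming is assumed
  namespace: argocd                  # Argo CD's own namespace, as in the namespace diagram
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # delete children when the root is deleted
spec:
  project: default                   # assumption: a dedicated AppProject would narrow what this root may deploy
  source:
    repoURL: https://example.invalid/tomoda/infra.git   # placeholder, not the real repo
    targetRevision: main             # assumption
    path: k8s/envs/dev/sys           # directory of Application CRs for the system services
    directory:
      recurse: true                  # pick up nested manifests under sys/
  destination:
    server: https://kubernetes.default.svc   # the in-cluster API server
    namespace: argocd                # child Application CRs must live in argocd to be reconciled
  syncPolicy:
    automated:
      prune: true                    # remove children that disappear from git
      selfHeal: true                 # revert out-of-band edits back to the git state
    syncOptions:
      - CreateNamespace=true
```

Two things are worth checking when reading a root like this: `destination.namespace` must be the Argo CD namespace, because the objects it creates are Application CRs that Argo CD only watches there, and `prune: true` on a root means removing a child's file from git deletes that child and everything it manages, which is exactly why the prod root on this page is kept narrower than the dev root.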

Namespace layout

graph TB
    subgraph cluster["GKE cluster — gke-tomoda"]
        argocd[argocd<br/>Argo CD + image-updater]
        traefik[traefik-system<br/>ingress controller]
        certmgr[cert-manager<br/>Let's Encrypt + CRDs]
        eso[external-secrets<br/>ESO + ClusterSecretStores]
        extdns[external-dns<br/>Cloudflare DNS sync]
        sys[sys<br/>oauth2-proxy + Traefik middlewares]
        monitoring[monitoring<br/>kube-prometheus-stack + Loki + Grafana]
        cnpg[cnpg-system<br/>CloudNativePG operator]
        data[data<br/>postgres / redis / photon]
        tomoda[tomoda<br/>dev app]
        prod[prod<br/>prod app]
    end

    argocd -.reconciles.-> traefik
    argocd -.reconciles.-> certmgr
    argocd -.reconciles.-> eso
    argocd -.reconciles.-> extdns
    argocd -.reconciles.-> sys
    argocd -.reconciles.-> monitoring
    argocd -.reconciles.-> cnpg
    argocd -.reconciles.-> data
    argocd -.reconciles.-> tomoda
    argocd -.reconciles.-> prod

Same cluster, two environments

The tomoda namespace runs the dev build of the app; prod runs the production build. They share Postgres clusters (different databases inside the data namespace), the same Redis, the same Traefik, the same monitoring stack. The only thing that differs is the app image tag and a handful of envFrom secrets.

How to navigate this section

  • Argo CD
    Operational guide to the GitOps layer: bootstrap manifests, Application CRs, sync workflow, Image Updater, OAuth gating on the UI.

  • Apps
    The tomoda and prod workloads: backend Deployment, Service, Ingress, ExternalSecrets. Documentation pending.

  • Middleware
    Per-environment data plane: Postgres (CNPG), Redis, Photon, pgAdmin, RedisInsight. Lives under k8s/envs/{dev,prod}/middleware/. Documentation pending.

  • System
    Cluster-wide infrastructure installed once via dev's bootstrap and shared across all environments: Traefik, cert-manager, External-DNS, External Secrets, oauth2-proxy, Prometheus stack, Loki.

Reading the repo

| Repo path                    | What lives there                                                              |
|------------------------------|-------------------------------------------------------------------------------|
| k8s/envs/dev/bootstrap.yaml  | App-of-apps root for the dev environment — installs dev-sys and dev-middleware. |
| k8s/envs/prod/bootstrap.yaml | App-of-apps root for prod — installs prod-middleware only (no prod-sys).       |
| k8s/envs/dev/sys/            | Argo CD Application CRs for every system service.                             |
| k8s/envs/dev/middleware/     | Dev data plane (Postgres, Redis, Photon, app).                                 |
| k8s/envs/prod/middleware/    | Prod data plane.                                                              |

Cluster provisioning itself (node pools, networking, Workload Identity) is in Infrastructure → GCP → GKE.