ArgoCD (Self-Managing)
The self-referencing ArgoCD Application that manages ArgoCD and all other Applications
This section documents all services that ArgoCD manages on the Infra Management Cluster. The hub ArgoCD instance uses a combination of Application and ApplicationSet resources to deploy and maintain infrastructure services both locally and on remote tb-platform clusters.
Services are organised into the following categories:
| Category | Description | Count |
|---|---|---|
| Core Infrastructure | ArgoCD itself, identity, and foundational services | 6 |
| Observability Stack | Monitoring, logging, and tracing | 4 |
| Gateway & Networking | Ingress, API gateway, and VPN | 4 |
| GCP Config Connector | GCP resource management via Kubernetes | 5 |
| Platform Services | Business and operational applications | 6 |
| TB Platform Clusters | Services deployed to remote clusters via ApplicationSets | 10 |
These Application resources deploy services directly to the Infra Management Cluster:
| Application | Namespace | Source Type | File Path |
|---|---|---|---|
| argocd | argocd | Kustomize | apps/argocd.yaml |
| infra-docs-portal | argocd | Kustomize | apps/infra-services-apps.yaml |
| atlantis | argocd | Kustomize | apps/infra-services-apps.yaml |
| webhooks | argocd | Kustomize | apps/infra-services-apps.yaml |
| misc | argocd | Kustomize | apps/infra-services-apps.yaml |
| dex | argocd | Kustomize | apps/infra-services-apps.yaml |
| coredns | argocd | Kustomize | apps/infra-services-apps.yaml |
| grafana | monitoring | Kustomize | apps/monitoring-services.yaml |
| grafana-loki | grafana-loki | Helm | apps/grafana-loki.yaml |
| grafana-alloy-hub | grafana-alloy | Helm | apps/grafana-alloy.yaml |
| grafana-tempo | grafana-tempo | Helm | apps/grafana-tempo.yaml |
| tailscale-operator | tailscale | Helm | apps/tailscale-operator.yaml |
| envoy-infra-titanbay-com | envoy-infra-titanbay-com | Helm | apps/envoy-gateway-system.yaml |
| envoy-infra-titanbayapis-com | envoy-infra-titanbayapis-com | Helm | apps/envoy-gateway-system.yaml |
| envoy-infra-titanbay-internal | envoy-infra-titanbay-internal | Helm | apps/envoy-gateway-system.yaml |
| envoy-gateway-infra-titanbay-com | envoy-infra-titanbayapis-com | Kustomize | apps/envoy-gateway.yaml |
| envoy-gateway-infra-titanbayapis-com | envoy-infra-titanbayapis-com | Kustomize | apps/envoy-gateway.yaml |
| envoy-gateway-infra-titanbay-internal | envoy-infra-titanbay-internal | Kustomize | apps/envoy-gateway.yaml |
| config-connector-operator | argocd | Kustomize | apps/config-connector.yaml |
| tb-platform-infra | argocd | Kustomize | apps/config-connector.yaml |
| infra-mgmt-project | argocd | Kustomize | apps/infra-mgmt-project.yaml |
| infra-mgmt-vpc-project | argocd | Kustomize | apps/infra-mgmt-vpc-project.yaml |
| infra-security-project | argocd | Kustomize | apps/infra-security-project.yaml |
| netbox | argocd | Kustomize | apps/netbox.yaml |
| onepassword-scim-bridge | onepassword | Helm | apps/onepassword-scim-bridge.yaml |
| pamdb | pam-system | Kustomize | apps/pamdb.yaml |
| feeder-fund-simulator | tb-ops | Kustomize | apps/tb-ops-apps.yaml |
| infra-platform-google-cas-issuer | cert-manager | Helm | apps/google-cas-issuer.yaml |
| cert-manager-trust-manager | cert-manager | Helm | apps/cert-manager-trust-manager.yaml |
These ApplicationSet resources generate Applications dynamically for tb-platform clusters:
| ApplicationSet | Target Clusters | Generated Apps | File Path |
|---|---|---|---|
| tb-platform-init-resources | dev, qa, prod | 3 | application-sets/tb-platform-init.yaml |
| tb-platform-init-services | dev, qa, prod | 3 | application-sets/tb-platform-init.yaml |
| tb-platform-environments | local (per env dir) | dynamic | application-sets/tb-platform-infra.yaml |
| tb-platform-vpc-config | local (per vpc dir) | dynamic | application-sets/tb-platform-infra.yaml |
| tb-platform-external-secrets | dev, qa, prod | 3 | application-sets/tb-platform-external-secrets.yaml |
| tb-platform-grafana-alloy | dev, qa, prod | 3 | application-sets/tb-platform-grafana-alloy.yaml |
| tb-platform-1password-operator | dev, qa, prod | 3 | application-sets/tb-platform-onepassword-operator.yaml |
| tb-platform-config-connector-operator | dev, qa, prod | 3 | application-sets/tb-platform-config-connector.yaml |
| tb-platform-malware-scanner | dev, qa, prod | 3 | application-sets/tb-platform-malware-scanner.yaml |
| tb-platform-tykctl | dev, qa, prod | 3 | application-sets/tb-platform-tykctl.yaml |
| tb-platform-api-docs | dev, qa, prod | 3 | application-sets/tb-platform-api-docs.yaml |
| tb-platform-kube-green | dev, qa | 2 | application-sets/tb-platform-kube-green.yaml |
| tb-ops-project-environments | local (per env dir) | dynamic | application-sets/tb-ops-project.yaml |
All ArgoCD resources for the Infra Management Cluster are located under:
```text
k8s/infra-services/argocd/overlays/infra-platform-cluster/
├── apps/                          # Application definitions
│   ├── kustomization.yaml         # Lists all Application files
│   ├── argocd.yaml                # Self-managing ArgoCD
│   ├── infra-services-apps.yaml
│   ├── monitoring-services.yaml
│   └── ...
├── application-sets/              # ApplicationSet definitions
│   ├── kustomization.yaml         # Lists all ApplicationSet files
│   ├── tb-platform-init.yaml
│   ├── tb-platform-infra.yaml
│   └── ...
├── projects/                      # AppProject definitions
│   ├── kustomization.yaml
│   ├── infra-services-project.yaml
│   ├── tb-platform-infra.yaml
│   └── ...
├── patches/                       # Kustomize patches for ArgoCD config
└── kustomization.yaml             # Main overlay kustomization
```
The argocd Application is the foundation: it manages ArgoCD itself plus all other Applications via the app-of-apps pattern. It is defined in apps/argocd.yaml and syncs the k8s/infra-services/argocd/overlays/infra-platform-cluster overlay shown above, so the Application, ApplicationSet and AppProject definitions under that overlay are themselves reconciled by ArgoCD.
The observability stack covers monitoring, logging, and tracing:
| Service | Purpose | Deployment Type |
|---|---|---|
| Grafana | Dashboards and visualisation | Kustomize |
| Grafana Loki | Log aggregation | Helm (distributed mode) |
| Grafana Alloy | Telemetry collection | Helm |
| Grafana Tempo | Distributed tracing | Helm |
The cluster runs multiple Envoy Gateway instances for different domains:
| Instance | Domain | Purpose |
|---|---|---|
| envoy-infra-titanbay-com | *.infra.titanbay.com | Public infrastructure services |
| envoy-infra-titanbayapis-com | *.infra.titanbayapis.com | API endpoints |
| envoy-infra-titanbay-internal | Internal | Internal-only services |
Tailscale Operator provides secure VPN connectivity for operators.
Config Connector enables declarative GCP resource management:
| Application | Manages |
|---|---|
| config-connector-operator | The Config Connector operator itself |
| tb-platform-infra | Cross-environment GCP resources |
| infra-mgmt-project | Infra management GCP project resources |
| infra-mgmt-vpc-project | VPC project resources |
| infra-security-project | Security project resources |
Platform services are the business and operational applications hosted on the Infra Management Cluster:
| Service | Purpose | Details |
|---|---|---|
| Netbox | Infrastructure documentation and IPAM | Netbox |
| PAM DB | Privileged Access Management for JIT database access | PAM DB |
| 1Password SCIM Bridge | User provisioning from Google Workspace | 1Password SCIM Bridge |
| Infra Docs Portal | This documentation site | Infra Services |
| Feeder Fund Simulator | Ops team application | TB Ops |
ApplicationSets deploy services to the three tb-platform clusters (dev, qa, prod):
| Service | Purpose |
|---|---|
| Init Resources | Bootstrap namespaces, RBAC, secrets |
| Init Services | Initial service deployments |
| External Secrets | Secret management operator |
| Grafana Alloy | Telemetry collection |
| 1Password Operator | Secret injection |
| Config Connector | GCP resource management |
| Malware Scanner | ClamAV-based file scanning |
| Tykctl | Tyk API Gateway management |
| API Docs | API documentation portal |
| Kube-green | Resource scheduling for cost savings |
Updating a Kustomize-based service:
1. Edit the manifests in the base/ or overlays/ directory
2. Commit the change to main

Updating a Helm-based service:
1. Edit valuesObject in the Application YAML
2. Bump targetRevision for chart version upgrades
3. Commit the change to main

Adding a new service:
1. Create an Application in apps/ or an ApplicationSet in application-sets/
2. Add the new file to that directory's kustomization.yaml
3. Commit the change to main
4. The argocd Application will sync and create the new Application
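A drift check for the procedure above, added here as an example (it is not tooling from the infra repo): it walks a constructed stand-in for the overlay tree and reports Application or ApplicationSet files that were never added to their directory's kustomization.yaml, as well as kustomization entries that point at a file that no longer exists. Only the kustomize resources: key is real; the file contents are made up.

```python
"""Drift check for the app-of-apps overlay (added example, not repo code).

Every file under apps/ or application-sets/ must be listed in that directory's
kustomization.yaml: an unlisted file is never synced by the argocd Application,
and a listed file that does not exist breaks the kustomize build for the whole overlay.
"""
import posixpath
import re

MANAGED_DIRS = ("apps", "application-sets")

# Constructed stand-in for the overlay tree (path -> content). Two faults are planted:
# monitoring-services.yaml is not registered, tb-platform-infra.yaml is registered but missing.
OVERLAY = {
    "apps/kustomization.yaml": "resources:\n  - argocd.yaml\n  - infra-services-apps.yaml\n",
    "apps/argocd.yaml": "kind: Application\n",
    "apps/infra-services-apps.yaml": "kind: Application\n",
    "apps/monitoring-services.yaml": "kind: Application\n",
    "application-sets/kustomization.yaml":
        "resources:\n  - tb-platform-init.yaml\n  - tb-platform-infra.yaml\n",
    "application-sets/tb-platform-init.yaml": "kind: ApplicationSet\n",
}

def kustomize_resources(text: str) -> set[str]:
    """Entries of a kustomization.yaml 'resources:' list (minimal parser, no PyYAML)."""
    found, in_block = set(), False
    for line in text.splitlines():
        if re.match(r"^resources:\s*$", line):
            in_block = True
        elif in_block and (m := re.match(r"^\s+-\s*(\S+)", line)):
            found.add(m.group(1).strip("'\""))
        elif line.strip() and not line[0].isspace():
            in_block = False  # any other top-level key ends the list
    return found

def check_overlay(tree: dict[str, str]) -> dict[str, list[str]]:
    """Report files missing from their kustomization and entries pointing at no file."""
    report: dict[str, list[str]] = {"unregistered": [], "dangling": []}
    for d in MANAGED_DIRS:
        listed = kustomize_resources(tree.get(f"{d}/kustomization.yaml", ""))
        present = {posixpath.basename(p) for p in tree if posixpath.dirname(p) == d}
        present.discard("kustomization.yaml")
        report["unregistered"] += sorted(f"{d}/{n}" for n in present - listed)
        report["dangling"] += sorted(f"{d}/{n}" for n in listed - present)
    return report

if __name__ == "__main__":
    for kind, paths in check_overlay(OVERLAY).items():
        print(kind, *paths)
```

Against a real checkout, build the tree dict from the overlay directory and run the check in CI before the merge to main, so an unregistered Application is caught before ArgoCD silently ignores it.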
Related pages in this section:
- Core infrastructure applications: Atlantis, Dex, CoreDNS, Webhooks, and Docs Portal
- Grafana, Loki, Alloy, and Tempo for observability
- API Gateway and ingress using Envoy Gateway with GKE Gateway API
- Kubernetes operator for Tailscale VPN connectivity
- Declarative GCP resource management via Kubernetes
- Google CAS Issuer and Trust Manager for certificate management
- Infrastructure resource modelling and documentation tool
- Bootstrap resources and services for tb-platform clusters
- SCIM bridge for 1Password user provisioning from Google Workspace
- Privileged Access Management for just-in-time database access via Slack
- ApplicationSets that deploy services to tb-platform clusters
- Applications and GCP resources for the Ops and Finance teams