GCP Config Connector

Declarative GCP resource management via Kubernetes

Config Connector enables managing GCP resources declaratively through Kubernetes custom resources. The Infra Management Cluster runs the Config Connector operator and manages resources for multiple GCP projects.

ArgoCD Resources

Application                 Namespace   Purpose
config-connector-operator   argocd      The Config Connector operator
tb-platform-infra           argocd      Cross-environment GCP resources
infra-mgmt-project          argocd      Infra management GCP project
infra-mgmt-vpc-project      argocd      VPC project resources
infra-security-project      argocd      Security project resources

File Paths

Application                                    File
config-connector-operator, tb-platform-infra   apps/config-connector.yaml
infra-mgmt-project                             apps/infra-mgmt-project.yaml
infra-mgmt-vpc-project                         apps/infra-mgmt-vpc-project.yaml
infra-security-project                         apps/infra-security-project.yaml

Config Connector Operator

The operator watches for ConfigConnectorContext resources and creates controllers to manage GCP resources.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: config-connector-operator
spec:
  syncPolicy:
    automated:
      prune: false
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    path: k8s/infra-services/gcp-config-connector
    repoURL: https://github.com/Titanbay/infra-services
    targetRevision: 'main'

Source: k8s/infra-services/gcp-config-connector/

TB Platform Infrastructure

Cross-environment GCP resources for the tb-platform projects.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tb-platform-infra
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/tb-platform-infra
    targetRevision: 'main'

Source Structure:

k8s/tb-platform-infra/
├── base/                    # Shared resources
├── env/                     # Per-environment resources
│   ├── base/
│   ├── dev/
│   ├── qa/
│   └── prod/
└── vpc/                     # VPC-related resources
    ├── base/
    ├── dev/
    ├── qa/
    └── prod/

Infra Management Project

GCP resources for the main infrastructure management project.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-mgmt-project
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-mgmt-project
    targetRevision: 'main'

Source: k8s/infra-services/tb-infra-mgmt-project/

Infra Management VPC Project

VPC-related GCP resources.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-mgmt-vpc-project
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-mgmt-vpc-project
    targetRevision: 'main'

Source: k8s/infra-services/tb-infra-mgmt-vpc-project/

Infra Security Project

Security-related GCP resources.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-security-project
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-security-project
    targetRevision: 'main'

Source: k8s/infra-services/tb-infra-security-project/

Source Structure

k8s/infra-services/
├── gcp-config-connector/           # Config Connector operator
├── tb-infra-mgmt-project/          # Infra mgmt project resources
├── tb-infra-mgmt-vpc-project/      # VPC project resources
└── tb-infra-security-project/      # Security project resources

k8s/tb-platform-infra/              # Platform infrastructure
├── base/
├── env/
│   ├── dev/
│   ├── qa/
│   └── prod/
└── vpc/
    ├── dev/
    ├── qa/
    └── prod/

AppProjects

Config Connector applications use specific AppProjects:

Application                 Project
config-connector-operator   infra-services
tb-platform-infra           infra-services
infra-mgmt-project          infra-mgmt
infra-mgmt-vpc-project      infra-mgmt
infra-security-project      infra-mgmt

How to Update

Adding GCP Resources

  1. Create the Config Connector resource YAML in the appropriate directory
  2. Add it to the directory’s kustomization.yaml
  3. Commit and push to main
  4. ArgoCD syncs and Config Connector creates the GCP resource
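
A worked instance of steps 1 and 2, as an added example that is not taken from the infra-services repository: the file name, bucket name, namespace and project ID are hypothetical placeholders, and the namespace is assumed to have a ConfigConnectorContext. Because tb-platform-infra and infra-mgmt-vpc-project sync with prune: true, removing a manifest from git deletes the Kubernetes object, and Config Connector then deletes the GCP resource unless the deletion-policy annotation is set to abandon.

```yaml
# storage-bucket.yaml (hypothetical file name), placed in the target
# directory, for example k8s/tb-platform-infra/env/dev/
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: example-audit-logs-dev        # placeholder; bucket names are globally unique
  namespace: example-namespace        # placeholder; assumed to have a ConfigConnectorContext
  annotations:
    # Placeholder project ID: the GCP project that will own the bucket.
    cnrm.cloud.google.com/project-id: example-project-id
    # Keep the bucket in GCP if this object is pruned or deleted.
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  location: EU
  uniformBucketLevelAccess: true      # IAM-only access, no per-object ACLs
  publicAccessPrevention: enforced    # bucket cannot be made public
  versioning:
    enabled: true                     # overwritten objects stay recoverable
---
# kustomization.yaml in the same directory (step 2): list the new file
# so the ArgoCD application renders it on the next sync.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - storage-bucket.yaml
```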

Modifying Resources

  1. Edit the resource YAML
  2. Commit and push to main
  3. Config Connector reconciles the change in GCP

Sync Options

All Config Connector applications use ServerSideApply=true because:

  • Config Connector resources often have large specs
  • Server-side apply handles field ownership correctly
  • Prevents conflicts with Config Connector’s own updates

For tb-platform clusters, Config Connector is also deployed via ApplicationSet:

ApplicationSet                          Purpose
tb-platform-config-connector-operator   Deploys operator to tb-platform clusters
tb-platform-environments                Generates apps for k8s/tb-platform-infra/env/*
tb-platform-vpc-config                  Generates apps for k8s/tb-platform-infra/vpc/*

See TB Platform Config Connector for details.