GCP Config Connector
Config Connector enables managing GCP resources declaratively through Kubernetes custom resources. The Infra Management Cluster runs the Config Connector operator and manages resources for multiple GCP projects.
This page documents the ArgoCD Application/ApplicationSet resources that deliver KCC. For an end-to-end view of how KCC is used at Titanbay - operator install, authentication model, GCP resource inventory, and day-to-day operations - see the dedicated Config Connector section.
The operator is pinned at version 1.148.0 (GKE Autopilot variant) and runs in namespaced mode, with one Google Service Account per namespace via ConfigConnectorContext CRs. See Config Connector → Overview for the full architecture.
ArgoCD Resources
| Application | Namespace | Purpose |
|---|---|---|
| config-connector-operator | argocd | The Config Connector operator |
| tb-platform-infra | argocd | Cross-environment GCP resources |
| infra-mgmt-project | argocd | Infra management GCP project |
| infra-mgmt-vpc-project | argocd | VPC project resources |
| infra-security-project | argocd | Security project resources |
File Paths
| Application | File |
|---|---|
| config-connector-operator, tb-platform-infra | apps/config-connector.yaml |
| infra-mgmt-project | apps/infra-mgmt-project.yaml |
| infra-mgmt-vpc-project | apps/infra-mgmt-vpc-project.yaml |
| infra-security-project | apps/infra-security-project.yaml |
Config Connector Operator
The operator watches for ConfigConnectorContext resources and creates controllers to manage GCP resources.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: config-connector-operator
spec:
  syncPolicy:
    automated:
      prune: false
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    path: k8s/infra-services/gcp-config-connector
    repoURL: https://github.com/Titanbay/infra-services
    targetRevision: 'main'
```
Source: k8s/infra-services/gcp-config-connector/
TB Platform Infrastructure
Cross-environment GCP resources for the tb-platform projects.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tb-platform-infra
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/tb-platform-infra
    targetRevision: 'main'
```
Source Structure:
```
k8s/tb-platform-infra/
├── base/                # Shared resources
├── env/                 # Per-environment resources
│   ├── base/
│   ├── dev/
│   ├── qa/
│   └── prod/
└── vpc/                 # VPC-related resources
    ├── base/
    ├── dev/
    ├── qa/
    └── prod/
```
Infra Management Project
GCP resources for the main infrastructure management project.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-mgmt-project
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-mgmt-project
    targetRevision: 'main'
```
Source: k8s/infra-services/tb-infra-mgmt-project/
Infra Management VPC Project
VPC-related GCP resources.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-mgmt-vpc-project
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-mgmt-vpc-project
    targetRevision: 'main'
```
Source: k8s/infra-services/tb-infra-mgmt-vpc-project/
Infra Security Project
Security-related GCP resources.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-security-project
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: infra-mgmt
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/tb-infra-security-project
    targetRevision: 'main'
```
Source: k8s/infra-services/tb-infra-security-project/
Source Structure
```
k8s/infra-services/
├── gcp-config-connector/          # Config Connector operator
├── tb-infra-mgmt-project/         # Infra mgmt project resources
├── tb-infra-mgmt-vpc-project/     # VPC project resources
└── tb-infra-security-project/     # Security project resources

k8s/tb-platform-infra/             # Platform infrastructure
├── base/
├── env/
│   ├── dev/
│   ├── qa/
│   └── prod/
└── vpc/
    ├── dev/
    ├── qa/
    └── prod/
```
AppProjects
Config Connector applications use specific AppProjects:
| Application | Project |
|---|---|
| config-connector-operator | infra-services |
| tb-platform-infra | infra-services |
| infra-mgmt-project | infra-mgmt |
| infra-mgmt-vpc-project | infra-mgmt |
| infra-security-project | infra-mgmt |
How to Update
Adding GCP Resources
- Create the Config Connector resource YAML in the appropriate directory
- Add to the directory’s kustomization.yaml
- Commit and push to main
- ArgoCD syncs and Config Connector creates the GCP resource
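
The steps above as an added example (not taken from the Titanbay repository): a Config Connector StorageBucket placed in the dev overlay, plus its kustomization.yaml entry. The two annotations keep the bucket from being deleted in GCP if an Application with automated.prune: true stops seeing the manifest. The file name, bucket name and location are hypothetical.

```yaml
# File (hypothetical name): k8s/tb-platform-infra/env/dev/storage-bucket-example.yaml
# No metadata.namespace is set: ArgoCD applies the object to the Application's
# destination namespace.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: example-tb-platform-dev-artifacts   # constructed placeholder name
  annotations:
    # Config Connector: if this object is deleted from the cluster,
    # leave the bucket in GCP instead of deleting it.
    cnrm.cloud.google.com/deletion-policy: abandon
    # ArgoCD: never prune this object, even when the owning Application
    # has automated.prune: true and the manifest disappears from Git.
    argocd.argoproj.io/sync-options: Prune=false
spec:
  location: EU                       # constructed value
  uniformBucketLevelAccess: true     # IAM only, no per-object ACLs
  publicAccessPrevention: enforced   # block public exposure of the bucket
---
# File: k8s/tb-platform-infra/env/dev/kustomization.yaml
# Only the added entry is shown; existing entries stay as they are.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - storage-bucket-example.yaml
```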
Modifying Resources
- Edit the resource YAML
- Commit and push to main
- Config Connector reconciles the change in GCP
Sync Options
All Config Connector applications use ServerSideApply=true because:
- Config Connector resources often have large specs
- Server-side apply handles field ownership correctly
- Prevents conflicts with Config Connector’s own updates
Related ApplicationSets
For tb-platform clusters, Config Connector is also deployed via ApplicationSet:
| ApplicationSet | File | Purpose |
|---|---|---|
| tb-platform-config-connector-operator | application-sets/tb-platform-config-connector.yaml | Deploys the operator to the three tb-platform clusters (dev/qa/prod) via a list generator |
| tb-platform-environments | application-sets/tb-platform-infra.yaml | Git-directory generator over k8s/tb-platform-infra/env/* (excludes env/base) - one Application per env, deployed to namespace tb-platform-{env} on the hub |
| tb-platform-vpc-config | application-sets/tb-platform-infra.yaml | Git-directory generator over k8s/tb-platform-infra/vpc/* (excludes vpc/base) - one Application per env, deployed to namespace tb-platform-vpc-{env} on the hub |
All three use ServerSideApply=true; tb-platform-config-connector-operator additionally has automated.prune: true.
Related Documentation
- Config Connector - Operator architecture, authentication model, hub-and-spoke topology.
- Config Connector → Managed resources - Per-project GCP resource inventory.
- Config Connector → Operations - Adding, updating, deleting, and troubleshooting KCC resources.