Managed resources
This page is the authoritative list of what KCC actually owns in this repo. Counts are computed from the manifests in main and reflect what KCC reconciles, not what exists in GCP (drift is recovered by the controller on the next reconcile).
Note on secretmanager/ directories. Per the naming convention, directories are named after the Config Connector API group they correspond to. The secretmanager/ / secretsmanager/ directories are the one deliberate exception: they sit alongside the KCC API-group directories but contain External Secrets Operator resources (apiVersion: external-secrets.io/v1beta1 - SecretStore, ExternalSecret), not KCC resources. These resources bridge Postgres credentials from GCP Secret Manager into Kubernetes secrets and are reconciled by the ESO controller, not by KCC. They are called out explicitly in each project's table below.
API groups in use
KCC ships one CRD per GCP API. The groups we have at least one resource of:
| API group | GCP service | Used by |
|---|---|---|
| iam.cnrm.cloud.google.com | Cloud IAM | All projects |
| compute.cnrm.cloud.google.com | Compute Engine, VPC, LBs | tb-infra-mgmt-project, tb-infra-mgmt-vpc-project, tb-platform-infra |
| dns.cnrm.cloud.google.com | Cloud DNS | tb-infra-mgmt-project, tb-platform-infra (per-env) |
| serviceusage.cnrm.cloud.google.com | Service Usage (API enablement) | All workload projects |
| storage.cnrm.cloud.google.com | Cloud Storage | tb-infra-mgmt-project, tb-platform-infra |
| kms.cnrm.cloud.google.com | Cloud KMS | tb-infra-mgmt-project, tb-platform-infra (per-env) |
| sql.cnrm.cloud.google.com | Cloud SQL | tb-infra-mgmt-project, tb-platform-infra |
| resourcemanager.cnrm.cloud.google.com | Resource Manager (Projects/Folders) | tb-infra-mgmt-vpc-project, tb-infra-security-project, tb-platform-infra |
| container.cnrm.cloud.google.com | GKE | tb-infra-mgmt-project, tb-platform-infra |
| privateca.cnrm.cloud.google.com | Certificate Authority Service | tb-infra-mgmt-project |
| pubsub.cnrm.cloud.google.com | Pub/Sub | tb-infra-mgmt-project |
| firestore.cnrm.cloud.google.com | Firestore | tb-infra-mgmt-project |
| bigquery.cnrm.cloud.google.com | BigQuery | tb-infra-mgmt-project |
| networkconnectivity.cnrm.cloud.google.com | Network Connectivity Center | tb-infra-mgmt-vpc-project |
| monitoring.cnrm.cloud.google.com | Cloud Monitoring | tb-platform-infra |
| redis.cnrm.cloud.google.com | Memorystore for Redis | tb-platform-infra (per-env) |
| run.cnrm.cloud.google.com | Cloud Run | tb-platform-infra (dev only) |
| artifactregistry.cnrm.cloud.google.com | Artifact Registry | tb-platform-infra |
| core.cnrm.cloud.google.com | KCC itself (ConfigConnector, ConfigConnectorContext) | Operator install + every namespace |
All resources use the v1beta1 channel of their API group (one compute/v1alpha1 exception exists in tb-platform-infra for an early-preview kind).
There is also one non-KCC API group co-located in these directory trees:
| API group | Owner | Used by |
|---|---|---|
| external-secrets.io | External Secrets Operator (not KCC) | The secretmanager/ / secretsmanager/ directories in tb-infra-mgmt-project, tb-platform-infra/env/base, and each tb-platform-infra/vpc/{env} - bridges Postgres credentials from GCP Secret Manager into Kubernetes |
tb-infra-mgmt-project
GCP project: tb-infra-mgmt. This is the infra management project that hosts the GKE cluster running KCC itself, plus the build-cluster, Tailscale subnet routers, the platform PostgreSQL instance, Bufo’s Firestore databases, the Vault KMS unseal key, and the cross-project IAM bindings the platform infra team needs.
- Source: k8s/infra-services/tb-infra-mgmt-project/
- Namespace: tb-infra-mgmt-project
- ArgoCD app: infra-mgmt-project in apps/infra-mgmt-project.yaml
- AppProject: infra-mgmt
- Sync policy: manual sync, ServerSideApply=true, no prune
Resource composition:
| Directory | Kinds |
|---|---|
| iam/ | IAMServiceAccount, IAMPartialPolicy, IAMPolicyMember, IAMPolicy, IAMWorkloadIdentityPool, IAMWorkloadIdentityPoolProvider (workload identity for GitHub Actions and external integrations, GKE/DNS/Storage IAM, Vault KMS binding) |
| compute/ | ComputeNetwork, ComputeAddress, ComputeServiceAttachment, ComputeInstance (Tailscale subnet router) |
| container/ | ContainerCluster, ContainerNodePool (build cluster and the titan infra cluster) |
| dns/ | DNSManagedZone, DNSRecordSet (infra.titanbay.com) |
| sql/ | SQLInstance, SQLDatabase, SQLUser (shared PostgreSQL) |
| storage/ | StorageBucket |
| kms/ | KMSKeyRing, KMSCryptoKey (Vault unseal key) |
| pubsub/ | PubSubTopic, PubSubSubscription (org-admin events feed) |
| privateca/ | PrivateCACAPool, PrivateCACertificateAuthority (root pool and k8s issuer pool) |
| firestore/ | FirestoreDatabase (Bufo build + review databases) |
| bigquery/ | BigQueryDataset (rotation testing) |
| secretmanager/ | External Secrets Operator (not KCC) - SecretStore + ExternalSecret bridging Postgres credentials from GCP Secret Manager |
| serviceusage/ | Service (API enablement) |
Approximate kind footprint: 20 IAMServiceAccount, 17 IAMPartialPolicy, 11 IAMPolicyMember, plus the per-domain resources above. The 2 SecretStore / ExternalSecret resources in secretmanager/ are ESO-owned and excluded from the KCC count.
tb-infra-mgmt-vpc-project
GCP project: tb-infra-mgmt-vpc. The shared-VPC host project for the infra-management environment. Owns the VPC networks, regional subnets, router/NAT, IP addresses, and the Network Connectivity Center hub/spokes that wire the infra and tb-platform networks together.
- Source: k8s/infra-services/tb-infra-mgmt-vpc-project/
- Namespace: tb-infra-mgmt-vpc-project
- ArgoCD app: infra-mgmt-vpc-project in apps/infra-mgmt-vpc-project.yaml
- AppProject: infra-mgmt
- Sync policy: automated.prune: true, ServerSideApply=true
Resource composition:
| Directory | Kinds |
|---|---|
| resourcemanager/ | Project |
| serviceusage/ | Service |
| compute/ | ComputeNetwork, ComputeSubnetwork (europe-west1, europe-west2), ComputeRouter, ComputeRouterNAT, ComputeAddress (L4 passthrough LB IPs) |
| networkconnectivity/ | NetworkConnectivityHub, NetworkConnectivitySpoke |
| iam/ | IAMPartialPolicy (GKE host-project bindings, KMS bindings, Network Connectivity bindings) |
tb-infra-security-project
GCP project: tb-infra-security (plus its parent Folder). The smallest of the infra projects - it exists to host security-team-owned IAM grants on a dedicated folder.
- Source: k8s/infra-services/tb-infra-security-project/
- Namespace: tb-infra-security-project
- ArgoCD app: infra-security-project in apps/infra-security-project.yaml
- AppProject: infra-mgmt
- Sync policy: manual sync, ServerSideApply=true, no prune
Resource composition:
| Directory | Kinds |
|---|---|
| project/ | Folder, Project |
| iam/ | IAMPartialPolicy (folder-level grants) |
tb-platform-infra
GCP target: the three tb-platform workload projects (tb-platform-dev, tb-platform-qa, tb-platform-prod), the three tb-platform VPC host projects (tb-platform-vpc-dev, tb-platform-vpc-qa, tb-platform-vpc-prod), and a small set of shared resources at the root.
This tree is the bulk of the KCC footprint: roughly 300 IAM resources, 60 DNS records, 60 compute resources, 20 storage buckets, plus GKE clusters, Cloud SQL instances, Memorystore Redis, KMS, Service Usage, Artifact Registry, and Cloud Run.
- Source: k8s/tb-platform-infra/
- AppProject: tb-platform-infra
Per-env structure
There are three flavours of KCC delivery for this tree:
| Delivery | What it deploys | ArgoCD source path | Sync |
|---|---|---|---|
| Application/tb-platform-infra | The root kustomization (core/config-connector-context.yaml, iam/cluster-mgmt-sa.yaml) into the hub tb-platform-infra namespace | k8s/tb-platform-infra | automated.prune: true, SSA |
| ApplicationSet/tb-platform-environments | One Application per child of env/ (excluding env/base) → namespace tb-platform-{env} on the hub | git-directory generator over k8s/tb-platform-infra/env/* | SSA |
| ApplicationSet/tb-platform-vpc-config | One Application per child of vpc/ (excluding vpc/base) → namespace tb-platform-vpc-{env} on the hub | git-directory generator over k8s/tb-platform-infra/vpc/* | SSA |
Both ApplicationSets use the Argo git-directory generator, so simply creating a new env/<name>/ (or vpc/<name>/) directory materialises a new ArgoCD Application pointing at it.
Workload projects (env/)
env/base/ defines the shared resource manifests; env/{dev,qa,prod}/ extend the base via kustomization.yaml and patches/. Each env owns a complete copy of the tb-platform workload project so dev never depends on prod IAM (or vice versa).
| Directory | Kinds |
|---|---|
| resourcemanager/ | Project (the workload project itself) |
| serviceusage/ | Service (API enablement) |
| iam/ | IAMServiceAccount, IAMPolicy, IAMPolicyMember, IAMPartialPolicy, IAMCustomRole (compliance, documents, identity, investments, reference, scanner, sftp, translation, eventarc, custom roles, KMS, pubsub, workload identity) |
| compute/ | ComputeAddress (L4 + L7 LB IPs), ComputeNetworkAttachment (Eventarc), ComputeSSLPolicy, ComputeSharedVPCServiceProject, ComputeInstance (Tailscale router) |
| container/ | ContainerCluster (titan-cluster) |
| dns/ | DNSManagedZone, DNSRecordSet (external zones, L7 LB records, gateway records, L4 passthrough records) |
| kms/ | KMSKeyRing, KMSCryptoKey |
| redis/ | RedisInstance (Cloud Memorystore) |
| sql/ | SQLInstance (Cloud SQL Postgres) |
| storage/ | StorageBucket |
| secretsmanager/ | External Secrets Operator (not KCC) - SecretStore + ExternalSecret bridging Postgres credentials from GCP Secret Manager (lives under env/base/secretsmanager/) |
| artifactregistry/ | ArtifactRegistryRepository (env/base only - platform registry shared across envs) |
| monitoring/ | MonitoringMonitoredProject (env/base only) |
| run/ | RunService (dev only - run-test.yaml) |
| patches/ | Strategic-merge patches that specialise base resources per env |
VPC host projects (vpc/)
vpc/base/ defines the shared VPC network and subnets; vpc/{dev,qa,prod}/ add the per-env host project, internal LB, PSC subnet, Cloud SQL endpoint, internal DNS records, and the secret-manager bridge for the env’s Postgres instance.
| Directory | Kinds |
|---|---|
| resourcemanager/ | Project (host project) |
| compute/ | ComputeNetwork, ComputeSubnetwork (cluster subnet, regional managed-proxy subnet, PSC subnet), ComputeAddress, ComputeForwardingRule (internal LB), ComputeRouter, ComputeRouterNAT, ComputeNetworkPeering |
| dns/ | DNSManagedZone, DNSRecordSet (internal zones, internal L7 IRLB records) |
| iam/ | IAMPolicyMember, IAMPartialPolicy (cluster IAM) |
| sql/ | SQLInstance (PostgreSQL endpoint into the VPC) |
| secretmanager/ | External Secrets Operator (not KCC) - SecretStore + ExternalSecret bridging the env's Postgres credentials from GCP Secret Manager |
Shared root resources
The root kustomization deploys just the two shared resources:
```yaml
# k8s/tb-platform-infra/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tb-platform-infra
resources:
- core/config-connector-context.yaml
- iam/cluster-mgmt-sa.yaml
```
The shared ConfigConnectorContext makes the hub tb-platform-infra namespace KCC-enabled; iam/cluster-mgmt-sa.yaml defines the cluster-management IAMServiceAccount used by the GKE clusters across all three environments.
Naming conventions
Three rules apply repo-wide and are spelled out in k8s/tb-platform-infra/README.md:
- Directory names map to API groups. iam/ for iam.cnrm.cloud.google.com, compute/ for compute.cnrm.cloud.google.com, resourcemanager/ for resourcemanager.cnrm.cloud.google.com, and so on. The base env/base/, env/<env>/, vpc/base/, vpc/<env>/ directories are the only deliberate exceptions.
- Per-env overrides live in patches/. New env-specific resources go under env/<env>/<api-group>/. Modifications of base resources go in env/<env>/patches/.
- One ConfigConnectorContext per namespace. Every directory whose kustomization targets a new namespace must include core/config-connector-context.yaml.
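The footprint counts above are derived from the manifests in main with ESO-owned resources excluded, and the three naming rules are what a reviewer checks on every PR. The following audit script is an added example (not part of this repo) that does both over an in-memory set of constructed manifests: it counts KCC kinds per API group, leaves external-secrets.io resources out of the count, and flags a manifest whose directory does not match its API group or a namespace-targeting kustomization that lacks core/config-connector-context.yaml. The paths and manifests in SAMPLE_FILES are constructed for illustration and are not the repo's real files.

```python
import re
from collections import Counter

KCC_SUFFIX = ".cnrm.cloud.google.com"
ESO_DIRS = {"secretmanager", "secretsmanager"}  # the one deliberate naming exception

# Constructed sample manifests keyed by repo-relative path (illustrative, not real repo files).
SAMPLE_FILES = {
    "k8s/tb-platform-infra/env/dev/kustomization.yaml":
        "apiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\n"
        "namespace: tb-platform-dev\nresources:\n- core/config-connector-context.yaml\n- iam/\n",
    "k8s/tb-platform-infra/vpc/dev/kustomization.yaml":  # targets a namespace, no context -> violation
        "apiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\n"
        "namespace: tb-platform-vpc-dev\nresources:\n- compute/\n",
    "k8s/tb-platform-infra/env/dev/iam/app-sa.yaml":
        "apiVersion: iam.cnrm.cloud.google.com/v1beta1\nkind: IAMServiceAccount\n",
    "k8s/tb-platform-infra/env/dev/iam/app-bucket.yaml":  # storage kind under iam/ -> violation
        "apiVersion: storage.cnrm.cloud.google.com/v1beta1\nkind: StorageBucket\n",
    "k8s/tb-platform-infra/env/base/secretsmanager/pg.yaml":  # ESO resources, not counted
        "apiVersion: external-secrets.io/v1beta1\nkind: SecretStore\n---\n"
        "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\n",
}

def docs(text):
    """Yield (apiVersion, kind) for each document in a YAML file (regex only, no PyYAML needed)."""
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        av = re.search(r"^apiVersion:\s*(\S+)", doc, re.M)
        kd = re.search(r"^kind:\s*(\S+)", doc, re.M)
        if av and kd:
            yield av.group(1), kd.group(1)

def audit(files):
    """Return (Counter of KCC kinds, list of naming-convention violations)."""
    counts, violations = Counter(), []
    for path, text in files.items():
        parts = path.split("/")
        if parts[-1] == "kustomization.yaml":
            # Rule 3: a kustomization that targets a namespace must ship a ConfigConnectorContext.
            if re.search(r"^namespace:", text, re.M) and "core/config-connector-context.yaml" not in text:
                violations.append(f"{path}: targets a namespace but lacks core/config-connector-context.yaml")
            continue
        directory = parts[-2]
        for api_version, kind in docs(text):
            group = api_version.split("/")[0]
            if group.endswith(KCC_SUFFIX):
                counts[kind] += 1  # only KCC-reconciled resources enter the footprint
                if group != directory + KCC_SUFFIX:  # Rule 1: directory name == API group prefix
                    violations.append(f"{path}: {kind} ({group}) is not under {group[:-len(KCC_SUFFIX)]}/")
            elif group == "external-secrets.io" and directory not in ESO_DIRS:
                violations.append(f"{path}: ESO resource outside secretmanager/ or secretsmanager/")
    return counts, violations
```

Run audit(SAMPLE_FILES) to get the kind counts and the two expected violations; pointing the same function at a real checkout only needs a walk that reads each *.yaml into the dict.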
How to find a resource
| You’re looking for | Where to look |
|---|---|
| A GCP IAM binding for the platform | k8s/tb-platform-infra/env/{env}/iam/ (env-specific) or k8s/tb-platform-infra/env/base/iam/ (shared) |
| An IAM binding on an infra project | k8s/infra-services/tb-infra-mgmt-project/iam/ |
| A DNS zone or record | k8s/tb-platform-infra/env/{env}/dns/ (external) or k8s/tb-platform-infra/vpc/{env}/dns/ (internal) |
| The platform Postgres instance | k8s/tb-platform-infra/env/{env}/sql/cloudsql-postgres.yaml |
| The GKE workload cluster | k8s/tb-platform-infra/env/base/container/titan-cluster.yaml + env patches |
| The VPC network and subnets | k8s/tb-platform-infra/vpc/base/compute/ (shared) and vpc/{env}/compute/ (per-env) |
| The KMS keys | k8s/tb-platform-infra/env/{env}/kms/ |
| The org-admin Pub/Sub feed | k8s/infra-services/tb-infra-mgmt-project/pubsub/ |
If a resource isn’t found here, it isn’t managed by KCC and lives in Terraform under infra/ or the infra-terraform repo - see Working with Titanbay infra.