Managed resources

Inventory of GCP resources reconciled by Config Connector, grouped by managed GCP project

This page is the authoritative list of what KCC actually owns in this repo. Counts are computed from the manifests in main and reflect what KCC reconciles, not what exists in GCP (drift is recovered by the controller on the next reconcile).

Note on the secretmanager/ directories. Per the naming convention, directories are named after the Config Connector API group they correspond to. The secretmanager/ and secretsmanager/ directories are the one deliberate exception: they sit alongside the KCC API-group directories but contain External Secrets Operator resources (apiVersion external-secrets.io/v1beta1; kinds SecretStore and ExternalSecret), not KCC resources. These resources bridge Postgres credentials from GCP Secret Manager into Kubernetes Secrets and are reconciled by the ESO controller, not by KCC. They are called out explicitly in each project's table below.

API groups in use

KCC ships one CRD group per GCP API. The groups for which this repo holds at least one resource:

| API group | GCP service | Used by |
|---|---|---|
| iam.cnrm.cloud.google.com | Cloud IAM | All projects |
| compute.cnrm.cloud.google.com | Compute Engine, VPC, LBs | tb-infra-mgmt-project, tb-infra-mgmt-vpc-project, tb-platform-infra |
| dns.cnrm.cloud.google.com | Cloud DNS | tb-infra-mgmt-project, tb-platform-infra (per-env) |
| serviceusage.cnrm.cloud.google.com | Service Usage (API enablement) | All workload projects |
| storage.cnrm.cloud.google.com | Cloud Storage | tb-infra-mgmt-project, tb-platform-infra |
| kms.cnrm.cloud.google.com | Cloud KMS | tb-infra-mgmt-project, tb-platform-infra (per-env) |
| sql.cnrm.cloud.google.com | Cloud SQL | tb-infra-mgmt-project, tb-platform-infra |
| resourcemanager.cnrm.cloud.google.com | Resource Manager (Projects/Folders) | tb-infra-mgmt-vpc-project, tb-infra-security-project, tb-platform-infra |
| container.cnrm.cloud.google.com | GKE | tb-infra-mgmt-project, tb-platform-infra |
| privateca.cnrm.cloud.google.com | Certificate Authority Service | tb-infra-mgmt-project |
| pubsub.cnrm.cloud.google.com | Pub/Sub | tb-infra-mgmt-project |
| firestore.cnrm.cloud.google.com | Firestore | tb-infra-mgmt-project |
| bigquery.cnrm.cloud.google.com | BigQuery | tb-infra-mgmt-project |
| networkconnectivity.cnrm.cloud.google.com | Network Connectivity Center | tb-infra-mgmt-vpc-project |
| monitoring.cnrm.cloud.google.com | Cloud Monitoring | tb-platform-infra |
| redis.cnrm.cloud.google.com | Memorystore for Redis | tb-platform-infra (per-env) |
| run.cnrm.cloud.google.com | Cloud Run | tb-platform-infra (dev only) |
| artifactregistry.cnrm.cloud.google.com | Artifact Registry | tb-platform-infra |
| core.cnrm.cloud.google.com | KCC itself (ConfigConnector, ConfigConnectorContext) | Operator install + every namespace |

All resources use the v1beta1 channel of their API group (one compute/v1alpha1 exception exists in tb-platform-infra for an early-preview kind).

There is also one non-KCC API group co-located in these directory trees:

| API group | Owner | Used by |
|---|---|---|
| external-secrets.io | External Secrets Operator (not KCC) | The secretmanager/ and secretsmanager/ directories in tb-infra-mgmt-project, tb-platform-infra/env/base, and each tb-platform-infra/vpc/{env}; bridges Postgres credentials from GCP Secret Manager into Kubernetes |

tb-infra-mgmt-project

GCP project: tb-infra-mgmt. This is the infra management project that hosts the GKE cluster running KCC itself, plus the build-cluster, Tailscale subnet routers, the platform PostgreSQL instance, Bufo’s Firestore databases, the Vault KMS unseal key, and the cross-project IAM bindings the platform infra team needs.

Resource composition:

| Directory | Kinds |
|---|---|
| iam/ | IAMServiceAccount, IAMPartialPolicy, IAMPolicyMember, IAMPolicy, IAMWorkloadIdentityPool, IAMWorkloadIdentityPoolProvider (workload identity for GitHub Actions and external integrations, GKE/DNS/Storage IAM, Vault KMS binding) |
| compute/ | ComputeNetwork, ComputeAddress, ComputeServiceAttachment, ComputeInstance (Tailscale subnet router) |
| container/ | ContainerCluster, ContainerNodePool (build cluster and the titan infra cluster) |
| dns/ | DNSManagedZone, DNSRecordSet (infra.titanbay.com) |
| sql/ | SQLInstance, SQLDatabase, SQLUser (shared PostgreSQL) |
| storage/ | StorageBucket |
| kms/ | KMSKeyRing, KMSCryptoKey (Vault unseal key) |
| pubsub/ | PubSubTopic, PubSubSubscription (org-admin events feed) |
| privateca/ | PrivateCACAPool, PrivateCACertificateAuthority (root pool and k8s issuer pool) |
| firestore/ | FirestoreDatabase (Bufo build + review databases) |
| bigquery/ | BigQueryDataset (rotation testing) |
| secretmanager/ | External Secrets Operator (not KCC): SecretStore + ExternalSecret bridging Postgres credentials from GCP Secret Manager |
| serviceusage/ | Service (API enablement) |

Approximate kind footprint: 20 IAMServiceAccount, 17 IAMPartialPolicy, 11 IAMPolicyMember, plus the per-domain resources above. The two SecretStore/ExternalSecret resources in secretmanager/ are ESO-owned and excluded from the KCC count.

tb-infra-mgmt-vpc-project

GCP project: tb-infra-mgmt-vpc. The shared-VPC host project for the infra-management environment. Owns the VPC networks, regional subnets, router/NAT, IP addresses, and the Network Connectivity Center hub/spokes that wire the infra and tb-platform networks together.

Resource composition:

| Directory | Kinds |
|---|---|
| resourcemanager/ | Project |
| serviceusage/ | Service |
| compute/ | ComputeNetwork, ComputeSubnetwork (europe-west1, europe-west2), ComputeRouter, ComputeRouterNAT, ComputeAddress (L4 passthrough LB IPs) |
| networkconnectivity/ | NetworkConnectivityHub, NetworkConnectivitySpoke |
| iam/ | IAMPartialPolicy (GKE host-project bindings, KMS bindings, Network Connectivity bindings) |

tb-infra-security-project

GCP project: tb-infra-security (plus its parent Folder). The smallest of the infra projects; it exists to host security-team-owned IAM grants on a dedicated folder.

Resource composition:

| Directory | Kinds |
|---|---|
| project/ | Folder, Project |
| iam/ | IAMPartialPolicy (folder-level grants) |

tb-platform-infra

GCP target: the three tb-platform workload projects (tb-platform-dev, tb-platform-qa, tb-platform-prod), the three tb-platform VPC host projects (tb-platform-vpc-dev, tb-platform-vpc-qa, tb-platform-vpc-prod), and a small set of shared resources at the root.

This tree is the bulk of the KCC footprint: roughly 300 IAM resources, 60 DNS records, 60 compute resources, 20 storage buckets, plus GKE clusters, Cloud SQL instances, Memorystore Redis, KMS, Service Usage, Artifact Registry, and Cloud Run.

Per-env structure

There are three flavours of KCC delivery for this tree:

| Delivery | What it deploys | ArgoCD source path | Sync |
|---|---|---|---|
| Application/tb-platform-infra | The root kustomization (core/config-connector-context.yaml, iam/cluster-mgmt-sa.yaml) into the hub tb-platform-infra namespace | k8s/tb-platform-infra | automated.prune: true, SSA |
| ApplicationSet/tb-platform-environments | One Application per child of env/ (excluding env/base) → namespace tb-platform-{env} on the hub | git-directory generator over k8s/tb-platform-infra/env/* | SSA |
| ApplicationSet/tb-platform-vpc-config | One Application per child of vpc/ (excluding vpc/base) → namespace tb-platform-vpc-{env} on the hub | git-directory generator over k8s/tb-platform-infra/vpc/* | SSA |

Both ApplicationSets use the Argo git-directory generator, so creating a new env/<name>/ (or vpc/<name>/) directory is enough to materialise a new ArgoCD Application pointing at it.

Workload projects (env/)

env/base/ defines the shared resource manifests; env/{dev,qa,prod}/ extend the base via kustomization.yaml and patches/. Each env owns a complete copy of the tb-platform workload project so dev never depends on prod IAM (or vice versa).

| Directory | Kinds |
|---|---|
| resourcemanager/ | Project (the workload project itself) |
| serviceusage/ | Service (API enablement) |
| iam/ | IAMServiceAccount, IAMPolicy, IAMPolicyMember, IAMPartialPolicy, IAMCustomRole (compliance, documents, identity, investments, reference, scanner, sftp, translation, eventarc, custom roles, KMS, pubsub, workload identity) |
| compute/ | ComputeAddress (L4 + L7 LB IPs), ComputeNetworkAttachment (Eventarc), ComputeSSLPolicy, ComputeSharedVPCServiceProject, ComputeInstance (Tailscale router) |
| container/ | ContainerCluster (titan-cluster) |
| dns/ | DNSManagedZone, DNSRecordSet (external zones, L7 LB records, gateway records, L4 passthrough records) |
| kms/ | KMSKeyRing, KMSCryptoKey |
| redis/ | RedisInstance (Cloud Memorystore) |
| sql/ | SQLInstance (Cloud SQL Postgres) |
| storage/ | StorageBucket |
| secretsmanager/ | External Secrets Operator (not KCC): SecretStore + ExternalSecret bridging Postgres credentials from GCP Secret Manager (lives under env/base/secretsmanager/) |
| artifactregistry/ | ArtifactRegistryRepository (env/base only; platform registry shared across envs) |
| monitoring/ | MonitoringMonitoredProject (env/base only) |
| run/ | RunService (dev only; run-test.yaml) |
| patches/ | Strategic-merge patches that specialise base resources per env |

VPC host projects (vpc/)

vpc/base/ defines the shared VPC network and subnets; vpc/{dev,qa,prod}/ add the per-env host project, internal LB, PSC subnet, Cloud SQL endpoint, internal DNS records, and the secret-manager bridge for the env’s Postgres instance.

| Directory | Kinds |
|---|---|
| resourcemanager/ | Project (host project) |
| compute/ | ComputeNetwork, ComputeSubnetwork (cluster subnet, regional managed-proxy subnet, PSC subnet), ComputeAddress, ComputeForwardingRule (internal LB), ComputeRouter, ComputeRouterNAT, ComputeNetworkPeering |
| dns/ | DNSManagedZone, DNSRecordSet (internal zones, internal L7 IRLB records) |
| iam/ | IAMPolicyMember, IAMPartialPolicy (cluster IAM) |
| sql/ | SQLInstance (PostgreSQL endpoint into the VPC) |
| secretmanager/ | External Secrets Operator (not KCC): SecretStore + ExternalSecret bridging the env's Postgres credentials from GCP Secret Manager |

Shared root resources

The root kustomization deploys just the two shared resources:

# k8s/tb-platform-infra/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tb-platform-infra
resources:
  - core/config-connector-context.yaml
  - iam/cluster-mgmt-sa.yaml

The shared ConfigConnectorContext makes the hub tb-platform-infra namespace KCC-enabled; iam/cluster-mgmt-sa.yaml defines the cluster-management IAMServiceAccount used by the GKE clusters across all three environments.

Naming conventions

Three rules apply repo-wide and are spelled out in k8s/tb-platform-infra/README.md:

  1. Directory names map to API groups. iam/ for iam.cnrm.cloud.google.com, compute/ for compute.cnrm.cloud.google.com, resourcemanager/ for resourcemanager.cnrm.cloud.google.com, and so on. The base env/base/, env/<env>/, vpc/base/, vpc/<env>/ directories are the only deliberate exceptions.
  2. Per-env overrides live in patches/. New env-specific resources go under env/<env>/<api-group>/. Modifications of base resources go in env/<env>/patches/.
  3. One ConfigConnectorContext per namespace. Every directory whose kustomization targets a new namespace must include core/config-connector-context.yaml.
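A repo-wide lint for rules 1 and 3, added here as an example rather than tooling the repo ships: it walks a tree of manifests and reports files whose API group does not match their directory name (allowing the ESO directories and skipping patches/) and namespaced kustomizations that omit core/config-connector-context.yaml. The paths and manifests in SAMPLE are constructed; the lint reads only apiVersion, namespace and resources lines, so it needs no YAML library.

```python
import re
from pathlib import Path

KCC_SUFFIX = ".cnrm.cloud.google.com"
# Directories allowed to hold the one non-KCC API group (the ESO bridge above).
NON_KCC_DIRS = {"secretmanager": "external-secrets.io",
                "secretsmanager": "external-secrets.io"}
SKIP_DIRS = {"patches"}  # strategic-merge patches carry any group; not inventoried


def check_tree(files):
    """files maps a relative path to its text. Returns sorted violation strings."""
    problems = []
    for path, text in files.items():
        parts = Path(path).parts
        if parts[-1] == "kustomization.yaml":
            # Rule 3: a kustomization that sets a namespace must pull in the KCC context.
            has_ns = re.search(r"^namespace:", text, re.M)
            has_ctx = re.search(r"^\s*-\s*core/config-connector-context\.yaml\s*$", text, re.M)
            if has_ns and not has_ctx:
                problems.append(f"{path}: sets namespace but lacks core/config-connector-context.yaml")
            continue
        if len(parts) < 2 or parts[-2] in SKIP_DIRS:
            continue
        directory = parts[-2]
        # Rule 1: every document's API group must match the directory it lives in.
        for m in re.finditer(r"^apiVersion:\s*([^/\s]+)/", text, re.M):
            group = m.group(1)
            if group == NON_KCC_DIRS.get(directory):
                continue  # ESO resources in their designated directories
            if not group.endswith(KCC_SUFFIX):
                problems.append(f"{path}: non-KCC group {group} outside an ESO directory")
            elif group[:-len(KCC_SUFFIX)] != directory:
                problems.append(f"{path}: group {group} does not match directory {directory}/")
    return sorted(problems)


def load_tree(root):
    """Read every *.yaml below root into the mapping check_tree expects."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text() for p in root.rglob("*.yaml")}


# Constructed sample tree: only the lines the lint reads are present.
SAMPLE = {
    "env/dev/kustomization.yaml": "namespace: tb-platform-dev\nresources:\n"
                                  "  - core/config-connector-context.yaml\n  - iam/sa.yaml\n",
    "env/dev/iam/sa.yaml": "apiVersion: iam.cnrm.cloud.google.com/v1beta1\nkind: IAMServiceAccount\n",
    "env/dev/dns/bucket.yaml": "apiVersion: storage.cnrm.cloud.google.com/v1beta1\nkind: StorageBucket\n",
    "env/base/secretsmanager/store.yaml": "apiVersion: external-secrets.io/v1beta1\nkind: SecretStore\n",
    "vpc/qa/kustomization.yaml": "namespace: tb-platform-vpc-qa\nresources:\n  - compute/net.yaml\n",
}
```

`check_tree(load_tree("k8s/"))` runs the same checks over a real checkout; on SAMPLE it flags the misplaced StorageBucket and the vpc/qa kustomization.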

How to find a resource

| You're looking for | Where to look |
|---|---|
| A GCP IAM binding for the platform | k8s/tb-platform-infra/env/{env}/iam/ (env-specific) or k8s/tb-platform-infra/env/base/iam/ (shared) |
| An IAM binding on an infra project | k8s/infra-services/tb-infra-mgmt-project/iam/ |
| A DNS zone or record | k8s/tb-platform-infra/env/{env}/dns/ (external) or k8s/tb-platform-infra/vpc/{env}/dns/ (internal) |
| The platform Postgres instance | k8s/tb-platform-infra/env/{env}/sql/cloudsql-postgres.yaml |
| The GKE workload cluster | k8s/tb-platform-infra/env/base/container/titan-cluster.yaml + env patches |
| The VPC network and subnets | k8s/tb-platform-infra/vpc/base/compute/ (shared) and vpc/{env}/compute/ (per-env) |
| The KMS keys | k8s/tb-platform-infra/env/{env}/kms/ |
| The org-admin Pub/Sub feed | k8s/infra-services/tb-infra-mgmt-project/pubsub/ |

If a resource isn't found here, it isn't managed by KCC: it lives in Terraform, either under infra/ or in the infra-terraform repo; see Working with Titanbay infra.