GCP Infrastructure Overview
The platform is organized into four project layers — bootstrap, organization, platform, and tenant — with a single shared GKE cluster per environment and namespace-based isolation between applications.
Project layers
Bootstrap — u2i-bootstrap (us-central1)
Terraform state, Cloud Deploy pipelines, GitHub connections, and the shared Artifact Registry live here. Region chosen for cost, not data residency.
Organization — u2i-organization, u2i-dns, u2i-security
Org-wide policies, DNS zones, and centralized audit logging (7-year retention).
Platform — u2i-platform-nonprod / u2i-platform-prod (europe-west1)
Owns the GKE Fleet, Config Sync, and Binary Authorization for the region.
Tenant — c-u2i-nonprod / c-u2i-prod (europe-west1)
The shared tenant project that hosts every application's namespace, images, and Cloud Build/Deploy resources. europe-west1 is used here for GDPR/EU data residency.
GKE clusters
Shared Autopilot clusters
One cluster per environment (u2i-nonprod, u2i-prod) in europe-west1. Every app is a namespace on the shared cluster rather than getting its own cluster.
Namespace isolation
Namespaces follow {app}-dev, {app}-qa, {app}-prod, and {app}-pr-{N} for pull-request previews.
Networking
Private nodes behind Cloud NAT; dual-stack IPv4/IPv6 in nonprod, IPv4 only in prod. Pod/service CIDRs are allocated centrally so they stay globally unique across clusters.
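The "allocated centrally so they stay globally unique" point is easiest to see as a small IPAM registry. The following is an added example, not code from the platform described on this page: it models the pod and service secondary ranges of each cluster as carve-outs from two shared pools, refuses any range that overlaps an existing allocation, and hands a new cluster the lowest free ranges. The pool sizes, prefix lengths and the `u2i-nonprod` ranges are constructed values, and only the IPv4 ranges are modelled (the nonprod IPv6 side is not covered here).

```python
from ipaddress import ip_network

# Constructed example pools (not the platform's real ranges): every cluster's
# pod range is a /16 out of POD_POOL and its service range a /20 out of SVC_POOL.
POD_POOL, POD_PREFIX = ip_network("10.0.0.0/9"), 16
SVC_POOL, SVC_PREFIX = ip_network("10.128.0.0/12"), 20


class CidrRegistry:
    """Central IPAM for GKE secondary ranges: all clusters draw from one shared
    pool, so ranges stay globally unique and clusters can later be peered or
    joined to the same fleet without address collisions."""

    def __init__(self):
        self.allocations = {}  # cluster -> {"pods": net, "services": net}

    def conflicts(self, cidr):
        """Names of clusters whose pod or service range overlaps `cidr`."""
        net = ip_network(str(cidr))  # strict by default: rejects host bits set, e.g. 10.1.2.3/16
        return sorted(c for c, r in self.allocations.items()
                      if r["pods"].overlaps(net) or r["services"].overlaps(net))

    def register(self, cluster, pods, services):
        """Record ranges that already exist (e.g. imported from Terraform state),
        refusing anything that collides with a previous allocation."""
        pods, services = ip_network(pods), ip_network(services)
        if pods.overlaps(services):
            raise ValueError(f"{cluster}: pod and service ranges overlap")
        for net in (pods, services):
            if self.conflicts(net):
                raise ValueError(f"{cluster}: {net} overlaps {self.conflicts(net)}")
        self.allocations[cluster] = {"pods": pods, "services": services}
        return self.allocations[cluster]

    def _next_free(self, pool, prefix):
        for candidate in pool.subnets(new_prefix=prefix):
            if not self.conflicts(candidate):
                return candidate
        raise RuntimeError(f"{pool} has no free /{prefix} left")

    def allocate(self, cluster):
        """Hand a new cluster the lowest free pod and service ranges (idempotent)."""
        if cluster not in self.allocations:
            self.allocations[cluster] = {
                "pods": self._next_free(POD_POOL, POD_PREFIX),
                "services": self._next_free(SVC_POOL, SVC_PREFIX),
            }
        return self.allocations[cluster]


if __name__ == "__main__":
    reg = CidrRegistry()
    reg.register("u2i-nonprod", "10.0.0.0/16", "10.128.0.0/20")  # constructed values
    print("u2i-prod ->", reg.allocate("u2i-prod"))
    print("conflicts for 10.1.128.0/17:", reg.conflicts("10.1.128.0/17"))
```

The registry is the single source of truth the cluster Terraform would read its `secondary_ip_range` values from; because `register` and `allocate` both go through `conflicts`, an imported range that was hand-edited to overlap another cluster fails at plan time rather than at peering time.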
IAM & service accounts
Zero standing privilege
Terraform service accounts are read-only by default. Write access is granted only through PAM: 30-minute windows for CI/CD, 2-hour windows for break-glass access.
Per-app service accounts
Each app gets a {app}-ci account (builds images, creates Cloud Deploy releases) and a {app}-cloud-deploy account (executes kubectl apply against the clusters).
No standing keys
Everything authenticates via Application Default Credentials locally or Workload Identity Federation in CI — no long-lived service account keys.
Compliance & security
terraform-google-compliance-modules
Reusable modules aligned with ISO 27001 and SOC 2 Type II. Google-managed encryption is accepted for GKE/Compute; CMEK is still required for databases, BigQuery, and Secret Manager.
Centralized logging
All audit logs flow into the u2i-security project with a 7-year retention policy.
Privileged Access Manager (PAM)
Time-bound elevation with an audit trail written to BigQuery and a Slack notification on every grant.
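The zero-standing-privilege windows above (30 minutes for CI/CD, 2 hours for break-glass) are only as good as the check that runs over the audit trail. The following is an added example, not code from the platform described on this page: it audits a batch of PAM grant records for the policy violations a defender cares about (a grant longer than its entitlement's window, a requester outside the eligible set, an empty justification, and a grant still ACTIVE after its window should have ended, which is standing privilege by another name). The entitlement names, eligible principals and the grant rows are constructed; the rows only loosely mirror the fields of exported grant records and are not the BigQuery schema.

```python
from datetime import datetime, timedelta, timezone

# Policy stated on the page: CI/CD elevations last at most 30 minutes,
# break-glass elevations at most 2 hours.
MAX_DURATION = {"ci-deploy": timedelta(minutes=30), "break-glass": timedelta(hours=2)}
# Hypothetical eligible principals per entitlement (names are assumptions).
ELIGIBLE = {
    "ci-deploy": {"serviceAccount:retrotool-ci@c-u2i-prod.iam.gserviceaccount.com"},
    "break-glass": {"group:platform-oncall@example.com"},
}
# Time at which the audit is run (fixed so the sample is reproducible).
REPORT_TIME = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

# Constructed rows loosely shaped like exported PAM grant records; not real data.
SAMPLE_GRANTS = [
    {"name": "grants/ci-ok", "entitlement": "ci-deploy",
     "requester": "serviceAccount:retrotool-ci@c-u2i-prod.iam.gserviceaccount.com",
     "requested_duration": "1800s", "justification": "release retrotool-r123",
     "create_time": "2024-05-01T09:00:00Z", "state": "ENDED"},
    {"name": "grants/ci-too-long", "entitlement": "ci-deploy",
     "requester": "serviceAccount:retrotool-ci@c-u2i-prod.iam.gserviceaccount.com",
     "requested_duration": "7200s", "justification": "release retrotool-r124",
     "create_time": "2024-05-01T09:30:00Z", "state": "ENDED"},
    {"name": "grants/not-eligible", "entitlement": "break-glass",
     "requester": "user:contractor@example.com",
     "requested_duration": "3600s", "justification": "",
     "create_time": "2024-05-01T08:00:00Z", "state": "ENDED"},
    {"name": "grants/stale", "entitlement": "break-glass",
     "requester": "group:platform-oncall@example.com",
     "requested_duration": "7200s", "justification": "INC-42 node pool stuck",
     "create_time": "2024-05-01T01:00:00Z", "state": "ACTIVE"},
]


def parse_duration(text):
    """PAM durations are protobuf-style strings such as '1800s'."""
    if not text.endswith("s"):
        raise ValueError(f"unexpected duration {text!r}")
    return timedelta(seconds=float(text[:-1]))


def parse_time(text):
    # fromisoformat() only accepts a trailing 'Z' on 3.11+, so normalise it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def check_grant(grant, now):
    """Return the policy violations for one grant (empty list = clean)."""
    findings = []
    ent = grant["entitlement"]
    duration = parse_duration(grant["requested_duration"])
    limit = MAX_DURATION.get(ent)
    if limit is None:
        findings.append(f"unknown entitlement {ent}")
    elif duration > limit:
        findings.append(f"duration {duration} exceeds {limit} for {ent}")
    if grant["requester"] not in ELIGIBLE.get(ent, set()):
        findings.append(f"requester {grant['requester']} not eligible for {ent}")
    if not grant["justification"].strip():
        findings.append("empty justification")
    expected_end = parse_time(grant["create_time"]) + duration
    if grant["state"] == "ACTIVE" and now > expected_end:
        # An ACTIVE grant past its window means revocation never happened:
        # exactly the standing privilege the policy exists to prevent.
        findings.append(f"still ACTIVE {now - expected_end} after expected end")
    return findings


def audit(grants, now=REPORT_TIME):
    """Map grant name -> findings, keeping only grants that have any."""
    report = {g["name"]: check_grant(g, now) for g in grants}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GRANTS).items():
        print(name, "->", "; ".join(findings))
```

Run against the real export, `audit` is the query you would schedule next to the Slack notification: the notification tells you a grant happened, the audit tells you whether it was within policy.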
Storage: GCS via GCSFuse CSI
Native CSI driver, no sidecars
Apps that need bucket-backed storage (e.g. RetroTool's board backgrounds) mount GCS through GKE's gcsfuse.csi.storage.gke.io driver directly on the pod — not a sidecar container.
Tunable per environment
Cache sizes (fileCacheCapacity, ephemeral storage requests/limits) are set per environment in Helm values — smaller in preview to fit spot instances.
Bucket provisioning
Buckets are provisioned declaratively via Config Connector through the gke-tenant-storage chart; the app's GKE service account gets roles/storage.objectUser via Workload Identity.
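The storage section ties three things together that are easy to get wrong independently: the gcsfuse CSI volume on the pod, the per-environment cache sizing, and the Config Connector bucket plus Workload Identity grant that the volume depends on. The following is an added example, not code from the platform or its Helm charts: a pre-deploy check over rendered manifests that derives the environment from the namespace convention ({app}-dev, {app}-qa, {app}-prod, {app}-pr-{N}), verifies every gcsfuse volume's `fileCacheCapacity` fits inside the `gke-gcsfuse/ephemeral-storage-limit` annotation (and a tighter cap in previews), and confirms the bucket is declared as a `StorageBucket` in the same namespace with an `IAMPolicyMember` granting `roles/storage.objectUser` to the pod's Workload Identity principal. The Workload Identity pool name, the preview cap and the manifest shapes are assumptions constructed for the example.

```python
import re

GCSFUSE_DRIVER = "gcsfuse.csi.storage.gke.io"
WI_POOL = "c-u2i-nonprod.svc.id.goog"   # assumed Workload Identity pool of the tenant project
PREVIEW_MAX_CACHE = "512Mi"             # hypothetical cap for spot-backed PR previews
NAMESPACE_RE = re.compile(r"^(?P<app>[a-z0-9-]+)-(?P<env>dev|qa|prod|pr-\d+)$")
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def parse_quantity(q):
    """Kubernetes resource quantity ('1Gi', '500M', '1024') -> bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]i?)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity {q!r}")
    return int(float(m.group(1)) * UNITS[m.group(2) or ""])


def classify_namespace(ns):
    """'retrotool-pr-42' -> ('retrotool', 'preview'); 'retrotool-qa' -> ('retrotool', 'qa')."""
    m = NAMESPACE_RE.match(ns)
    if not m:
        raise ValueError(f"namespace {ns!r} does not follow {{app}}-dev|qa|prod|pr-N")
    env = m.group("env")
    return m.group("app"), "preview" if env.startswith("pr-") else env


def index(manifests):
    """Pick the Config Connector objects and workloads out of a rendered manifest list."""
    buckets = {(m["metadata"]["namespace"], m["metadata"]["name"])
               for m in manifests if m["kind"] == "StorageBucket"}
    grants = {(m["spec"]["resourceRef"]["name"], m["spec"]["role"], m["spec"]["member"])
              for m in manifests if m["kind"] == "IAMPolicyMember"
              and m["spec"]["resourceRef"]["kind"] == "StorageBucket"}
    return buckets, grants, [m for m in manifests if m["kind"] == "Deployment"]


def check_workload(deploy, buckets, grants):
    findings, ns = [], deploy["metadata"]["namespace"]
    _, env = classify_namespace(ns)
    tmpl = deploy["spec"]["template"]
    ann = tmpl["metadata"].get("annotations", {})
    if ann.get("gke-gcsfuse/volumes") != "true":
        findings.append("missing gke-gcsfuse/volumes=true annotation")
    limit = parse_quantity(ann.get("gke-gcsfuse/ephemeral-storage-limit", "0"))
    ksa = tmpl["spec"].get("serviceAccountName", "default")
    member = f"serviceAccount:{WI_POOL}[{ns}/{ksa}]"   # Workload Identity principal of the pod
    for vol in tmpl["spec"].get("volumes", []):
        csi = vol.get("csi")
        if not csi or csi.get("driver") != GCSFUSE_DRIVER:
            continue
        attrs = csi.get("volumeAttributes", {})
        bucket = attrs.get("bucketName", "")
        cache = parse_quantity(attrs.get("fileCacheCapacity", "0"))
        if cache > limit:   # the file cache lives on ephemeral storage, so it must fit the limit
            findings.append(f"{vol['name']}: fileCacheCapacity exceeds ephemeral-storage limit")
        if env == "preview" and cache > parse_quantity(PREVIEW_MAX_CACHE):
            findings.append(f"{vol['name']}: cache above preview cap {PREVIEW_MAX_CACHE}")
        if (ns, bucket) not in buckets:
            findings.append(f"{vol['name']}: bucket {bucket!r} not declared via Config Connector in {ns}")
        if (bucket, "roles/storage.objectUser", member) not in grants:
            findings.append(f"{vol['name']}: {member} lacks roles/storage.objectUser on {bucket}")
    return findings


def audit(manifests):
    buckets, grants, workloads = index(manifests)
    return {f"{w['metadata']['namespace']}/{w['metadata']['name']}": check_workload(w, buckets, grants)
            for w in workloads}


def workload(ns, cache, limit):
    """Constructed Deployment with one gcsfuse volume (shape assumed, not the real chart output)."""
    return {"kind": "Deployment", "metadata": {"name": "retrotool", "namespace": ns},
            "spec": {"template": {
                "metadata": {"annotations": {"gke-gcsfuse/volumes": "true",
                                             "gke-gcsfuse/ephemeral-storage-limit": limit}},
                "spec": {"serviceAccountName": "retrotool",
                         "volumes": [{"name": "backgrounds", "csi": {
                             "driver": GCSFUSE_DRIVER,
                             "volumeAttributes": {"bucketName": f"{ns}-backgrounds",
                                                  "fileCacheCapacity": cache}}}]}}}}


def bucket_and_grant(ns):
    """Constructed Config Connector objects for one namespace's bucket."""
    name = f"{ns}-backgrounds"
    return [{"kind": "StorageBucket", "metadata": {"name": name, "namespace": ns}},
            {"kind": "IAMPolicyMember", "metadata": {"name": f"{name}-objectuser", "namespace": ns},
             "spec": {"member": f"serviceAccount:{WI_POOL}[{ns}/retrotool]",
                      "role": "roles/storage.objectUser",
                      "resourceRef": {"kind": "StorageBucket", "name": name}}}]


# Constructed input: a compliant preview and a dev workload whose cache is oversized
# and whose bucket was never declared.
SAMPLE_MANIFESTS = (bucket_and_grant("retrotool-pr-42")
                    + [workload("retrotool-pr-42", "256Mi", "1Gi"), workload("retrotool-dev", "5Gi", "1Gi")])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_MANIFESTS).items():
        print(name, "->", findings or "ok")
```

The check belongs in the pipeline between `helm template` and the Cloud Deploy release: a preview namespace that exceeds its cap, or a volume pointing at a bucket no Config Connector object owns, fails before the `{app}-cloud-deploy` account ever runs `kubectl apply`.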