# Instance Management
This document describes how Infrastream instances are provisioned, managed, and kept up to date. It covers the full lifecycle from initial onboarding to ongoing operations.
## What Is an Infrastream Instance?
An Infrastream instance is a fully deployed, self-contained installation of the Infrastream platform within your Google Cloud organization. Each instance includes:
- A dedicated GCP project with all required APIs enabled
- Cloud Run services — the Portal (web interface), the Runner (engine), and webhook processors
- A Spanner instance — for infrastructure state persistence
- An AI Agent — a Vertex AI Reasoning Engine for intelligent infrastructure assistance
- Networking — VPC, subnets, and Private Service Connect back to the Pvotal SaaS
- IAM — Service accounts with least-privilege permissions
## Onboarding: How an Instance Is Provisioned
The Infrastream Cloud Portal (Pvotal's SaaS control plane) automates the entire installation process. When your organization signs up, the onboarding flow provisions approximately 30 infrastructure components in a deterministic sequence.
### Prerequisites
Before onboarding, you need:
- A Google Cloud Organization with an active billing account
- An Organization Admin user who can grant the required IAM permissions
- A target region for resource deployment (e.g., `europe-west1`, `me-central1`)
### Installation Flow
The onboarding runs in two phases:
#### Phase 1: Discovery
The system first scans your GCP organization to detect any existing Infrastream components. This enables:
- Resume — Continuing a previously interrupted installation
- Upgrade — Detecting version mismatches and applying updates
- Audit — Verifying the health of all installed components
#### Phase 2: Provisioning
Each step in the installation flow implements a discover-or-create pattern: if the component already exists and is healthy, it's skipped; otherwise, it's created.
The provisioning sequence covers:
| Phase | Components |
|---|---|
| Foundation | GCP Folder, Security Tags, Organization Policies |
| Project | GCP Project, Billing Link, API Enablement |
| Identity | Service Account, IAM Bindings (org, folder, project levels) |
| Networking | VPC, Subnets, Firewall Rules, PSC Endpoint |
| Security | Artifact Registry, Binary Authorization Policy |
| AI Agent | Service Account, Permissions, Storage Bucket, Config Secret, Reasoning Engine |
| Data | Spanner Instance |
| Runtime | Cloud Run Services, Load Balancer, IAP Configuration |
| Onboarding | Rocketlane Project for customer success tracking |
The installation automatically applies security best practices: Binary Authorization ensures only signed container images can run, IAP (Identity-Aware Proxy) protects the web portal, and all inter-service communication uses OIDC tokens. No manual security configuration is required.
### Installation Status
The Cloud Portal tracks the overall health of your installation:
| Status | Meaning |
|---|---|
| Installed | All components are healthy and running the latest version |
| Out of Date | All components are healthy but a newer version is available |
| Partial | Some components are still being provisioned |
| Error | One or more components are in a failed state |
## The Procurement Link
Every Infrastream instance maintains a secure, private connection back to the Pvotal SaaS via Private Service Connect (PSC). This connection serves two purposes:
### 1. License & Feature Management
At the start of every engine run, the instance calls the SaaS to:
- Validate the license — Ensure the subscription is active
- Retrieve feature flags — Determine which addons and capabilities are enabled
If the SaaS is unreachable (network issue, maintenance), the engine continues operating with a freeze policy — existing infrastructure is preserved, but addon-dependent resources are not modified until connectivity is restored. The engine never blocks on procurement failures.
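The freeze policy described above, as an added example that is not Infrastream's own engine code: the procurement call is wrapped so that an unreachable SaaS yields "no answer" rather than an exception, and the run then applies core resources normally while leaving addon-dependent resources untouched. The `Resource`/`Procurement` types, the addon names and the "skip" handling for a disabled addon are assumptions of this example; only reachability and feature flags are modelled, not license state.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Procurement:
    features: FrozenSet[str]      # addons/capabilities the SaaS reports as enabled

@dataclass(frozen=True)
class Resource:
    name: str
    addon: Optional[str] = None   # addon this resource depends on, if any

def fetch_procurement(call_saas: Callable[[], Procurement]) -> Optional[Procurement]:
    """Call the SaaS once; any failure yields None so the run continues (never blocks)."""
    try:
        return call_saas()
    except Exception:             # network issue, maintenance, timeout: unreachable
        return None

def plan_actions(resources: List[Resource],
                 procurement: Optional[Procurement]) -> Dict[str, str]:
    """Decide what this engine run may do with each resource.
    apply  = reconcile as normal
    freeze = SaaS unreachable: leave the addon-dependent resource untouched
    skip   = SaaS reachable but the addon is not enabled (assumed handling)"""
    actions = {}
    for r in resources:
        if r.addon is None:
            actions[r.name] = "apply"
        elif procurement is None:
            actions[r.name] = "freeze"
        elif r.addon in procurement.features:
            actions[r.name] = "apply"
        else:
            actions[r.name] = "skip"
    return actions

# Constructed sample state: core networking plus two addon-backed resources.
SAMPLE_RESOURCES = [
    Resource("vpc-main"),
    Resource("gke-cluster", addon="kubernetes"),
    Resource("data-warehouse", addon="analytics"),
]

def unreachable() -> Procurement:
    raise ConnectionError("SaaS under maintenance")   # simulates the outage case

def engine_run(call_saas: Callable[[], Procurement]) -> Dict[str, str]:
    """Start of an engine run: fetch procurement, then plan under the freeze policy."""
    return plan_actions(SAMPLE_RESOURCES, fetch_procurement(call_saas))
```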
### 2. Error Reporting
When a resource fails to provision, the engine automatically forwards a structured error report to the SaaS. This enables:
- Proactive support — Pvotal engineers can identify and resolve issues before you report them
- Pattern detection — Aggregating errors across instances helps identify systemic issues
- AI-assisted remediation — The Engineering Squad agents can propose fixes automatically
All communication between your instance and the Pvotal SaaS travels over Private Service Connect — a private networking link that never touches the public internet. Your infrastructure data never leaves your GCP project.
## Upgrades
When a new version of Infrastream is released, the Cloud Portal detects the version mismatch and marks your instance as Out of Date. Upgrades are initiated through the Cloud Portal UI:
- The target version is set from the latest release
- Container image digests are resolved against the new version
- Cloud Run services are redeployed with the updated images
- The AI Agent is redeployed with the latest model and configuration
- The installation status is rechecked to confirm all components are healthy
Upgrades follow the same discover-or-create pattern as initial installation — only components that need updating are touched.
## Tracked Components
The Cloud Portal continuously monitors the following component types for each installation:
| Component | What It Tracks |
|---|---|
| Folder | GCP folder name, display name, state, IAM bindings |
| Project | GCP project ID, display name, state, IAM bindings |
| Service Account | Email, display name, unique ID |
| Cloud Run Services | Service name, URL, status, status message |
| IAP | Service agent, readiness status |
| AI Agent | Reasoning Engine name, service account |
| Spanner | Instance name, project ID |
| Rocketlane | Project ID, name, status |
Each component reports a health status (READY, PENDING, FAILED, ERROR) that contributes to the overall installation status.
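The discover-or-create step from Phase 2 and the roll-up from component health into the Installation Status table, as one added example that is not Infrastream's or the Cloud Portal's own code. It uses the health values listed above; per-component version tracking, the precedence between Error, Partial and Out of Date, and the constructed resume scenario in `demo()` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Component health values listed under Tracked Components.
HEALTHY, PENDING, FAILED, ERROR = "READY", "PENDING", "FAILED", "ERROR"

@dataclass
class Component:
    name: str
    health: str      # READY, PENDING, FAILED or ERROR
    version: str     # per-component version tracking is an assumption of this example

def discover_or_create(discover: Callable[[], Optional[Component]],
                       create: Callable[[], Component]) -> Component:
    """One installation step: reuse an existing healthy component, else create it."""
    existing = discover()
    if existing is not None and existing.health == HEALTHY:
        return existing          # skipped: already present and healthy
    return create()              # missing or unhealthy: (re)create it

def installation_status(components: List[Component], latest: str) -> str:
    """Map component health to the Cloud Portal's installation status.
    Precedence (Error, then Partial, then Out of Date) is an assumption here."""
    healths = {c.health for c in components}
    if healths & {FAILED, ERROR}:
        return "Error"
    if PENDING in healths:
        return "Partial"
    if any(c.version != latest for c in components):
        return "Out of Date"
    return "Installed"

def run_install(steps: dict, latest: str):
    """Run the steps in dict (insertion) order, then compute the overall status."""
    components = [discover_or_create(disc, make) for disc, make in steps.values()]
    return components, installation_status(components, latest)

def demo():
    """Constructed resume scenario: Project exists and is healthy, Spanner was left FAILED."""
    steps = {
        "Project": (lambda: Component("Project", HEALTHY, "1.4"),
                    lambda: Component("Project", HEALTHY, "1.5")),
        "Spanner": (lambda: Component("Spanner", FAILED, "1.4"),
                    lambda: Component("Spanner", HEALTHY, "1.5")),
    }
    return run_install(steps, latest="1.5")
```

In the scenario the healthy Project is left as found and only the failed Spanner is recreated, so the resumed install ends healthy but marked Out of Date, which is exactly the state an upgrade run would then clear by touching only the Project.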