Kubernetes
Defines the high-level intent for a managed Kubernetes cluster.
Provides a simplified interface for defining a cluster's region, maintenance window, and node pools. The platform handles the underlying complexity of VPC peering, control plane master authorized networks, and IAM role bindings for workload identity.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | Spec | |
ApplicationsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedApplication | |
ServiceAccountsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedIamServiceAccount | |
Spec
Contains the user-defined configuration for the GKE cluster. Encapsulates regional placement and lifecycle maintenance window settings for the cluster.
| Property | Type | Description |
|---|---|---|
| description | string | This description is optional, but it drastically improves the AI assistant's understanding of the structural elements of the organization. |
| region | string | The GCP region where the GKE cluster will be created. If not specified, it inherits the region from its parent Environment. |
| maintenance | Maintenance | Defines the maintenance window for the GKE cluster. If not specified, it inherits the maintenance window from its parent Environment. |
ComputedIamServiceAccount
Represents a computed Google Cloud Service Account and its binding state.
Holds the resolved state for google_service_account resources, driving the creation of IAM bindings and establishing Kubernetes Workload Identity bindings (k8s_name).
| Property | Type | Description |
|---|---|---|
| name | string | The name of the Google Cloud Service Account. This is typically composed from the name of the corresponding 'Application' manifest. |
| create | bool | A boolean indicating whether the platform should create this service account. This is usually true unless the application is configured to use a pre-existing service account. |
| roles | ComputedIamServiceAccountPermissions | This block contains the final, resolved list of IAM roles granted to the service account, derived from the 'accessControl' block of the corresponding 'Application' manifest. |
| k8sName | string | The name of the corresponding Kubernetes Service Account that is bound to the Google Cloud Service Account. This is relevant for applications deployed to GKE. |
| k8sNamespace | string | The Kubernetes namespace where the Kubernetes Service Account is created. |
ComputedApplication
Represents a fully computed application deployment configuration.
Collates mesh strategy, pre-flight migration requirements, and the container image layout required by the execution engine to provision the underlying Cloud Run service or K8s Deployment.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the application. |
| meshStrategy | string | The service mesh strategy used by the application (e.g., SIDECAR, PROXYLESS). |
| container | ComputedContainerDefinition | The computed definition for the application's container, including image URL, environment variables, and resource requests. |
| runMigrationJob | bool | Indicates whether a database migration job should be run before deploying the application. |
Maintenance
Defines the recurring weekly maintenance window and any explicit exclusions for resource upgrades.
Translates into maintenance_policy blocks on GCP resources like google_container_cluster (GKE) and google_sql_database_instance (Cloud SQL), dictating when Google Cloud can perform infrastructure upgrades.
| Property | Type | Description |
|---|---|---|
| start | string | The start time for the recurring weekly maintenance window, provided in RFC3339 format. The time-of-day and day-of-week are used to establish the schedule. This is used to configure the 'maintenance_policy' on resources like 'google_container_cluster' and 'google_sql_database_instance'. Format: RFC3339. |
| end | string | The end time for the recurring weekly maintenance window, provided in RFC3339 format. This defines the duration of the maintenance window for applicable GCP resources. Format: RFC3339. |
| exclusions | list of MaintenanceExclusion | A list of specific, non-recurring time windows during which maintenance should not occur, even if it falls within the recurring weekly window. Use this to prevent updates during business-critical periods. Creates 'maintenance_exclusion' blocks on applicable GCP resources. |
ComputedIamServiceAccountPermissions
Represents computed IAM role aggregations for a service account.
Derived from the accessControl blocks to determine the precise list of IAM roles the application's service account requires across scopes (organization, project, Artifact Registry).
| Property | Type | Description |
|---|---|---|
| organization | list of string | A list of computed IAM roles granted to the service account at the GCP Organization level. |
| project | list of string | A list of computed IAM roles granted to the service account at the GCP Project level. |
| artifactRegistry | list of string | A list of computed IAM roles granted to the service account for accessing specific Artifact Registry repositories. |
ComputedContainerDefinition
Represents the fully resolved container image deployment source.
Fuses the registry's geographical footprint with a specific container build to provide the absolute URL for the deployment API (e.g., Cloud Run or GKE).
| Property | Type | Description |
|---|---|---|
| sourceRegistry | ComputedAccessibleRegistry | The registry where the container image is stored. |
| image | string | The full URL of the container image, including the registry and repository path. |
MaintenanceExclusion
Defines a specific, non-recurring time window where platform maintenance should not occur.
Translates into maintenance_exclusion blocks on underlying GCP resources, overriding regular weekly maintenance windows during critical business periods.
| Property | Type | Description |
|---|---|---|
| name | string | A unique name to identify the reason for this exclusion (e.g., 'black-friday-freeze'). |
| start | string | The start date and time for a specific, non-recurring exclusion from the maintenance window. Format: RFC3339. |
| end | string | The end date and time for the non-recurring exclusion window. Format: RFC3339. |
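The Maintenance and MaintenanceExclusion schemas above describe a recurring weekly window (only the time-of-day and day-of-week of start/end matter) that an exclusion can override. The following Python is an added illustration, not part of this page or the platform's own code: it parses the RFC3339 fields, validates them, and answers whether maintenance may run at a given instant. The dataclasses, the sample values (a Saturday 02:00 to 06:00 UTC window and a 'black-friday-freeze' exclusion) and the helper names are constructed here for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


# Constructed mirrors of the page's Maintenance / MaintenanceExclusion schemas.
@dataclass
class MaintenanceExclusion:
    name: str
    start: datetime  # parsed from an RFC3339 string
    end: datetime


@dataclass
class Maintenance:
    start: datetime  # only time-of-day and day-of-week are significant
    end: datetime    # start..end defines the window's duration
    exclusions: list[MaintenanceExclusion] = field(default_factory=list)


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC3339 timestamp into an aware UTC datetime.

    datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11,
    so the 'Z' is normalised to '+00:00' first. Naive timestamps are rejected
    because a window without an offset is ambiguous across regions.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value}")
    return dt.astimezone(timezone.utc)


def validate(m: Maintenance) -> None:
    """Reject windows that cannot be expressed as a weekly recurrence."""
    duration = m.end - m.start
    if duration <= timedelta(0):
        raise ValueError("maintenance end must be after start")
    if duration > timedelta(days=7):
        raise ValueError("a weekly window cannot be longer than seven days")
    for ex in m.exclusions:
        if ex.end <= ex.start:
            raise ValueError(f"exclusion {ex.name!r}: end must be after start")


def in_weekly_window(m: Maintenance, t: datetime) -> bool:
    """Project the recurring window onto the week containing t (UTC)."""
    t = t.astimezone(timezone.utc)
    week_start = (t - timedelta(days=t.weekday())).replace(
        hour=0, minute=0, second=0, microsecond=0)
    offset = t - week_start                      # position of t in its week
    start_offset = timedelta(days=m.start.weekday(),
                             hours=m.start.hour, minutes=m.start.minute)
    duration = m.end - m.start
    # A window starting late on Sunday may wrap into the next week, so also
    # test the occurrence anchored in the previous week.
    for weeks_back in (0, -1):
        begin = start_offset + timedelta(weeks=weeks_back)
        if begin <= offset < begin + duration:
            return True
    return False


def maintenance_allowed(m: Maintenance, t: datetime) -> tuple[bool, str]:
    """True if t is inside the weekly window and not covered by an exclusion."""
    if not in_weekly_window(m, t):
        return False, "outside recurring window"
    for ex in m.exclusions:                      # exclusions win over the window
        if ex.start <= t.astimezone(timezone.utc) < ex.end:
            return False, f"excluded by {ex.name}"
    return True, "inside recurring window"


def sample_window() -> Maintenance:
    """Constructed sample: Saturdays 02:00-06:00 UTC, frozen over Black Friday."""
    m = Maintenance(
        start=parse_rfc3339("2024-01-06T02:00:00Z"),   # a Saturday
        end=parse_rfc3339("2024-01-06T06:00:00Z"),
        exclusions=[MaintenanceExclusion(
            name="black-friday-freeze",
            start=parse_rfc3339("2024-11-28T00:00:00Z"),
            end=parse_rfc3339("2024-12-02T00:00:00Z"))],
    )
    validate(m)
    return m


if __name__ == "__main__":
    m = sample_window()
    for ts in ("2024-03-16T03:00:00Z", "2024-03-16T07:00:00Z",
               "2024-03-17T03:00:00Z", "2024-11-30T03:00:00Z"):
        print(ts, maintenance_allowed(m, parse_rfc3339(ts)))
```

The check converts everything to UTC before comparing, so a window declared with a non-UTC offset still lands on the intended day; the wrap-around branch matters for windows that start late on Sunday (weekday 6) and spill into Monday.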
ComputedAccessibleRegistry
Represents a computed Artifact Registry resource accessible by deployments.
Tracks the registry location and name needed to perform container image path resolution.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the artifact registry. |
| location | string | The GCP region or multi-region where the registry is located. |
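The ComputedIamServiceAccount, ComputedIamServiceAccountPermissions and ComputedAccessibleRegistry schemas above together describe the bindings the platform derives for an application: IAM roles at organization, project and Artifact Registry scope, plus the Workload Identity link from a Kubernetes Service Account to the Google Cloud Service Account. The following Python is an added example, not the platform's own code: it expands one computed service account into the concrete (resource, role, member) triples and flags over-broad grants before they are applied. The Workload Identity principal format, the iam.gke.io/gcp-service-account annotation and the roles/iam.workloadIdentityUser role are real GCP conventions; the project id, organization id and sample application are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Primitive (basic) roles grant far more than any single workload needs;
# a resolver should refuse them rather than bind them.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


# Constructed mirrors of the page's schemas.
@dataclass
class ComputedAccessibleRegistry:
    name: str
    location: str


@dataclass
class ComputedIamServiceAccountPermissions:
    organization: list[str] = field(default_factory=list)
    project: list[str] = field(default_factory=list)
    artifactRegistry: list[str] = field(default_factory=list)


@dataclass
class ComputedIamServiceAccount:
    name: str
    create: bool
    roles: ComputedIamServiceAccountPermissions
    k8sName: str
    k8sNamespace: str


def gsa_email(sa: ComputedIamServiceAccount, project_id: str) -> str:
    return f"{sa.name}@{project_id}.iam.gserviceaccount.com"


def workload_identity_member(sa: ComputedIamServiceAccount, project_id: str) -> str:
    """Principal GKE presents for the KSA under Workload Identity (GCP format)."""
    return f"serviceAccount:{project_id}.svc.id.goog[{sa.k8sNamespace}/{sa.k8sName}]"


def ksa_annotation(sa: ComputedIamServiceAccount, project_id: str) -> dict[str, str]:
    """Annotation the Kubernetes Service Account must carry to map onto the GSA."""
    return {"iam.gke.io/gcp-service-account": gsa_email(sa, project_id)}


def expand_bindings(sa: ComputedIamServiceAccount, project_id: str, org_id: str,
                    registries: list[ComputedAccessibleRegistry]
                    ) -> list[tuple[str, str, str]]:
    """Return (resource, role, member) triples implied by the computed roles."""
    gsa = f"serviceAccount:{gsa_email(sa, project_id)}"
    out: list[tuple[str, str, str]] = []
    for role in sa.roles.organization:
        out.append((f"organizations/{org_id}", role, gsa))
    for role in sa.roles.project:
        out.append((f"projects/{project_id}", role, gsa))
    for reg in registries:
        repo = f"projects/{project_id}/locations/{reg.location}/repositories/{reg.name}"
        for role in sa.roles.artifactRegistry:
            out.append((repo, role, gsa))
    # The binding on the GSA itself that lets the KSA impersonate it.
    out.append((f"projects/{project_id}/serviceAccounts/{gsa_email(sa, project_id)}",
                "roles/iam.workloadIdentityUser",
                workload_identity_member(sa, project_id)))
    return out


def audit(sa: ComputedIamServiceAccount) -> list[str]:
    """Least-privilege findings a reviewer would want before bindings are applied."""
    findings = []
    for scope, roles in (("organization", sa.roles.organization),
                         ("project", sa.roles.project)):
        for role in roles:
            if role in PRIMITIVE_ROLES:
                findings.append(f"primitive role {role} at {scope} scope")
    if sa.roles.organization:
        findings.append("organization-scoped roles affect every project in the org")
    return findings


def sample_account() -> ComputedIamServiceAccount:
    """Constructed sample application: a payments API on GKE."""
    return ComputedIamServiceAccount(
        name="payments-api", create=True,
        roles=ComputedIamServiceAccountPermissions(
            project=["roles/editor", "roles/cloudsql.client"],
            artifactRegistry=["roles/artifactregistry.reader"]),
        k8sName="payments-api", k8sNamespace="payments")


if __name__ == "__main__":
    sa = sample_account()
    regs = [ComputedAccessibleRegistry(name="apps", location="europe-west1")]
    for b in expand_bindings(sa, "demo-project", "123456789012", regs):  # placeholders
        print(b)
    print(audit(sa))
```

Running the sample reports roles/editor at project scope as a finding: the page's resolver derives roles from the application's accessControl block, and this is the point at which a platform team can reject grants that are broader than the workload's declared needs.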