GKE Staging Implementation Summary

​

Overview

​

What Was Implemented

​

1. Infrastructure Setup Script

• ✅ Staging VPC network (10.1.0.0/20) with flow logs
• ✅ GKE Autopilot cluster with security hardening
  • Private nodes
  • Shielded nodes with secure boot
  • Binary Authorization enabled
  • Workload Identity enabled
• ✅ Cloud SQL PostgreSQL (db-custom-1-4096, private IP)
• ✅ Memorystore Redis (2GB standard tier, private IP)
• ✅ GCP Service Account for staging (mcp-staging-sa)
• ✅ Workload Identity Federation for GitHub Actions (keyless)
• ✅ Artifact Registry repository for Docker images
• ✅ Secret Manager secrets (with placeholders for API keys)

• Network isolation from production
• No service account keys (Workload Identity only)
• Private IP for all managed services
• Audit logging enabled
• Least privilege IAM roles

​

2. Kubernetes Manifests

1. kustomization.yaml - Main overlay configuration
2. namespace.yaml - mcp-staging namespace
3. deployment-patch.yaml - Application deployment with:
   • Cloud SQL Proxy sidecar
   • Security contexts (non-root, drop capabilities)
   • Health probes (readiness, liveness)
   • Resource limits
   • Workload Identity annotation
4. configmap-patch.yaml - Staging-specific configuration
5. serviceaccount-patch.yaml - Workload Identity binding
6. network-policy.yaml - Network security policies:
   • Default deny ingress
   • Restricted egress (LLM APIs, Cloud SQL, Redis only)
   • Pod-to-pod restrictions
   • Metadata service blocked
7. external-secrets.yaml - Secret Manager integration
8. otel-collector-config.yaml - GCP Cloud Logging/Monitoring

​

3. GitHub Actions Workflow

• ✅ Workload Identity Federation (no keys!)
• ✅ Build and push to Artifact Registry
• ✅ Deploy to GKE
• ✅ Smoke tests
• ✅ Security validation
• ✅ Performance checks
• ✅ Automatic rollback on failure
• ✅ GitHub Environment protection (approval gates)

1. Build Docker image
2. Push to Artifact Registry
3. Deploy to GKE staging
4. Wait for rollout
5. Run smoke tests
6. Validate security
7. Check Cloud Logging
8. Rollback on any failure

​

4. Smoke Tests

1. Health endpoint responds
2. Readiness endpoint responds
3. Liveness endpoint responds
4. Authentication endpoint exists
5. MCP tools endpoint responds
6. Response time acceptable (<1s)
7. Deployment is ready
8. All pods running
9. Low restart count
10. Cloud SQL proxy running
11. External Secrets synced

​

5. Documentation

1. docs/deployment/kubernetes/gke-staging.mdx - Complete deployment guide
   • Architecture diagram
   • Step-by-step setup
   • Security features
   • Monitoring & troubleshooting
   • Cost optimization tips
2. docs/security/gke-staging-checklist.md - Security verification checklist
   • ~80 security checks
   • Verification commands
   • Compliance tracking
   • Scoring system
3. README.md - Updated with GKE staging section

​

Security Best Practices Implemented

​

Network Security

• ✅ Separate VPC from production
• ✅ Private GKE nodes (no public IPs)
• ✅ Network policies (default deny + allow list)
• ✅ VPC flow logs enabled
• ✅ Metadata service blocked (169.254.169.254)

​

Identity & Access

• ✅ Workload Identity (no service account keys)
• ✅ GitHub Workload Identity Federation (keyless CI/CD)
• ✅ Least privilege IAM roles
• ✅ Service account per component

​

Data Protection

• ✅ Secret Manager for all secrets
• ✅ External Secrets Operator (Kubernetes sync)
• ✅ Encrypted at rest (GKE default)
• ✅ Private IP for Cloud SQL and Redis
• ✅ TLS for all connections

​

Container Security

• ✅ Distroless base images
• ✅ Run as non-root
• ✅ Drop all capabilities
• ✅ Read-only root filesystem (where possible)
• ✅ Security contexts enforced
• ✅ Binary Authorization (signed images only)

​

Observability

• ✅ Cloud Logging integration
• ✅ Cloud Monitoring metrics
• ✅ Cloud Trace distributed tracing
• ✅ Structured JSON logs
• ✅ OpenTelemetry collector

​

Deployment Security

• ✅ GitHub Environment protection rules
• ✅ Approval gates (1 reviewer + 5min wait)
• ✅ Automated smoke tests
• ✅ Automatic rollback on failure
• ✅ Deployment audit trail

​

Cost Estimate

​

Deployment Workflow

​

First-Time Setup (Manual)

1. Run infrastructure setup:
   Copy

   Ask AI

   export GCP_PROJECT_ID=vishnu-sandbox-20250310
   ./scripts/gcp/setup-staging-infrastructure.sh
   

2. Update API keys:
   Copy

   Ask AI

   echo -n "sk-ant-YOUR_KEY" | gcloud secrets versions add staging-anthropic-api-key --data-file=-
   echo -n "YOUR_KEY" | gcloud secrets versions add staging-google-api-key --data-file=-
   

3. Install External Secrets Operator:
   Copy

   Ask AI

   helm repo add external-secrets https://charts.external-secrets.io
   helm install external-secrets external-secrets/external-secrets \
     --namespace external-secrets-system \
     --create-namespace
   

4. Deploy application:
   Copy

   Ask AI

   gcloud container clusters get-credentials staging-mcp-server-langgraph-gke --region=us-central1
   kubectl apply -k deployments/overlays/staging-gke
   

5. Run smoke tests:
   Copy

   Ask AI

   ./scripts/gcp/staging-smoke-tests.sh
   

​

GitHub Actions Setup

1. Create GitHub Environment:
   • Go to Settings → Environments → New environment
   • Name: staging
   • Protection rules:
     • Required reviewers: 1
     • Wait timer: 5 minutes
2. Update workflow:
   • Get project number: gcloud projects describe vishnu-sandbox-20250310 --format="value(projectNumber)"
   • Replace PROJECT_NUMBER in .github/workflows/deploy-staging-gke.yaml
3. Trigger deployment:
   • Push to main branch
   • Create pre-release
   • Manual workflow dispatch

​

Automated Deployments

1. Developer pushes to main
2. GitHub Actions:
   • Builds Docker image
   • Pushes to Artifact Registry
   • Requests deployment approval
3. Reviewer approves deployment (or auto-approves after 5min)
4. GitHub Actions:
   • Deploys to GKE
   • Runs smoke tests
   • Validates security
   • Checks Cloud Logging
5. Success or auto-rollback

​

Monitoring & Observability

​

Cloud Console Dashboards

• GKE Workloads
• Cloud Logging
• Cloud Monitoring
• Cloud Trace

​

View Logs

## Cloud Logging
gcloud logging read \
  "resource.type=k8s_container
   resource.labels.cluster_name=staging-mcp-server-langgraph-gke
   resource.labels.namespace_name=mcp-staging" \
  --limit=50

## Kubectl
kubectl logs -n staging-mcp-server-langgraph -l app=mcp-server-langgraph --tail=100

​

Metrics

• kubernetes.io/container/cpu/core_usage_time
• kubernetes.io/container/memory/used_bytes
• kubernetes.io/pod/network/received_bytes_count
• custom.googleapis.com/mcp-staging/* (application metrics)

​

Security Validation

## Review docs/security/gke-staging-checklist.md
## Execute verification commands
## Track completion (~80 checks total)

​

Troubleshooting

​

Common Issues

1. Pods not starting:
   Copy

   Ask AI

   kubectl describe pod <pod-name> -n staging-mcp-server-langgraph
   kubectl logs <pod-name> -n staging-mcp-server-langgraph
   

2. External Secrets not syncing:
   Copy

   Ask AI

   kubectl describe externalsecret mcp-staging-secrets -n staging-mcp-server-langgraph
   

3. Cloud SQL connection fails:
   Copy

   Ask AI

   kubectl logs <pod-name> -n staging-mcp-server-langgraph -c cloud-sql-proxy
   

4. Network policies blocking traffic:
   Copy

   Ask AI

   kubectl get networkpolicies -n staging-mcp-server-langgraph
   # Temporarily delete to test
   

​

Rollback Procedures

​

Manual Rollback

kubectl rollout undo deployment/staging-mcp-server-langgraph -n staging-mcp-server-langgraph
kubectl rollout status deployment/staging-mcp-server-langgraph -n staging-mcp-server-langgraph

​

Automatic Rollback

• Deployment failure
• Smoke test failure
• Security validation failure
• Performance degradation

​

Next Steps

​

Immediate

1. ✅ Run infrastructure setup script
2. ✅ Update API keys in Secret Manager
3. ✅ Install External Secrets Operator
4. ✅ Deploy application
5. ✅ Run smoke tests
6. ✅ Configure GitHub Environment
7. ✅ Test automated deployment

​

Future

• Set up Cloud Monitoring alerts
• Create Grafana dashboards
• Configure log-based metrics
• Set up uptime checks
• Implement SLOs/SLIs
• Schedule security audits

​

Files Created

​

Scripts

• scripts/gcp/setup-staging-infrastructure.sh (infrastructure automation)
• scripts/gcp/staging-smoke-tests.sh (deployment validation)

​

Kubernetes Manifests

• deployments/overlays/staging-gke/kustomization.yaml
• deployments/overlays/staging-gke/namespace.yaml
• deployments/overlays/staging-gke/deployment-patch.yaml
• deployments/overlays/staging-gke/configmap-patch.yaml
• deployments/overlays/staging-gke/serviceaccount-patch.yaml
• deployments/overlays/staging-gke/network-policy.yaml
• deployments/overlays/staging-gke/external-secrets.yaml
• deployments/overlays/staging-gke/otel-collector-config.yaml

​

CI/CD

• .github/workflows/deploy-staging-gke.yaml (deployment workflow)

​

Documentation

• docs/deployment/kubernetes/gke-staging.mdx (deployment guide)
• docs/security/gke-staging-checklist.md (security checklist)
• docs/deployment/GKE_STAGING_IMPLEMENTATION_SUMMARY.md (this file)

​

Updates

• README.md (added GKE staging section)

​

Estimated Implementation Time

• Infrastructure setup: 30-45 minutes (mostly automated)
• GitHub configuration: 15 minutes
• First deployment: 15 minutes
• Testing & validation: 30 minutes
• Total: ~2 hours for complete setup

​

Success Criteria

• ✅ Infrastructure created successfully
• ✅ All 11 smoke tests pass
• ✅ Security checklist 90%+ complete
• ✅ Cloud Logging receiving logs
• ✅ Automated deployment from GitHub Actions works
• ✅ Rollback tested and working
• ✅ Documentation complete