GKE Burst Baseline (HyOps Blueprint)

• Purpose: Build the first cloud burst baseline on GKE with GitOps and cloud-native secret delivery.
• Trigger: A controlled burst lane is required for public workload rollout, validation, or future decision-driven scale-out.
• Impact: Provisions the cluster, publishes kubeconfig, installs Argo CD-managed workloads from clusters/burst, and bootstraps a Workload Identity-backed ClusterSecretStore.
• Severity: P1
• Rollback strategy: Destroy in reverse order, beginning with the GitOps/secret-store layers and then the cluster infrastructure.

Context

Blueprint ref: gcp/gke-burst@v1

Current validated burst baseline:

• cluster substrate: platform/gcp/gke-cluster
• kubeconfig publication: platform/gcp/gke-kubeconfig
• GitOps root: platform/k8s/argocd-bootstrap#gke_burst_gitops
• cloud-native secret-store: platform/k8s/gcp-secret-store
• public workload target: clusters/burst

The current public burst target is intentionally narrow:

• smoke/guestbook
• platform/external-secrets

platform/secret-stores is not carried in Git for the burst target. It is created by core through the platform/k8s/gcp-secret-store module.

Private burst extensions should stay separate from this public baseline:

• keep gke_burst_gitops on the public workloads repo
• use a separate platform/k8s/argocd-bootstrap instance for private targets
• use repo_access_mode=ssh with a vault-backed deploy key for private repos
• bridge private runtime payloads through platform/k8s/runtime-bundle-secret

Preconditions

• GCP init is complete for the target environment
• controller has gcloud, kubectl, and gke-gcloud-auth-plugin
• target project billing and required APIs are active for ongoing GKE and Secret Manager operations
• target project has sufficient quota for the current starter profile
• public workloads repo is reachable at the pinned revision in the blueprint inputs
• the workstation or runner executing kubeconfig/bootstrap steps can reach the GKE control-plane endpoint
• env overlays that replay this blueprint must preserve the cluster naming context inputs: name_prefix, context_id, project_state_ref, region, and location

Execute

hyops blueprint deploy --env dev \
  --ref gcp/gke-burst@v1 \
  --execute

Step flow

#	Step ID	Module	Phase
1	gke_burst_cluster	platform/gcp/gke-cluster	bootstrap
2	gke_burst_kubeconfig	platform/gcp/gke-kubeconfig	bootstrap
3	gke_burst_gitops	platform/k8s/argocd-bootstrap	operations
4	gke_burst_secret_store	platform/k8s/gcp-secret-store	operations

Verification

Check applications:

KUBECONFIG="$HOME/.hybridops/envs/dev/state/kubeconfigs/gke-burst.yaml" \
kubectl get applications.argoproj.io -n argocd \
  -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,HEALTH:.status.health.status,REVISION:.status.sync.revision

Expected current result:

• hyops-workloads-root → Synced Healthy
• platform-external-secrets → Synced Healthy
• smoke-guestbook → Synced Healthy

Check the cluster secret store:

KUBECONFIG="$HOME/.hybridops/envs/dev/state/kubeconfigs/gke-burst.yaml" \
kubectl get clustersecretstore gcp-secret-manager -o yaml

Success indicators:

• blueprint summary ends with status=ok
• the root app revision matches the pinned public workloads commit
• cap.k8s.gcp-secret-store = ready
• ClusterSecretStore/gcp-secret-manager is Ready=True

Live lane verification

Use these checks when you need the current burst lane truth rather than the original deployment proof:

hyops show module platform/k8s/argocd-bootstrap#gke_burst_gitops --env dev

KUBECONFIG="$HOME/.hybridops/envs/dev/state/kubeconfigs/gke-burst.yaml" \
kubectl -n showcase-burst get ingress,deploy,pods

curl -fsS https://burst.hybridops.tech/__burst/status \
  | jq '{status,desired,burst_weight_pct,route_ready}'

Expected current signals:

• the GitOps root is status=ok
• the showcase-burst deployment is healthy
• the public burst status endpoint reports status=live-ok

For the observability and decision-control surfaces behind this lane, use the edge control-plane runbook:

• Deploy Edge Control Plane (HyOps Blueprint)

Notes

• This baseline proves cluster bring-up, public-workload GitOps handoff, and cloud-native secret delivery.
• platform/gcp/gke-kubeconfig now fails early if the cluster project is billing-blocked or if the public control-plane endpoint is not reachable from the current execution surface.
• Do not strip the naming-context inputs from env overlays when replaying this blueprint. platform/gcp/gke-cluster composes the real cluster identity from name_prefix + context_id + cluster_name. If name_prefix or context_id drop to empty values, Terraform will plan a cluster replacement instead of reconciling the existing burst lane.
• It does not yet establish the full burst application surface or a decision-service automation loop.
• The next layer is workload expansion. Private runtime payloads should be bridged into the cluster through platform/k8s/runtime-bundle-secret, not by pushing that logic into the public workloads repo.

References

• Module – GCP secret store lifecycle
• Module – Runtime bundle secret lifecycle
• Blueprint – RKE2 + workloads
• Reference Scenario – RKE2 HA Platform Foundation