
Google Cloud Deployment Architecture

Reference architecture — same app, GCP-native platform layer

Customer identity + BrainzBytes infrastructure, zero API keys, Workload Identity Federation everywhere. The identical ContextWeaver containers deploy on GKE with Google Cloud services.

Customer Identity
  Google Identity Platform
    Cloud Identity / Google Workspace, or an external OIDC provider (Okta, Auth0)
    Centralized user directory
  OAuth 2.0 Client
    Google Cloud Console credentials
    OIDC authorization code flow
    Consent screen + scopes
  Token Configuration
    OIDC tokens with custom claims
    Groups + roles via directory sync
    Callback: /oidc/callback

🔒 OIDC JWT token — the ONLY thing crossing the boundary between the customer's identity provider and the BrainzBytes platform
BrainzBytes Platform (GCP Project)
  Region: us-central1
  GKE Cluster: 3 nodes, e2-standard-2
  Ingress Layer
    Cloud Load Balancer
    Cloud Armor (WAF) protection
    Google-managed SSL certificate
  Istio on GKE (Managed)
    Anthos Service Mesh or open-source Istio
    mTLS for all pod-to-pod traffic
  default namespace (Istio injected)
    cerebro-app 2/2: app + istio-proxy
    KSA -> Workload Identity -> GSA (IAM)
    Zero secrets in pod
  mcp1 namespace (Istio injected)
    mcp1 engine 2/2: engine + istio-proxy
    KSA -> Workload Identity -> GSA (IAM)
    4 plugins: email (13 tools), github (6), payments (10), travel (4)
  Workload Identity Federation
    GKE Workload Identity binds Kubernetes ServiceAccounts (KSA) to Google Service Accounts (GSA); pods authenticate as their GSA automatically; zero secrets in pods
    IAM roles granted to the GSAs: Secret Manager Accessor, Vertex AI User, Datastore User, Artifact Registry Reader, Service Account Token Creator
  GCP Services (all accessed via Workload Identity, zero keys)
    Artifact Registry: container image repository; 2 container images; pulled via Workload Identity
    Secret Manager: connector secrets; IAM-based access control; automatic rotation support
    Vertex AI: Gemini / PaLM models (or Cloud AI endpoints); Vertex AI User IAM role
    Cloud Search / Elasticsearch: Elasticsearch on GCE (or Vertex AI Vector Search); vector embeddings for RAG
    Firestore (or Cloud Spanner, global): document database; Datastore User IAM role
  External Services (credentials held in Secret Manager): Stripe API, Gmail / Calendar, GitHub API

Customer Isolation on GCP

Every customer gets dedicated GCP resources on a shared GKE cluster — complete separation at every layer.

Per-Customer Resources
🔒 Secret Manager — dedicated secrets per customer
💾 Firestore — separate database per customer
🔍 Search — separate search index per customer
👤 Workload Identity — per-customer GCP SA bound to K8s SA, scoped to only its own resources
Isolation Controls
🌐 GKE Namespace — each customer in its own namespace with NetworkPolicy
🛡️ Istio mTLS (Managed) — strict mutual TLS per namespace
🚦 Cloud Load Balancer — routes by hostname to correct namespace
🔑 IAM Bindings — each Workload Identity only has roles on its own resources
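The Workload Identity Federation and per-customer IAM binding steps above, as an added example that is not part of this architecture page or the BrainzBytes deployment tooling. The project id, customer name, namespace, KSA name, secret name and repository name are placeholders; the script runs in dry-run mode by default and only prints the gcloud/kubectl commands it would issue.

```shell
#!/bin/sh
# Added example, not from the reference architecture page. Wires one customer's
# Kubernetes ServiceAccount (KSA) to a dedicated Google Service Account (GSA) via
# GKE Workload Identity and grants that GSA roles only on the customer's own
# resources. Project id, customer, namespace, KSA, secret and repo names are
# placeholders (assumptions). DRY_RUN is set by default: commands are printed only.
set -eu

# Print the command in dry-run mode, execute it otherwise.
run() { if [ -n "${DRY_RUN-1}" ]; then echo "+ $*"; else "$@"; fi; }

# $1=project $2=gsa-name -> e-mail address of the GSA
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"; }

# $1=project $2=namespace $3=ksa -> IAM member that Workload Identity presents for the KSA
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

# $1=namespace $2=ksa $3=gsa-email -> KSA manifest. The annotation is the only
# pod-to-GSA link, so no key file is ever mounted into the pod.
ksa_manifest() {
  printf 'apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: %s\n  namespace: %s\n' "$2" "$1"
  printf '  annotations:\n    iam.gke.io/gcp-service-account: %s\n' "$3"
}

# $1=project $2=customer: dedicated GSA, impersonable only from the customer's
# namespace/KSA pair, with secret access bound on the customer's own secret
# rather than project-wide.
bind_customer() {
  project=$1; customer=$2
  ns="cust-$customer"; ksa="cerebro-app"; gsa="cw-$customer"
  email=$(gsa_email "$project" "$gsa")
  run gcloud iam service-accounts create "$gsa" --project "$project"
  run gcloud iam service-accounts add-iam-policy-binding "$email" --project "$project" \
    --role roles/iam.workloadIdentityUser --member "$(wi_member "$project" "$ns" "$ksa")"
  run gcloud secrets add-iam-policy-binding "connectors-$customer" --project "$project" \
    --role roles/secretmanager.secretAccessor --member "serviceAccount:$email"
  run gcloud artifacts repositories add-iam-policy-binding contextweaver --location us-central1 \
    --project "$project" --role roles/artifactregistry.reader --member "serviceAccount:$email"
  ksa_manifest "$ns" "$ksa" "$email" | run kubectl apply -f -
}

bind_customer "${PROJECT_ID:-example-project}" "${CUSTOMER:-acme}"
```

Unset DRY_RUN (DRY_RUN= ./script.sh) to apply the bindings against a real project; the Vertex AI, Datastore and Token Creator roles from the page are granted the same way once the per-customer scope for each is decided.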
GCP Security Posture
  Zero API keys; Workload Identity Federation; Istio mTLS (Managed); Cloud LB + Cloud Armor; GKE Workload Identity; GCP Secret Manager; Google Identity SSO