This page reflects the dependency contract for the GCP deployment. It exists so you can decide, with no ambiguity, when it is safe to roll Aperium forward and when you should stop and remediate first.
Scope
The deployment covers the infrastructure and ArgoCD dependency chain needed to bring Aperium from a shared GCP environment bootstrap to a functioning application deployment. It does not cover GCP org/folder/project creation, CI/CD image pipelines, or application source code.
Dependency groups
1. Shared platform prerequisites
Required before the app layer can reconcile correctly:
- cert-manager
- external-secrets
- external-dns
- gke-gateway
- gateway-smoke
- keda
- kyverno
- stakater-reloader
- terraform-operator
2. Direct in-cluster runtime dependencies
The current prod-style Aperium deployment calls these services in-cluster:
- aperium-mcp-common
- aperium-mcp-salesforce
- aperium-mcp-malbek
- aperium-mcp-netsuite
- aperium-mcp-odoo
- aperium-mcp-arena
- aperium-mcp-prefect
- aperium-mcp-google-workspace
- aperium-mcp-slack-workspace
- aperium-mcp-atlassian
- aperium-mcp-epic
- aperium-mcp-gcs-datalake
- aperium-retrieval
aperium.yaml overlay carried forward from the live deployment shape.
3. Supporting services
Included because they are part of the Aperium deployment shape or the surrounding operational stack:
- prefect — minimal server plus prefect-worker-aperium targeting aperium-pool.
- phoenix.
- A dedicated background-scheduler deployment when scheduler mode is enabled.
- Cleanup cronjobs for invoice export, file cache, and PostgreSQL tabular cleanup.
Cross-stack ordering contract
Shared env stack must exist first
Apply envs/aperium-apps-prod/tf before anything else. It produces the infrastructure that later steps depend on:
- Network and subnetwork
- GKE cluster
- DNS zone
- ArgoCD bootstrap
- Platform Workload Identity GSAs
- Terraform agent config secret container
App stack depends on shared env outputs
Apply apps/aperium/envs/prod/tf only after the shared env stack exists. It depends on values such as gcp_project_id, gcp_network_path, and cluster reachability assumptions for private resources.
Prefect scaffold assumptions
The Prefect deployment is intentionally minimal and assumes the following are already available or will be adapted:
- A Prefect backing Cloud SQL instance.
- A Prefect runtime GSA, for example prefect@YOUR_GCP_PROJECT_ID.iam.gserviceaccount.com.
- A secret-store entry named prefect-admin-credentials.
- A bootstrap step to create the aperium-pool work pool after Prefect server is up.
Go / no-go gates
Go. Proceed to a full Aperium rollout only when all of these are true.
- Shared env Terraform has applied successfully.
- DNS delegation is complete.
- ArgoCD is reconciling the app-of-apps set.
- external-secrets is healthy and the ClusterSecretStore is Ready.
- prefect is healthy and aperium-pool exists.
- qdrant is healthy and API keys are synced.
- phoenix is healthy and auth secrets are synced.
- App-specific Terraform dependencies are created.
- Required Secret Manager payloads exist.
No-go. Stop and remediate first if any of these are true.
- ArgoCD cannot read the repo because the URL placeholder or GitHub App credentials were not updated.
- Secret Manager containers exist but payloads were never added.
- external-secrets is unhealthy or cannot access GCP Secret Manager.
- prefect-admin-credentials is missing or malformed.
- aperium-pool was never created in Prefect.
- qdrant-api-keys is missing in either the qdrant or aperium namespace.
- Cloud SQL or Redis is expected but disabled in the app stack.
- The app stack is running from a workspace or agent that cannot reach private database endpoints.
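The in-cluster gates above can be evaluated mechanically before a rollout. The following is an added example, not code from the Aperium repository: the snapshot layout (applications, cluster_secret_stores, secrets, work_pools) is a hypothetical format, and it assumes ArgoCD Application names match the component names and that prefect-admin-credentials lives in a prefect namespace.

```python
# Added example: evaluate the page's go / no-go gates over a captured snapshot.
# Assumptions (not from the page): ArgoCD Application names match the component names,
# prefect-admin-credentials is in a "prefect" namespace, empty data means no payload.
REQUIRED_APPS = ["external-secrets", "prefect", "qdrant", "phoenix"]
REQUIRED_SECRETS = [("prefect", "prefect-admin-credentials"),
                    ("qdrant", "qdrant-api-keys"), ("aperium", "qdrant-api-keys")]
REQUIRED_WORK_POOL = "aperium-pool"

def no_go_reasons(snap):
    """Return blocking findings; an empty list means every checked gate passed."""
    reasons = []
    apps = {a["metadata"]["name"]: a for a in snap.get("applications", [])}
    for name in REQUIRED_APPS:
        health = apps.get(name, {}).get("status", {}).get("health", {}).get("status")
        if health != "Healthy":
            reasons.append(f"app {name}: health={health or 'absent'}")
    ready = [any(c.get("type") == "Ready" and c.get("status") == "True"
                 for c in s.get("status", {}).get("conditions", []))
             for s in snap.get("cluster_secret_stores", [])]
    if not ready or not all(ready):
        reasons.append("ClusterSecretStore: absent or not Ready")
    # Only the presence of data keys is checked; secret values are never read or printed.
    secrets = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
               for s in snap.get("secrets", [])}
    for ns, name in REQUIRED_SECRETS:
        if (ns, name) not in secrets:
            reasons.append(f"secret {ns}/{name}: missing")
        elif not secrets[(ns, name)].get("data"):
            reasons.append(f"secret {ns}/{name}: empty payload")
    if REQUIRED_WORK_POOL not in snap.get("work_pools", []):
        reasons.append(f"Prefect work pool {REQUIRED_WORK_POOL}: missing")
    return reasons

def sample_app(name, health):
    return {"metadata": {"name": name}, "status": {"health": {"status": health}}}

def sample_secret(ns, name, data):
    return {"metadata": {"namespace": ns, "name": name}, "data": data}

# Constructed sample (not real cluster output); the store name is a placeholder.
SAMPLE = {
    "applications": [sample_app(n, "Degraded" if n == "qdrant" else "Healthy") for n in REQUIRED_APPS],
    "cluster_secret_stores": [{"metadata": {"name": "example-store"}, "status": {
        "conditions": [{"type": "Ready", "status": "True"}]}}],
    "secrets": [sample_secret("prefect", "prefect-admin-credentials", {}),
                sample_secret("qdrant", "qdrant-api-keys", {"key": "<redacted>"})],
    "work_pools": ["aperium-pool"]}

if __name__ == "__main__":
    print("\n".join(f"NO-GO: {r}" for r in no_go_reasons(SAMPLE)))
```

The object lists can be filled from the items arrays of kubectl get ... -o json for ArgoCD Applications, ClusterSecretStores, and Secrets. Gates outside the cluster (Terraform applies, DNS delegation, private endpoint reachability) are not covered by this check.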