Deploying on Google Cloud Platform (GCP)
Curiosity Workspace runs unchanged on GCP. This page describes the recommended infrastructure shape; for the workload itself, see Docker and Kubernetes.
Reference architecture (production)
| Concern | GCP service | Notes |
|---|---|---|
| Compute | Compute Engine (n2-standard-8+) or GKE | GKE Autopilot or Standard for production fleet. |
| Persistence | Persistent Disk SSD (pd-ssd / pd-balanced) | 200 GB starter, regional for HA. |
| Backups | Persistent Disk snapshots | Schedule via snapshot policy. |
| Ingress + TLS | External Application Load Balancer + Google-managed cert | Or NGINX Ingress on GKE with cert-manager. |
| Private access | VPC + Cloud NAT | Workspace egresses through NAT; ingress only via the LB. |
| Identity | Workload Identity (GKE) or service account (GCE) | For Secret Manager access. |
| Secrets | Google Secret Manager | Inject via the Secret Manager CSI driver or workload-identity-aware sidecar. |
| Logs | Cloud Logging | Native stdout collection on GKE. |
| Metrics | Cloud Monitoring + Managed Prometheus | Plus the workspace's /api/endpoints/metrics. |
| DNS | Cloud DNS → External LB | Or your existing registrar. |
Option A: Compute Engine VM
- Create the VM (n2-standard-8: 8 vCPU, 32 GB, Ubuntu 22.04).
- Add a Persistent Disk (SSD, ≥ 200 GB) and mount it at /srv/curiosity. See Add a persistent disk to your VM.
- Install Docker and bring up the workspace via Docker Compose. Pull secrets from Secret Manager before starting the container, using the VM's attached service account (grant it roles/secretmanager.secretAccessor on this one secret, not on the project), and keep the resulting file readable by root only (mode 0600):

  ```sh
  gcloud secrets versions access latest --secret=curiosity-prod \
    > /etc/curiosity/.env
  ```

- Front with an External HTTPS Load Balancer using a Google-managed certificate.
- Schedule Persistent Disk snapshots.
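The VM steps above as one runnable script. This is an added example, not the project's own tooling: it fetches the .env from Secret Manager, installs it atomically with mode 0600, refuses to start if the fetch returned nothing or the data disk is not mounted, and then runs Docker Compose. The secret name, the paths and the presence of a docker-compose.yml under /srv/curiosity are assumptions.

```sh
#!/bin/sh
# Added example (not part of the Curiosity Workspace docs). Assumed names:
# secret "curiosity-prod", env file /etc/curiosity/.env, compose project
# in /srv/curiosity with a docker-compose.yml.
set -eu

SECRET_NAME="${SECRET_NAME:-curiosity-prod}"
ENV_FILE="${ENV_FILE:-/etc/curiosity/.env}"
DATA_DIR="${DATA_DIR:-/srv/curiosity}"

# write_env_file DEST: read the secret payload from stdin and install it at
# DEST with mode 0600. The payload goes to a temp file in the same directory
# first and is moved into place only if it is non-empty, so a failed fetch
# (gcloud prints nothing on error) never leaves an empty or truncated .env
# and never clobbers the previous good one.
write_env_file() {
  dest="$1"
  dir=$(dirname "$dest")
  mkdir -p "$dir"
  tmp=$(mktemp "$dir/.env.XXXXXX")   # mktemp creates the file 0600
  cat > "$tmp"
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "refusing to install an empty env file at $dest" >&2
    return 1
  fi
  chmod 600 "$tmp"
  mv "$tmp" "$dest"
}

# fetch_secret NAME: latest version of a Secret Manager secret, on stdout.
# The VM's attached service account needs roles/secretmanager.secretAccessor
# on this secret.
fetch_secret() {
  gcloud secrets versions access latest --secret="$1"
}

# check_data_disk DIR: the persistent disk must be mounted at DIR, otherwise
# the workspace would silently write its data to the boot disk.
check_data_disk() {
  mountpoint -q "$1"
}

deploy() {
  check_data_disk "$DATA_DIR" || { echo "$DATA_DIR is not a mount point" >&2; return 1; }
  fetch_secret "$SECRET_NAME" | write_env_file "$ENV_FILE"
  docker compose --project-directory "$DATA_DIR" --env-file "$ENV_FILE" up -d
}

if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it on the VM as `sh deploy.sh deploy`. A failing `gcloud` inside a pipeline does not stop a POSIX `sh` script even under `set -e`, so the empty-payload check in write_env_file is what turns a broken fetch into a hard failure instead of a blank .env.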
Option B: GKE
- Provision the cluster (Autopilot for less ops; Standard if you want per-node control).
- Enable Workload Identity so the workspace's ServiceAccount can read Secret Manager.
- Install the Compute Engine persistent disk CSI Driver if it's not on by default. See Using the Compute Engine persistent disk CSI Driver.
- Install cert-manager for ACME certs (or use Google-managed certs through the GKE Ingress controller).
- Apply the manifest from Kubernetes, setting:
  - storageClassName: premium-rwo (pd-ssd) for production or standard-rwo (pd-balanced) for non-prod. Both built-in classes provision zonal disks; for a regional disk, define a StorageClass with replication-type: regional-pd and reference that instead.
  - ingressClassName: gce (GKE Ingress) or nginx (NGINX Ingress).
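The Option B steps as one script that renders the cluster objects they call for and binds the identities. This is an added example, not the project's manifest or tooling: a regional pd-ssd StorageClass (the built-in premium-rwo class is zonal), a ServiceAccount annotated for Workload Identity, a SecretProviderClass for the Secret Manager CSI driver, and the two IAM bindings scoped to one service account and one secret. Project ID, namespace, account and secret names are hypothetical placeholders.

```sh
#!/bin/sh
# Added example (not part of the Curiosity Workspace docs). Renders the
# cluster objects the Option B steps need and binds the identities. Every
# name below is a hypothetical placeholder; override via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
NAMESPACE="${NAMESPACE:-curiosity}"
KSA="${KSA:-curiosity-workspace}"
GSA="${GSA:-curiosity-workspace@${PROJECT_ID}.iam.gserviceaccount.com}"
SECRET_NAME="${SECRET_NAME:-curiosity-prod}"

# The built-in premium-rwo class is zonal pd-ssd. A disk that survives a zone
# outage needs its own StorageClass with replication-type regional-pd.
render_storageclass() {
  cat <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: regional-ssd
provisioner: pd.csi.storage.gke.io
parameters:
  type: pd-ssd
  replication-type: regional-pd
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
EOF
}

# Workload Identity member for the KSA: the principal the GSA must allow to
# impersonate it.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$PROJECT_ID" "$NAMESPACE" "$KSA"
}

# The KSA the workspace pods run as, mapped to the GSA; no key file anywhere.
render_serviceaccount() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA}
  namespace: ${NAMESPACE}
  annotations:
    iam.gke.io/gcp-service-account: ${GSA}
EOF
}

# Secret Manager CSI: mount the secret's latest version as a file named .env.
render_secretproviderclass() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: curiosity-env
  namespace: ${NAMESPACE}
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/${PROJECT_ID}/secrets/${SECRET_NAME}/versions/latest"
        fileName: ".env"
EOF
}

# Least privilege: the KSA may impersonate only this GSA, and the GSA may read
# only this secret (secretAccessor granted on the secret, not the project).
bind_identity() {
  gcloud iam service-accounts add-iam-policy-binding "$GSA" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member)"
  gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
    --project "$PROJECT_ID" \
    --role roles/secretmanager.secretAccessor \
    --member "serviceAccount:${GSA}"
}

apply_all() {
  bind_identity
  { render_storageclass; echo '---'; render_serviceaccount; echo '---'; render_secretproviderclass; } \
    | kubectl apply -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Run as `PROJECT_ID=... sh gke-setup.sh apply` with a kubeconfig pointed at the cluster; the workspace Deployment then sets serviceAccountName to the KSA, mounts the SecretProviderClass as a CSI volume, and uses storageClassName: regional-ssd in its PersistentVolumeClaim.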
Identity (SSO) on GCP
If users sign in with Google Workspace accounts, use the Google Sign-In guide. Other IdPs work identically — pick from the SSO providers.
Observability
- Logs: container stdout flows into Cloud Logging automatically on GKE; on GCE, run the Ops Agent.
- Metrics: scrape /api/endpoints/metrics (admin) into Managed Prometheus.
- Alerts: liveness, scheduled-task failure rate, disk IOPS, container restart rate.
Production checklist (GCP-specific)
- Pinned image tag, not :latest.
- Regional Persistent Disk (or zonal with backups to another region).
- Secrets in Secret Manager, surfaced via Workload Identity or CSI.
- Google-managed TLS certificate on the external LB; HSTS enabled.
- Egress restricted with VPC firewall egress rules; the Cloud NAT addresses documented for any upstream that allowlists by IP.
- Cloud Monitoring alerts for liveness, latency, container restarts.
- Restore drill completed and dated.
See also
- Kubernetes for the GKE case.
- Docker for the single-VM case.
- Configuration reference.