118 lines
5.4 KiB
Markdown
118 lines
5.4 KiB
Markdown
# GCP CI/CD and Redundancy Hardening
|
|
|
|
This records the current GCP hardening contract for `teleo-501523`.
|
|
|
|
## What Is Live
|
|
|
|
- Artifact Registry Docker repositories exist in `europe-west6`:
|
|
- `teleo`
|
|
- `livingip-web`
|
|
- Both repositories use immutable tags and active vulnerability scanning.
|
|
- `cloudbuild.gcp-staging.yaml` builds the staging Teleo image, runs the image smoke test, then pushes to Artifact Registry.
|
|
- Cloud Build runs as the dedicated service account:
|
|
- `sa-teleo-cloudbuild@teleo-501523.iam.gserviceaccount.com`
|
|
- The dedicated Cloud Build account has only the roles required for the current build/publish path:
|
|
- `roles/artifactregistry.writer`
|
|
- `roles/logging.logWriter`
|
|
- `roles/storage.objectViewer`
|
|
- GitHub Actions can publish Artifact Registry images through Workload Identity Federation:
|
|
- workflow: `.github/workflows/gcp-artifact.yml`
|
|
- provider: `projects/785938879453/locations/global/workloadIdentityPools/github-actions/providers/living-ip-github`
|
|
- service account: `sa-artifact-builder@teleo-501523.iam.gserviceaccount.com`
|
|
- repository scope: `living-ip/teleo-infrastructure`
|
|
- Backup buckets are versioned and use uniform bucket-level access:
|
|
- `gs://teleo-501523-prod-backups`
|
|
- `gs://teleo-501523-leoclean-backups`
|
|
- VM boot disks have a daily 7-day snapshot policy:
|
|
- `teleo-prod-1`
|
|
- `teleo-staging-1`
|
|
- Cloud SQL standby target exists for KB restore/replication drills:
|
|
- instance: `teleo-pgvector-standby`
|
|
- database: `teleo_kb`
|
|
- version: `POSTGRES_16`
|
|
- private IP only on `teleo-staging-net`
|
|
- encrypted-only SQL connections
|
|
- automated backups and point-in-time recovery enabled
|
|
- deletion protection enabled
|
|
- Source-side Teleo DB/KB export canary exists:
|
|
- script: `ops/backup_vps_sqlite_kb.sh`
|
|
- source DB: `/opt/teleo-eval/pipeline/pipeline.db`
|
|
- source Leo/KB files: `workspaces/*/agents/leo` plus `agent-state`
|
|
- excludes secrets and logs
|
|
|
|
## How To Build
|
|
|
|
Automatic Artifact Registry publishing runs on pushes to `main` through GitHub Actions. To run the same lane manually from GitHub:
|
|
|
|
```bash
|
|
gh workflow run gcp-artifact.yml --repo living-ip/teleo-infrastructure --ref main
|
|
```
|
|
|
|
The workflow authenticates to GCP with Workload Identity Federation, builds `Dockerfile.gcp-staging`, runs the image smoke test, pushes the image, and uploads `gcp-artifact-image.txt` as a run artifact.
|
|
|
|
For a local/manual Cloud Build proof:
|
|
|
|
```bash
|
|
REVISION="$(git rev-parse HEAD)"
|
|
TAG="$(git rev-parse --short=7 HEAD)-manual-$(date -u +%Y%m%d-%H%M%S)"
|
|
|
|
gcloud builds submit \
|
|
--project=teleo-501523 \
|
|
--config=cloudbuild.gcp-staging.yaml \
|
|
--substitutions="_TAG=${TAG},_REVISION=${REVISION}"
|
|
```
|
|
|
|
Expected result:
|
|
|
|
- `build-staging-image` succeeds.
|
|
- `smoke-test-image-before-push` succeeds.
|
|
- A Docker image is pushed to:
|
|
`europe-west6-docker.pkg.dev/teleo-501523/teleo/teleo-pipeline-gcp-staging:${TAG}`
|
|
|
|
## How To Check Readiness
|
|
|
|
Run from the repository root:
|
|
|
|
```bash
|
|
python3 ops/check_gcp_infra_readiness.py
|
|
```
|
|
|
|
The check is read-only and prints no secret values. It verifies:
|
|
|
|
- Artifact Registry immutability and vulnerability scanning.
|
|
- Cloud Build config contract.
|
|
- Dedicated Cloud Build service account and roles.
|
|
- GitHub Actions WIF Artifact Registry publishing contract.
|
|
- Network ingress posture:
|
|
- no enabled broad SSH/RDP ingress;
|
|
- Teleo SSH rules are scoped to `/32` source ranges and target tags.
|
|
- Runtime service-account posture for the prod/staging VMs.
|
|
- Compute disk snapshot policy attachment.
|
|
- Backup bucket versioning and uniform access.
|
|
- Cloud SQL standby target posture.
|
|
- Source SQLite/KB backup/export repeatability.
|
|
- Whether an approved source KB/Postgres dump or replication credential exists.
|
|
- Whether source data has actually been restored or replicated into GCP and queried.
|
|
|
|
## Current Boundaries
|
|
|
|
The GCP Docker build/publish path is live through manual Cloud Build and GitHub Actions Workload Identity Federation. Native Cloud Build GitHub triggers are not configured because this project currently has no Cloud Build repository connection.
|
|
|
|
Database redundancy is not complete. The current project now has a GCP Cloud SQL/Postgres standby target, backup buckets, VM disk snapshots, and a repeatable source SQLite/KB export script. It does not yet have source-data restore or replication into GCP. Do not claim DB parity until one of these is true:
|
|
|
|
- the existing canonical KB database is replicated into GCP and read back; or
|
|
- GCP Cloud SQL/Postgres becomes the canonical database and production services read/write it; or
|
|
- an explicitly approved standby restore drill proves that a GCP database can be restored and queried from the retained backups.
|
|
|
|
Do not call the empty `teleo-pgvector-standby` instance redundancy by itself. It only counts after source data, restore/replication, access controls, and query readback are proven.
|
|
|
|
## Communication Posture
|
|
|
|
Current GCP communication hardening is limited to the surfaces already read back:
|
|
|
|
- default SSH/RDP firewall rules are disabled;
|
|
- Teleo SSH access is scoped by instance tags and current source IP rules;
|
|
- the custom Teleo subnet has Private Google Access enabled.
|
|
- prod/staging VMs run as dedicated Teleo service accounts, not the default Compute Engine service account.
|
|
|
|
Before production cutover, add a dedicated runtime communication contract for service-to-service paths, including exact source tags/service accounts, allowed ports, health checks, and rollback.
|