Deploy Keeptrusts on Google Cloud
This guide covers deploying Keeptrusts on Google Cloud Platform using Cloud Run or GKE for compute, Cloud SQL for PostgreSQL, Cloud Load Balancing, Cloud Monitoring, and Google Cloud Storage (GCS) for exports.
Use this page when
- You are deploying the Keeptrusts gateway and API to Google Cloud Platform.
- You need Cloud Run or GKE deployment patterns with Cloud SQL for PostgreSQL.
- You want to use Secret Manager for credentials and GCS for export artifacts.
- You need Cloud Monitoring uptime checks and log-based alerting for the gateway.
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Architecture overview
Internet
→ Cloud Load Balancing (HTTPS)
→ Cloud Run / GKE
→ Keeptrusts Gateway (port 41002)
→ Keeptrusts API (port 8080)
→ Worker instances (export, lifecycle, config)
→ Cloud SQL for PostgreSQL (private IP)
→ Google Cloud Storage (export artifacts)
→ Secret Manager (API keys, DB credentials)
→ Cloud Monitoring + Cloud Logging
Prerequisites
- GCP project with billing enabled
- gcloud CLI installed and authenticated
- Artifact Registry repository for container images
- VPC network created (or use the default)
gcloud auth login
gcloud config set project keeptrusts-prod
gcloud services enable \
run.googleapis.com \
sqladmin.googleapis.com \
secretmanager.googleapis.com \
artifactregistry.googleapis.com \
monitoring.googleapis.com
Artifact Registry
Push Keeptrusts images to Artifact Registry.
gcloud artifacts repositories create keeptrusts \
--repository-format=docker \
--location=us-central1
gcloud auth configure-docker us-central1-docker.pkg.dev
docker tag keeptrusts-api:latest \
us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/api:latest
docker tag keeptrusts-gateway:latest \
us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/gateway:latest
docker push us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/api:latest
docker push us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/gateway:latest
Cloud SQL for PostgreSQL
gcloud sql instances create keeptrusts-db \
--database-version=POSTGRES_15 \
--tier=db-custom-2-8192 \
--region=us-central1 \
--network=default \
--no-assign-ip \
--storage-size=100GB \
--storage-auto-increase
gcloud sql databases create keeptrusts --instance=keeptrusts-db
gcloud sql users create ktadmin \
--instance=keeptrusts-db \
--password="${POSTGRES_PASSWORD}"
Store the connection string in Secret Manager:
echo -n "postgres://ktadmin:${POSTGRES_PASSWORD}@/keeptrusts?host=/cloudsql/keeptrusts-prod:us-central1:keeptrusts-db" | \
gcloud secrets create database-url --data-file=-
Service account
Create a dedicated service account for Keeptrusts workloads.
gcloud iam service-accounts create keeptrusts-sa \
--display-name="Keeptrusts Service Account"
SA_EMAIL="keeptrusts-sa@keeptrusts-prod.iam.gserviceaccount.com"
# Grant Cloud SQL Client, Secret Manager Accessor, Storage Object Admin
for ROLE in roles/cloudsql.client roles/secretmanager.secretAccessor roles/storage.objectAdmin; do
gcloud projects add-iam-policy-binding keeptrusts-prod \
--member="serviceAccount:${SA_EMAIL}" --role="$ROLE"
done
Deploy with Cloud Run
Cloud Run is the simplest path for deploying Keeptrusts containers.
API service
# keeptrusts-db was created with --no-assign-ip, so the service also needs VPC access
# (a Serverless VPC Access connector or Direct VPC egress) for the Cloud SQL socket to reach it
gcloud run deploy keeptrusts-api \
--image=us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/api:latest \
--region=us-central1 \
--port=8080 \
--cpu=2 --memory=2Gi \
--min-instances=1 \
--max-instances=10 \
--service-account="${SA_EMAIL}" \
--add-cloudsql-instances=keeptrusts-prod:us-central1:keeptrusts-db \
--set-secrets="DATABASE_URL=database-url:latest" \
--set-env-vars="KEEPTRUSTS_CORS_ALLOWED_ORIGINS=https://console.yourdomain.com" \
--no-allow-unauthenticated
Gateway service
# keeptrusts-api was deployed with --no-allow-unauthenticated, so keeptrusts-sa (the identity
# this gateway runs as) also needs roles/run.invoker on keeptrusts-api for gateway -> API calls
# to be accepted. The api-key secret referenced below must already exist in Secret Manager;
# it is not created elsewhere on this page.
gcloud run deploy keeptrusts-gateway \
--image=us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/gateway:latest \
--region=us-central1 \
--port=41002 \
--cpu=2 --memory=4Gi \
--min-instances=1 \
--max-instances=20 \
--service-account="${SA_EMAIL}" \
--set-env-vars="KEEPTRUSTS_API_URL=$(gcloud run services describe keeptrusts-api --region=us-central1 --format='value(status.url)')" \
--set-secrets="KEEPTRUSTS_GATEWAY_TOKEN=api-key:latest" \
--allow-unauthenticated
Worker service
gcloud run deploy keeptrusts-worker \
--image=us-central1-docker.pkg.dev/keeptrusts-prod/keeptrusts/api:latest \
--region=us-central1 \
--command="worker_export" \
--cpu=1 --memory=1Gi \
--min-instances=0 \
--max-instances=5 \
--service-account="${SA_EMAIL}" \
--add-cloudsql-instances=keeptrusts-prod:us-central1:keeptrusts-db \
--set-secrets="DATABASE_URL=database-url:latest" \
--no-allow-unauthenticated
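The three Cloud Run services above only hold together if the API stays private, the gateway's service account can invoke it, and the database keeps no public address. The following added example (not Keeptrusts code) checks those three properties offline against constructed documents shaped like `gcloud run services get-iam-policy --format=json` and `gcloud sql instances describe --format=json`; the service account e-mail and service names are the ones used on this page.

```python
"""Offline posture check for the Cloud Run + Cloud SQL layout on this page (added
example, not Keeptrusts code). The JSON below is constructed to mirror the shape of
`gcloud run services get-iam-policy --format=json` and
`gcloud sql instances describe --format=json`; feed the real output in instead."""
import json

# Constructed: keeptrusts-api policy after --no-allow-unauthenticated plus a
# run.invoker grant to the gateway's service account
API_POLICY = json.loads("""{"bindings": [{"role": "roles/run.invoker",
  "members": ["serviceAccount:keeptrusts-sa@keeptrusts-prod.iam.gserviceaccount.com"]}]}""")
# Constructed: what --allow-unauthenticated produces (fine for the gateway, not the API)
PUBLIC_POLICY = json.loads("""{"bindings": [{"role": "roles/run.invoker",
  "members": ["allUsers"]}]}""")
# Constructed: Cloud SQL instance created with --no-assign-ip
DB_PRIVATE = json.loads("""{"name": "keeptrusts-db",
  "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.0.0.5"}],
  "settings": {"ipConfiguration": {"ipv4Enabled": false}}}""")

def invoker_members(policy):
    """Set of members granted roles/run.invoker in a Cloud Run IAM policy."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == "roles/run.invoker"
            for m in b.get("members", [])}

def api_findings(policy, caller_sa):
    """The internal API must not be public, and the gateway's service account
    must hold run.invoker on it, or gateway -> API calls are rejected."""
    members = invoker_members(policy)
    findings = []
    if members & {"allUsers", "allAuthenticatedUsers"}:
        findings.append("api is publicly invokable")
    if f"serviceAccount:{caller_sa}" not in members:
        findings.append("gateway service account lacks roles/run.invoker on api")
    return findings

def db_findings(instance):
    """Only private addresses and public IPv4 disabled, as --no-assign-ip gives."""
    findings = []
    if any(a.get("type") != "PRIVATE" for a in instance.get("ipAddresses", [])):
        findings.append("database has a non-private address")
    if instance.get("settings", {}).get("ipConfiguration", {}).get("ipv4Enabled"):
        findings.append("database public IPv4 is enabled")
    return findings

def audit(api_policy, db_instance, caller_sa):
    """Combined findings list; empty means the layout matches this guide."""
    return api_findings(api_policy, caller_sa) + db_findings(db_instance)
```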
Deploy with GKE (advanced)
For larger deployments, use Google Kubernetes Engine.
gcloud container clusters create keeptrusts-gke \
--region=us-central1 \
--num-nodes=3 \
--machine-type=e2-standard-4 \
--workload-pool=keeptrusts-prod.svc.id.goog \
--enable-ip-alias
gcloud container clusters get-credentials keeptrusts-gke --region=us-central1
Workload Identity binding
gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:keeptrusts-prod.svc.id.goog[keeptrusts/keeptrusts-sa]"
# keeptrusts-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keeptrusts-sa
  namespace: keeptrusts
  annotations:
    iam.gke.io/gcp-service-account: keeptrusts-sa@keeptrusts-prod.iam.gserviceaccount.com
Apply the same Kubernetes manifests from the Kubernetes deployment guide, substituting the image references and service account.
Google Cloud Storage for exports
gcloud storage buckets create gs://keeptrusts-exports \
--location=us-central1 \
--uniform-bucket-level-access
# The service account already has storage.objectAdmin via the IAM binding above
Set these environment variables on the API and worker containers:
KEEPTRUSTS_EXPORT_S3_ENDPOINT=https://storage.googleapis.com
KEEPTRUSTS_EXPORT_S3_BUCKET=keeptrusts-exports
Note that the S3-interoperable endpoint at storage.googleapis.com authenticates with HMAC keys rather than the service account's OAuth token, so an export client that speaks the S3 protocol also needs an HMAC key pair issued for keeptrusts-sa (gcloud storage hmac create); the IAM binding alone is not enough for that path.
Cloud Load Balancing
For custom domains with HTTPS, create a global external Application Load Balancer.
# Reserve a static IP
gcloud compute addresses create keeptrusts-ip --global
# Create a serverless NEG for the Cloud Run gateway service
gcloud compute network-endpoint-groups create keeptrusts-neg \
--region=us-central1 \
--network-endpoint-type=serverless \
--cloud-run-service=keeptrusts-gateway
# Backend service
gcloud compute backend-services create keeptrusts-backend \
--global --load-balancing-scheme=EXTERNAL_MANAGED
gcloud compute backend-services add-backend keeptrusts-backend \
--global --network-endpoint-group=keeptrusts-neg \
--network-endpoint-group-region=us-central1
# URL map and HTTPS proxy
gcloud compute url-maps create keeptrusts-urlmap \
--default-service=keeptrusts-backend
gcloud compute ssl-certificates create keeptrusts-cert \
--domains=gateway.yourdomain.com --global
gcloud compute target-https-proxies create keeptrusts-https-proxy \
--ssl-certificates=keeptrusts-cert --url-map=keeptrusts-urlmap
gcloud compute forwarding-rules create keeptrusts-fwd \
--global --target-https-proxy=keeptrusts-https-proxy \
--address=keeptrusts-ip --ports=443
Cloud Monitoring
Uptime check
gcloud monitoring uptime create keeptrusts-health \
--display-name="Keeptrusts API Health" \
--resource-type=uptime-url \
--hostname=api.yourdomain.com \
--path=/healthz \
--check-frequency=60s
Log-based alert for gateway errors
gcloud logging metrics create gateway_errors \
--description="Keeptrusts gateway 5xx errors" \
--filter='resource.type="cloud_run_revision" AND resource.labels.service_name="keeptrusts-gateway" AND httpRequest.status>=500'
gcloud monitoring policies create \
--display-name="Gateway 5xx Spike" \
--condition-display-name="Error rate > 10/min" \
--condition-filter='metric.type="logging.googleapis.com/user/gateway_errors"' \
--condition-threshold-value=10 \
--condition-threshold-duration=60s \
--notification-channels="projects/keeptrusts-prod/notificationChannels/<channel-id>"
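To see what the metric filter and the 10-per-minute threshold above actually select, the following added example (not Keeptrusts code) replays the same predicate over constructed Cloud Run request-log entries and reports the minutes that would trip the policy; the entries are made up but use the real field names (resource.type, resource.labels.service_name, httpRequest.status, timestamp).

```python
"""Offline replay of the gateway_errors log metric and the 5xx alert policy
(added example, not Keeptrusts code). Entries are constructed to mirror Cloud
Run request logs; real ones come from Cloud Logging."""
from collections import Counter
from datetime import datetime

def gateway_entry(ts, service, status):
    """Build one constructed log entry with the fields the filter inspects."""
    return {"timestamp": ts,
            "resource": {"type": "cloud_run_revision",
                         "labels": {"service_name": service}},
            "httpRequest": {"status": status}}

# Constructed sample: 11 gateway 502s inside minute 12:00, plus noise that the
# filter must ignore (an API-service 500 and a gateway 200).
SAMPLE_ENTRIES = (
    [gateway_entry(f"2024-05-01T12:00:{s:02d}Z", "keeptrusts-gateway", 502)
     for s in range(0, 55, 5)]
    + [gateway_entry("2024-05-01T12:00:07Z", "keeptrusts-api", 500),
       gateway_entry("2024-05-01T12:01:03Z", "keeptrusts-gateway", 200)]
)

def matches_filter(entry, service="keeptrusts-gateway"):
    """Same predicate as the --filter on the logging metric."""
    res = entry.get("resource", {})
    return (res.get("type") == "cloud_run_revision"
            and res.get("labels", {}).get("service_name") == service
            and entry.get("httpRequest", {}).get("status", 0) >= 500)

def errors_per_minute(entries):
    """Counter keyed by UTC minute of entries matching the filter."""
    counts = Counter()
    for e in entries:
        if matches_filter(e):
            ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            counts[ts.replace(second=0, microsecond=0)] += 1
    return counts

def alerting_minutes(entries, threshold=10):
    """Minutes whose count exceeds the policy threshold (value 10 over 60s)."""
    return sorted(m for m, n in errors_per_minute(entries).items() if n > threshold)
```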
Validate the deployment
# Health check
curl https://api.yourdomain.com/healthz
# Validate gateway config
kt policy lint --file policy-config.yaml
# Send a test request through the gateway
curl https://gateway.yourdomain.com/v1/chat/completions \
-H "Authorization: Bearer $GATEWAY_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"gpt-4o","messages":[{"role":"user","content":"Hello"}]}'
# Confirm events reach the API
curl https://api.yourdomain.com/v1/events \
-H "Authorization: Bearer $API_KEY" | jq '.data | length'
For AI systems
- Canonical terms: Keeptrusts gateway, Keeptrusts API, Cloud Run, GKE, Cloud SQL for PostgreSQL, Artifact Registry, Secret Manager, Cloud Monitoring, GCS.
- Key config: DATABASE_URL (Cloud SQL socket path format), KEEPTRUSTS_CORS_ALLOWED_ORIGINS, service account IAM bindings.
- CLI commands: gcloud run deploy, gcloud sql instances create, kt policy lint, kt events tail.
- Best next pages: Webhook-driven workflows, GitHub Actions CI/CD, Datadog observability.
For engineers
- Prerequisites: GCP project with billing, gcloud CLI authenticated, Artifact Registry repository, APIs enabled (Cloud Run, Cloud SQL, Secret Manager).
- Validate: curl https://api.yourdomain.com/healthz, send a test chat completion through the gateway, verify events via /v1/events.
- Cloud Run advantage: Zero-to-N scaling with no cluster management. Use --min-instances 1 for production to avoid cold starts.
- Security: Private VPC connector for Cloud SQL access, no public IP on database, IAM-based auth for service-to-service calls.
For leaders
- Cost model: Cloud Run (pay-per-request, aggressive scale-to-zero for dev), Cloud SQL (instance hours + storage), GCS (storage + egress).
- Simplicity vs. control: Cloud Run is simpler for small teams; GKE gives full Kubernetes control for large-scale or multi-tenant deployments.
- Compliance: GCP's compliance certifications (FedRAMP, HIPAA BAA), VPC Service Controls for data perimeter, Cloud Audit Logs for access tracking.
- Regional choice: Select regions matching data residency requirements; Cloud SQL private IP keeps database traffic off the public internet.
Next steps
- Set up webhook-driven workflows for event-driven automation
- Configure GitHub Actions for policy CI/CD
- Add Datadog observability alongside Cloud Monitoring