{"id":31827801,"url":"https://github.com/settlemint/btp-on-gcp","last_synced_at":"2026-03-19T14:38:00.835Z","repository":{"id":248375746,"uuid":"824481500","full_name":"settlemint/btp-on-gcp","owner":"settlemint","description":null,"archived":false,"fork":false,"pushed_at":"2026-03-04T11:33:46.000Z","size":295,"stargazers_count":0,"open_issues_count":7,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-03-04T18:29:33.997Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/settlemint.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-07-05T08:20:02.000Z","updated_at":"2026-02-24T23:57:16.000Z","dependencies_parsed_at":"2026-01-28T15:00:41.111Z","dependency_job_id":null,"html_url":"https://github.com/settlemint/btp-on-gcp","commit_stats":null,"previous_names":["settlemint/tutorial-btp-on-gcp","settlemint/btp-on-gcp"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/settlemint/btp-on-gcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/settlemint%2Fbtp-on-gcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/settlemint%2Fbtp-on-gcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/settlemint%2Fbtp-on-gcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/settlemint%2Fbtp-on-gcp/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/settlemint","download_url":"https://codeload.github.com/settlemint/btp-on-gcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/settlemint%2Fbtp-on-gcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30219541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T14:02:48.375Z","status":"ssl_error","status_checked_at":"2026-03-07T14:02:43.192Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-11T19:18:46.229Z","updated_at":"2026-03-07T15:31:26.201Z","avatar_url":"https://github.com/settlemint.png","language":"HCL","readme":"# SettleMint Blockchain Transformation Platform on Google Cloud Platform\n\n\u003e **⚠️ IMPORTANT DISCLAIMER**\n\u003e \n\u003e This repository and its deployment guides are provided for **educational and demonstration purposes only**. 
The configurations, scripts, and procedures contained within are designed to help you understand the SettleMint BTP platform architecture and deployment concepts.\n\u003e \n\u003e **For production deployments, official support, and enterprise implementations:**\n\u003e - Contact the **SettleMint team** directly for official deployment guides\n\u003e - Obtain proper licensing and support agreements\n\u003e - Use officially supported and maintained configurations\n\u003e - Engage with SettleMint's Customer Success team for production planning\n\u003e \n\u003e **Contact SettleMint:**\n\u003e - Website: [www.settlemint.com](https://www.settlemint.com)\n\u003e - Email: support@settlemint.com\n\u003e - Documentation: [Developer Documentation](https://console.settlemint.com/documentation/)\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Architecture](#architecture)\n- [Prerequisites](#prerequisites)\n- [Infrastructure Components](#infrastructure-components)\n- [Installation Guide](#installation-guide)\n- [Configuration](#configuration)\n- [Monitoring](#monitoring)\n- [Security](#security)\n- [Troubleshooting](#troubleshooting)\n- [Production Considerations](#production-considerations)\n\n## Overview\n\nThe **SettleMint Blockchain Transformation Platform (BTP)** is an enterprise-grade blockchain development and deployment platform designed for organizations seeking to build, deploy, and manage blockchain applications at scale. 
This repository provides Infrastructure as Code (IaC) using Terraform to deploy BTP in a **self-managed mode** on Google Cloud Platform.\n\n### Key Capabilities\n\n| Feature | Description | Enterprise Value |\n|---------|-------------|------------------|\n| **Multi-Blockchain Support** | Deploy Ethereum, Hyperledger Fabric, IPFS networks | Flexibility in blockchain technology choice |\n| **Visual Development Environment** | Web-based IDE for smart contract development | Accelerated development cycles |\n| **Enterprise Integration** | REST APIs and connectors for existing systems | Seamless integration with legacy infrastructure |\n| **Scalable Infrastructure** | Kubernetes-based with auto-scaling | Cost optimization and performance scaling |\n| **Comprehensive Monitoring** | Built-in observability stack | Operational excellence and SLA compliance |\n| **Security-First Design** | Vault integration for secrets management | Enterprise security standards |\n\n### Self-Managed vs SaaS Comparison\n\n| Aspect | Self-Managed (This Guide) | SettleMint SaaS |\n|--------|---------------------------|-----------------|\n| **Infrastructure Control** | Full control over GCP resources | Managed by SettleMint |\n| **Data Residency** | Complete control over data location | Hosted in SettleMint regions |\n| **Customization** | Ability to customize | Limited customization options |\n| **Operational Responsibility** | Customer manages operations | SettleMint manages operations |\n| **Cost Model** | Infrastructure + platform license | Subscription-based pricing |\n| **Compliance** | Customer-controlled compliance | SettleMint compliance framework |\n\n\u003e **Note**: This deployment is optimized for demonstration and development. 
For production environments, refer to the [Production Considerations](#production-considerations) section.\n\n## Architecture\n\n### High-Level GCP Architecture\n\n```mermaid\ngraph TD\n    USERS[👥 Enterprise Users]\n    INTERNET[🌐 Internet]\n    REGISTRAR[📝 Domain Registrar]\n    \n    subgraph GCP[\"🏢 Google Cloud Platform\"]\n        subgraph GLOBAL[\"🌍 Global Services\"]\n            DNS[🌐 Cloud DNS\u003cbr/\u003eZone Management\u003cbr/\u003eA \u0026 Wildcard Records]\n            KMS[🔐 Cloud KMS\u003cbr/\u003eKey Rings\u003cbr/\u003eCrypto Keys\u003cbr/\u003eAuto-unseal]\n            IAM[👤 Workload Identity\u003cbr/\u003eService Accounts\u003cbr/\u003eRBAC Permissions]\n        end\n        \n        subgraph REGIONAL[\"📍 Regional Services (europe-west1)\"]\n            subgraph GKE[\"☸️ Google Kubernetes Engine\"]\n                LB[⚖️ Cloud Load Balancer\u003cbr/\u003eGlobal Distribution\u003cbr/\u003eSSL Termination]\n                NGINX[🔀 NGINX Ingress\u003cbr/\u003ePath Routing\u003cbr/\u003eRate Limiting]\n                \n                subgraph DEPS[\"📦 cluster-dependencies\"]\n                    POSTGRES[(🗄️ PostgreSQL\u003cbr/\u003ePrimary Database)]\n                    REDIS[(⚡ Redis\u003cbr/\u003eCache \u0026 Sessions)]\n                    MINIO[(📁 MinIO\u003cbr/\u003eObject Storage)]\n                    VAULT[🔒 HashiCorp Vault\u003cbr/\u003eSecrets Management\u003cbr/\u003eKMS Integration]\n                    CERTMGR[📜 cert-manager\u003cbr/\u003eSSL Certificates\u003cbr/\u003eLet's Encrypt]\n                end\n                \n                subgraph PLATFORM[\"🚀 settlemint\"]\n                    WEBAPP[💻 BTP Web UI\u003cbr/\u003eReact SPA\u003cbr/\u003eDashboard]\n                    API[🔌 BTP API Services\u003cbr/\u003eNode.js Backend\u003cbr/\u003eREST APIs]\n                    ENGINE[⚙️ Deployment Engine\u003cbr/\u003eBlockchain\u003cbr/\u003eOrchestration]\n                    CLUSTER[🎛️ Cluster 
Manager\u003cbr/\u003eInfrastructure\u003cbr/\u003eControl]\n                    MONITOR[📊 Observability\u003cbr/\u003eGrafana \u0026 Prometheus\u003cbr/\u003eMonitoring Stack]\n                end\n                \n                subgraph DEPLOY[\"🔗 deployments\"]\n                    ETH[⟠ Ethereum\u003cbr/\u003eNetworks]\n                    FABRIC[🔗 Hyperledger\u003cbr/\u003eFabric]\n                    IPFS[🌐 IPFS\u003cbr/\u003eNodes]\n                    CUSTOM[🔧 Custom\u003cbr/\u003eApplications]\n                end\n            end\n        end\n    end\n    \n    %% User Flow\n    USERS --\u003e INTERNET\n    INTERNET --\u003e DNS\n    DNS --\u003e LB\n    LB --\u003e NGINX\n    REGISTRAR -.-\u003e DNS\n    \n    %% Internal Platform Flow\n    NGINX --\u003e WEBAPP\n    NGINX --\u003e API\n    NGINX --\u003e MONITOR\n    \n    %% Data Flow\n    API --\u003e POSTGRES\n    API --\u003e REDIS\n    API --\u003e VAULT\n    ENGINE --\u003e MINIO\n    \n    %% Security \u0026 Certificates\n    VAULT --\u003e KMS\n    CERTMGR --\u003e DNS\n    CERTMGR --\u003e IAM\n    VAULT --\u003e IAM\n    \n    %% Blockchain Deployment Flow\n    ENGINE --\u003e ETH\n    ENGINE --\u003e FABRIC\n    ENGINE --\u003e IPFS\n    ENGINE --\u003e CUSTOM\n    \n    %% Styling with Colors\n    classDef gcpService fill:#4285f4,stroke:#1a73e8,stroke-width:3px,color:#fff,font-weight:bold\n    classDef k8sService fill:#326ce5,stroke:#1565c0,stroke-width:3px,color:#fff,font-weight:bold\n    classDef btpService fill:#ff6b35,stroke:#e55100,stroke-width:3px,color:#fff,font-weight:bold\n    classDef external fill:#34a853,stroke:#137333,stroke-width:3px,color:#fff,font-weight:bold\n    classDef blockchain fill:#9c27b0,stroke:#7b1fa2,stroke-width:3px,color:#fff,font-weight:bold\n    \n    class DNS,KMS,IAM,LB gcpService\n    class NGINX,POSTGRES,REDIS,MINIO,VAULT,CERTMGR k8sService\n    class WEBAPP,API,ENGINE,CLUSTER,MONITOR btpService\n    class USERS,INTERNET,REGISTRAR external\n    class 
ETH,FABRIC,IPFS,CUSTOM blockchain\n```\n\n### Network Flow and Traffic Routing\n\n```mermaid\nsequenceDiagram\n    participant U as 👥 Users\n    participant I as 🌐 Internet\n    participant D as 🌐 Cloud DNS\n    participant L as ⚖️ Load Balancer\n    participant N as 🔀 NGINX Ingress\n    participant W as 💻 Web UI\n    participant A as 🔌 API Services\n    participant M as 📊 Monitoring\n    participant Auth as 🔐 Auth Service\n\n    Note over U,Auth: 🚀 BTP Platform Access Flow\n    \n    U-\u003e\u003e+I: 🌍 Access https://btp.example.com\n    I-\u003e\u003e+D: 🔍 DNS Query for domain\n    D--\u003e\u003e-I: 📍 Returns Load Balancer IP\n    I-\u003e\u003e+L: 🔒 HTTPS Request to IP\n    L-\u003e\u003e+N: ➡️ Forward to NGINX Ingress\n    \n    Note over N: 🔒 SSL Termination \u0026 🛣️ Path Routing\n    \n    alt 💻 Web UI Access (/)\n        N-\u003e\u003e+W: 🎨 Route to React SPA\n        W--\u003e\u003e-N: 📱 Return Web Application\n    else 🔌 API Calls (/api/*)\n        N-\u003e\u003e+A: 🔗 Route to Node.js Backend\n        A--\u003e\u003e-N: 📊 Return API Response\n    else 🔐 Authentication (/auth/*)\n        N-\u003e\u003e+Auth: 🔑 Route to Auth Service\n        Auth--\u003e\u003e-N: ✅ OAuth2 Flow Response\n    else 📊 Monitoring (/grafana/*)\n        N-\u003e\u003e+M: 📈 Route to Grafana Dashboard\n        M--\u003e\u003e-N: 📊 Return Monitoring UI\n    end\n    \n    N--\u003e\u003e-L: 📤 Response with security headers\n    L--\u003e\u003e-I: 🔒 HTTPS Response\n    I--\u003e\u003e-U: 🎯 Deliver content to user\n    \n    Note over U,Auth: ✅ Secure End-to-End Communication\n```\n\n### BTP Platform Component Interaction\n\n```mermaid\ngraph TD\n    subgraph USER_LAYER[\"👥 User Interface Layer\"]\n        WEB[💻 Web Dashboard\u003cbr/\u003eReact SPA\u003cbr/\u003eUser Management]\n        MOBILE[📱 Mobile App\u003cbr/\u003eReact Native\u003cbr/\u003eField Operations]\n        CLI[⌨️ CLI Tools\u003cbr/\u003eDeveloper APIs\u003cbr/\u003eAutomation]\n    end\n    \n    subgraph 
API_LAYER[\"🔌 API Gateway Layer\"]\n        REST[🌐 REST APIs\u003cbr/\u003eCRUD Operations\u003cbr/\u003eAuthentication]\n        GRAPHQL[📊 GraphQL\u003cbr/\u003eData Queries\u003cbr/\u003eReal-time Updates]\n        WEBSOCKET[⚡ WebSocket\u003cbr/\u003eLive Updates\u003cbr/\u003eNotifications]\n    end\n    \n    subgraph BUSINESS_LAYER[\"⚙️ Business Logic Layer\"]\n        AUTH[🔐 Authentication\u003cbr/\u003eOAuth2/OIDC\u003cbr/\u003eRole Management]\n        BLOCKCHAIN[🔗 Blockchain Service\u003cbr/\u003eNetwork Management\u003cbr/\u003eTransaction Processing]\n        CONTRACT[📋 Smart Contracts\u003cbr/\u003eDeployment\u003cbr/\u003eInteraction]\n        WORKFLOW[🔄 Workflow Engine\u003cbr/\u003eProcess Automation\u003cbr/\u003eBusiness Rules]\n    end\n    \n    subgraph DATA_LAYER[\"🗄️ Data Layer\"]\n        POSTGRES[(🗄️ PostgreSQL\u003cbr/\u003eApplication Data\u003cbr/\u003eUser Profiles\u003cbr/\u003eConfigurations)]\n        REDIS[(⚡ Redis\u003cbr/\u003eSession Cache\u003cbr/\u003eReal-time Data\u003cbr/\u003eMessage Queue)]\n        VAULT[(🔒 Vault\u003cbr/\u003eSecrets\u003cbr/\u003ePrivate Keys\u003cbr/\u003eCertificates)]\n        STORAGE[(📁 Object Storage\u003cbr/\u003eFiles \u0026 Documents\u003cbr/\u003eBlockchain Data\u003cbr/\u003eBackups)]\n    end\n    \n    subgraph BLOCKCHAIN_LAYER[\"⟠ Blockchain Networks\"]\n        ETH[⟠ Ethereum\u003cbr/\u003eSmart Contracts\u003cbr/\u003eDeFi Applications]\n        FABRIC[🔗 Hyperledger Fabric\u003cbr/\u003ePrivate Networks\u003cbr/\u003eEnterprise Solutions]\n        IPFS[🌐 IPFS\u003cbr/\u003eDistributed Storage\u003cbr/\u003eContent Addressing]\n    end\n    \n    %% User Interface Connections\n    WEB --\u003e REST\n    WEB --\u003e GRAPHQL\n    WEB --\u003e WEBSOCKET\n    MOBILE --\u003e REST\n    MOBILE --\u003e WEBSOCKET\n    CLI --\u003e REST\n    \n    %% API to Business Logic\n    REST --\u003e AUTH\n    REST --\u003e BLOCKCHAIN\n    REST --\u003e CONTRACT\n    REST --\u003e WORKFLOW\n    GRAPHQL 
--\u003e BLOCKCHAIN\n    GRAPHQL --\u003e CONTRACT\n    WEBSOCKET --\u003e WORKFLOW\n    \n    %% Business Logic to Data\n    AUTH --\u003e POSTGRES\n    AUTH --\u003e REDIS\n    AUTH --\u003e VAULT\n    BLOCKCHAIN --\u003e POSTGRES\n    BLOCKCHAIN --\u003e REDIS\n    BLOCKCHAIN --\u003e VAULT\n    CONTRACT --\u003e STORAGE\n    CONTRACT --\u003e VAULT\n    WORKFLOW --\u003e POSTGRES\n    WORKFLOW --\u003e REDIS\n    \n    %% Business Logic to Blockchain\n    BLOCKCHAIN --\u003e ETH\n    BLOCKCHAIN --\u003e FABRIC\n    CONTRACT --\u003e ETH\n    CONTRACT --\u003e FABRIC\n    WORKFLOW --\u003e IPFS\n    \n    %% Styling\n    classDef userLayer fill:#e3f2fd,stroke:#1976d2,stroke-width:2px,color:#000\n    classDef apiLayer fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000\n    classDef businessLayer fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000\n    classDef dataLayer fill:#e8f5e8,stroke:#388e3c,stroke-width:2px,color:#000\n    classDef blockchainLayer fill:#fce4ec,stroke:#c2185b,stroke-width:2px,color:#000\n    \n    class WEB,MOBILE,CLI userLayer\n    class REST,GRAPHQL,WEBSOCKET apiLayer\n    class AUTH,BLOCKCHAIN,CONTRACT,WORKFLOW businessLayer\n    class POSTGRES,REDIS,VAULT,STORAGE dataLayer\n    class ETH,FABRIC,IPFS blockchainLayer\n```\n\n### Kubernetes Pod and Container Architecture\n\n```mermaid\ngraph TB\n    subgraph \"GKE Cluster - Regional Deployment\"\n        subgraph \"Node Pool (e2-standard-4)\"\n            subgraph \"cluster-dependencies Namespace\"\n                subgraph \"PostgreSQL StatefulSet\"\n                    PG_POD[postgresql-0\u003cbr/\u003eContainer: postgres:16\u003cbr/\u003ePVC: 20Gi\u003cbr/\u003ePort: 5432]\n                end\n                \n                subgraph \"Redis StatefulSet\"\n                    REDIS_POD[redis-master-0\u003cbr/\u003eContainer: redis:7\u003cbr/\u003eMemory: 256Mi\u003cbr/\u003ePort: 6379]\n                end\n                \n                subgraph \"MinIO StatefulSet\"\n   
                 MINIO_POD[minio-0\u003cbr/\u003eContainer: minio/minio\u003cbr/\u003ePVC: 10Gi\u003cbr/\u003ePorts: 9000, 9001]\n                end\n                \n                subgraph \"Vault StatefulSet\"\n                    VAULT_POD[vault-0\u003cbr/\u003eContainer: vault:1.15\u003cbr/\u003ePVC: 1Gi\u003cbr/\u003ePort: 8200]\n                    VAULT_INIT[vault-init-job\u003cbr/\u003eInit Container\u003cbr/\u003eStatus: Completed]\n                    VAULT_CONFIG[vault-configure-job\u003cbr/\u003eConfig Container\u003cbr/\u003eStatus: Completed]\n                end\n                \n                subgraph \"cert-manager Deployment\"\n                    CERT_POD[cert-manager-*\u003cbr/\u003eContainer: cert-manager\u003cbr/\u003eReplicas: 1\u003cbr/\u003ePort: 9402]\n                    WEBHOOK_POD[cert-manager-webhook-*\u003cbr/\u003eContainer: webhook\u003cbr/\u003eReplicas: 1\u003cbr/\u003ePort: 10250]\n                    CAINJECTOR_POD[cert-manager-cainjector-*\u003cbr/\u003eContainer: cainjector\u003cbr/\u003eReplicas: 1]\n                end\n                \n                subgraph \"NGINX Ingress Deployment\"\n                    NGINX_POD[ingress-nginx-controller-*\u003cbr/\u003eContainer: nginx-controller\u003cbr/\u003eReplicas: 1\u003cbr/\u003ePorts: 80, 443]\n                end\n            end\n            \n            subgraph \"settlemint Namespace\"\n                subgraph \"BTP Web UI Deployment\"\n                    UI_POD1[settlemint-app-*\u003cbr/\u003eContainer: btp-frontend\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 3000]\n                    UI_POD2[settlemint-app-*\u003cbr/\u003eContainer: btp-frontend\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 3000]\n                end\n                \n                subgraph \"BTP API Deployment\"\n                    API_POD1[settlemint-api-*\u003cbr/\u003eContainer: btp-backend\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 8080]\n                    
API_POD2[settlemint-api-*\u003cbr/\u003eContainer: btp-backend\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 8080]\n                end\n                \n                subgraph \"Deployment Engine\"\n                    ENGINE_POD[settlemint-deploy-worker-*\u003cbr/\u003eContainer: deploy-engine\u003cbr/\u003eHPA: 1-10\u003cbr/\u003ePort: 8081]\n                end\n                \n                subgraph \"Cluster Manager\"\n                    CLUSTER_POD1[settlemint-cluster-manager-*\u003cbr/\u003eContainer: cluster-mgr\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 8082]\n                    CLUSTER_POD2[settlemint-cluster-manager-*\u003cbr/\u003eContainer: cluster-mgr\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 8082]\n                end\n                \n                subgraph \"Observability Stack\"\n                    GRAFANA_POD[grafana-*\u003cbr/\u003eContainer: grafana\u003cbr/\u003eReplicas: 2\u003cbr/\u003ePort: 3000]\n                    VICTORIA_POD[victoria-metrics-*\u003cbr/\u003eContainer: victoria-metrics\u003cbr/\u003eReplicas: 1\u003cbr/\u003ePort: 8428]\n                    LOKI_POD[loki-*\u003cbr/\u003eContainer: loki\u003cbr/\u003eReplicas: 1\u003cbr/\u003ePort: 3100]\n                end\n            end\n            \n            subgraph \"deployments Namespace\"\n                subgraph \"User Blockchain Networks\"\n                    ETH_POD[ethereum-node-*\u003cbr/\u003eContainer: ethereum/client-go\u003cbr/\u003eDynamic Scaling\u003cbr/\u003ePorts: 8545, 30303]\n                    FABRIC_POD[fabric-peer-*\u003cbr/\u003eContainer: hyperledger/fabric-peer\u003cbr/\u003eDynamic Scaling\u003cbr/\u003ePort: 7051]\n                    IPFS_POD[ipfs-node-*\u003cbr/\u003eContainer: ipfs/go-ipfs\u003cbr/\u003eDynamic Scaling\u003cbr/\u003ePorts: 4001, 5001]\n                end\n            end\n        end\n    end\n    \n    subgraph \"Google Cloud Services\"\n        LB_SVC[Google Cloud\u003cbr/\u003eLoad 
Balancer\u003cbr/\u003eExternal IP]\n        DNS_SVC[Cloud DNS\u003cbr/\u003eZone Management]\n        KMS_SVC[Cloud KMS\u003cbr/\u003eAuto-unseal Keys]\n        WI_SVC[Workload Identity\u003cbr/\u003eService Accounts]\n    end\n    \n    %% Service connections\n    LB_SVC --\u003e NGINX_POD\n    NGINX_POD --\u003e UI_POD1\n    NGINX_POD --\u003e UI_POD2\n    NGINX_POD --\u003e API_POD1\n    NGINX_POD --\u003e API_POD2\n    NGINX_POD --\u003e GRAFANA_POD\n    \n    API_POD1 --\u003e PG_POD\n    API_POD2 --\u003e PG_POD\n    API_POD1 --\u003e REDIS_POD\n    API_POD2 --\u003e REDIS_POD\n    API_POD1 --\u003e VAULT_POD\n    API_POD2 --\u003e VAULT_POD\n    \n    ENGINE_POD --\u003e MINIO_POD\n    ENGINE_POD --\u003e VAULT_POD\n    ENGINE_POD --\u003e ETH_POD\n    ENGINE_POD --\u003e FABRIC_POD\n    ENGINE_POD --\u003e IPFS_POD\n    \n    VAULT_POD --\u003e KMS_SVC\n    CERT_POD --\u003e DNS_SVC\n    CERT_POD --\u003e WI_SVC\n    \n    %% Styling\n    classDef database fill:#4285f4,stroke:#1a73e8,stroke-width:2px,color:#fff\n    classDef application fill:#ff6b35,stroke:#e55100,stroke-width:2px,color:#fff\n    classDef infrastructure fill:#326ce5,stroke:#1a73e8,stroke-width:2px,color:#fff\n    classDef blockchain fill:#9c27b0,stroke:#7b1fa2,stroke-width:2px,color:#fff\n    classDef gcpService fill:#34a853,stroke:#137333,stroke-width:2px,color:#fff\n    \n    class PG_POD,REDIS_POD,MINIO_POD database\n    class UI_POD1,UI_POD2,API_POD1,API_POD2,ENGINE_POD,CLUSTER_POD1,CLUSTER_POD2 application\n    class VAULT_POD,CERT_POD,WEBHOOK_POD,CAINJECTOR_POD,NGINX_POD,GRAFANA_POD,VICTORIA_POD,LOKI_POD infrastructure\n    class ETH_POD,FABRIC_POD,IPFS_POD blockchain\n    class LB_SVC,DNS_SVC,KMS_SVC,WI_SVC gcpService\n```\n\n### Infrastructure Deployment Flow\n\n```mermaid\nflowchart TD\n    START([🚀 Start Deployment\u003cbr/\u003eInitialize BTP Setup])\n    \n    subgraph PREP[\"📋 Preparation Phase\"]\n        ENV[⚙️ Set Environment\u003cbr/\u003eVariables \u0026 Credentials]\n    
    PREREQ[✅ Check Prerequisites\u003cbr/\u003eAPIs, Permissions, Quotas]\n    end\n    \n    subgraph DNS_PHASE[\"🌐 DNS Setup Phase\"]\n        DNS_INIT[🌐 Initialize DNS Zone\u003cbr/\u003eCreate Cloud DNS Zone]\n        DNS_APPLY[📝 Apply DNS Config\u003cbr/\u003eConfigure Records]\n        DNS_OUTPUT[📤 Get Nameservers\u003cbr/\u003eExtract NS Records]\n        DELEGATE[🔗 Delegate Domain\u003cbr/\u003eUpdate Registrar]\n        VERIFY[✅ Verify DNS\u003cbr/\u003eTest Resolution]\n    end\n    \n    subgraph INFRA_PHASE[\"🏗️ Infrastructure Phase\"]\n        GKE_CREATE[☸️ Create GKE Cluster\u003cbr/\u003eRegional Deployment]\n        NAMESPACES[📦 Create Namespaces\u003cbr/\u003eDependencies \u0026 Platform]\n        WORKLOAD_ID[🔐 Setup Workload Identity\u003cbr/\u003eService Account Binding]\n        KMS_CREATE[🔒 Create KMS Resources\u003cbr/\u003eKey Ring \u0026 Crypto Keys]\n    end\n    \n    subgraph SERVICES_PHASE[\"🔧 Services Phase\"]\n        CERT_DEPLOY[📜 Deploy cert-manager\u003cbr/\u003eSSL Certificate Management]\n        NGINX_DEPLOY[🔀 Deploy NGINX Ingress\u003cbr/\u003eLoad Balancer Setup]\n        POSTGRES_DEPLOY[🗄️ Deploy PostgreSQL\u003cbr/\u003eDatabase Setup]\n        REDIS_DEPLOY[⚡ Deploy Redis\u003cbr/\u003eCache Configuration]\n        MINIO_DEPLOY[📁 Deploy MinIO\u003cbr/\u003eObject Storage]\n    end\n    \n    subgraph VAULT_PHASE[\"🔐 Security Phase\"]\n        VAULT_DEPLOY[🔒 Deploy Vault\u003cbr/\u003eSecrets Management]\n        VAULT_INIT[🔑 Initialize Vault\u003cbr/\u003eGenerate Keys]\n        VAULT_CONFIG[⚙️ Configure Vault\u003cbr/\u003eSecret Engines]\n        VAULT_POLICIES[📋 Create Policies\u003cbr/\u003eAccess Control]\n        APPROLE[🎭 Setup AppRole\u003cbr/\u003eAuthentication]\n    end\n    \n    subgraph PLATFORM_PHASE[\"🚀 Platform Phase\"]\n        SSL_CERT[📜 Request SSL Certs\u003cbr/\u003eLet's Encrypt]\n        DNS_RECORDS[📍 Create DNS Records\u003cbr/\u003eA Records for Services]\n        BTP_DEPLOY[🚀 Deploy BTP 
Platform\u003cbr/\u003eApplication Stack]\n        HEALTH_CHECK[🏥 Health Check\u003cbr/\u003eAll Services]\n    end\n    \n    subgraph COMPLETION[\"✅ Completion\"]\n        READY{🔍 All Services\u003cbr/\u003eReady?}\n        TROUBLESHOOT[🔧 Troubleshoot\u003cbr/\u003eIssues]\n        COMPLETE([🎉 Deployment\u003cbr/\u003eComplete!])\n    end\n    \n    %% Flow connections\n    START --\u003e ENV\n    ENV --\u003e PREREQ\n    PREREQ --\u003e DNS_INIT\n    \n    DNS_INIT --\u003e DNS_APPLY\n    DNS_APPLY --\u003e DNS_OUTPUT\n    DNS_OUTPUT --\u003e DELEGATE\n    DELEGATE --\u003e VERIFY\n    \n    VERIFY --\u003e GKE_CREATE\n    GKE_CREATE --\u003e NAMESPACES\n    NAMESPACES --\u003e WORKLOAD_ID\n    WORKLOAD_ID --\u003e KMS_CREATE\n    \n    KMS_CREATE --\u003e CERT_DEPLOY\n    CERT_DEPLOY --\u003e NGINX_DEPLOY\n    NGINX_DEPLOY --\u003e POSTGRES_DEPLOY\n    POSTGRES_DEPLOY --\u003e REDIS_DEPLOY\n    REDIS_DEPLOY --\u003e MINIO_DEPLOY\n    \n    MINIO_DEPLOY --\u003e VAULT_DEPLOY\n    VAULT_DEPLOY --\u003e VAULT_INIT\n    VAULT_INIT --\u003e VAULT_CONFIG\n    VAULT_CONFIG --\u003e VAULT_POLICIES\n    VAULT_POLICIES --\u003e APPROLE\n    \n    APPROLE --\u003e SSL_CERT\n    SSL_CERT --\u003e DNS_RECORDS\n    DNS_RECORDS --\u003e BTP_DEPLOY\n    BTP_DEPLOY --\u003e HEALTH_CHECK\n    \n    HEALTH_CHECK --\u003e READY\n    READY --\u003e|❌ No| TROUBLESHOOT\n    TROUBLESHOOT --\u003e HEALTH_CHECK\n    READY --\u003e|✅ Yes| COMPLETE\n    \n    %% Styling with colors\n    classDef startEnd fill:#4caf50,stroke:#2e7d32,stroke-width:3px,color:#fff,font-weight:bold\n    classDef prep fill:#e3f2fd,stroke:#1976d2,stroke-width:2px,color:#000,font-weight:bold\n    classDef dns fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000,font-weight:bold\n    classDef infra fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000,font-weight:bold\n    classDef services fill:#e8f5e8,stroke:#388e3c,stroke-width:2px,color:#000,font-weight:bold\n    classDef security 
fill:#fce4ec,stroke:#c2185b,stroke-width:2px,color:#000,font-weight:bold\n    classDef platform fill:#fff8e1,stroke:#fbc02d,stroke-width:2px,color:#000,font-weight:bold\n    classDef decision fill:#ffebee,stroke:#d32f2f,stroke-width:2px,color:#000,font-weight:bold\n    classDef error fill:#ffcdd2,stroke:#f44336,stroke-width:2px,color:#000,font-weight:bold\n    \n    class START,COMPLETE startEnd\n    class ENV,PREREQ prep\n    class DNS_INIT,DNS_APPLY,DNS_OUTPUT,DELEGATE,VERIFY dns\n    class GKE_CREATE,NAMESPACES,WORKLOAD_ID,KMS_CREATE infra\n    class CERT_DEPLOY,NGINX_DEPLOY,POSTGRES_DEPLOY,REDIS_DEPLOY,MINIO_DEPLOY services\n    class VAULT_DEPLOY,VAULT_INIT,VAULT_CONFIG,VAULT_POLICIES,APPROLE security\n    class SSL_CERT,DNS_RECORDS,BTP_DEPLOY,HEALTH_CHECK platform\n    class READY decision\n    class TROUBLESHOOT error\n```\n\n### Security Architecture Deep Dive\n\n```mermaid\ngraph TD\n    subgraph EXTERNAL[\"🌐 External Layer\"]\n        USERS[👥 End Users\u003cbr/\u003eWeb Browsers\u003cbr/\u003eMobile Apps]\n        ADMIN[👨‍💼 Administrators\u003cbr/\u003eDevOps Team\u003cbr/\u003eSupport Staff]\n        APIS[🔌 External APIs\u003cbr/\u003eThird-party Services\u003cbr/\u003eWebhooks]\n    end\n    \n    subgraph SECURITY_PERIMETER[\"🛡️ Security Perimeter\"]\n        WAF[🛡️ Web Application Firewall\u003cbr/\u003eDDoS Protection\u003cbr/\u003eRate Limiting\u003cbr/\u003eBot Detection]\n        LB[⚖️ Load Balancer\u003cbr/\u003eSSL Termination\u003cbr/\u003eHealth Checks\u003cbr/\u003eTraffic Distribution]\n        FIREWALL[🔥 Network Firewall\u003cbr/\u003eIP Whitelisting\u003cbr/\u003ePort Restrictions\u003cbr/\u003eProtocol Filtering]\n    end\n    \n    subgraph AUTH_LAYER[\"🔐 Authentication Layer\"]\n        OAUTH[🎫 OAuth 2.0/OIDC\u003cbr/\u003eGoogle Workspace\u003cbr/\u003eAzure AD\u003cbr/\u003eCustom Providers]\n        MFA[📱 Multi-Factor Auth\u003cbr/\u003eTOTP/SMS\u003cbr/\u003eHardware Tokens\u003cbr/\u003eBiometric]\n        SESSION[🎪 Session 
Management\u003cbr/\u003eJWT Tokens\u003cbr/\u003eRefresh Tokens\u003cbr/\u003eSession Store]\n    end\n    \n    subgraph AUTHORIZATION_LAYER[\"👮 Authorization Layer\"]\n        RBAC[👥 Role-Based Access\u003cbr/\u003eUser Roles\u003cbr/\u003ePermissions\u003cbr/\u003eResource Access]\n        POLICY[📋 Policy Engine\u003cbr/\u003eAttribute-Based\u003cbr/\u003eDynamic Rules\u003cbr/\u003eContext Aware]\n        AUDIT[📊 Audit Logging\u003cbr/\u003eAccess Logs\u003cbr/\u003eChange Tracking\u003cbr/\u003eCompliance]\n    end\n    \n    subgraph SECRETS_LAYER[\"🔒 Secrets Management\"]\n        VAULT_CORE[🔐 HashiCorp Vault\u003cbr/\u003eSecret Storage\u003cbr/\u003eDynamic Secrets\u003cbr/\u003eEncryption Transit]\n        KMS[🗝️ Cloud KMS\u003cbr/\u003eKey Management\u003cbr/\u003eHardware Security\u003cbr/\u003eAuto-rotation]\n        CERT_MGR[📜 Certificate Manager\u003cbr/\u003eSSL/TLS Certs\u003cbr/\u003eAuto-renewal\u003cbr/\u003eCA Integration]\n    end\n    \n    subgraph DATA_PROTECTION[\"🛡️ Data Protection\"]\n        ENCRYPTION[🔐 Encryption at Rest\u003cbr/\u003eDatabase Encryption\u003cbr/\u003eFile System Encryption\u003cbr/\u003eBackup Encryption]\n        NETWORK_SEC[🌐 Network Security\u003cbr/\u003eVPC Isolation\u003cbr/\u003ePrivate Subnets\u003cbr/\u003eService Mesh]\n        MONITORING[👁️ Security Monitoring\u003cbr/\u003eIntrusion Detection\u003cbr/\u003eAnomaly Detection\u003cbr/\u003eThreat Intelligence]\n    end\n    \n    %% External to Security Perimeter\n    USERS --\u003e WAF\n    ADMIN --\u003e WAF\n    APIS --\u003e FIREWALL\n    \n    %% Security Perimeter Flow\n    WAF --\u003e LB\n    LB --\u003e FIREWALL\n    FIREWALL --\u003e OAUTH\n    \n    %% Authentication Flow\n    OAUTH --\u003e MFA\n    MFA --\u003e SESSION\n    SESSION --\u003e RBAC\n    \n    %% Authorization Flow\n    RBAC --\u003e POLICY\n    POLICY --\u003e AUDIT\n    AUDIT --\u003e VAULT_CORE\n    \n    %% Secrets Management\n    VAULT_CORE --\u003e KMS\n    KMS --\u003e 
CERT_MGR\n    CERT_MGR --\u003e ENCRYPTION\n    \n    %% Data Protection\n    ENCRYPTION --\u003e NETWORK_SEC\n    NETWORK_SEC --\u003e MONITORING\n    MONITORING --\u003e AUDIT\n    \n    %% Styling\n    classDef external fill:#ffebee,stroke:#d32f2f,stroke-width:2px,color:#000\n    classDef perimeter fill:#e8eaf6,stroke:#3f51b5,stroke-width:2px,color:#000\n    classDef auth fill:#e0f2f1,stroke:#00695c,stroke-width:2px,color:#000\n    classDef authz fill:#fff3e0,stroke:#ef6c00,stroke-width:2px,color:#000\n    classDef secrets fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000\n    classDef protection fill:#e3f2fd,stroke:#0277bd,stroke-width:2px,color:#000\n    \n    class USERS,ADMIN,APIS external\n    class WAF,LB,FIREWALL perimeter\n    class OAUTH,MFA,SESSION auth\n    class RBAC,POLICY,AUDIT authz\n    class VAULT_CORE,KMS,CERT_MGR secrets\n    class ENCRYPTION,NETWORK_SEC,MONITORING protection\n```\n\n## Prerequisites\n\n### Required Tools and Software\n\n| Tool | Version | Purpose | Installation Command |\n|------|---------|---------|---------------------|\n| **Terraform** | \u003e= 1.0 | Infrastructure provisioning | `brew install terraform` |\n| **Google Cloud SDK** | Latest | GCP authentication and management | `brew install google-cloud-sdk` |\n| **kubectl** | \u003e= 1.20 | Kubernetes cluster management | `brew install kubectl` |\n| **Helm** | \u003e= 3.0 | Kubernetes package management | `brew install helm` |\n\n### Google Cloud Platform Requirements\n\n#### 1. GCP Account and Project Setup\n\n| Requirement | Details | Action Required |\n|-------------|---------|-----------------|\n| **GCP Account** | Active Google Cloud account with billing enabled | [Create Account](https://console.cloud.google.com/freetrial/) |\n| **Project Creation** | New GCP project dedicated to BTP deployment | Create via GCP Console or `gcloud projects create` |\n| **Billing Account** | Linked billing account for resource provisioning | Link in GCP Console |\n\n#### 2. 
Required API Enablement\n\n```bash\n# Enable essential Google Cloud APIs\ngcloud services enable container.googleapis.com          # Google Kubernetes Engine\ngcloud services enable dns.googleapis.com               # Cloud DNS\ngcloud services enable cloudkms.googleapis.com          # Key Management Service\ngcloud services enable compute.googleapis.com           # Compute Engine\ngcloud services enable iam.googleapis.com               # Identity and Access Management\n```\n\n#### 3. IAM Permissions Matrix\n\n| Role | Scope | Purpose | Required for |\n|------|-------|---------|--------------|\n| **Owner** | Project | Full administrative access (recommended for demo) | All operations |\n| **Editor** | Project | Resource creation and modification | Infrastructure deployment |\n| **Cloud KMS Admin** | Project | KMS key management for Vault unsealing | Vault auto-unsealing |\n| **Project IAM Admin** | Project | Service account and role management | Workload Identity setup |\n| **Kubernetes Engine Admin** | Project | GKE cluster management | Cluster operations |\n| **DNS Administrator** | Project | Cloud DNS management | Domain and certificate management |\n\n### SettleMint Platform Credentials\n\nContact your **SettleMint Customer Success representative** to obtain:\n\n| Credential | Purpose | Format | Example |\n|------------|---------|--------|---------|\n| **OCI Registry Username** | Access to SettleMint Helm charts | String | `customer-username` |\n| **OCI Registry Password** | Authentication for chart downloads | String | `secure-password-123` |\n| **BTP Version** | Specific platform version to deploy | Semantic version | `v7.6.19` |\n\n### OAuth2 Provider Configuration\n\n#### Google OAuth Setup Process\n\n1. 
**Configure OAuth Consent Screen**\n   - Navigate to: [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent)\n   - Select: **External** user type\n   - Required fields:\n     - App name: `SettleMint BTP Platform`\n     - User support email: Your email address\n     - Developer contact information: Your email address\n\n2. **Create OAuth Client ID**\n   - Navigate to: [API Credentials](https://console.developers.google.com/apis/credentials)\n   - Click: **+ CREATE CREDENTIALS** → **OAuth client ID**\n   - Application type: **Web application**\n   - Configuration:\n\n| Field | Value | Example |\n|-------|-------|---------|\n| **Name** | SettleMint BTP OAuth Client | `SettleMint BTP OAuth Client` |\n| **Authorized JavaScript origins** | Your platform domain | `https://btp.yourdomain.com` |\n| **Authorized redirect URIs** | OAuth callback endpoint | `https://btp.yourdomain.com/api/auth/callback/google` |\n\n### Domain and DNS Requirements\n\n#### Domain Prerequisites\n\n| Requirement | Description | Examples |\n|-------------|-------------|----------|\n| **Domain Control** | You must own or control a domain/subdomain | `btp.yourcompany.com` |\n| **DNS Management Access** | Ability to create NS records in parent domain | Access to domain registrar or DNS provider |\n| **Subdomain Delegation** | Capability to delegate subdomain to Google Cloud DNS | NS record creation permissions |\n\n#### Supported DNS Providers\n\n| Provider | Complexity | Features | Recommended |\n|----------|------------|----------|-------------|\n| **Cloudflare** | Low | Full DNS management, API access | ✅ Yes |\n| **Google Domains** | Low | Native GCP integration | ✅ Yes |\n| **Route 53 (AWS)** | Medium | Advanced DNS features | ⚠️ Possible |\n| **GoDaddy** | Medium | Basic DNS management | ⚠️ Possible |\n| **Namecheap** | Medium | Standard DNS features | ⚠️ Possible |\n\n## Infrastructure Components\n\n### Core Infrastructure Layer\n\n#### Google Kubernetes Engine (GKE) 
Cluster\n\n| Configuration | Value | Rationale |\n|---------------|-------|-----------|\n| **Cluster Type** | Regional | High availability across multiple zones |\n| **Node Pool** | e2-standard-4 (4 vCPU, 16GB RAM) | Optimal for BTP workloads |\n| **Scaling Range** | 1-50 nodes | Cost optimization with growth capability |\n| **Network** | Default VPC | Simplified networking for demo |\n| **Security** | Shielded GKE nodes | Enhanced security posture |\n\n**Resource Allocation**:\n```\nMinimum Configuration: 1 node  (4 vCPU, 16GB RAM)\nTypical Production:    3 nodes (12 vCPU, 48GB RAM)\nMaximum Scaling:       50 nodes (200 vCPU, 800GB RAM)\n```\n\n#### Cloud DNS Configuration\n\n| Component | Purpose | Configuration |\n|-----------|---------|---------------|\n| **DNS Zone** | Public DNS zone for platform access | Managed zone with TTL 300s |\n| **A Record** | Main domain resolution | Points to load balancer IP |\n| **Wildcard Record** | Subdomain support | `*.domain.com` for services |\n| **Integration** | Automatic record management | via external-dns controller |\n\n#### Cloud KMS (Key Management Service)\n\n| Feature | Configuration | Security Benefit |\n|---------|---------------|------------------|\n| **Key Ring** | Regional key ring | Localized key management |\n| **Crypto Key** | Symmetric encryption key | Vault auto-unsealing |\n| **Access Control** | Service account permissions | Principle of least privilege |\n| **Audit Logging** | All key operations logged | Compliance and security monitoring |\n\n### Application Data Layer\n\n#### PostgreSQL Database\n\n| Specification | Configuration | Purpose |\n|---------------|---------------|---------|\n| **Version** | PostgreSQL 16.x | Latest stable with enterprise features |\n| **Deployment** | Bitnami Helm chart | Production-ready configuration |\n| **Storage** | Persistent volumes | Data durability |\n| **Authentication** | Password-based | Secure database access |\n\n**Database Schema Overview**:\n```\n-- 
Primary application database\nDatabase: btp\nOwner: btp\nEncoding: UTF8\n\n-- Key table categories\nTables:\n  - users (authentication and profiles)\n  - projects (blockchain project metadata)\n  - deployments (network deployment records)\n  - blockchain_networks (network configurations)\n  - smart_contracts (contract artifacts)\n  - audit_logs (system activity tracking)\n```\n\n#### Redis Cache Layer\n\n| Feature | Configuration | Use Case |\n|---------|---------------|----------|\n| **Architecture** | Standalone (demo) | Single instance for simplicity |\n| **Version** | Redis 7.x | Latest with enhanced features |\n| **Persistence** | RDB snapshots | Data recovery capability |\n| **Memory Management** | Configurable with eviction | Optimal memory utilization |\n\n**Redis Usage Patterns**:\n- **Session Storage**: User authentication sessions\n- **API Caching**: Frequently accessed data caching\n- **Job Queues**: Background task management\n- **Real-time Data**: WebSocket connection state\n\n#### MinIO Object Storage\n\n| Component | Configuration | Storage Type |\n|-----------|---------------|--------------|\n| **Deployment** | Single-node instance | S3-compatible storage |\n| **Default Bucket** | Platform-named bucket | Organized data storage |\n| **Access Method** | S3 API with credentials | Standard object storage interface |\n| **Web UI** | Enabled for administration | User-friendly management |\n\n**Storage Categories**:\n```\n📁 Smart Contract Artifacts\n  ├── Compiled contracts (.json, .bin)\n  ├── ABI definitions\n  └── Deployment metadata\n\n📁 Blockchain Configurations\n  ├── Network genesis files\n  ├── Node configurations\n  └── Consensus parameters\n\n📁 User Data\n  ├── Uploaded files\n  ├── Project documentation\n  └── Backup archives\n\n📁 System Data\n  ├── Container images\n  ├── Build artifacts\n  └── Log archives\n```\n\n#### HashiCorp Vault\n\n| Feature | Configuration | Security Function |\n|---------|---------------|-------------------|\n| 
**Version** | Latest stable | Enterprise-grade secrets management |\n| **Unsealing** | Google Cloud KMS | Automatic unsealing without manual intervention |\n| **Authentication** | AppRole method | Secure service-to-service authentication |\n| **Storage Backend** | File-based with PV | Persistent secret storage |\n\n**Secret Engine Structure**:\n```\n🔐 Secret Engines:\n├── ethereum/     (Ethereum private keys, wallet data)\n├── fabric/       (Hyperledger Fabric certificates, MSP)\n├── ipfs/         (IPFS node keys, swarm keys)\n├── database/     (Database credentials)\n└── api-keys/     (External service API keys)\n\n🛡️ Policies:\n├── ethereum-policy (ethereum/* access)\n├── fabric-policy   (fabric/* access)\n├── ipfs-policy     (ipfs/* access)\n└── platform-policy (combined access for BTP)\n```\n\n### Networking and Security Layer\n\n#### NGINX Ingress Controller\n\n| Feature | Configuration | Benefit |\n|---------|---------------|---------|\n| **SSL Termination** | Automatic certificate management | Secure HTTPS access |\n| **Load Balancing** | Round-robin across pods | High availability |\n| **Path Routing** | URL-based service routing | Microservice architecture support |\n| **WebSocket Support** | Real-time communication | Interactive blockchain applications |\n\n**Routing Configuration**:\n```\n🌐 Ingress Routes:\n├── /                    → 🖥️ BTP Web UI (React SPA)\n├── /api/*              → 🔌 BTP API Services\n├── /auth/*             → 🔐 Authentication Service\n├── /grafana/*          → 📊 Monitoring Dashboard\n├── /logs/*             → 📋 Log Aggregation\n└── /metrics/*          → 📈 Metrics Collection\n```\n\n#### cert-manager\n\n| Component | Function | Integration |\n|-----------|----------|-------------|\n| **Certificate Authority** | Let's Encrypt | Free SSL certificates |\n| **Challenge Method** | DNS-01 validation | Wildcard certificate support |\n| **Renewal Process** | Automatic (60 days before expiry) | Zero-downtime certificate updates |\n| **DNS 
Integration** | Google Cloud DNS | Seamless validation process |\n\n**Certificate Coverage**:\n```\n🔒 SSL Certificates:\n├── Primary: btp.yourdomain.com\n├── Wildcard: *.btp.yourdomain.com\n├── Validity: 90 days (Let's Encrypt standard)\n├── Auto-renewal: 30 days before expiration\n└── Algorithm: RSA 2048-bit or ECDSA P-256\n```\n\n## Installation Guide\n\n### Phase 1: Environment Preparation\n\n#### Step 1.1: Repository Setup\n\n```bash\n# Clone the BTP infrastructure repository\ngit clone https://github.com/settlemint/tutorial-btp-on-gcp.git\ncd tutorial-btp-on-gcp\n\n# Verify repository structure\nls -la\n# Expected output:\n# 00_dns_zone/        (DNS zone configuration)\n# 01_infrastructure/  (Main infrastructure)\n# example.env.sh      (Environment template)\n# README.md          (This documentation)\n```\n\n#### Step 1.2: Environment Configuration\n\n```bash\n# Create your environment configuration\ncp example.env.sh btp-production.env.sh\n\n# Edit with your specific values\nnano btp-production.env.sh\n```\n\n**Environment Variables Configuration**:\n\n| Variable | Description | Example Value | Required |\n|----------|-------------|---------------|----------|\n| `TF_VAR_gcp_dns_zone` | Your subdomain for BTP access | `btp.yourcompany.com` | ✅ |\n| `TF_VAR_gcp_project_id` | GCP project identifier | `btp-production-123456` | ✅ |\n| `TF_VAR_gcp_region` | GCP region for deployment | `europe-west1` | ✅ |\n| `TF_VAR_gcp_client_id` | Google OAuth client ID | `123456789-abc.googleusercontent.com` | ✅ |\n| `TF_VAR_gcp_client_secret` | Google OAuth client secret | `GOCSPX-abcdef123456` | ✅ |\n| `TF_VAR_oci_registry_username` | SettleMint registry username | `customer-username` | ✅ |\n| `TF_VAR_oci_registry_password` | SettleMint registry password | `secure-password` | ✅ |\n| `TF_VAR_btp_version` | BTP platform version | `v7.6.19` | ✅ |\n\n**Complete Environment File Example**:\n```bash\n#!/bin/bash\n# SettleMint BTP Production Environment Configuration\n\n# DNS and 
Domain Configuration\nexport TF_VAR_gcp_dns_zone=\"btp.yourcompany.com\"\n\n# Google Cloud Platform Configuration\nexport TF_VAR_gcp_project_id=\"btp-production-123456\"\nexport TF_VAR_gcp_region=\"europe-west1\"\n\n# OAuth2 Authentication Configuration\nexport TF_VAR_gcp_client_id=\"123456789-abc.googleusercontent.com\"\nexport TF_VAR_gcp_client_secret=\"GOCSPX-abcdef123456\"\n\n# SettleMint Platform Credentials\nexport TF_VAR_oci_registry_username=\"customer-username\"\nexport TF_VAR_oci_registry_password=\"secure-password\"\nexport TF_VAR_btp_version=\"v7.6.19\"\n\n# Validation\necho \"Environment configured for: $TF_VAR_gcp_dns_zone\"\necho \"GCP Project: $TF_VAR_gcp_project_id\"\necho \"Region: $TF_VAR_gcp_region\"\n```\n\n#### Step 1.3: Authentication Setup\n\n```bash\n# Load environment variables\nsource btp-production.env.sh\n\n# Authenticate with Google Cloud\ngcloud auth login\ngcloud auth application-default login\n\n# Set default project\ngcloud config set project $TF_VAR_gcp_project_id\n\n# Verify authentication\ngcloud auth list\ngcloud config list\n```\n\n### Phase 2: DNS Zone Deployment\n\n#### Step 2.1: DNS Infrastructure Creation\n\n```bash\n# Navigate to DNS zone configuration\ncd 00_dns_zone\n\n# Initialize Terraform\nterraform init\n# Expected output: Terraform has been successfully initialized!\n\n# Review planned changes\nterraform plan\n# Review the resources that will be created\n\n# Apply DNS zone configuration\nterraform apply\n# Type 'yes' when prompted\n```\n\n**Expected Terraform Output**:\n```\nApply complete! 
Resources: 1 added, 0 changed, 0 destroyed.\n\nOutputs:\n\nname_servers = [\n  \"ns-cloud-a1.googledomains.com.\",\n  \"ns-cloud-a2.googledomains.com.\",\n  \"ns-cloud-a3.googledomains.com.\",\n  \"ns-cloud-a4.googledomains.com.\",\n]\n```\n\n#### Step 2.2: Domain Delegation Configuration\n\n**For Cloudflare Users**:\n\n| Step | Action | Configuration |\n|------|--------|---------------|\n| 1 | Login to Cloudflare Dashboard | Access your domain management |\n| 2 | Navigate to DNS settings | Select your domain |\n| 3 | Add NS records | Create nameserver delegation |\n\n**NS Record Configuration**:\n```\nRecord Type: NS\nName: btp\nContent: ns-cloud-a1.googledomains.com\nTTL: Auto (or 1 hour)\n\nRecord Type: NS\nName: btp\nContent: ns-cloud-a2.googledomains.com\nTTL: Auto\n\nRecord Type: NS\nName: btp\nContent: ns-cloud-a3.googledomains.com\nTTL: Auto\n\nRecord Type: NS\nName: btp\nContent: ns-cloud-a4.googledomains.com\nTTL: Auto\n```\n\n#### Step 2.3: DNS Delegation Verification\n\n```bash\n# Test DNS delegation (may take time to propagate)\ndig NS btp.yourcompany.com\n\n# Alternative verification methods\nnslookup -type=NS btp.yourcompany.com\nhost -t NS btp.yourcompany.com\n\n# Test from multiple DNS servers\ndig @8.8.8.8 NS btp.yourcompany.com\ndig @1.1.1.1 NS btp.yourcompany.com\n```\n\n**Successful Delegation Indicators**:\n```\n;; ANSWER SECTION:\nbtp.yourcompany.com.    300    IN    NS    ns-cloud-a1.googledomains.com.\nbtp.yourcompany.com.    300    IN    NS    ns-cloud-a2.googledomains.com.\nbtp.yourcompany.com.    300    IN    NS    ns-cloud-a3.googledomains.com.\nbtp.yourcompany.com.    
300    IN    NS    ns-cloud-a4.googledomains.com.\n```\n\n### Phase 3: Infrastructure Deployment\n\n#### Step 3.1: Main Infrastructure Deployment\n\n```bash\n# Navigate to infrastructure directory\ncd ../01_infrastructure\n\n# Initialize Terraform with all providers\nterraform init\n# This will download: Google, Kubernetes, Helm, and Random providers\n\n# Review the complete infrastructure plan\nterraform plan\n# Review all resources that will be created (approximately 30+ resources)\n\n# Deploy infrastructure (15-30 minutes)\nterraform apply\n# Type 'yes' to confirm deployment\n```\n\n#### Step 3.2: Deployment Progress Monitoring\n\n**Phase Breakdown**:\n\n| Phase | Duration | Components | Status Indicators |\n|-------|----------|------------|-------------------|\n| **Phase 1** | 5-10 min | GKE cluster, node pools | `kubectl get nodes` |\n| **Phase 2** | 10-15 min | Dependencies (DB, cache, storage) | `kubectl get pods -A` |\n| **Phase 3** | 5-10 min | Security (cert-manager, ingress) | `kubectl get certificates` |\n| **Phase 4** | 5-10 min | BTP platform deployment | `kubectl get pods -n settlemint` |\n\n**Monitoring Commands**:\n```bash\n# Monitor cluster creation\ngcloud container clusters list\n\n# Check node status\nkubectl get nodes -o wide\n\n# Monitor namespace creation\nkubectl get namespaces\n\n# Watch pod deployment across all namespaces\nkubectl get pods -A -w\n\n# Check ingress controller status\nkubectl get svc -n cluster-dependencies ingress-nginx-controller\n\n# Monitor certificate provisioning\nkubectl get certificates -n cluster-dependencies -w\n\n# Check BTP platform deployment\nkubectl get pods -n settlemint -w\n```\n\n#### Step 3.3: Deployment Verification\n\n**Infrastructure Health Check**:\n```bash\n# Comprehensive system status\nkubectl get all -A | grep -E \"(Running|Ready|Available)\"\n\n# Check critical services\nkubectl get svc -A | grep LoadBalancer\n\n# Verify persistent volumes\nkubectl get pv\n\n# Check ingress 
configuration\nkubectl get ingress -A\n```\n\n**Expected Healthy State**:\n```\nNAMESPACE              NAME                                 READY   STATUS    RESTARTS\ncluster-dependencies  postgresql-0                         1/1     Running   0\ncluster-dependencies  redis-master-0                       1/1     Running   0\ncluster-dependencies  minio-0                              1/1     Running   0\ncluster-dependencies  vault-0                              1/1     Running   0\ncluster-dependencies  cert-manager-*                       1/1     Running   0\ncluster-dependencies  ingress-nginx-controller-*           1/1     Running   0\nsettlemint             settlemint-app-*                    1/1     Running   0\nsettlemint             settlemint-api-*                    1/1     Running   0\n```\n\n### Phase 4: Platform Access and Verification\n\n#### Step 4.1: Platform Access\n\n```bash\n# Get external IP address\nkubectl get svc -n cluster-dependencies ingress-nginx-controller\n\n# Expected output:\n# NAME                       TYPE           EXTERNAL-IP    PORT(S)\n# ingress-nginx-controller   LoadBalancer   35.123.45.67   80:32080/TCP,443:32443/TCP\n\n# Platform should be accessible at:\necho \"Platform URL: https://$TF_VAR_gcp_dns_zone\"\n```\n\n#### Step 4.2: Initial Platform Setup\n\n**Access Flow**:\n1. Navigate to `https://btp.yourcompany.com`\n2. Click **\"Sign in with Google\"**\n3. Authenticate with your Google account\n4. 
Complete initial platform configuration\n\n**Platform Health Verification**:\n\n| Component | URL | Expected Status |\n|-----------|-----|-----------------|\n| **Main Platform** | `https://btp.yourcompany.com` | BTP login page |\n| **Monitoring** | `https://grafana.btp.yourcompany.com` | Grafana dashboard |\n| **Logs** | `https://logs.btp.yourcompany.com` | Loki log interface |\n| **Metrics** | `https://metrics.btp.yourcompany.com` | Victoria Metrics UI |\n\n## Configuration\n\n### Platform Configuration Overview\n\nThe BTP platform configuration is managed through Helm values, processed via the `values.yaml.tmpl` template.\n\n### Key Configuration Areas\n\n#### Authentication Configuration\n\n```yaml\n# Google OAuth2 Configuration\nauth:\n  jwtSigningKey: \"${jwtSigningKey}\"          # Auto-generated JWT signing key\n  providers:\n    google:\n      enabled: true\n      clientID: \"${gcp_client_id}\"           # From environment variables\n      clientSecret: \"${gcp_client_secret}\"   # From environment variables\n```\n\n#### Database Configuration\n\n```yaml\npostgresql:\n  host: postgresql.${dependencies_namespace}.svc.cluster.local\n  port: 5432\n  user: \"${gcp_platform_name}\"\n  password: \"${postgresql_password}\"        # Auto-generated\n  database: \"${gcp_platform_name}\"\n\nredis:\n  host: redis-master.${dependencies_namespace}.svc.cluster.local\n  port: 6379\n  password: \"${redis_password}\"             # Auto-generated\n```\n\n#### Storage Configuration\n\n```yaml\nfeatures:\n  deploymentEngine:\n    state:\n      s3ConnectionUrl: \"s3://${gcp_platform_name}?region=${gcp_region}\u0026endpoint=minio.${dependencies_namespace}.svc.cluster.local:9000\u0026disableSSL=true\u0026s3ForcePathStyle=true\"\n      credentials:\n        aws:\n          accessKeyId: \"${minio_svcacct_access_key}\"\n          secretAccessKey: \"${minio_svcacct_secret_key}\"\n```\n\n## Monitoring\n\n### Observability Stack Components\n\nThe BTP platform includes a comprehensive 
observability stack for monitoring, logging, and alerting.\n\n#### Monitoring Dashboard Access\n\n| Service | URL | Credentials | Purpose |\n|---------|-----|-------------|---------|\n| **Grafana** | `https://grafana.btp.yourcompany.com` | settlemint / auto-generated | Metrics visualization |\n| **Victoria Metrics** | `https://metrics.btp.yourcompany.com` | settlemint / settlemint | Metrics storage |\n| **Loki** | `https://logs.btp.yourcompany.com` | settlemint / settlemint | Log aggregation |\n\n#### Key Performance Indicators (KPIs)\n\n| Metric Category | Key Metrics | Target Values |\n|-----------------|-------------|---------------|\n| **Application Performance** | Response time, throughput | \u003c 200ms, \u003e 1000 RPS |\n| **Infrastructure Health** | CPU, memory, disk usage | \u003c 80% utilization |\n| **Database Performance** | Query time, connections | \u003c 100ms, \u003c 80% max connections |\n| **Network Performance** | Latency, packet loss | \u003c 50ms, \u003c 0.1% loss |\n\n## Security\n\n### Security Architecture Overview\n\nThe BTP platform implements multiple layers of security controls to protect against various threat vectors.\n\n#### Authentication and Authorization\n\n**Multi-Factor Authentication Flow**:\n```\nUser Request → Google OAuth2 → JWT Token → Role-Based Access → Resource Access\n```\n\n#### Network Security\n\n| Security Layer | Implementation | Protection |\n|----------------|----------------|------------|\n| **TLS/SSL** | Let's Encrypt certificates | Data in transit |\n| **Network Policies** | Kubernetes network policies | Inter-pod communication |\n| **Ingress Security** | NGINX security headers | Web application attacks |\n| **Private Networking** | VPC with private subnets | Network isolation |\n\n#### Secrets Management\n\n**Vault Security Architecture**:\n\n```mermaid\ngraph TD\n    subgraph KMS[\"🔐 Google Cloud KMS\"]\n        KEYRING[🗝️ Key Ring\u003cbr/\u003evault-key-ring-suffix\u003cbr/\u003eRegional 
Resource\u003cbr/\u003eHSM-backed]\n        CRYPTOKEY[🔑 Crypto Key\u003cbr/\u003evault-unseal-key\u003cbr/\u003eAES-256 Encryption\u003cbr/\u003eAuto-rotation]\n    end\n    \n    subgraph VAULT[\"🔒 HashiCorp Vault Cluster\"]\n        subgraph AUTH[\"🎭 Authentication Layer\"]\n            APPROLE[🎪 AppRole Method\u003cbr/\u003eplatform-role\u003cbr/\u003eTTL: 1h, Max: 4h\u003cbr/\u003eSecure ID Generation]\n            TOKEN[🎫 Vault Tokens\u003cbr/\u003eTime-limited Access\u003cbr/\u003ePolicy-bound\u003cbr/\u003eRenewable]\n        end\n        \n        subgraph ENGINES[\"⚙️ Secret Engines\"]\n            ETHEREUM[⟠ ethereum/ Engine\u003cbr/\u003eKV-v2 Store\u003cbr/\u003ePrivate Keys\u003cbr/\u003eWallet Data]\n            FABRIC[🔗 fabric/ Engine\u003cbr/\u003eKV-v2 Store\u003cbr/\u003eCertificates\u003cbr/\u003eMSP Data]\n            IPFS[🌐 ipfs/ Engine\u003cbr/\u003eKV-v2 Store\u003cbr/\u003eNode Keys\u003cbr/\u003eSwarm Keys]\n        end\n        \n        subgraph POLICIES[\"📋 Access Policies\"]\n            ETH_POLICY[⟠ ethereum-policy\u003cbr/\u003eCRUD Operations\u003cbr/\u003ePath: ethereum/*\u003cbr/\u003eCapability Control]\n            FAB_POLICY[🔗 fabric-policy\u003cbr/\u003eCRUD Operations\u003cbr/\u003ePath: fabric/*\u003cbr/\u003eCapability Control]\n            IPFS_POLICY[🌐 ipfs-policy\u003cbr/\u003eCRUD Operations\u003cbr/\u003ePath: ipfs/*\u003cbr/\u003eCapability Control]\n        end\n        \n        subgraph CORE[\"🏛️ Vault Core\"]\n            UNSEAL[🔓 Auto-unseal\u003cbr/\u003eCloud KMS Integration\u003cbr/\u003eZero-touch Recovery\u003cbr/\u003eHigh Availability]\n            STORAGE[💾 File Storage\u003cbr/\u003ePersistent Volume\u003cbr/\u003e1Gi Capacity\u003cbr/\u003eEncrypted at Rest]\n            AUDIT[📋 Audit Logging\u003cbr/\u003eAll Operations\u003cbr/\u003eCompliance Ready\u003cbr/\u003eTamper-proof]\n        end\n    end\n    \n    subgraph PLATFORM[\"🚀 BTP Platform\"]\n        BTPAPI[🔌 BTP API Services\u003cbr/\u003erole_id 
+ secret_id\u003cbr/\u003eToken Exchange\u003cbr/\u003eAuthenticated Access]\n        ENGINE[⚙️ Deployment Engine\u003cbr/\u003eBlockchain Secrets\u003cbr/\u003eNetwork Deployment\u003cbr/\u003eKey Management]\n    end\n    \n    subgraph NETWORKS[\"⟠ Blockchain Networks\"]\n        ETHNET[⟠ Ethereum Networks\u003cbr/\u003ePrivate Keys\u003cbr/\u003eNode Configurations\u003cbr/\u003eSmart Contracts]\n        FABRICNET[🔗 Fabric Networks\u003cbr/\u003eCertificates \u0026 MSP\u003cbr/\u003eChannel Configs\u003cbr/\u003eChaincode Secrets]\n        IPFSNET[🌐 IPFS Networks\u003cbr/\u003ePeer Identity\u003cbr/\u003eSwarm Keys\u003cbr/\u003eContent Addressing]\n    end\n    \n    %% KMS to Vault Core\n    KEYRING --\u003e CRYPTOKEY\n    CRYPTOKEY --\u003e UNSEAL\n    UNSEAL --\u003e STORAGE\n    STORAGE --\u003e AUDIT\n    \n    %% BTP Platform Authentication\n    BTPAPI --\u003e APPROLE\n    APPROLE --\u003e TOKEN\n    \n    %% Token to Policies\n    TOKEN --\u003e ETH_POLICY\n    TOKEN --\u003e FAB_POLICY\n    TOKEN --\u003e IPFS_POLICY\n    \n    %% Policies to Secret Engines\n    ETH_POLICY --\u003e ETHEREUM\n    FAB_POLICY --\u003e FABRIC\n    IPFS_POLICY --\u003e IPFS\n    \n    %% Engine Access to Secrets\n    ENGINE --\u003e ETHEREUM\n    ENGINE --\u003e FABRIC\n    ENGINE --\u003e IPFS\n    \n    %% Secrets to Blockchain Networks\n    ETHEREUM --\u003e ETHNET\n    FABRIC --\u003e FABRICNET\n    IPFS --\u003e IPFSNET\n    \n    %% Styling with Enhanced Colors\n    classDef kms fill:#4285f4,stroke:#1a73e8,stroke-width:3px,color:#fff,font-weight:bold\n    classDef vault fill:#000000,stroke:#ffb000,stroke-width:3px,color:#fff,font-weight:bold\n    classDef btp fill:#ff6b35,stroke:#e55100,stroke-width:3px,color:#fff,font-weight:bold\n    classDef blockchain fill:#9c27b0,stroke:#7b1fa2,stroke-width:3px,color:#fff,font-weight:bold\n    classDef auth fill:#2e7d32,stroke:#1b5e20,stroke-width:3px,color:#fff,font-weight:bold\n    classDef policy 
fill:#d32f2f,stroke:#c62828,stroke-width:3px,color:#fff,font-weight:bold\n    \n    class KEYRING,CRYPTOKEY kms\n    class UNSEAL,STORAGE,AUDIT,ETHEREUM,FABRIC,IPFS vault\n    class APPROLE,TOKEN auth\n    class ETH_POLICY,FAB_POLICY,IPFS_POLICY policy\n    class BTPAPI,ENGINE btp\n    class ETHNET,FABRICNET,IPFSNET blockchain\n```\n\n### Data Flow and Storage Architecture\n\n```mermaid\ngraph TD\n    subgraph INGRESS[\"📥 Data Ingress\"]\n        USER_DATA[👤 User Input\u003cbr/\u003eSmart Contracts\u003cbr/\u003eConfigurations\u003cbr/\u003eFiles \u0026 Documents]\n        API_DATA[🔌 API Requests\u003cbr/\u003eREST Calls\u003cbr/\u003eGraphQL Queries\u003cbr/\u003eWebSocket Messages]\n        BLOCKCHAIN_DATA[⟠ Blockchain Data\u003cbr/\u003eTransactions\u003cbr/\u003eBlock Data\u003cbr/\u003eEvent Logs]\n    end\n    \n    subgraph PROCESSING[\"⚙️ Data Processing Layer\"]\n        VALIDATION[✅ Data Validation\u003cbr/\u003eSchema Validation\u003cbr/\u003eBusiness Rules\u003cbr/\u003eSecurity Checks]\n        TRANSFORMATION[🔄 Data Transformation\u003cbr/\u003eFormat Conversion\u003cbr/\u003eEnrichment\u003cbr/\u003eNormalization]\n        ROUTING[🛣️ Data Routing\u003cbr/\u003eService Discovery\u003cbr/\u003eLoad Balancing\u003cbr/\u003eCircuit Breaker]\n    end\n    \n    subgraph STORAGE[\"💾 Storage Layer\"]\n        subgraph TRANSACTIONAL[\"🗄️ Transactional Storage\"]\n            POSTGRES_MAIN[(🗄️ PostgreSQL\u003cbr/\u003eUser Data\u003cbr/\u003eConfigurations\u003cbr/\u003eAudit Logs)]\n            POSTGRES_REPLICA[(📋 Read Replica\u003cbr/\u003eAnalytics\u003cbr/\u003eReporting\u003cbr/\u003eBackup)]\n        end\n        \n        subgraph CACHE[\"⚡ Cache Layer\"]\n            REDIS_MAIN[(⚡ Redis Primary\u003cbr/\u003eSession Data\u003cbr/\u003eReal-time Cache\u003cbr/\u003eMessage Queue)]\n            REDIS_REPLICA[(📊 Redis Replica\u003cbr/\u003eRead Operations\u003cbr/\u003eFailover\u003cbr/\u003eAnalytics)]\n        end\n        \n        subgraph 
OBJECT_STORE[\"📁 Object Storage\"]\n            MINIO_HOT[📁 Hot Storage\u003cbr/\u003eActive Files\u003cbr/\u003eSmart Contracts\u003cbr/\u003eRecent Backups]\n            MINIO_COLD[🧊 Cold Storage\u003cbr/\u003eArchive Data\u003cbr/\u003eHistorical Logs\u003cbr/\u003eLong-term Backups]\n        end\n        \n        subgraph SECRETS[\"🔒 Secrets Storage\"]\n            VAULT_SECRETS[🔐 Vault Secrets\u003cbr/\u003ePrivate Keys\u003cbr/\u003eCertificates\u003cbr/\u003eAPI Keys]\n            KMS_KEYS[🗝️ KMS Keys\u003cbr/\u003eEncryption Keys\u003cbr/\u003eSigning Keys\u003cbr/\u003eRoot Certificates]\n        end\n    end\n    \n    subgraph OUTPUT[\"📤 Data Output\"]\n        WEB_UI[💻 Web Interface\u003cbr/\u003eDashboards\u003cbr/\u003eReports\u003cbr/\u003eReal-time Updates]\n        API_RESPONSES[🔌 API Responses\u003cbr/\u003eJSON/XML\u003cbr/\u003eStatus Updates\u003cbr/\u003eError Messages]\n        BLOCKCHAIN_TX[⟠ Blockchain Transactions\u003cbr/\u003eSmart Contract Calls\u003cbr/\u003eToken Transfers\u003cbr/\u003eEvent Emissions]\n    end\n    \n    %% Ingress Flow\n    USER_DATA --\u003e VALIDATION\n    API_DATA --\u003e VALIDATION\n    BLOCKCHAIN_DATA --\u003e VALIDATION\n    \n    %% Processing Flow\n    VALIDATION --\u003e TRANSFORMATION\n    TRANSFORMATION --\u003e ROUTING\n    \n    %% Storage Flow\n    ROUTING --\u003e POSTGRES_MAIN\n    ROUTING --\u003e REDIS_MAIN\n    ROUTING --\u003e MINIO_HOT\n    ROUTING --\u003e VAULT_SECRETS\n    \n    %% Replication Flow\n    POSTGRES_MAIN --\u003e POSTGRES_REPLICA\n    REDIS_MAIN --\u003e REDIS_REPLICA\n    MINIO_HOT --\u003e MINIO_COLD\n    VAULT_SECRETS --\u003e KMS_KEYS\n    \n    %% Output Flow\n    POSTGRES_REPLICA --\u003e WEB_UI\n    REDIS_REPLICA --\u003e API_RESPONSES\n    MINIO_HOT --\u003e BLOCKCHAIN_TX\n    \n    %% Styling\n    classDef ingress fill:#e8f5e8,stroke:#4caf50,stroke-width:3px,color:#000,font-weight:bold\n    classDef processing 
fill:#fff3e0,stroke:#ff9800,stroke-width:3px,color:#000,font-weight:bold\n    classDef storage fill:#e3f2fd,stroke:#2196f3,stroke-width:3px,color:#000,font-weight:bold\n    classDef output fill:#fce4ec,stroke:#e91e63,stroke-width:3px,color:#000,font-weight:bold\n    classDef secrets fill:#f3e5f5,stroke:#9c27b0,stroke-width:3px,color:#000,font-weight:bold\n    \n    class USER_DATA,API_DATA,BLOCKCHAIN_DATA ingress\n    class VALIDATION,TRANSFORMATION,ROUTING processing\n    class POSTGRES_MAIN,POSTGRES_REPLICA,REDIS_MAIN,REDIS_REPLICA,MINIO_HOT,MINIO_COLD storage\n    class VAULT_SECRETS,KMS_KEYS secrets\n    class WEB_UI,API_RESPONSES,BLOCKCHAIN_TX output\n```\n\n## Troubleshooting\n\n### Common Issues and Solutions\n\n#### DNS Resolution Problems\n\n**Symptom**: Cannot access platform via custom domain\n\n**Diagnostic Steps**:\n```bash\n# Check DNS delegation\ndig NS btp.yourcompany.com\n\n# Verify A record resolution\ndig A btp.yourcompany.com\n\n# Test from different DNS servers\ndig @8.8.8.8 A btp.yourcompany.com\n```\n\n**Solutions**:\n1. **Wait for DNS propagation** (up to 48 hours)\n2. **Verify NS records** at domain registrar\n3. **Clear DNS cache** locally\n\n#### SSL Certificate Issues\n\n**Symptom**: SSL certificate not provisioned\n\n**Diagnostic Steps**:\n```bash\n# Check certificate status\nkubectl describe certificate -n cluster-dependencies\n\n# Review cert-manager logs\nkubectl logs -n cluster-dependencies -l app=cert-manager\n\n# Verify certificate secret\nkubectl get secret nginx-tls-secret -n cluster-dependencies\n```\n\n**Solutions**:\n1. **Check Let's Encrypt rate limits**\n2. **Verify DNS admin permissions**\n3. 
**Review Workload Identity configuration**\n\n#### Pod Startup Failures\n\n**Symptom**: Pods in `CrashLoopBackOff` or `Pending` state\n\n**Diagnostic Steps**:\n```bash\n# Check pod status and events\nkubectl describe pod \u003cpod-name\u003e -n \u003cnamespace\u003e\n\n# Review pod logs\nkubectl logs \u003cpod-name\u003e -n \u003cnamespace\u003e\n\n# Check resource availability\nkubectl top nodes\n```\n\n**Solutions**:\n1. **Scale cluster** if resource-constrained\n2. **Verify image pull secrets**\n3. **Check configuration errors**\n\n### Health Check Script\n\n```bash\n#!/bin/bash\n# BTP Platform Health Check\n\necho \"=== Cluster Status ===\"\nkubectl get nodes\n\necho \"=== Critical Pods ===\"\nkubectl get pods -A | grep -v Running\n\necho \"=== Services ===\"\nkubectl get svc -A | grep LoadBalancer\n\necho \"=== Certificates ===\"\nkubectl get certificates -A\n\necho \"=== Recent Events ===\"\nkubectl get events -A --sort-by='.lastTimestamp' | tail -10\n```\n\n## Production Considerations\n\n### High Availability Configuration\n\nFor production deployments, consider these enhancements:\n\n#### Multi-Zone Deployment\n\n| Component | Production Configuration | Benefit |\n|-----------|-------------------------|---------|\n| **GKE Cluster** | Multi-zone regional cluster | Zone-level fault tolerance |\n| **Node Pools** | Spread across 3+ zones | Workload distribution |\n| **Database** | Cloud SQL with regional HA | Database high availability |\n| **Storage** | Regional persistent disks | Data durability |\n\n#### External Managed Services\n\n**Recommended Production Architecture**:\n\n| Service | Demo Configuration | Production Recommendation |\n|---------|-------------------|---------------------------|\n| **Database** | In-cluster PostgreSQL | Cloud SQL for PostgreSQL |\n| **Cache** | In-cluster Redis | Cloud Memorystore for Redis |\n| **Object Storage** | In-cluster MinIO | Google Cloud Storage |\n| **Secrets** | In-cluster Vault | Google Secret Manager + Vault 
|\n\n### Backup and Disaster Recovery\n\n#### Backup Strategy\n\n| Data Type | Backup Method | Frequency | Retention |\n|-----------|---------------|-----------|-----------|\n| **Database** | Cloud SQL automated backups | Daily | 30 days |\n| **Vault Data** | Snapshot to Cloud Storage | Daily | 90 days |\n| **Configuration** | GitOps repository | On change | Indefinite |\n| **User Data** | Object storage replication | Real-time | 1 year |\n\n### Security Hardening\n\n#### Production Security Checklist\n\n- [ ] **Private GKE cluster** with authorized networks\n- [ ] **VPC-native networking** with private subnets\n- [ ] **Pod Security Standards** enforcement\n- [ ] **Network policies** for traffic restriction\n- [ ] **Image vulnerability scanning** in CI/CD\n- [ ] **Regular security updates** and patches\n- [ ] **Audit logging** enabled and monitored\n- [ ] **Backup encryption** and testing\n\n### Cost Optimization\n\n#### Resource Right-Sizing\n\n| Resource Type | Demo Configuration | Production Optimization |\n|---------------|-------------------|-------------------------|\n| **Node Pools** | e2-standard-4 | Preemptible instances for dev |\n| **Storage** | Standard persistent disks | SSD for performance-critical |\n| **Load Balancer** | Standard | Premium for global distribution |\n\n---\n\n## Support and Resources\n\n### Documentation and Support\n\n| Resource | URL | Purpose |\n|----------|-----|---------|\n| **SettleMint Documentation** | [Developer Documentation](https://console.settlemint.com/documentation/) | Platform documentation |\n| **Support Portal** | Contact Customer Success | Enterprise support |\n\n### Contributing\n\nWe welcome contributions to improve this deployment guide. Please submit issues and pull requests through the repository.\n\n### License\n\nThis project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.\n\n---\n\n**Disclaimer**: This deployment is optimized for demonstration and development environments. 
For production deployments, engage with SettleMint's Customer Success team for proper sizing, security hardening, and compliance requirements.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsettlemint%2Fbtp-on-gcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsettlemint%2Fbtp-on-gcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsettlemint%2Fbtp-on-gcp/lists"}
