Multi-Cloud Platform Engineering

A production-grade, GitOps-driven platform spanning AWS and GCP. Zero static credentials. All infrastructure as code. No ClickOps.

Built by Jigish Patel · GitHub · LinkedIn

2 Clouds
10 Phases
100+ Dev Sessions
15+ CNCF Projects
0 Static Credentials
0 Lines Written Manually
Backstage ArgoCD Grafana Kargo

Platform Status

Live health checks run every 30 minutes via GitHub Actions.

Status data collecting... checks run every 30 minutes.

Daily E2E Validation

Every day, ephemeral EKS and GKE clusters are spun up, validated end-to-end, and torn down.

No E2E test results yet. Daily tests validate the full platform pipeline.

Explore the Platform

Live UIs are available when the management cluster is running. Screenshots shown as fallback.

ArgoCD app-of-apps view showing 30+ synced applications

ArgoCD

GitOps continuous delivery. App-of-apps pattern managing 30+ applications across clusters.

Backstage software catalog showing 13 platform components

Backstage

Developer portal with software catalog, cluster creation templates, and TechDocs.

Grafana dashboard showing cluster CPU and memory metrics

Grafana

Full LGTM observability stack — Prometheus metrics, Loki logs, Tempo traces.

Kargo podinfo-delivery pipeline with staging and prod stages

Kargo

GitOps-native progressive delivery. Promotion pipelines from staging to production.

Self-Service Cluster Creation

Developers provision EKS or GKE clusters through a Backstage template. The template generates Crossplane claims, opens a GitHub PR, and once merged, ArgoCD + Crossplane provision the cluster automatically.

Backstage template: Create Kubernetes Cluster
Choose template
EKS cluster configuration: cloud provider, region, node count
EKS: Configure cluster
EKS cluster: authorization and lifecycle settings
EKS: Set lifecycle
EKS cluster: review all settings before creation
EKS: Review
EKS cluster creation running: generating claims, creating PR
EKS: Creating
GitHub PR overview for EKS workload cluster
EKS: GitHub PR
GitHub PR files: Crossplane claim YAML for EKS cluster
EKS: Claim YAML
GKE cluster configuration: cloud provider, region, node count
GKE: Configure cluster
GKE cluster: authorization and lifecycle settings
GKE: Set lifecycle
GKE cluster: review all settings before creation
GKE: Review
GKE cluster creation running: generating claims, creating PR
GKE: Creating
GitHub PR overview for GKE workload cluster
GKE: GitHub PR
GitHub PR files: Crossplane claim YAML for GKE cluster
GKE: Claim YAML

Architecture

A single EKS management cluster provisions and manages workload clusters on both AWS and GCP.

Platform architecture diagram showing management cluster with ArgoCD, Crossplane, Backstage, and Kargo provisioning EKS and GKE workload clusters

Zero Static Credentials

IRSA for AWS, Workload Identity Federation for GCP. No long-lived secrets anywhere.

GitOps-Native

All changes flow through Git. ArgoCD reconciles desired state automatically.

Cloud-Portable

Same claim API provisions EKS or GKE. Crossplane compositions abstract cloud differences.

Observable

Full LGTM stack: Prometheus, Grafana, Loki, Tempo. Dashboards and alerts from day one.

Secure by Default

Kyverno policies, Pod Security Standards, automated TLS, SSO across all tools.

All Infrastructure as Code

Pure Crossplane — no Terraform, no ClickOps. Every resource is a Kubernetes manifest.

Built Entirely with AI

Every line of code, every kubectl command, every debugging session — done through Claude Code across 100+ paired sessions. Zero lines written manually.

3-Tier Bootstrap Flow

The platform bootstraps itself through three tiers, progressively upgrading from static credentials to fully keyless authentication.

1

Bootstrap Cluster (Local)

Kind cluster on a laptop. Crossplane + AWS provider with temporary secret-based credentials. Creates the management cluster, then is deleted.

2

Management Cluster (EKS)

Self-managing EKS cluster. Crossplane with IRSA (AWS) and Workload Identity Federation (GCP) — zero static credentials. Runs ArgoCD, Backstage, Kargo, and the full observability stack.

3

Workload Clusters (EKS + GKE)

Ephemeral clusters provisioned on-demand via Backstage templates. Platform services (Istio, cert-manager, ExternalDNS) auto-deployed by ArgoCD. Kargo promotes applications through staging to production.

Technology Stack

Category Technology Why This Choice
Infrastructure as Code Crossplane Kubernetes-native, GitOps-friendly (not Terraform)
GitOps ArgoCD App-of-apps, multi-cluster, health checks
Progressive Delivery Kargo GitOps-native promotions (not Argo Rollouts)
Developer Portal Backstage CNCF standard, software templates, TechDocs
Identity / SSO Dex + GitHub Unified SSO across all UIs, pluggable IdP
Observability Prometheus + Grafana + Loki + Tempo Full LGTM stack, industry standard
Service Mesh Istio + Gateway API L7 traffic management, mTLS
Policy Kyverno Kubernetes-native, mutation + validation
Secrets ESO + AWS Secrets Manager No secrets in Git, auto-rotation
TLS cert-manager + Let's Encrypt Automated certificate lifecycle
DNS ExternalDNS Automated DNS from Kubernetes resources

Implementation Roadmap

Built iteratively across 10 phases, each expanding the platform's capabilities.

Capability Matrix

Capability Platform Feature Industry Practice
Multi-cloud provisioning Crossplane compositions (EKS + GKE) Cloud-agnostic control plane
GitOps delivery ArgoCD app-of-apps + ApplicationSets CNCF GitOps principles
Progressive delivery Kargo promotion pipelines Environment promotion gates
Self-service infrastructure Backstage software templates Internal Developer Platform
Ephemeral environments TTL-based clusters with CronJob cleanup On-demand dev/test environments
Zero-trust identity IRSA + Workload Identity Federation Keyless workload authentication
Unified observability Prometheus, Grafana, Loki, Tempo LGTM stack
Policy enforcement Kyverno baseline policies Pod Security Standards
Secrets management ESO + AWS Secrets Manager External secret stores
Service mesh Istio + Gateway API L7 traffic management
SSO across tools Dex OIDC (ArgoCD, Backstage, Grafana, Kargo) Unified developer experience
Automated TLS cert-manager + Let's Encrypt + ExternalDNS Certificate automation

CNCF Ecosystem

Built on CNCF projects across the maturity spectrum.

Kubernetes Graduated
Foundation
Prometheus Graduated
Metrics collection
ArgoCD Graduated
GitOps delivery
Istio Graduated
Service mesh
Crossplane Graduated
Infrastructure provisioning
cert-manager Graduated
TLS automation
Kyverno Graduated
Policy enforcement
OpenTelemetry Graduated
Tracing (via Tempo)
Backstage Incubating
Developer portal
ExternalDNS Incubating
DNS automation
Gateway API Standard
L7 routing

Architecture Decisions

Key decisions documented as Architecture Decision Records.

Cost & Process

Cost-conscious design decisions and development approach.

Daily E2E Tests

~$6/mo
Both EKS + GKE clusters, 30 min each, daily

Management Cluster

On-demand
Torn down when not in use to minimize cost

Cost-Conscious Decisions

AI-Paired Development

This entire platform — every YAML manifest, Crossplane composition, Helm configuration, ArgoCD application, shell command, and debugging session — was built through Claude Code across 100+ iterative sessions. No code was written manually. Architecture decisions, infrastructure provisioning, troubleshooting, and operations were all done through AI-paired development, with session context carrying across the full build.