Enterprise GCP Deployment Guide - Energent.ai

Energent.ai delivers AI-powered virtual desktop agents that automate complex multi-application workflows for business users. This guide provides detailed specifications for deploying the platform on Google Cloud Platform using a cloud-native architecture built on GKE, a multi-tenant design and enterprise-grade security controls.

  • Document classification: Public
  • Version: 3.0
  • Last updated: 2025-05-28
  • Architecture: GCP GKE + Serverless Hybrid
  • Compliance: SOC 2, Google Cloud Security Best Practices

Table of Contents

  1. Architecture Overview
  2. GCP Infrastructure Requirements
  3. GKE Cluster Specifications
  4. Data Layer Architecture
  5. Serverless Components
  6. Security & Compliance
  7. Network Architecture
  8. CI/CD Pipeline
  9. Monitoring & Observability
  10. Deployment Process
  11. Operations & Maintenance
  12. Support & Escalation

1. Architecture Overview

1.1 Cloud-Native Multi-Tenant Architecture

Energent.ai is deployed on Google Cloud Platform with a scalable architecture that combines Kubernetes orchestration with serverless components for performance and cost efficiency.

┌──────────────────────────────────────────────────────────────────┐
│                      GCP CLOUD ENVIRONMENT                       │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐   │
│  │   GKE CLUSTER   │  │   SERVERLESS    │  │   DATA LAYER    │   │
│  │                 │  │                 │  │                 │   │
│  │ • Multi-tenant  │  │ • Auth Function │  │ • Firestore     │   │
│  │ • n2-standard-4 │  │ • Billing Func. │  │ • Cloud Storage │   │
│  │ • Auto-scaling  │  │ • API Gateway   │  │ • Filestore     │   │
│  │ • Flux GitOps   │  │ • Pub/Sub       │  │ • Secret Manager│   │
│  └─────────────────┘  └─────────────────┘  └─────────────────┘   │
│           │                     │                    │           │
│           └─────────────────────┼────────────────────┘           │
│                                 │                                │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │                    VPC SECURITY BOUNDARY                    │ │
│  │  • Private Subnets • Cloud NAT    • Firewall Rules          │ │
│  │  • IAP Tunnels     • VPC Endpoints  • Load Balancer         │ │
│  └─────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘

1.2 Deployment Models

Model              | Description                                  | Use Case                        | SLA
-------------------|----------------------------------------------|---------------------------------|-------
Multi-Tenant GKE   | Shared cluster with namespace isolation      | Standard enterprise deployment  | 99.9%
Dedicated GKE      | Single-tenant cluster                        | High security, regulated        | 99.95%
Hybrid Deployment  | GKE + integration with customer on-premises  | Legacy system integration       | 99.9%

2. GCP Infrastructure Requirements

2.1 Minimum Infrastructure Specifications

Component                  | Specification                      | Purpose
---------------------------|------------------------------------|-----------------------------
GKE Cluster Version        | 1.30+                              | Kubernetes orchestration
Node Pool Instance Type    | n2-standard-4 (4 vCPU, 16 GB RAM)  | Compute-optimized workloads
Minimum Node Configuration | 1 vCPU, 2 GB RAM per tenant        | Resource allocation
Persistent Disks           | 100 GB SSD, encrypted              | Pod persistent storage
Filestore                  | Basic, encrypted                   | Shared file system
Cloud Storage              | Standard, versioning enabled       | Object storage
Firestore                  | Native mode, encryption at rest    | Metadata and configuration

2.2 GCP Service Dependencies

Service              | Purpose                   | Configuration
---------------------|---------------------------|--------------------------------------
Google GKE           | Kubernetes orchestration  | Private cluster, logging enabled
Compute Engine       | Dynamic node scaling      | Auto-scaling, preemptible instances
Cloud Load Balancing | Traffic distribution      | SSL termination, Cloud Armor
Cloud Functions      | Serverless functions      | Runtime: Python 3.11, VPC connector
API Gateway          | API management            | Rate limiting, authentication
Cloud Monitoring     | Monitoring and logging    | GKE monitoring, custom metrics
Secret Manager       | Secrets management        | Automatic rotation, encryption
Cloud KMS            | Key management            | Customer-managed keys, auto-rotation

3. GKE Cluster Specifications

3.1 Cluster Configuration

# GKE cluster Terraform configuration
resource "google_container_cluster" "energent_cluster" {
  name     = "energent-production"
  location = var.gcp_region

  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {
    cluster_secondary_range_name  = "k8s-pod-range"
    services_secondary_range_name = "k8s-service-range"
  }

  private_cluster_config {
    enable_private_nodes    = true
    # The control-plane endpoint stays public; limit who can reach it with
    # master_authorized_networks_config.
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # The addon alone does not enforce NetworkPolicy objects; the cluster-level
  # network_policy block must be enabled as well.
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  addons_config {
    gcp_filestore_csi_driver_config {
      enabled = true
    }

    network_policy_config {
      disabled = false
    }
  }

  # cluster_telemetry is a google-beta-only attribute; logging_config and
  # monitoring_config below cover the same settings in the GA provider.

  logging_config {
    enable_components = [
      "SYSTEM_COMPONENTS",
      "WORKLOADS",
      "APISERVER"  # the API accepts APISERVER, not API_SERVER
    ]
  }

  monitoring_config {
    # WORKLOADS was removed from monitoring_config in GKE 1.24; workload
    # metrics come from Managed Service for Prometheus instead.
    enable_components = ["SYSTEM_COMPONENTS"]
    managed_prometheus {
      enabled = true
    }
  }
}

3.2 Node Pool Configuration

# Primary node pool
resource "google_container_node_pool" "energent_nodes" {
  name     = "energent-node-pool"
  location = var.gcp_region
  cluster  = google_container_cluster.energent_cluster.name
  # With autoscaling enabled, use initial_node_count rather than node_count,
  # otherwise every plan tries to reset the pool to the fixed size.
  initial_node_count = 3

  autoscaling {
    min_node_count = 2
    max_node_count = 20
  }

  node_config {
    preemptible  = false
    machine_type = "n2-standard-4"
    disk_size_gb = 100
    disk_type    = "pd-ssd"

    service_account = google_service_account.gke_service_account.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/cloud-platform"
    ]

    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    labels = {
      env = "production"
      app = "energent-ai"
    }

    # Only pods that tolerate this taint are scheduled on the pool.
    taint {
      key    = "workload"
      value  = "energent-ai"
      effect = "NO_SCHEDULE"
    }
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }
}

3.3 Multi-Tenant Resource Allocation

Tenant Tier | CPU Limit | Memory Limit | Storage | Concurrent Workflows
------------|-----------|--------------|---------|---------------------
Basic       | 1 vCPU    | 2 GB         | 10 GB   | 1
Standard    | 2 vCPU    | 4 GB         | 25 GB   | 2
Premium     | 4 vCPU    | 8 GB         | 50 GB   | 4
Enterprise  | 8 vCPU    | 16 GB        | 100 GB  | 8
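The guide describes namespace isolation (section 1.2) and the per-tier limits above but does not show how a tenant namespace is actually fenced in. The manifests below are an added example, not part of the original guide or the Energent.ai code base: one Standard-tier tenant namespace with a ResourceQuota and LimitRange matching the 2 vCPU / 4 GB / 25 GB / 2 workflows row, and a default-deny NetworkPolicy. The tenant id "acme", the energent.ai/* label keys and the assumption that one workflow runs as one pod are all constructed for the example; the platform namespace energent-ai is the one the guide uses. NetworkPolicy objects are only enforced when the cluster has network policy enforcement enabled (section 3.1).

```yaml
# Constructed example: one Standard-tier tenant namespace (tenant id "acme" is made up).
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-acme
  labels:
    energent.ai/tenant: acme       # assumed label keys, not defined by the guide
    energent.ai/tier: standard
---
# Hard caps matching the Standard row of the tier table.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: standard-tier-quota
  namespace: tenant-acme
spec:
  hard:
    limits.cpu: "2"
    limits.memory: 4Gi
    requests.storage: 25Gi
    pods: "2"                      # assumes one concurrent workflow runs as one pod
---
# Defaults so every container carries limits; with a limits.* quota in place,
# a pod without limits would otherwise be rejected outright.
apiVersion: v1
kind: LimitRange
metadata:
  name: standard-tier-defaults
  namespace: tenant-acme
spec:
  limits:
    - type: Container
      default:
        cpu: "1"
        memory: 2Gi
      defaultRequest:
        cpu: 250m
        memory: 512Mi
---
# Default-deny isolation: pods may talk within the namespace and accept traffic
# from the platform namespace (energent-ai); egress is limited to cluster DNS
# and HTTPS to addresses outside the private 10.0.0.0/8 range, so one tenant
# cannot reach another tenant's pods or the nodes directly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-acme
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: energent-ai
  egress:
    - to:
        - podSelector: {}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 443
```

Apply the file once per tenant (kubectl apply -f tenant-acme.yaml) and verify the quota with kubectl describe resourcequota -n tenant-acme. The Premium and Enterprise tiers use the same manifests with the hard values from their rows.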

4. Data Layer Architecture

4.1 Storage Architecture

4.1.1 Cloud Storage Configuration

# Cloud Storage bucket for object storage
resource "google_storage_bucket" "energent_storage" {
  name     = "energent-${var.environment}-storage-${random_id.bucket_suffix.hex}"
  location = var.gcp_region

  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.storage_key.id
  }

  lifecycle_rule {
    condition {
      age = 90
    }
    action {
      type          = "SetStorageClass"
      storage_class = "NEARLINE"
    }
  }

  retention_policy {
    retention_period = 2592000  # 30 days
  }

  labels = {
    environment = var.environment
    purpose     = "energent-object-storage"
  }
}

# roles/storage.admin also allows changing bucket IAM and retention settings;
# roles/storage.objectAdmin is sufficient for a workload that only reads and
# writes objects.
resource "google_storage_bucket_iam_member" "storage_admin" {
  bucket = google_storage_bucket.energent_storage.name
  role   = "roles/storage.admin"
  member = "serviceAccount:${google_service_account.gke_service_account.email}"
}

4.1.2 Firestore Configuration

# Firestore database for metadata and configuration
resource "google_firestore_database" "energent_metadata" {
  project     = var.project_id
  name        = "energent-metadata-${var.environment}"
  location_id = var.gcp_region
  type        = "FIRESTORE_NATIVE"

  concurrency_mode            = "OPTIMISTIC"
  app_engine_integration_mode = "DISABLED"

  point_in_time_recovery_enablement = "POINT_IN_TIME_RECOVERY_ENABLED"
  delete_protection_state           = "DELETE_PROTECTION_ENABLED"
}

# Firestore security rules (tenant isolation and access controls).
# Rules cannot be attached through google_firestore_database; they are
# published through the Firebase Rules API. The rules themselves are kept in
# firestore.rules next to this module (path is an assumption).
resource "google_firebaserules_ruleset" "firestore_rules" {
  project = var.project_id

  source {
    files {
      name    = "firestore.rules"
      content = file("${path.module}/firestore.rules")
    }
  }

  depends_on = [google_firestore_database.energent_metadata]
}

resource "google_firebaserules_release" "firestore_rules" {
  project = var.project_id
  # For a non-default database the release name is cloud.firestore/<database>;
  # for the default database it is just cloud.firestore.
  name         = "cloud.firestore/${google_firestore_database.energent_metadata.name}"
  ruleset_name = "projects/${var.project_id}/rulesets/${google_firebaserules_ruleset.firestore_rules.name}"
}

4.1.3 Filestore Shared Storage

# Filestore for the shared file system
resource "google_filestore_instance" "energent_shared" {
  name     = "energent-shared-${var.environment}"
  location = var.gcp_zone
  tier     = "BASIC_HDD"

  file_shares {
    capacity_gb = 1024
    name        = "energent-share"
  }

  networks {
    network = google_compute_network.vpc.name
    modes   = ["MODE_IPV4"]
  }

  labels = {
    environment = var.environment
    purpose     = "shared-storage"
  }
}

5. Serverless Components

5.1 Cloud Functions

5.1.1 Authentication Service

# Cloud Function for authentication
resource "google_cloudfunctions2_function" "auth_service" {
  name     = "energent-auth-${var.environment}"
  location = var.gcp_region

  build_config {
    runtime     = "python311"
    entry_point = "auth_handler"
    source {
      storage_source {
        bucket = google_storage_bucket.functions_source.name
        object = google_storage_bucket_object.auth_source.name
      }
    }
  }

  service_config {
    max_instance_count = 100
    min_instance_count = 1
    available_memory   = "512Mi"
    timeout_seconds    = 60

    environment_variables = {
      FIRESTORE_PROJECT      = var.project_id
      SECRET_MANAGER_PROJECT = var.project_id
      ENVIRONMENT            = var.environment
    }

    vpc_connector                 = google_vpc_access_connector.connector.id
    vpc_connector_egress_settings = "ALL_TRAFFIC"

    service_account_email = google_service_account.functions_service_account.email
  }

  event_trigger {
    trigger_region = var.gcp_region
    event_type     = "google.cloud.pubsub.topic.v1.messagePublished"
    pubsub_topic   = google_pubsub_topic.auth_events.id
  }

  labels = {
    environment = var.environment
    service     = "authentication"
  }
}

5.1.2 Billing Service

# Cloud Function for billing
resource "google_cloudfunctions2_function" "billing_service" {
  name     = "energent-billing-${var.environment}"
  location = var.gcp_region

  build_config {
    runtime     = "python311"
    entry_point = "billing_handler"
    source {
      storage_source {
        bucket = google_storage_bucket.functions_source.name
        object = google_storage_bucket_object.billing_source.name
      }
    }
  }

  service_config {
    max_instance_count = 50
    min_instance_count = 0
    available_memory   = "1Gi"
    timeout_seconds    = 300

    environment_variables = {
      FIRESTORE_PROJECT = var.project_id
      STORAGE_BUCKET    = google_storage_bucket.energent_storage.name
    }

    service_account_email = google_service_account.functions_service_account.email
  }
}

5.2 API Gateway Configuration

# API Gateway for the serverless functions
resource "google_api_gateway_api" "energent_api" {
  provider = google-beta
  api_id   = "energent-api-${var.environment}"
  project  = var.project_id

  labels = {
    environment = var.environment
    service     = "api-gateway"
  }
}

resource "google_api_gateway_api_config" "energent_api_config" {
  provider      = google-beta
  api           = google_api_gateway_api.energent_api.api_id
  api_config_id = "energent-config-${var.environment}"
  project       = var.project_id

  openapi_documents {
    document {
      path     = "spec.yaml"
      contents = base64encode(templatefile("${path.module}/api-spec.yaml", {
        project_id = var.project_id
        region     = var.gcp_region
      }))
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_api_gateway_gateway" "energent_gateway" {
  provider   = google-beta
  gateway_id = "energent-gateway-${var.environment}"
  api_config = google_api_gateway_api_config.energent_api_config.id
  location   = var.gcp_region
  project    = var.project_id

  labels = {
    environment = var.environment
    service     = "api-gateway"
  }
}
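The Terraform above templates api-spec.yaml but the guide does not show it, and that file is where the "rate limiting, authentication" configuration from the service table (section 2.2) actually lives. The spec below is an added example written for this guide, not the project's own file: an OpenAPI 2.0 document in the form API Gateway accepts, with JWT validation on every operation and a per-consumer request quota. ${project_id} and ${region} are the two templatefile variables the Terraform passes; the JWT issuer, JWKS URL, audience, quota figure and the path are assumptions, and AUTH_FUNCTION_URI is a placeholder for the auth function's HTTPS endpoint, which would need to be passed in as an additional template variable.

```yaml
# Constructed example of api-spec.yaml for google_api_gateway_api_config.
# Not the project's real spec; issuer, audience and paths are assumptions.
swagger: "2.0"
info:
  title: energent-api-${project_id}
  version: "1.0"
  description: Energent.ai API (${region})
schemes:
  - https
produces:
  - application/json

# Every request must carry a bearer JWT from the assumed issuer. The gateway
# fetches the issuer's JWKS, checks the signature, expiry and audience, and
# rejects the request before it reaches any backend.
securityDefinitions:
  energent_jwt:
    type: oauth2
    flow: implicit
    authorizationUrl: ""
    x-google-issuer: "https://auth.energent.example.com"                          # assumption
    x-google-jwks_uri: "https://auth.energent.example.com/.well-known/jwks.json"  # assumption
    x-google-audiences: "energent-api"
security:
  - energent_jwt: []

# Rate limiting: each consumer project is allowed 600 requests per minute
# across the operations that charge the api-requests metric.
x-google-management:
  metrics:
    - name: api-requests
      displayName: API requests
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: requests-per-minute
        metric: api-requests
        unit: 1/min/{project}
        values:
          STANDARD: 600

paths:
  /v1/auth/session:
    post:
      operationId: createSession
      summary: Exchange credentials for a platform session
      x-google-quota:
        metricCosts:
          api-requests: 1
      x-google-backend:
        address: https://AUTH_FUNCTION_URI   # placeholder: the auth function's HTTPS endpoint
        path_translation: APPEND_PATH_TO_ADDRESS
        jwt_audience: https://AUTH_FUNCTION_URI
      responses:
        "200":
          description: Session created
        "401":
          description: Missing or invalid token
```

The jwt_audience setting makes the gateway mint its own identity token for the backend call, so the function can be deployed without unauthenticated access and still be reachable through the gateway. Operations without an x-google-quota block are not counted against the limit, so every public operation should carry one.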

6. Security & Compliance

6.1 Network Security

6.1.1 VPC Configuration

# VPC network and firewall rules
resource "google_compute_network" "vpc" {
  name                    = "energent-vpc-${var.environment}"
  auto_create_subnetworks = false
  mtu                     = 1460
}

resource "google_compute_subnetwork" "subnet" {
  name          = "energent-subnet-${var.environment}"
  ip_cidr_range = "10.0.0.0/16"
  region        = var.gcp_region
  network       = google_compute_network.vpc.id

  secondary_ip_range {
    range_name    = "k8s-pod-range"
    ip_cidr_range = "10.1.0.0/16"
  }

  secondary_ip_range {
    range_name    = "k8s-service-range"
    ip_cidr_range = "10.2.0.0/16"
  }

  private_ip_google_access = true
}

resource "google_compute_firewall" "allow_internal" {
  name    = "energent-allow-internal"
  network = google_compute_network.vpc.name

  allow {
    protocol = "tcp"
    ports    = ["0-65535"]
  }

  allow {
    protocol = "udp"
    ports    = ["0-65535"]
  }

  allow {
    protocol = "icmp"
  }

  source_ranges = ["10.0.0.0/8"]
}

resource "google_compute_firewall" "allow_https" {
  name    = "energent-allow-https"
  network = google_compute_network.vpc.name

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["https-server"]
}

6.1.2 Firewall Rules

Direction | Protocol | Port Range  | Source/Destination | Purpose
----------|----------|-------------|--------------------|--------------------
Inbound   | HTTPS    | 443         | 0.0.0.0/0          | API access
Inbound   | TCP      | 1024-65535  | 10.0.0.0/8         | Internal traffic
Outbound  | HTTPS    | 443         | 0.0.0.0/0          | External API calls
Outbound  | TCP      | 53          | 0.0.0.0/0          | DNS resolution

6.2 Encryption Standards

Data State  | Encryption Method | Key Management                     | Compliance
------------|-------------------|------------------------------------|----------------------------
At Rest     | AES-256-GCM       | Cloud KMS with automatic rotation  | SOC 2, FIPS 140-2 Level 3
In Transit  | TLS 1.3           | Google-managed certificates        | SOC 2, PCI DSS
In Memory   | Application level | Hardware Security Module           | SOC 2
Backup      | AES-256           | Cross-region Cloud KMS             | SOC 2, GDPR

6.3 IAM and Service Accounts

6.3.1 GKE Service Accounts

# GKE service account
resource "google_service_account" "gke_service_account" {
  account_id   = "energent-gke-${var.environment}"
  display_name = "Energent GKE Service Account"
  project      = var.project_id
}

resource "google_project_iam_member" "gke_permissions" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/storage.objectViewer"
  ])

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_service_account.email}"
}

# Workload Identity binding: lets the Kubernetes service account
# energent-platform in namespace energent-ai act as the GCP service account.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.gke_service_account.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[energent-ai/energent-platform]"
}
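The IAM binding above is only half of Workload Identity: the Kubernetes service account it names must exist and carry the matching annotation, and the pods that run as it must tolerate the node pool taint from section 3.2 or they will never be scheduled. The manifests below are an added example, not part of the original guide or the Energent.ai manifests repository: the ServiceAccount energent-platform in namespace energent-ai (both from the binding above) and a hardened Deployment named energent-platform (the name the HPA in section 11.2 targets). PROJECT_ID, ENV and the image path are placeholders for var.project_id, var.environment and the project's registry.

```yaml
# Constructed example (not from the guide): the Kubernetes side of the
# Workload Identity binding. PROJECT_ID and ENV stand in for var.project_id
# and var.environment; the image path is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: energent-platform
  namespace: energent-ai
  annotations:
    # Must match google_service_account.gke_service_account and the
    # [energent-ai/energent-platform] member in the IAM binding.
    iam.gke.io/gcp-service-account: energent-gke-ENV@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: energent-platform
  namespace: energent-ai
  labels:
    app: energent-platform
spec:
  replicas: 3
  selector:
    matchLabels:
      app: energent-platform
  template:
    metadata:
      labels:
        app: energent-platform
    spec:
      # Pods obtain the GCP service account's credentials from the GKE
      # metadata server; no key file is mounted.
      serviceAccountName: energent-platform
      # Required: the node pool in section 3.2 taints every node with
      # workload=energent-ai:NoSchedule.
      tolerations:
        - key: workload
          operator: Equal
          value: energent-ai
          effect: NoSchedule
      nodeSelector:
        app: energent-ai          # node label set in node_config.labels
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: platform
          image: gcr.io/PROJECT_ID/energent-platform:v2.1.0   # placeholder image
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # Requests and limits are required for the CPU/memory based HPA
          # in section 11.2 to compute utilization.
          resources:
            requests:
              cpu: "1"
              memory: 2Gi
            limits:
              cpu: "2"
              memory: 4Gi
```

A quick check that the identity is wired correctly is to exec into a pod and query the metadata server (curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email); it should return the energent-gke-ENV address rather than the node's service account.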

7. Network Architecture

7.1 VPC Design

┌─────────────────────────────────────────────────────────────────┐
│                         VPC (10.0.0.0/16)                       │
│                                                                 │
│  ┌─────────────────┐    ┌─────────────────┐    ┌─────────────┐  │
│  │  Public Subnet  │    │  Public Subnet  │    │Public Subnet│  │
│  │   (10.0.1.0/24) │    │   (10.0.2.0/24) │    │(10.0.3.0/24)│  │
│  │                 │    │                 │    │             │  │
│  │   Cloud NAT     │    │   Cloud NAT     │    │ Cloud NAT   │  │
│  │   Load Balancer │    │   Load Balancer │    │Load Balancer│  │
│  └─────────────────┘    └─────────────────┘    └─────────────┘  │
│           │                       │                     │       │
│  ┌─────────────────┐    ┌─────────────────┐    ┌─────────────┐  │
│  │ Private Subnet  │    │ Private Subnet  │    │Private Sub  │  │
│  │  (10.1.0.0/16)  │    │  (10.1.0.0/16)  │    │(10.1.0.0/16)│  │
│  │                 │    │                 │    │             │  │
│  │  GKE Nodes      │    │  GKE Nodes      │    │ GKE Nodes   │  │
│  │  Functions VPC  │    │  Functions VPC  │    │ Functions   │  │
│  └─────────────────┘    └─────────────────┘    └─────────────┘  │
│           │                       │                     │       │
│  ┌─────────────────┐    ┌─────────────────┐    ┌─────────────┐  │
│  │ Services Subnet │    │ Services Subnet │    │Services Sub │  │
│  │  (10.2.0.0/16)  │    │  (10.2.0.0/16)  │    │(10.2.0.0/16)│  │
│  │                 │    │                 │    │             │  │
│  │   Firestore     │    │   Firestore     │    │ Firestore   │  │
│  │   Cloud Storage │    │   Cloud Storage │    │Cloud Storage│  │
│  └─────────────────┘    └─────────────────┘    └─────────────┘  │
└─────────────────────────────────────────────────────────────────┘

7.2 Private Service Connections

Service            | Type             | Purpose
-------------------|------------------|-------------------------
Cloud Storage      | Private endpoint | Object storage access
Firestore          | Private endpoint | Metadata access
GKE                | Private cluster  | Cluster API access
Container Registry | Private endpoint | Container registry
Cloud Monitoring   | Private endpoint | Monitoring and logging
Secret Manager     | Private endpoint | Secrets access

8. CI/CD Pipeline

8.1 Infrastructure as Code (Terraform)

8.1.1 Terraform Structure

terraform/
├── environments/
│   ├── dev/
│   ├── staging/
│   └── production/
├── modules/
│   ├── gke/
│   ├── networking/
│   ├── security/
│   └── storage/
├── shared/
│   └── backend.tf
└── global/
    └── iam.tf

8.1.2 Terraform Pipeline (Cloud Build)

# cloudbuild.yaml
steps:
  # Terraform Init
  - name: 'hashicorp/terraform:1.6.0'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        cd terraform/environments/${_ENVIRONMENT}
        terraform init -backend-config="bucket=${_TF_STATE_BUCKET}"

  # Terraform Plan
  - name: 'hashicorp/terraform:1.6.0'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        cd terraform/environments/${_ENVIRONMENT}
        terraform plan -var-file="${_ENVIRONMENT}.tfvars" -out=tfplan

  # Terraform Apply (main branch only)
  - name: 'hashicorp/terraform:1.6.0'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        if [ "${BRANCH_NAME}" = "main" ]; then
          cd terraform/environments/${_ENVIRONMENT}
          terraform apply -auto-approve tfplan
        else
          echo "Skipping apply for non-main branch"
        fi

substitutions:
  _ENVIRONMENT: 'production'
  _TF_STATE_BUCKET: 'energent-terraform-state'

options:
  logging: CLOUD_LOGGING_ONLY
  machineType: 'E2_HIGHCPU_8'

timeout: 1200s

8.2 Kubernetes GitOps (Flux)

8.2.1 Flux Configuration

# flux-system/gotk-sync.yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: energent-k8s
  namespace: flux-system
spec:
  interval: 1m
  ref:
    branch: main
  url: https://github.com/energent-ai/k8s-manifests
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: energent-apps
  namespace: flux-system
spec:
  interval: 10m
  path: './apps'
  prune: true
  sourceRef:
    kind: GitRepository
    name: energent-k8s
  # spec.validation was removed in the v1beta2 Kustomization API; manifests
  # are validated by server-side apply instead.

8.3 Serverless Deployment (Cloud Build)

8.3.1 Function Deployment Configuration

# cloudbuild-functions.yaml
steps:
  # Deploy the auth function
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        cd functions/auth
        # --gen2 matches the google_cloudfunctions2_function resources in
        # section 5.1; --no-allow-unauthenticated keeps the HTTP endpoint
        # private (API Gateway calls it with its own identity) and avoids
        # the interactive prompt that would hang a non-interactive build.
        gcloud functions deploy energent-auth-${_ENVIRONMENT} \
          --gen2 \
          --runtime python311 \
          --trigger-http \
          --no-allow-unauthenticated \
          --entry-point auth_handler \
          --memory 512MB \
          --timeout 60s \
          --region ${_REGION} \
          --vpc-connector ${_VPC_CONNECTOR} \
          --set-env-vars ENVIRONMENT=${_ENVIRONMENT}

  # Deploy the billing function
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        cd functions/billing
        gcloud functions deploy energent-billing-${_ENVIRONMENT} \
          --gen2 \
          --runtime python311 \
          --trigger-topic billing-events \
          --entry-point billing_handler \
          --memory 1024MB \
          --timeout 300s \
          --region ${_REGION}

substitutions:
  _ENVIRONMENT: 'production'
  _REGION: 'us-central1'
  _VPC_CONNECTOR: 'energent-vpc-connector'

options:
  logging: CLOUD_LOGGING_ONLY

9. Monitoring & Observability

9.1 Cloud Monitoring Configuration

9.1.1 GKE Monitoring

# Cloud Monitoring dashboard for GKE
resource "google_monitoring_dashboard" "gke_dashboard" {
  dashboard_json = jsonencode({
    displayName = "Energent GKE Dashboard"
    mosaicLayout = {
      tiles = [
        {
          width  = 6
          height = 4
          widget = {
            title = "GKE Cluster CPU Utilization"
            xyChart = {
              dataSets = [{
                timeSeriesQuery = {
                  timeSeriesFilter = {
                    # core_usage_time is reported on the k8s_container resource,
                    # not k8s_cluster; the original filter matched nothing.
                    filter = "resource.type=\"k8s_container\" AND metric.type=\"kubernetes.io/container/cpu/core_usage_time\""
                    # The metric is cumulative, so align it to a rate.
                    aggregation = {
                      alignmentPeriod  = "60s"
                      perSeriesAligner = "ALIGN_RATE"
                    }
                  }
                }
              }]
            }
          }
        }
      ]
    }
  })
}

# Log-based metric
resource "google_logging_metric" "error_rate" {
  name   = "energent_error_rate"
  filter = "resource.type=\"k8s_container\" AND resource.labels.namespace_name=\"energent-ai\" AND severity=\"ERROR\""

  metric_descriptor {
    # Log-based counter metrics must be DELTA/INT64; GAUGE is rejected.
    metric_kind  = "DELTA"
    value_type   = "INT64"
    display_name = "Energent Error Rate"
  }
}

9.2 Application Metrics

Metric Category | Metrics                   | Target            | Alert Threshold
----------------|---------------------------|-------------------|-----------------
Availability    | Uptime, health checks     | 99.9%             | < 99.5%
Performance     | Response time, throughput | < 2s, > 1000 RPS  | > 5s, < 500 RPS
Resource Usage  | CPU, memory, storage      | < 80%             | > 90%
Error Rates     | 4xx, 5xx errors           | < 1%              | > 5%

9.3 Audit Logging

# Cloud Audit Logs configuration
# DATA_READ on allServices records every read of user data project-wide
# (including Cloud Storage and Firestore), which is a large log volume;
# keep it, but size the audit bucket and retention accordingly.
resource "google_project_iam_audit_config" "project_audit" {
  project = var.project_id
  service = "allServices"

  audit_log_config {
    log_type = "ADMIN_READ"
  }

  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Log sink for security events (GKE and IAM API calls)
resource "google_logging_project_sink" "security_sink" {
  name        = "energent-security-sink"
  destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"

  filter = "protoPayload.serviceName=\"container.googleapis.com\" OR protoPayload.serviceName=\"iam.googleapis.com\""

  # With a unique writer identity, the sink's service account (exposed as the
  # writer_identity attribute) still needs roles/storage.objectCreator on the
  # audit bucket before any log entry is written.
  unique_writer_identity = true
}

10. Deployment Process

10.1 Deployment Timeline

Phase          | Duration  | Activities                                | Stakeholders
---------------|-----------|-------------------------------------------|-------------------------------------------
Pre-deployment | 2-3 days  | Infrastructure planning, security review  | Customer IT, Security, Energent Solutions
Infrastructure | 1-2 days  | Terraform deployment, VPC setup           | Customer DevOps, Energent Platform
GKE Cluster    | 0.5 day   | Cluster provisioning, node pools          | Customer DevOps, Energent Platform
Application    | 0.5 day   | Flux deployment, application rollout      | Energent Platform Team
Integration    | 1-2 days  | IAM, monitoring, testing                  | Customer IT, Energent Support
Go-Live        | 0.5 day   | Production cutover, validation            | All stakeholders

10.2 Deployment Commands

10.2.1 Infrastructure Deployment

# Infrastructure deployment with Terraform
cd terraform/environments/production
terraform init -backend-config="bucket=energent-terraform-state"
terraform plan -var-file="production.tfvars"
terraform apply -auto-approve

# Verify the GKE cluster
gcloud container clusters get-credentials energent-production --region us-central1
kubectl get nodes

10.2.2 Application Deployment

# Install Flux GitOps
flux bootstrap github \
  --owner=energent-ai \
  --repository=k8s-manifests \
  --branch=main \
  --path=./clusters/production

# Deploy the serverless components
gcloud builds submit --config cloudbuild-functions.yaml \
  --substitutions _ENVIRONMENT=production,_REGION=us-central1

# Verify the deployment
kubectl get pods -n energent-ai
kubectl get ingress -n energent-ai

10.3 Deployment Validation

# Health check endpoints (certificates are Google-managed, so do not skip
# TLS verification with -k; a certificate error here is a finding, not noise)
curl https://api.energent.example.com/health
curl https://api.energent.example.com/metrics

# Kubernetes validation
kubectl top nodes
kubectl get hpa -n energent-ai
kubectl logs -n energent-ai -l app=energent-platform

11. Operations & Maintenance

11.1 Backup & Disaster Recovery

11.1.1 Backup Strategy

Component         | Frequency | Retention | RTO          | RPO
------------------|-----------|-----------|--------------|-------------
GKE Cluster State | Daily     | 30 days   | < 4 hours    | < 24 hours
Application Data  | Real-time | 90 days   | < 1 hour     | < 15 minutes
Configuration     | On change | 1 year    | < 30 minutes | 0
Audit Logs        | Real-time | 7 years   | < 24 hours   | 0

11.1.2 Disaster Recovery Procedures

# GKE cluster backup with Velero
velero backup create energent-cluster-backup \
  --include-namespaces energent-ai \
  --storage-location gcp

# Firestore point-in-time recovery
gcloud firestore databases restore \
  --source-database=energent-metadata-production \
  --destination-database=energent-metadata-restored \
  --backup-time=2025-05-28T10:00:00Z

11.2 Scaling & Performance

11.2.1 Auto-scaling Configuration

# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: energent-platform-hpa
  namespace: energent-ai
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: energent-platform
  minReplicas: 3
  maxReplicas: 50
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80

11.3 Updates & Maintenance

11.3.1 Rolling Updates

# GKE cluster update
gcloud container clusters upgrade energent-production \
  --master \
  --cluster-version 1.30 \
  --region us-central1

# Application rolling update via Flux
git commit -am "Update energent-platform to v2.1.0"
git push origin main
# Flux detects the change and applies it automatically

12. Support & Escalation

12.1 Support Levels

Level         | Response Time | Channels                 | Scope
--------------|---------------|--------------------------|------------------------------------------
L1 - Basic    | < 4 hours     | Email, portal            | General questions, documentation
L2 - Standard | < 2 hours     | Phone, email, Meet       | Technical issues, integration support
L3 - Premium  | < 1 hour      | Phone, Meet, video       | Complex technical issues, architecture
L4 - Critical | < 30 minutes  | Phone, SMS, escalation   | Production outages, security incidents

12.2 24/7 Support Coverage

Enterprise Support:

Emergency escalation:

12.3 Service Level Agreements

Service               | SLA              | Penalty
----------------------|------------------|-------------------------------------------
Platform Availability | 99.9% uptime     | 10% monthly credit per 0.1% shortfall
Response Time (P95)   | < 2 seconds      | 5% monthly credit if > 5 seconds
Support Response      | Per level above  | Escalation to the next level
Data Recovery         | RTO < 4 hours    | 25% monthly credit if exceeded

Appendices

Appendix A: GCP Service Costs

Service                            | Estimated Monthly Cost | Scaling Factor
-----------------------------------|------------------------|-------------------
GKE Cluster                        | $75                    | Fixed per cluster
Compute Engine (3x n2-standard-4)  | $850                   | Linear per node
Persistent Disks (300GB)           | $60                    | Linear per GB
Cloud Storage (1TB)                | $20                    | Linear per GB
Firestore                          | $120                   | Usage-based
Cloud Functions                    | $35                    | Request-based
Total Base Cost                    | ~$1,160/month          | For 100 tenants

Appendix B: Security Compliance Checklist

  • VPC with private subnets deployed
  • Firewall rules following least privilege
  • Cloud KMS encryption for all data at rest
  • TLS 1.3 for all data in transit
  • IAM with minimal permissions
  • Cloud Audit Logs enabled
  • Security Command Center enabled
  • Organization policy constraints enabled
  • Secret Manager for all credentials
  • Regular security scans and assessments

Appendix C: Troubleshooting Guide

Common issues:

  1. GKE nodes do not join the cluster
     • Check service account permissions
     • Check subnet routing and Cloud NAT
  2. Application pods are CrashLooping
     • Check resource limits and requests
     • Verify persistent volume claims
  3. Network connectivity problems
     • Check the VPC connector configuration
     • Check firewall rules

  • Document classification: Public
  • Version: 3.0
  • Last updated: 2025-05-28
  • Next review: 2025-08-28
  • Contact: support@energent.ai