tofu config and docs

.tofu/platforms/upc/modules/cluster/main.tf

@@ -47,6 +47,14 @@ resource "upcloud_kubernetes_node_group" "workers" {
   node_count    = var.node_count
   plan          = var.node_plan
   anti_affinity = var.node_count > 1
+
+  dynamic "cloud_native_plan" {
+    for_each = var.storage_size != null ? [1] : []
+    content {
+      storage_size = var.storage_size
+    }
+  }
+
   labels = {
     prefix  = var.prefix
     cluster = var.cluster_name

.tofu/platforms/upc/modules/cluster/variables.tf

@@ -38,6 +38,12 @@ variable "control_plane_ip_filter" {
   default     = ["0.0.0.0/0"]
 }
 
+variable "storage_size" {
+  description = "Storage size in GB for worker nodes (overrides plan default via cloud_native_plan block)"
+  type        = number
+  default     = null
+}
+
 variable "tags" {
   description = "Labels to apply to resources"
   type        = map(string)

.tofu/platforms/upc/prod/main.tf

@@ -1,10 +1,72 @@
+# =============================================================================
+# UpCloud Workload Cluster
+# =============================================================================
+# A lean UCS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env upcloud-workload
+#   ./deploy-workload.sh --env upcloud-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+  default     = "no-svg1"
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+  default     = "2xCPU-4GB"
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.110.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
 module "cluster" {
   source = "../modules/cluster"
 
-  prefix       = "clst"
+  prefix       = "clst-prod"
-  zone         = "de-fra1"
+  zone         = "no-svg1"
-  node_plan    = "4xCPU-8GB"
+  node_plan    = "CLOUDNATIVE-4xCPU-8GB"
-  node_count   = 3
+  node_count   = 4
+  storage_size = 30
   network_cidr = "10.100.0.0/24"
 
   control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
@@ -14,3 +76,45 @@ module "cluster" {
     ManagedBy   = "tofu"
   }
 }
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-workload-router"
+}
+
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-workload-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-workload-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+resource "upcloud_kubernetes_cluster" "main-prod" {
+  name                    = "${var.prefix}-workload"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}

.tofu/platforms/upc/workload/main.tf

@@ -23,7 +23,7 @@ variable "prefix" {
 variable "zone" {
   description = "UpCloud zone"
   type        = string
-  default     = "fi-hel1"
+  default     = "no-svg1"
 }
 
 variable "node_plan" {

docs/REFERENCE.md

@@ -333,8 +333,8 @@ Each platform defines three environment tiers:
 | `upcloud_kubernetes_node_group` | Anti-affinity if node_count > 1 |
 
 **Dev**: DEV-1xCPU-2GB, 2 nodes, no-svg1
-**Prod**: 4xCPU-8GB, 3 nodes, de-fra1
+**Prod**: 4xCPU-8GB, 3 nodes, no-svg1
-**Workload**: 2xCPU-4GB, 2 nodes, fi-hel1, CIDR `10.110.0.0/24`
+**Workload**: 2xCPU-4GB, 2 nodes, no-svg1, CIDR `10.110.0.0/24`
 
 > **Note**: UpCloud has no native workload identity — external-DNS integration not available.