diff --git a/.github/workflows/cd-testnet.yaml b/.github/workflows/cd-testnet.yaml
new file mode 100644
index 0000000..493a60e
--- /dev/null
+++ b/.github/workflows/cd-testnet.yaml
@@ -0,0 +1,14 @@
+name: Testnet CD for graphix
+
+on:
+  workflow_dispatch:
+  push:
+    pull_request:
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/template-deploy.yaml
+    with:
+      ENVIRONMENT: testnet
+    secrets:
+      GCP_SECRET: ${{ secrets.GCP_GRAPH_NETWORK }}
diff --git a/.github/workflows/template-deploy.yaml b/.github/workflows/template-deploy.yaml
new file mode 100644
index 0000000..057b4a8
--- /dev/null
+++ b/.github/workflows/template-deploy.yaml
@@ -0,0 +1,59 @@
+name: Template Deploy
+
+on:
+  workflow_call:
+    inputs:
+      GCP_PROJECT_ID:
+        required: false
+        type: string
+        default: graph-mainnet
+      ENVIRONMENT:
+        required: false
+        type: string
+        default: testnet
+      ENABLE_DIFF:
+        required: false
+        type: boolean
+        default: true
+      ENABLE_APPLY:
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      GCP_SECRET:
+        required: true
+      TRANSCRYPT:
+        required: true
+
+jobs:
+  template-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v3
+
+      - id: "auth"
+        uses: "google-github-actions/auth@v0"
+        with:
+          credentials_json: ${{ secrets.GCP_SECRET }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v0
+        with:
+          project_id: ${{ inputs.GCP_PROJECT_ID }}
+
+      - name: Enable homebrew
+        uses: raviqqe/enable-homebrew@v1.0.0
+
+      - name: Install infrastructure tools
+        run: ./brew.sh
+
+      - name: Diff ${{ inputs.ENVIRONMENT }}
+        if: inputs.ENABLE_DIFF
+        working-directory: k8s/${{ inputs.ENVIRONMENT }}
+        run: ./diff.sh
+
+      - name: Deploy to ${{ inputs.ENVIRONMENT }} cluster
+        if: inputs.ENABLE_APPLY
+        working-directory: k8s/${{ inputs.ENVIRONMENT }}
+        run: ./apply.sh
diff --git a/brew.sh b/brew.sh
new file mode 100755
index 0000000..8e46440
--- /dev/null
+++ b/brew.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# brew install transcrypt         # encrypt/decrypt secrets
+brew install jsonnet            # jsonnet is a superset of json
+brew install jsonnet-bundler    # manage jsonnet packages with lock file
+brew install helm
+brew install jq
+
+brew install cask google-cloud-sdk
+gcloud components install gke-gcloud-auth-plugin
+
+curl -fSL -o "/usr/local/bin/tk" "https://github.com/grafana/tanka/releases/download/v0.22.1/tk-linux-amd64"
+chmod a+x "/usr/local/bin/tk"
+
+curl -LO "https://dl.k8s.io/release/v1.24.1/bin/linux/amd64/kubectl"
+chmod +x ./kubectl
+mv ./kubectl /usr/local/bin/kubectl
diff --git a/k8s/base/deployment.yaml b/k8s/base/deployment.yaml
new file mode 100644
index 0000000..46c87d1
--- /dev/null
+++ b/k8s/base/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: graphix
+  labels:
+    app: graphix
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: graphix
+  template:
+    metadata:
+      labels:
+        app: graphix
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/metrics"
+        prometheus.io/port: "7300"
+    spec:
+      # tolerations:
+      #   - key: "graphix"
+      #     operator: "Exists"
+      #     effect: "NoSchedule"
+      # affinity:
+      #   nodeAffinity:
+      #     requiredDuringSchedulingIgnoredDuringExecution:
+      #       nodeSelectorTerms:
+      #         - matchExpressions:
+      #             - key: "graphix"
+      #               operator: In
+      #               values:
+      #                 - "1"
+      imagePullSecrets:
+        - name: docker-registry
+
+      volumes:
+        - name: graphix-config
+          secret:
+            secretName: graphix-config
+        - name: redpanda-certificates
+          secret:
+            secretName: redpanda-certificates
+
+      containers:
+        - name: graphix
+          image: graphix:to-be-replaced-by-kustomize
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: graphix
+              containerPort: 80
+            - name: metrics
+              containerPort: 7300
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: graphix
+          #   timeoutSeconds: 5
+          # volumeMounts:
+          #   - name: graphix-config
+          #     mountPath: /opt/graphix/config
+          #     readOnly: true
+          #   - name: redpanda-certificates
+          #     mountPath: /redpanda_config
+          #     readOnly: true
+          # env:
+          #   - name: RUST_LOG
+          #     value: info,graph_graphix=debug,indexer_selection=debug
+          command:
+            - sleep
+            - infinte
+          # args:
+          #   - "/opt/graphix/config/config"
diff --git a/k8s/base/kustomization.yaml b/k8s/base/kustomization.yaml
new file mode 100644
index 0000000..791cf8d
--- /dev/null
+++ b/k8s/base/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  # - service.yaml
+  # - ingress.yaml
+  # - servicemonitor.yaml
+
+images:
+  - name: graphix
+    newName: edgeandnode/graphix-cross-checker
+    newTag: latest
diff --git a/k8s/testnet/kustomization.yaml b/k8s/testnet/kustomization.yaml
new file mode 100644
index 0000000..55050e0
--- /dev/null
+++ b/k8s/testnet/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+  - ../base