Rollout strategies: build a gated canary that rolls itself back

Deploy a small HTTP service to Kubernetes behind an automated canary rollout, then prove the rollout's safety properties by deliberately shipping a bad release and a schema change and showing the system contains both — limited blast radius, no 502s, and a rollback that survives the migration.

• Build or take a small HTTP service that reads/writes one table and exposes a /healthz endpoint plus a metric the canary can gate on (request error rate and p99 latency, scraped by Prometheus).
• Deploy it to a Kubernetes cluster (kind/minikube is fine) with a real readiness probe wired to /healthz that returns success only after DB connectivity is established — and add a startup delay to the app so an unprobed pod would visibly serve 502s.
• Set up an automated canary with Argo Rollouts or Flagger: steps 5% → 25% → 50% → 100% with an analysis template that pauses and auto-rolls-back if error rate or p99 breaches an SLO threshold at any step.
• Experiment 1 (readiness): deploy with the readiness probe removed, drive load during the rollout, and capture the 502s; re-add the probe and show the same rollout serves zero errors. Record both runs.
• Experiment 2 (canary gate): ship a release that returns 500s for ~10% of requests and show the analysis step auto-pauses and rolls back at the 5% step — capture the rollout events and the share of traffic that ever saw the bad version.
• Experiment 3 (schema): perform a column rename as an expand-contract migration (add + dual-write, deploy, then a separate contract deploy). Mid-rollout, roll back to the previous version and show it still serves correctly against the expanded schema.
• Document the maxSurge/maxUnavailable (or canary equivalent) settings you chose and why, and the SLO thresholds the analysis gate uses.

• A before/after for Experiment 1: error count during the rollout with the probe absent vs present, measured under the same load — not estimated.
• Rollout event logs from Experiment 2 showing the automated pause and rollback, plus the measured fraction of total traffic that hit the bad version (should be ≤ the 5% canary step).
• Evidence from Experiment 3 that a rollback after the expand step still serves correctly, and a note on why the contract step is deferred to a later deploy.
• A one-paragraph write-up choosing canary vs blue-green vs rolling for this service and justifying it against blast radius, resource cost, and rollback speed.