Deployment capstone: ship a production pipeline

Design and ship a complete production deployment pipeline for a small stateful HTTP service (an API backed by a relational database), and prove it survives a zero-downtime release — including a database migration and a rollback — with traffic flowing the whole time.

• Build a lean multi-stage image: builder stage compiles, runtime stage carries only the artifact and runtime deps. Tag and pin by immutable digest (image@sha256:...); never deploy a mutable :latest tag. Show the final image size and that no build-time secret is present in any layer (docker history).
• Declare the k8s objects as YAML: Deployment, Service, Ingress, plus Config and Secret. The Deployment must reference the image by digest, set resource requests/limits, and carry both a readinessProbe (gates traffic, exercises the DB pool) and a liveness probe (gates restarts, checks only local liveness — not a remote dependency).
• Pick a rollout strategy and justify it against blast radius, resource cost, and rollback speed. Configure it concretely: for rolling update set maxUnavailable: 0 and maxSurge: 1; for blue-green or canary, wire the traffic-shift mechanism. Make 'success' mean healthy — gate promotion on error rate and p99 versus the old version's baseline, not on the apply command's exit code.
• Inject all secrets at runtime, never baked into the image: a k8s Secret (or external manager) mounted as files or env. Document that a k8s Secret is only base64-encoded and enable encryption-at-rest or an external secrets manager; scope RBAC so few principals can read it.
• Front the service with an L7 load balancer / Ingress that performs connection draining, and make the app handle SIGTERM: stop accepting new work, finish in-flight requests, exit within terminationGracePeriodSeconds, with a preStop sleep covering the endpoint-removal race.
• Codify the entire stack as IaC (Terraform/Pulumi/Helm + values, or equivalent) so the cluster state is reproducible from version control. The image digest, replica count, probes, and secret references all live in code — no hand-edited resources.
• Demonstrate a zero-downtime release end to end while a load generator drives steady traffic: ship a new version that includes a schema change applied via expand-contract (expand, dual-write + backfill, contract in a separate deploy), measuring error rate and p99 throughout.
• Demonstrate a rollback that stays safe: roll back to the previous version mid-release and show it still serves correctly — which only holds because every intermediate schema was N-1 compatible.

• A single repo (or directory) where terraform/helm apply from clean recreates the entire running service — image digest, objects, probes, secret wiring, LB, and rollout config — with zero manual kubectl edits.
• A release trace under live load showing error rate staying at baseline and p99 latency not spiking across the cutover; the readiness probe is shown failing during a pod's startup and passing only once the DB pool is open.
• Evidence the schema change shipped via expand-contract: the three deploys (expand, migrate/dual-write, contract) are distinct, and a rollback executed between them serves correctly because no intermediate schema broke N-1 compatibility.
• Proof that no secret is in the image (docker history is clean) and that secrets resolve only at runtime; a note on how the k8s Secret is protected beyond base64 (encryption-at-rest or external manager).
• A one-page architecture write-up naming each stage, the contract at each seam, and which configuration enforces it — the document a new hire reads to understand how the service ships.