Deployment Patterns

1---2name: deployment-patterns3description: Deployment workflows, CI/CD pipeline patterns, Docker containerization, health checks, rollback strategies, and production readiness checklists for web applications.4origin: ECC5---6 7# Deployment Patterns8 9Production deployment workflows and CI/CD best practices.10 11## When to Activate12 13- Setting up CI/CD pipelines14- Dockerizing an application15- Planning deployment strategy (blue-green, canary, rolling)16- Implementing health checks and readiness probes17- Preparing for a production release18- Configuring environment-specific settings19 20## Deployment Strategies21 22### Rolling Deployment (Default)23 24Replace instances gradually — old and new versions run simultaneously during rollout.25 26```27Instance 1: v1 → v2  (update first)28Instance 2: v1        (still running v1)29Instance 3: v1        (still running v1)30 31Instance 1: v232Instance 2: v1 → v2  (update second)33Instance 3: v134 35Instance 1: v236Instance 2: v237Instance 3: v1 → v2  (update last)38```39 40**Pros:** Zero downtime, gradual rollout41**Cons:** Two versions run simultaneously — requires backward-compatible changes42**Use when:** Standard deployments, backward-compatible changes43 44### Blue-Green Deployment45 46Run two identical environments. Switch traffic atomically.47 48```49Blue  (v1) ← traffic50Green (v2)   idle, running new version51 52# After verification:53Blue  (v1)   idle (becomes standby)54Green (v2) ← traffic55```56 57**Pros:** Instant rollback (switch back to blue), clean cutover58**Cons:** Requires 2x infrastructure during deployment59**Use when:** Critical services, zero-tolerance for issues60 61### Canary Deployment62 63Route a small percentage of traffic to the new version first.64 65```66v1: 95% of traffic67v2:  5% of traffic  (canary)68 69# If metrics look good:70v1: 50% of traffic71v2: 50% of traffic72 73# Final:74v2: 100% of traffic75```76 77**Pros:** Catches issues with real traffic before full rollout78**Cons:** Requires traffic splitting infrastructure, monitoring79**Use when:** High-traffic services, risky changes, feature flags80 81## Docker82 83### Multi-Stage Dockerfile (Node.js)84 85```dockerfile86# Stage 1: Install dependencies87FROM node:22-alpine AS deps88WORKDIR /app89COPY package.json package-lock.json ./90RUN npm ci --production=false91 92# Stage 2: Build93FROM node:22-alpine AS builder94WORKDIR /app95COPY --from=deps /app/node_modules ./node_modules96COPY . .97RUN npm run build98RUN npm prune --production99 100# Stage 3: Production image101FROM node:22-alpine AS runner102WORKDIR /app103 104RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001105USER appuser106 107COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules108COPY --from=builder --chown=appuser:appgroup /app/dist ./dist109COPY --from=builder --chown=appuser:appgroup /app/package.json ./110 111ENV NODE_ENV=production112EXPOSE 3000113 114HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \115  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1116 117CMD ["node", "dist/server.js"]118```119 120### Multi-Stage Dockerfile (Go)121 122```dockerfile123FROM golang:1.22-alpine AS builder124WORKDIR /app125COPY go.mod go.sum ./126RUN go mod download127COPY . .128RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server129 130FROM alpine:3.19 AS runner131RUN apk --no-cache add ca-certificates132RUN adduser -D -u 1001 appuser133USER appuser134 135COPY --from=builder /server /server136 137EXPOSE 8080138HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/health || exit 1139CMD ["/server"]140```141 142### Multi-Stage Dockerfile (Python/Django)143 144```dockerfile145FROM python:3.12-slim AS builder146WORKDIR /app147RUN pip install --no-cache-dir uv148COPY requirements.txt .149RUN uv pip install --system --no-cache -r requirements.txt150 151FROM python:3.12-slim AS runner152WORKDIR /app153 154RUN useradd -r -u 1001 appuser155USER appuser156 157COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages158COPY --from=builder /usr/local/bin /usr/local/bin159COPY . .160 161ENV PYTHONUNBUFFERED=1162EXPOSE 8000163 164HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health/')" || exit 1165CMD ["gunicorn", "config.wsgi:application", "--bind", "0.0.0.0:8000", "--workers", "4"]166```167 168### Docker Best Practices169 170```171# GOOD practices172- Use specific version tags (node:22-alpine, not node:latest)173- Multi-stage builds to minimize image size174- Run as non-root user175- Copy dependency files first (layer caching)176- Use .dockerignore to exclude node_modules, .git, tests177- Add HEALTHCHECK instruction178- Set resource limits in docker-compose or k8s179 180# BAD practices181- Running as root182- Using :latest tags183- Copying entire repo in one COPY layer184- Installing dev dependencies in production image185- Storing secrets in image (use env vars or secrets manager)186```187 188## CI/CD Pipeline189 190### GitHub Actions (Standard Pipeline)191 192```yaml193name: CI/CD194 195on:196  push:197    branches: [main]198  pull_request:199    branches: [main]200 201jobs:202  test:203    runs-on: ubuntu-latest204    steps:205      - uses: actions/checkout@v4206      - uses: actions/setup-node@v4207        with:208          node-version: 22209          cache: npm210      - run: npm ci211      - run: npm run lint212      - run: npm run typecheck213      - run: npm test -- --coverage214      - uses: actions/upload-artifact@v4215        if: always()216        with:217          name: coverage218          path: coverage/219 220  build:221    needs: test222    runs-on: ubuntu-latest223    if: github.ref == 'refs/heads/main'224    steps:225      - uses: actions/checkout@v4226      - uses: docker/setup-buildx-action@v3227      - uses: docker/login-action@v3228        with:229          registry: ghcr.io230          username: ${{ github.actor }}231          password: ${{ secrets.GITHUB_TOKEN }}232      - uses: docker/build-push-action@v5233        with:234          push: true235          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}236          cache-from: type=gha237          cache-to: type=gha,mode=max238 239  deploy:240    needs: build241    runs-on: ubuntu-latest242    if: github.ref == 'refs/heads/main'243    environment: production244    steps:245      - name: Deploy to production246        run: |247          # Platform-specific deployment command248          # Railway: railway up249          # Vercel: vercel --prod250          # K8s: kubectl set image deployment/app app=ghcr.io/${{ github.repository }}:${{ github.sha }}251          echo "Deploying ${{ github.sha }}"252```253 254### Pipeline Stages255 256```257PR opened:258  lint → typecheck → unit tests → integration tests → preview deploy259 260Merged to main:261  lint → typecheck → unit tests → integration tests → build image → deploy staging → smoke tests → deploy production262```263 264## Health Checks265 266### Health Check Endpoint267 268```typescript269// Simple health check270app.get("/health", (req, res) => {271  res.status(200).json({ status: "ok" });272});273 274// Detailed health check (for internal monitoring)275app.get("/health/detailed", async (req, res) => {276  const checks = {277    database: await checkDatabase(),278    redis: await checkRedis(),279    externalApi: await checkExternalApi(),280  };281 282  const allHealthy = Object.values(checks).every(c => c.status === "ok");283 284  res.status(allHealthy ? 200 : 503).json({285    status: allHealthy ? "ok" : "degraded",286    timestamp: new Date().toISOString(),287    version: process.env.APP_VERSION || "unknown",288    uptime: process.uptime(),289    checks,290  });291});292 293async function checkDatabase(): Promise<HealthCheck> {294  try {295    await db.query("SELECT 1");296    return { status: "ok", latency_ms: 2 };297  } catch (err) {298    return { status: "error", message: "Database unreachable" };299  }300}301```302 303### Kubernetes Probes304 305```yaml306livenessProbe:307  httpGet:308    path: /health309    port: 3000310  initialDelaySeconds: 10311  periodSeconds: 30312  failureThreshold: 3313 314readinessProbe:315  httpGet:316    path: /health317    port: 3000318  initialDelaySeconds: 5319  periodSeconds: 10320  failureThreshold: 2321 322startupProbe:323  httpGet:324    path: /health325    port: 3000326  initialDelaySeconds: 0327  periodSeconds: 5328  failureThreshold: 30    # 30 * 5s = 150s max startup time329```330 331## Environment Configuration332 333### Twelve-Factor App Pattern334 335```bash336# All config via environment variables — never in code337DATABASE_URL=postgres://user:pass@host:5432/db338REDIS_URL=redis://host:6379/0339API_KEY=${API_KEY}           # injected by secrets manager340LOG_LEVEL=info341PORT=3000342 343# Environment-specific behavior344NODE_ENV=production          # or staging, development345APP_ENV=production           # explicit app environment346```347 348### Configuration Validation349 350```typescript351import { z } from "zod";352 353const envSchema = z.object({354  NODE_ENV: z.enum(["development", "staging", "production"]),355  PORT: z.coerce.number().default(3000),356  DATABASE_URL: z.string().url(),357  REDIS_URL: z.string().url(),358  JWT_SECRET: z.string().min(32),359  LOG_LEVEL: z.enum(["debug", "info", "warn", "error"]).default("info"),360});361 362// Validate at startup — fail fast if config is wrong363export const env = envSchema.parse(process.env);364```365 366## Rollback Strategy367 368### Instant Rollback369 370```bash371# Docker/Kubernetes: point to previous image372kubectl rollout undo deployment/app373 374# Vercel: promote previous deployment375vercel rollback376 377# Railway: redeploy previous commit378railway up --commit <previous-sha>379 380# Database: rollback migration (if reversible)381npx prisma migrate resolve --rolled-back <migration-name>382```383 384### Rollback Checklist385 386- [ ] Previous image/artifact is available and tagged387- [ ] Database migrations are backward-compatible (no destructive changes)388- [ ] Feature flags can disable new features without deploy389- [ ] Monitoring alerts configured for error rate spikes390- [ ] Rollback tested in staging before production release391 392## Production Readiness Checklist393 394Before any production deployment:395 396### Application397- [ ] All tests pass (unit, integration, E2E)398- [ ] No hardcoded secrets in code or config files399- [ ] Error handling covers all edge cases400- [ ] Logging is structured (JSON) and does not contain PII401- [ ] Health check endpoint returns meaningful status402 403### Infrastructure404- [ ] Docker image builds reproducibly (pinned versions)405- [ ] Environment variables documented and validated at startup406- [ ] Resource limits set (CPU, memory)407- [ ] Horizontal scaling configured (min/max instances)408- [ ] SSL/TLS enabled on all endpoints409 410### Monitoring411- [ ] Application metrics exported (request rate, latency, errors)412- [ ] Alerts configured for error rate > threshold413- [ ] Log aggregation set up (structured logs, searchable)414- [ ] Uptime monitoring on health endpoint415 416### Security417- [ ] Dependencies scanned for CVEs418- [ ] CORS configured for allowed origins only419- [ ] Rate limiting enabled on public endpoints420- [ ] Authentication and authorization verified421- [ ] Security headers set (CSP, HSTS, X-Frame-Options)422 423### Operations424- [ ] Rollback plan documented and tested425- [ ] Database migration tested against production-sized data426- [ ] Runbook for common failure scenarios427- [ ] On-call rotation and escalation path defined