Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Deepen PracticeOrdered learning track

From Commit to Production Runtime

CI/CD Pipeline Operations for Kubernetes

Operasi CI/CD untuk Kubernetes backend workloads: build, test, scan, image push, manifest update, deployment trigger, environment promotion, approval gate, smoke test, rollback path, deployment markers, evidence capture, dan production-safe release flow.

15 min read2817 words
PrevNext
Lesson 5798 lesson track54–80 Deepen Practice
#kubernetes#cicd#pipeline#gitops+5 more

Part 057 — CI/CD Pipeline Operations for Kubernetes

Tujuan

CI/CD pipeline untuk Kubernetes bukan hanya otomasi build dan deploy. Dalam sistem enterprise, pipeline adalah control point yang menentukan apakah sebuah perubahan aplikasi, image, manifest, config, secret reference, migration, atau routing change bisa masuk ke runtime production dengan aman.

Untuk backend engineer, pipeline harus dipahami sebagai jalur perubahan dari source code sampai running pod:

  • commit
  • build
  • unit/integration test
  • static analysis
  • dependency scan
  • container image build
  • image scan
  • image push
  • manifest update
  • GitOps reconciliation atau direct deploy
  • approval gate
  • rollout
  • smoke test
  • post-deployment verification
  • rollback path
  • evidence capture

Part ini membahas CI/CD pipeline dari sudut pandang day-2 operations: bagaimana membaca jalur deployment, menemukan failure point, memastikan traceability, dan mencegah perubahan menjadi incident.


1. Pipeline Mental Model

flowchart TD A[Source Commit] --> B[Build] B --> C[Test] C --> D[Static Analysis / Security Scan] D --> E[Container Image Build] E --> F[Image Scan] F --> G[Push to Registry] G --> H[Manifest / Values / Overlay Update] H --> I[Approval / Promotion Gate] I --> J[GitOps Sync or Deploy] J --> K[Kubernetes Rollout] K --> L[Smoke Test] L --> M[Post-Deployment Verification] M --> N[Runtime Observability]

Operationally, a deployment is not complete when the pipeline is green.

A deployment is complete when:

  • intended image is running
  • intended manifest is applied
  • pods are ready
  • service has endpoints
  • ingress/backend route is healthy
  • smoke test passes
  • core SLI remains stable
  • dependency error does not spike
  • queue lag does not regress
  • no hidden CrashLoop/OOM/restart pattern appears
  • rollback path remains available

2. Why CI/CD Pipeline Matters for Backend Engineers

Backend engineers often think pipeline belongs to DevOps or platform team. That is only partly true.

Platform/DevOps may own pipeline infrastructure, but backend engineers own the runtime effect of application changes.

A backend service owner must understand:

  • what image version is being deployed
  • what commit produced the image
  • what manifest version references the image
  • which environment receives the change
  • whether config and secret references changed
  • whether database migration runs before/after rollout
  • whether rollout strategy protects availability
  • whether smoke test validates meaningful user paths
  • whether alert and dashboard show deployment markers
  • whether rollback can restore service safely

In CPQ, quote management, order management, billing integration, and workflow-heavy systems, a bad pipeline can break not only an API endpoint but also long-running business state.

Example failure:

Code change is backward compatible.
Image builds successfully.
Manifest promotes to production.
Migration job runs destructively.
Old pods still serving traffic fail against new schema.
Rollback cannot restore data shape.
Incident becomes data recovery problem.

Pipeline review must include application lifecycle, data compatibility, and operational verification.


3. Pipeline Ownership Boundaries

AreaBackend Service OwnerPlatform / DevOps / SRE
Build correctnessOwns app build, tests, artifact semanticsProvides build runner and standard stages
Image contentOwns app runtime dependenciesProvides base image policy and registry controls
Manifest semanticsOwns service-specific runtime behaviorProvides manifest standards and deployment tooling
Environment promotionValidates app readinessProvides promotion mechanism and gates
Production deployOwns application riskOwns platform-safe delivery mechanics
Rollback decisionProvides app-level rollback safety judgmentSupports rollback execution and platform state
Smoke testDefines meaningful service checksProvides execution framework
ObservabilityDefines service signalsProvides logging/metrics/tracing platform
Security scan findingsFixes app/library findingsMaintains scanning policy and exceptions

Boundary rule:

Platform owns the delivery machinery. Backend owns whether the delivered workload is correct, safe, observable, and reversible.


4. Commit-to-Runtime Traceability

Every production pod should be traceable back to:

  • source commit SHA
  • repository
  • branch/tag
  • build number
  • container image digest
  • chart version or manifest revision
  • GitOps commit
  • deployment timestamp
  • release ticket/change request
  • actor or automation identity

Recommended pod/deployment annotations:

metadata:
  annotations:
    app.example.com/git-commit: "9f2a1c7"
    app.example.com/build-id: "build-2026-07-12-1042"
    app.example.com/image-digest: "sha256:..."
    app.example.com/release-id: "REL-12345"
    app.example.com/deployed-by: "gitops-controller"

Recommended labels:

metadata:
  labels:
    app.kubernetes.io/name: quote-order-api
    app.kubernetes.io/component: api
    app.kubernetes.io/part-of: quote-order
    app.kubernetes.io/version: "2026.07.12.1"
    app.kubernetes.io/managed-by: argocd

Operational question during incident:

Which exact code, image, manifest, and config is currently serving production traffic?

If the answer requires guesswork, the pipeline is not production-grade enough.


5. Build Stage Operations

Build stage validates whether application artifact can be created repeatably.

For Java/JAX-RS service, check:

  • Java version consistency, for example Java 17+
  • Maven/Gradle lockfile or dependency reproducibility
  • generated code step
  • annotation processing
  • OpenAPI/client generation
  • unit test execution
  • integration test execution
  • dependency vulnerability scan
  • license policy
  • artifact checksum

Operational failure modes:

FailureOperational Meaning
Build passes locally but fails in CIEnvironment drift, missing generated artifact, dependency resolution issue
Build is flakyNon-deterministic test, shared state, time dependency, concurrency issue
Dependency download failureRepository outage, proxy issue, credential issue
Build uses mutable dependencyReproducibility risk
Build skips tests for speedProduction risk shifted downstream

Backend engineer should know which failures block deployment and which can be waived only through formal exception.


6. Test Stage Operations

Tests in CI/CD should not be treated as generic quality decoration. They are release gates.

Minimum test categories for backend Kubernetes workload:

  • unit tests
  • service-level tests
  • API contract tests
  • repository/database tests
  • messaging contract tests
  • serialization compatibility tests
  • migration compatibility tests
  • failure-path tests
  • idempotency tests for consumers/jobs
  • startup/config validation tests

For CPQ/order systems, useful tests include:

  • quote creation path
  • quote validation path
  • pricing/catalog dependency behavior
  • order submission path
  • downstream integration failure behavior
  • retry/DLQ behavior
  • workflow correlation behavior
  • idempotent event processing

Pipeline smell:

All tests pass, but none of them validate the path that production users actually depend on.

7. Static Analysis and Security Gates

Security and quality gates may include:

  • SAST
  • dependency vulnerability scan
  • container image scan
  • secret scanning
  • IaC/manifest scanning
  • license scanning
  • code quality threshold
  • policy-as-code validation

Backend engineer should care because findings may affect runtime:

  • vulnerable library in JAX-RS stack
  • vulnerable base image
  • leaked secret in config
  • privileged container setting
  • missing resource limit
  • invalid NetworkPolicy
  • unsafe RBAC permission
  • deprecated Kubernetes API

Operational rule:

A security gate is not only a compliance step. It is a production risk filter.


8. Container Image Build Operations

Image build should produce a deterministic, deployable runtime unit.

Review checklist:

  • base image is approved
  • Java version matches service requirement
  • image runs as non-root if policy requires
  • image has minimal required packages
  • timezone/locale behavior is known
  • CA certificates are included
  • JVM flags are configurable
  • entrypoint handles SIGTERM
  • health endpoint is available after startup
  • image tag is not the only identity; digest is available

Example image metadata expectation:

image: registry.example.com/quote-order-api:2026.07.12.1
imageID: registry.example.com/quote-order-api@sha256:...

Tag tells human intent. Digest tells immutable runtime identity.


9. Registry and Image Promotion

Image promotion determines which artifact reaches each environment.

Common patterns:

PatternMeaningRisk
Rebuild per environmentBuild image separately for dev/stage/prodArtifact drift
Promote same digestSame image digest moves across environmentsBetter traceability
Mutable tag promotionTag like latest or prod is movedRuntime ambiguity
Immutable release tagUnique version tag per releaseSafer

Production-safe preference:

Build once, scan once, promote immutable digest through environments.

Backend engineer should verify:

  • stage and prod use same image digest unless intentionally different
  • image scan completed before promotion
  • deployment manifest references expected tag/digest
  • registry auth works from target cluster
  • rollback image still exists in registry

10. Manifest Update Stage

The pipeline may update Kubernetes manifests through:

  • direct YAML patch
  • Helm values update
  • Kustomize image override
  • GitOps repo commit
  • generated environment manifest
  • release automation tool

Example Kustomize image update:

images:
  - name: registry.example.com/quote-order-api
    newTag: 2026.07.12.1

Example Helm values update:

image:
  repository: registry.example.com/quote-order-api
  tag: 2026.07.12.1

Operational checks:

  • Did only the intended image/config change?
  • Did resource/probe/HPA/PDB change accidentally?
  • Did environment overlay drift?
  • Did Helm/Kustomize render expected output?
  • Did generated ConfigMap/Secret name change and trigger rollout?
  • Did Service selector remain stable?
  • Did NetworkPolicy still allow dependency traffic?

Rendered manifest must be reviewed, not only source templates.


11. Deployment Trigger Models

There are two common delivery models.

Direct deploy

Pipeline applies changes directly:

kubectl apply -f rendered.yaml

Pros:

  • simple flow
  • immediate feedback
  • fewer moving parts

Cons:

  • weaker GitOps traceability
  • harder drift control
  • greater risk of manual deploy ambiguity

GitOps deploy

Pipeline commits desired state to GitOps repo, then controller reconciles:

sequenceDiagram participant CI as CI Pipeline participant Git as GitOps Repo participant CD as GitOps Controller participant K8s as Kubernetes API participant Pod as Workload Pods CI->>Git: Commit image/manifest change CD->>Git: Detect desired-state change CD->>K8s: Apply manifests K8s->>Pod: Start rollout CD->>K8s: Observe sync and health

Pros:

  • desired state is auditable
  • rollback through Git
  • drift visibility
  • cleaner production change record

Cons:

  • delayed reconciliation
  • sync wave complexity
  • requires understanding GitOps controller health

12. Environment Promotion

Promotion is not merely copying image tag from staging to production.

Promotion should validate:

  • same image digest tested in lower environment
  • migration strategy approved
  • feature flags configured
  • environment-specific config reviewed
  • dependency endpoints correct
  • secrets available
  • ingress route correct
  • HPA/PDB/resources ready
  • observability ready
  • rollback path known

Promotion failure modes:

FailureExample
Config mismatchStaging uses mock endpoint, prod uses real billing integration
Secret missingProd external secret not synced
Dependency permission missingIRSA/Azure Workload Identity not allowed
Network egress blockedNetworkPolicy allows staging DB only
Migration not compatibleProd schema rollout breaks old pods
Smoke test weakPipeline validates /health only, not business path

13. Approval Gates

Approval gates are useful when they force risk review, not when they become ceremonial clicks.

Good approval gate asks:

  • What changed?
  • What is the blast radius?
  • Is rollback safe?
  • Does this include migration?
  • Does this change config/secret/identity/networking?
  • Are dashboards and alerts ready?
  • Is there a known incident or freeze window?
  • Who owns validation after deployment?

Bad approval gate:

Approve because pipeline is green.

Production-grade approval should include application, platform, and security context when relevant.


14. Smoke Test Operations

Smoke test validates that deployed workload can perform minimal meaningful function.

Bad smoke test:

curl /health

This only proves that the process responds.

Better smoke test examples:

  • GET readiness endpoint
  • call one authenticated API path
  • validate dependency connectivity in safe mode
  • execute quote retrieval for test fixture
  • validate order validation endpoint with non-mutating payload
  • check Kafka/RabbitMQ consumer group availability
  • check workflow worker registration
  • verify no 5xx spike after deployment

Smoke test must avoid:

  • mutating production business data without cleanup
  • triggering real billing/order fulfillment
  • bypassing auth path if auth is part of runtime risk
  • relying only on pod readiness

15. Post-Deployment Verification

After rollout, verify runtime state.

Safe command examples:

kubectl -n <namespace> rollout status deploy/<deployment>
kubectl -n <namespace> get deploy <deployment>
kubectl -n <namespace> get rs -l app.kubernetes.io/name=<service>
kubectl -n <namespace> get pods -l app.kubernetes.io/name=<service>
kubectl -n <namespace> get endpointslice -l kubernetes.io/service-name=<service>
kubectl -n <namespace> describe deploy <deployment>

Check observability:

  • error rate
  • latency p95/p99
  • request volume
  • restart count
  • pod readiness
  • CPU/memory/throttling
  • GC pause
  • DB pool usage
  • Kafka lag
  • RabbitMQ queue depth/unacked messages
  • Redis latency/errors
  • Camunda incidents/job backlog
  • ingress 5xx
  • dependency errors

Verification rule:

Rollout success means Kubernetes accepted and progressed the deployment. It does not prove business correctness.


16. Deployment Markers

Deployment markers help correlate metric changes with releases.

They should appear in:

  • logs
  • metrics dashboard
  • tracing system
  • incident timeline
  • release dashboard
  • change management record

Useful marker fields:

service=quote-order-api
version=2026.07.12.1
commit=9f2a1c7
image_digest=sha256:...
environment=prod
namespace=quote-order-prod
release_id=REL-12345

Without deployment markers, incident debugging often starts with a weak question:

Did anything change recently?

With markers, it becomes:

Error rate increased 4 minutes after release 2026.07.12.1 reached 100% traffic.

17. Rollback Path in Pipeline

Rollback must be designed before deployment.

Rollback may mean:

  • revert GitOps commit
  • restore previous Helm release
  • update Kustomize image back to previous digest
  • use kubectl rollout undo only if compatible with delivery model
  • disable feature flag
  • pause canary
  • switch traffic back in blue-green
  • run compensating migration only if approved

Rollback questions:

  • Is previous image still available?
  • Is previous config still available?
  • Is previous secret version still available?
  • Did DB migration break backward compatibility?
  • Did event schema change break consumers?
  • Did cache data format change?
  • Did workflow version change create mixed process state?
  • Who is authorized to execute rollback?

Pipeline should expose rollback path as an operational procedure, not tribal knowledge.


18. CI/CD Failure Mode Map

flowchart TD A[Production Symptom] --> B{Recent Deployment?} B -->|Yes| C[Check Pipeline Record] B -->|No| D[Check Platform/Dependency Changes] C --> E[Image Changed?] C --> F[Manifest Changed?] C --> G[Config/Secret Changed?] C --> H[Migration Ran?] C --> I[Routing Changed?] E --> J[Check Pod Logs / Crash / JVM] F --> K[Check Resources / Probes / HPA / PDB] G --> L[Check Env / Mount / External Secret] H --> M[Check Schema Compatibility / DB Metrics] I --> N[Check Ingress / Service / EndpointSlice]

Pipeline evidence narrows incident search space.


19. Kubernetes-Specific Pipeline Failure Modes

Failure ModeDetectionTypical Mitigation
Wrong image tagPod image differs from expected releasePromote correct image, rollback bad manifest
ImagePullBackOffPod event shows pull failureFix registry auth/tag/network, rollback if needed
Bad resource limitOOMKilled or CPU throttling after deployRestore previous resource config, tune JVM
Bad probePods not ready or restart loopFix probe path/port/timing, rollback
Bad ConfigMapApp startup failure or wrong behaviorRestore config, restart pods safely
Missing SecretCrashLoopBackOff or access deniedFix secret sync/reference, rollback if needed
Bad NetworkPolicyDependency timeoutAdd minimal rule with approval, rollback policy change
Migration incompatibilityOld/new app fail against schemaStop rollout, rollback app if possible, DB recovery plan
GitOps driftController reverts manual fixFix desired state in Git

20. Java/JAX-RS Pipeline Concerns

For Java/JAX-RS service, pipeline should verify:

  • Java version matches base image
  • app starts under container memory limit
  • readiness endpoint returns only after server is ready
  • graceful shutdown works under SIGTERM
  • DB migrations are coordinated
  • dependency timeout config is environment-specific but intentional
  • OpenAPI contract compatibility is checked
  • serialization compatibility is checked
  • thread pool and connection pool values fit replica count
  • JVM flags are carried into deployment

Example risk:

Pipeline changes replica count from 4 to 12.
DB pool remains maxPoolSize=30 per pod.
Potential DB connections jump from 120 to 360.
PostgreSQL max_connections is exhausted during rollout surge.

CI/CD review must include runtime math.


21. Messaging and Workflow Pipeline Concerns

For Kafka/RabbitMQ/Camunda workloads, deployment can change processing semantics.

Check:

  • consumer group ID
  • topic/queue names
  • DLQ configuration
  • retry policy
  • offset commit behavior
  • prefetch/concurrency
  • worker type
  • workflow version compatibility
  • schema/event compatibility
  • idempotency guarantee
  • shutdown behavior

Risk examples:

New consumer version starts before producer schema is deployed.
Rollback reintroduces old worker that cannot process jobs created by new version.
Replica increase triggers Kafka rebalance storm during release window.

22. Safe Investigation Commands

Use read-only investigation first:

kubectl -n <namespace> get deploy <deployment> -o wide
kubectl -n <namespace> get deploy <deployment> -o yaml
kubectl -n <namespace> get rs -l app.kubernetes.io/name=<service>
kubectl -n <namespace> get pods -l app.kubernetes.io/name=<service> -o wide
kubectl -n <namespace> describe pod <pod>
kubectl -n <namespace> logs <pod> --since=30m
kubectl -n <namespace> logs <pod> --previous
kubectl -n <namespace> rollout history deploy/<deployment>
kubectl -n <namespace> rollout status deploy/<deployment>

If GitOps is used, also check:

# Tool-specific; verify internal command/process first.
argocd app get <app>
argocd app history <app>
argocd app diff <app>

Do not execute rollback, delete pod, restart deployment, or sync GitOps manually unless you know the internal authority and blast radius.


23. Production-Safe Pipeline Review Checklist

Before deployment, review:

  • What commit is being deployed?
  • What image digest is being promoted?
  • Was the same digest tested in staging?
  • Did the manifest change beyond image tag?
  • Did resources/probes/HPA/PDB change?
  • Did ConfigMap/Secret references change?
  • Did Service/Ingress/Gateway route change?
  • Did NetworkPolicy/RBAC/ServiceAccount change?
  • Does deployment include DB migration?
  • Is migration backward compatible?
  • Is rollback safe after migration?
  • Are smoke tests meaningful?
  • Are deployment markers visible?
  • Are dashboards ready?
  • Are alerts healthy before deploy?
  • Is rollback path documented?
  • Is owner available for post-deployment verification?

24. Internal Verification Checklist

Verify in your internal environment:

  • pipeline stages for service build, test, scan, image push, deployment
  • artifact promotion model
  • registry used for production
  • image tag and digest policy
  • GitOps repository and controller if used
  • Helm/Kustomize render process
  • environment promotion policy
  • approval gate requirements
  • release freeze window
  • change management process
  • smoke test implementation
  • post-deployment verification checklist
  • deployment marker integration
  • rollback process
  • database migration process
  • security scan exception process
  • incident linkage from deployment to timeline
  • ownership boundary between backend, platform, SRE, DevOps, and security

Do not assume CSG/team specifics. Confirm actual pipeline, GitOps repo, registry, approval process, runbook, and deployment authority internally.


25. Practical Review Questions

Ask during PR/release review:

  1. Is this a code-only change, or does it change runtime configuration?
  2. Is the image immutable and traceable to commit?
  3. Does production run the same artifact tested in staging?
  4. Is the rendered manifest reviewed?
  5. Does this change require migration coordination?
  6. Could rollback fail due to data, cache, event, or workflow compatibility?
  7. Does the deployment affect connection count, consumer count, or queue pressure?
  8. Is there enough observability to know whether release is healthy?
  9. Who validates after deploy?
  10. What is the fastest safe mitigation if this fails?

26. Key Takeaways

  • CI/CD is part of production operations, not only automation.
  • Backend engineers own the runtime impact of their service changes.
  • Immutable image digest is stronger than mutable tag.
  • Rendered manifest is the real deployable artifact.
  • Pipeline green does not equal production healthy.
  • Smoke tests must validate meaningful service behavior.
  • Rollback must be designed before deployment.
  • Deployment markers are critical for incident debugging.
  • GitOps changes must be fixed in Git, not only with manual kubectl.
  • Pipeline review must include code, config, image, manifest, dependency, migration, observability, and rollback safety.
Lesson Recap

You just completed lesson 57 in deepen practice. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.