
Citadel Cloud Management
Service Mesh Istio Configuration Pack
DevOps Pipelines
Created by Kenny Ogunlowo
Product Description
A DevOps pipeline that does not encode your team's deployment pain into automated gates is just a script runner with a UI. I have built pipelines for defense contractors, healthcare platforms, and energy infrastructure — and the common thread is that every production incident could have been prevented by a gate that nobody thought to add until after the incident. This template includes the gates that production incidents taught me were necessary.
This pipeline template implements a full CI/CD workflow with build, test, security, and deployment stages. It is designed to be adapted to any CI platform (GitHub Actions, GitLab CI, Jenkins, Azure DevOps) and any deployment target.
Pipeline Stages
- Checkout & Setup — Clean workspace, language runtime setup, dependency installation pinned to the committed lockfile (the install fails if lockfile and manifest disagree). Dependency cache keyed on the lockfile hash, so a changed lockfile never reuses a stale cache.
- Lint & Format — Code style enforcement. Fails fast — no point running expensive tests on code that will not pass review.
- Unit Test — Parallel execution across runtime versions. Coverage threshold enforced at 80%. JUnit XML results for CI platform reporting.
- Integration Test — Real databases and services (not mocks). Tests the actual behavior of the system against real dependencies.
- Security Scan — SAST for code vulnerabilities. SCA for dependency vulnerabilities. Secret detection for leaked credentials. Container scanning for image vulnerabilities. Any finding of HIGH or CRITICAL severity blocks the pipeline.
- Build — Reproducible build with version stamping. Container image pushed once and referenced by every later stage through its immutable digest, not a mutable tag. Artifact and image signing so the deploy stages can verify provenance before rolling anything out.
- Deploy Dev — Automatic on merge to develop. Health check validation.
- Deploy Staging — Manual approval. Integration test suite against deployed environment. One required reviewer.
- Deploy Prod — Two required reviewers. Canary or blue-green deployment. Automated metric validation during the bake period, comparing the canary against the stable fleet. Automatic rollback on threshold breach.
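The bake-period check in the Deploy Prod stage is the piece most teams hand-wave, so here is an added example of what it has to decide. This is not code from the Citadel template; the metric names, thresholds and samples are constructed for illustration. It checks every sample against absolute limits (a short error burst must not be averaged away), compares the canary's mean error rate with the stable fleet scraped over the same window (a regression that stays under the SLO is still a regression), and refuses to promote on too few samples.

```python
"""Canary bake-period gate: promote or roll back from metric samples.

Added example for the Deploy Prod stage; not code from the Citadel template.
Metric names, thresholds and the samples below are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    """One scrape of the canary (or of the stable baseline) during the bake period."""
    error_rate: float      # fraction of requests answered 5xx in the interval
    p99_latency_ms: float


@dataclass(frozen=True)
class Thresholds:
    max_error_rate: float        # absolute SLO, checked on every sample
    max_p99_latency_ms: float    # absolute SLO, checked on every sample
    max_error_rate_delta: float  # canary mean minus baseline mean
    min_samples: int             # do not promote on thin evidence


def evaluate_canary(canary, baseline, t):
    """Return ("PROMOTE" | "ROLLBACK" | "HOLD", reasons).

    HOLD means the bake period has not produced enough samples yet; the
    pipeline keeps waiting instead of promoting early.
    """
    if len(canary) < t.min_samples or len(baseline) < t.min_samples:
        return "HOLD", [f"need {t.min_samples} samples, have "
                        f"{len(canary)} canary / {len(baseline)} baseline"]

    reasons = []
    # Per-sample checks: a burst in the last few scrapes must not be averaged away.
    bad_err = [i for i, s in enumerate(canary) if s.error_rate > t.max_error_rate]
    if bad_err:
        reasons.append(f"error rate above {t.max_error_rate:.2%} at samples {bad_err}")
    slow = [i for i, s in enumerate(canary) if s.p99_latency_ms > t.max_p99_latency_ms]
    if slow:
        reasons.append(f"p99 latency above {t.max_p99_latency_ms:.0f} ms at samples {slow}")
    # Relative check against the stable fleet scraped over the same window, so a
    # regression that stays under the absolute SLO is still caught, and a
    # platform-wide blip raises both sides equally.
    delta = mean(s.error_rate for s in canary) - mean(s.error_rate for s in baseline)
    if delta > t.max_error_rate_delta:
        reasons.append(f"error rate {delta:.2%} above baseline")
    return ("ROLLBACK" if reasons else "PROMOTE"), reasons


PROD_THRESHOLDS = Thresholds(max_error_rate=0.01, max_p99_latency_ms=500,
                             max_error_rate_delta=0.002, min_samples=5)

# Constructed samples: five scrapes of the stable fleet during the bake period.
BASELINE = [Sample(0.002, 200), Sample(0.002, 205), Sample(0.002, 198),
            Sample(0.002, 210), Sample(0.002, 202)]
HEALTHY_CANARY = [Sample(0.002, 210), Sample(0.003, 230), Sample(0.001, 215),
                  Sample(0.002, 240), Sample(0.002, 220)]
# Errors and latency climb in the last three scrapes: per-sample and delta checks fire.
BAD_CANARY = [Sample(0.002, 220), Sample(0.004, 260), Sample(0.012, 480),
              Sample(0.030, 900), Sample(0.025, 1100)]
# Subtle regression: never breaches the absolute SLO, only the delta check catches it.
SUBTLE_CANARY = [Sample(0.006, 250)] * 5

if __name__ == "__main__":
    for name, c in [("healthy", HEALTHY_CANARY), ("bad", BAD_CANARY), ("subtle", SUBTLE_CANARY)]:
        print(name, evaluate_canary(c, BASELINE, PROD_THRESHOLDS))
```

In a real pipeline the sample lists come from the metrics backend for the canary and stable label sets; the decision function is the part that belongs in version control next to the thresholds, so that a change to "what counts as healthy" goes through the same review as a code change.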
Security Gates
- SAST — Static analysis catches SQL injection, XSS, path traversal, and insecure deserialization at the code level.
- SCA — Software Composition Analysis identifies known vulnerabilities in direct and transitive dependencies.
- Secret detection — Scans code and git history for API keys, passwords, tokens, and certificates.
- Container scanning — OS package and application dependency vulnerabilities in the built image.
- OIDC authentication — No long-lived cloud credentials stored as CI secrets. The CI platform's OIDC provider issues a short-lived token to each job, and the cloud trust policy exchanges it for temporary credentials. The trust policy must pin the token's issuer, audience and subject (repository plus branch or environment); a wildcard subject hands the production role to every job in the organization.
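The Security Scan stage says HIGH-and-above findings block the pipeline, but a gate that cannot record an accepted risk gets disabled the first time a CRITICAL with no fix lands. The following added example (not code from the Citadel template) shows a severity gate over scanner output with an expiring, reviewed allowlist. The report is a constructed, simplified Trivy-style JSON document and the vulnerability IDs are placeholders, not real CVEs; the field names follow Trivy's JSON layout.

```python
"""Severity gate over scanner output: fail the pipeline at HIGH and above.

Added example for the Security Scan stage and the Security Gates list; not code
from the Citadel template. SCAN_REPORT is a constructed, simplified Trivy-style
document with placeholder IDs, and AS_OF is a constructed pipeline run date.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
AS_OF = date(2024, 6, 1)

SCAN_REPORT = json.loads("""
{
  "Results": [
    {"Target": "package-lock.json",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "examplelib", "InstalledVersion": "1.2.0",
        "FixedVersion": "1.2.3", "Severity": "HIGH"},
       {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "otherlib", "InstalledVersion": "4.0.0",
        "FixedVersion": "", "Severity": "CRITICAL"},
       {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "minorlib", "InstalledVersion": "0.9.0",
        "FixedVersion": "0.9.1", "Severity": "MEDIUM"}
     ]},
    {"Target": "registry.example/shop:1.4.2 (debian 12)",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libfoo", "InstalledVersion": "2.0-1",
        "FixedVersion": "2.0-2", "Severity": "HIGH"}
     ]}
  ]
}
""")

# Risk acceptances live in the repository, are reviewed like code, and expire.
# An entry without an expiry or a reason is a permanent blind spot, so both are required.
ALLOWLIST = [
    {"id": "EXAMPLE-0002", "expires": "2099-01-01",
     "reason": "no fix upstream; vulnerable code path not reachable from our usage"},
]


def active_acceptances(allowlist, today):
    """IDs whose acceptance is still valid. Expired entries stop suppressing findings."""
    return {e["id"] for e in allowlist
            if e.get("reason") and date.fromisoformat(e["expires"]) >= today}


def blocking_findings(report, allowlist, today, min_severity="HIGH"):
    """Findings at or above min_severity not covered by a live acceptance, CRITICAL first."""
    floor = SEVERITY_RANK[min_severity.upper()]
    accepted = active_acceptances(allowlist, today)
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            # UNKNOWN ranks below LOW here; a stricter gate would treat it as HIGH.
            if SEVERITY_RANK.get(sev, 0) < floor or v["VulnerabilityID"] in accepted:
                continue
            blocking.append({
                "target": result["Target"], "id": v["VulnerabilityID"], "severity": sev,
                "package": f'{v["PkgName"]} {v["InstalledVersion"]}',
                "fix": v.get("FixedVersion") or "none available",
            })
    return sorted(blocking, key=lambda f: -SEVERITY_RANK[f["severity"]])


def gate(report, allowlist, today, min_severity="HIGH"):
    """Exit status for the CI step: 0 passes, 1 blocks the pipeline."""
    findings = blocking_findings(report, allowlist, today, min_severity)
    for f in findings:
        print(f'{f["severity"]:8} {f["id"]:14} {f["package"]} in {f["target"]} (fix: {f["fix"]})')
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SCAN_REPORT, ALLOWLIST, AS_OF))
```

The same gate runs over the SCA and container-scan outputs; only the report path differs. The expiry is the part worth defending in review: an acceptance that never expires is indistinguishable from turning the scanner off for that finding.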
Environment Matrix
Three environments with escalating gates. Dev: automatic, no approval. Staging: one approval, integration tests. Production: two approvals, canary deployment, metric validation. Each environment uses isolated credentials (its own OIDC-bound deploy role, so a dev or staging job can never obtain production credentials), separate cloud accounts (or resource groups), and independent monitoring.
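The OIDC gate and the per-environment credential isolation only hold if the cloud side's trust policy checks the right claims. The following added example (not code from the Citadel template or from any cloud provider) shows that check as a plain function, next to the lax subject pattern that defeats it. The issuer URL and the `repo:ORG/REPO:environment:NAME` and `repo:ORG/REPO:ref:refs/heads/BRANCH` subject formats are the ones GitHub Actions uses; the organization, repository names, audience and claim sets are constructed. Signature verification against the issuer's JWKS is assumed to have happened already and is not shown.

```python
"""What an OIDC trust policy must check before exchanging a CI token for credentials.

Added example for the OIDC gate and the Environment Matrix; not code from the
Citadel template or a cloud provider. Repositories, audience and claim sets are
constructed; NOW is a constructed clock so the expiry check is deterministic.
Signature verification is assumed done upstream and is omitted.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Tight policy: only jobs that ran under the `production` environment (and therefore
# passed its required reviewers) may assume the production deploy role.
PROD_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "sts.amazonaws.com",  # whatever audience the job requests for this cloud
    "subjects": ["repo:example-org/shop:environment:production"],
}

# Lax policy seen in the wild: any branch of any repository in the org gets production.
LAX_POLICY = dict(PROD_POLICY, subjects=["repo:example-org/*"])


def authorize(claims, policy, now=NOW):
    """Return (allowed, reason) for a decoded, signature-verified token."""
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in aud:
        return False, "audience mismatch"  # minted for some other relying party
    exp = claims.get("exp")
    if exp is None or exp <= now.timestamp():
        return False, "token expired"
    sub = claims.get("sub", "")
    # fnmatch's '*' matches across '/' and ':', which is exactly why a trailing '*'
    # in a subject pattern hands the role to every branch of every repository.
    if not any(fnmatchcase(sub, pattern) for pattern in policy["subjects"]):
        return False, f"subject {sub!r} not allowed"
    return True, "ok"


def token(sub, repository, exp_in=300, **extra):
    """Constructed claim set shaped like a GitHub Actions OIDC token."""
    claims = {
        "iss": "https://token.actions.githubusercontent.com",
        "aud": "sts.amazonaws.com",
        "sub": sub,
        "repository": repository,
        "exp": int(NOW.timestamp()) + exp_in,
    }
    claims.update(extra)
    return claims


PROD_JOB = token("repo:example-org/shop:environment:production", "example-org/shop",
                 environment="production")
FEATURE_JOB = token("repo:example-org/shop:ref:refs/heads/feature-x", "example-org/shop",
                    ref="refs/heads/feature-x")
SANDBOX_JOB = token("repo:example-org/sandbox:ref:refs/heads/main", "example-org/sandbox",
                    ref="refs/heads/main")
STALE_JOB = token("repo:example-org/shop:environment:production", "example-org/shop",
                  exp_in=-60)

if __name__ == "__main__":
    for name, job in [("prod", PROD_JOB), ("feature", FEATURE_JOB), ("sandbox", SANDBOX_JOB)]:
        print(name, "tight:", authorize(job, PROD_POLICY), "lax:", authorize(job, LAX_POLICY))
```

One policy like `PROD_POLICY` per environment, each bound to a different role, is what makes the "isolated credentials" claim in the matrix true in practice: the dev role's subject pattern names the `develop` branch, the production role's names the `production` environment, and neither token can be exchanged for the other's credentials.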
Top 3 Failure Modes
- Environment configuration drift — Staging works but production fails because an environment variable is missing or different. Fix: manage environment variables as code (Terraform, Helm values, or a dedicated config management tool). Diff environment configs in the PR review.
- Flaky tests causing pipeline distrust — A test that fails 1 in 10 runs erodes confidence in the pipeline. Engineers start ignoring failures or retrying until it passes. Fix: quarantine flaky tests immediately. Run them in a separate non-blocking job. Fix the root cause within one sprint or delete the test.
- Rollback blocked by an irreversible migration — The deployment included a database migration that cannot be reversed, so rolling back the application leaves it incompatible with the new schema and a forward fix is the only way out. Fix: make every change backward-compatible with the release still running. Use the expand-contract migration pattern: add the new column or table, backfill and dual-write, then remove the old one, each as a separate deployment, with the contract step shipped only after no running release still reads the old schema.
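The drift failure mode above says to diff environment configs in the PR review; the following added example (not code from the Citadel template) is the diff that review needs. It flattens two Helm-values-style dictionaries into dotted keys, skips the differences a team has documented as intentional, reports keys missing on either side, and masks anything that looks like a secret so the comparison never leaks values into the CI log. The two configurations are constructed.

```python
"""Diff two environments' deployment config and flag unexplained differences.

Added example for the "Environment configuration drift" failure mode; not code
from the Citadel template. STAGING and PROD are constructed Helm-values-style
dictionaries; the expected-difference set is what a team would commit alongside them.
"""
import re

SECRET_KEY_PATTERN = re.compile(r"(password|secret|token|key|credential)", re.IGNORECASE)


def flatten(config, prefix=""):
    """{'env': {'LOG_LEVEL': 'info'}} -> {'env.LOG_LEVEL': 'info'}."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def mask(path, value):
    """Never print secret-looking values into the CI log, even while comparing them."""
    return "***" if SECRET_KEY_PATTERN.search(path) else repr(value)


def config_drift(a_name, a, b_name, b, expected_to_differ=frozenset()):
    """Return human-readable findings; an empty list means the environments agree."""
    fa, fb = flatten(a), flatten(b)
    findings = []
    for path in sorted(set(fa) | set(fb)):
        if path in expected_to_differ:
            continue  # documented, reviewed difference (replica counts, hostnames, ...)
        if path not in fb:
            findings.append(f"{path}: set in {a_name} ({mask(path, fa[path])}) but missing in {b_name}")
        elif path not in fa:
            findings.append(f"{path}: set in {b_name} ({mask(path, fb[path])}) but missing in {a_name}")
        elif fa[path] != fb[path]:
            findings.append(f"{path}: {a_name}={mask(path, fa[path])} {b_name}={mask(path, fb[path])}")
    return findings


STAGING = {
    "image": {"repository": "registry.example/shop", "tag": "1.4.2"},
    "replicaCount": 2,
    "ingress": {"host": "shop.staging.example.internal"},
    "env": {
        "DATABASE_URL": "postgres://db.staging.example.internal/shop",
        "LOG_LEVEL": "debug",
        "FEATURE_NEW_CHECKOUT": "true",       # feature flag nobody set in production
        "SMTP_PASSWORD": "staging-only-placeholder",
    },
}
PROD = {
    "image": {"repository": "registry.example/shop", "tag": "1.4.2"},
    "replicaCount": 6,
    "ingress": {"host": "shop.example.com"},
    "env": {
        "DATABASE_URL": "postgres://db.prod.example.internal/shop",
        "LOG_LEVEL": "info",
    },
}
# Differences that are supposed to exist between the two environments.
EXPECTED_DIFFERENCES = frozenset({"replicaCount", "ingress.host", "env.DATABASE_URL"})

if __name__ == "__main__":
    for line in config_drift("staging", STAGING, "production", PROD, EXPECTED_DIFFERENCES):
        print(line)
```

Run it as a PR check against the rendered values for each environment and fail the job when the list is non-empty; an intentional new difference then has to be added to the expected set in the same PR, which is exactly the review moment the failure mode says was missing.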
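To make the expand-contract pattern from the last failure mode concrete, here is an added example (not code from the Citadel template) that runs the three deployments against an in-memory SQLite database. The `users` table and the rename of `email` to a normalized `email_normalized` column are constructed. The point to notice is that release N's insert keeps working after the expand step, which is what keeps the application rollback safe, and that the contract step checks its precondition because it is the one step that cannot be undone.

```python
"""Expand-contract schema change that keeps rollback possible at every step.

Added example for the "Rollback blocked by an irreversible migration" failure
mode; not code from the Citadel template. Uses an in-memory SQLite database and a
constructed users table in which `email` is replaced by `email_normalized`.
"""
import sqlite3


def fresh_db():
    """Constructed starting state: release N's schema with a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("Alice@Example.com",), ("BOB@example.com",), ("carol@example.com",)])
    conn.commit()
    return conn


def old_app_insert(conn, email):
    """Release N only knows `email`. It must keep working after expand(); that is
    what makes rolling the application back safe."""
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))


def new_app_insert(conn, email):
    """Release N+1 dual-writes both columns while the two releases coexist."""
    conn.execute("INSERT INTO users (email, email_normalized) VALUES (?, ?)",
                 (email, email.lower()))


def expand(conn):
    """Deployment 1: purely additive. Nullable column, no rewrite of existing rows."""
    conn.execute("ALTER TABLE users ADD COLUMN email_normalized TEXT")
    conn.commit()


def backfill(conn, batch_size=2):
    """Deployment 2 (or a one-off job): fill the new column in small batches so no
    long write lock is held. Idempotent, so it can be re-run after an interruption.
    Returns the number of rows filled."""
    total = 0
    while True:
        cur = conn.execute(
            "UPDATE users SET email_normalized = lower(email) WHERE id IN "
            "(SELECT id FROM users WHERE email_normalized IS NULL LIMIT ?)",
            (batch_size,))
        conn.commit()
        if cur.rowcount == 0:
            return total
        total += cur.rowcount


def unfilled(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE email_normalized IS NULL").fetchone()[0]


def contract(conn):
    """Deployment 3: drop the old column. The one irreversible step, so it only runs
    after the backfill is complete and every running release reads the new column.
    SQLite drops a column by rebuilding the table."""
    if unfilled(conn):
        raise RuntimeError("backfill incomplete; refusing to drop the old column")
    conn.executescript("""
        CREATE TABLE users_new (id INTEGER PRIMARY KEY, email_normalized TEXT NOT NULL);
        INSERT INTO users_new (id, email_normalized) SELECT id, email_normalized FROM users;
        DROP TABLE users;
        ALTER TABLE users_new RENAME TO users;
    """)


def columns(conn):
    return [row[1] for row in conn.execute("PRAGMA table_info(users)")]


def run_expand_contract():
    """The three deployments in order, with both releases writing between them."""
    conn = fresh_db()
    expand(conn)
    old_app_insert(conn, "Dave@Example.com")   # release N still serving traffic
    new_app_insert(conn, "Eve@Example.com")    # release N+1 rolling out beside it
    filled = backfill(conn)
    contract(conn)
    return filled, unfilled(conn), columns(conn)


if __name__ == "__main__":
    print(run_expand_contract())  # (4, 0, ['id', 'email_normalized'])
```

Each of `expand`, `backfill` and `contract` is its own pipeline run through the same approval gates. If the release that introduced `new_app_insert` has to be rolled back, the schema after `expand` still satisfies release N, and nothing is lost; only after `contract` is that no longer true, which is why it ships last and alone.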