Upload platform/golden-paths/microservice/checklist.md with huggingface_hub
platform/golden-paths/microservice/checklist.md
ADDED
@@ -0,0 +1,34 @@
| 1 |
+
# Microservice Golden Path Checklist
|
| 2 |
+
|
| 3 |
+
## Pre-Deployment
|
| 4 |
+
- [ ] Service name follows naming convention: lowercase-hyphenated
|
| 5 |
+
- [ ] Dockerfile uses multi-stage build + distroless base
|
| 6 |
+
- [ ] Image is signed with Cosign
|
| 7 |
+
- [ ] SBOM is generated and attested
|
| 8 |
+
- [ ] All security scans pass (Trivy, Semgrep, Checkov)
|
| 9 |
+
- [ ] Health endpoints: /healthz (liveness) + /readyz (readiness)
|
| 10 |
+
- [ ] Graceful shutdown handles SIGTERM
|
| 11 |
+
|
| 12 |
+
## Kubernetes
|
| 13 |
+
- [ ] Resource requests AND limits defined
|
| 14 |
+
- [ ] runAsNonRoot: true + readOnlyRootFilesystem: true
|
| 15 |
+
- [ ] capabilities.drop: ["ALL"]
|
| 16 |
+
- [ ] Probes configured (liveness + readiness)
|
| 17 |
+
- [ ] PDB created (minAvailable >= 2)
|
| 18 |
+
- [ ] HPA configured
|
| 19 |
+
- [ ] NetworkPolicy: default deny + selective allow
|
| 20 |
+
- [ ] Secrets from External Secrets Operator (not hardcoded)
|
| 21 |
+
- [ ] automountServiceAccountToken: false (unless needed)
|
| 22 |
+
- [ ] TopologySpreadConstraints for multi-AZ
|
| 23 |
+
|
| 24 |
+
## Observability
|
| 25 |
+
- [ ] Prometheus metrics endpoint exposed
|
| 26 |
+
- [ ] Structured JSON logging
|
| 27 |
+
- [ ] OpenTelemetry traces emitted
|
| 28 |
+
- [ ] Dashboard exists in Grafana
|
| 29 |
+
- [ ] Alert rules defined in Prometheus
|
| 30 |
+
|
| 31 |
+
## CI/CD
|
| 32 |
+
- [ ] DevSecOps pipeline passes (SAST + scan + sign + test)
|
| 33 |
+
- [ ] ArgoCD application manifest created
|
| 34 |
+
- [ ] Kustomize overlay for each environment
|
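Review bot: the Kubernetes security-context items (`runAsNonRoot: true + readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]`) stop short of the Pod Security Standards "restricted" profile, which also requires `allowPrivilegeEscalation: false` and `seccompProfile.type: RuntimeDefault`; adding those two as checklist items would make the list match what a namespace labelled `pod-security.kubernetes.io/enforce: restricted` actually rejects. Two related gaps: "Image is signed with Cosign" has no counterpart requiring the signature to be verified at admission (an unverified signature gives no runtime guarantee), and "PDB created (minAvailable >= 2)" should state the minimum replica count it assumes (for example an HPA `minReplicas` of at least 3), since a two-replica deployment with `minAvailable: 2` can never be voluntarily drained.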