What is Platform and Delivery for API Engineers?
Platform and Delivery is how your APIs move from a laptop to reliable production: containerizing services, configuring gateways, separating environments (Dev/Stage/Prod), automating CI/CD, managing secrets, and releasing safely with blue-green, canary, feature flags, and solid rollback/rollforward strategies.
Who this is for
- API Engineers who build and ship backend services.
- Backend developers stepping into deployment, release, and runtime ownership.
- Any engineer aiming to deliver APIs safely and repeatedly.
Prerequisites
- Working knowledge of at least one server-side language (e.g., Node.js, Go, Python, Java).
- Comfort with Git and basic branching.
- Basic command-line and Docker familiarity helps, but you can learn it here.
Why it matters for API Engineers
- Reliability: Proper gateways, secrets, and env separation prevent outages and leaks.
- Speed: CI/CD allows frequent, low-risk releases.
- Safety: Blue-green/canary and feature flags reduce blast radius and enable quick rollback.
- Ownership: You can ship independently without waiting on others.
Quick wins you can do today
- Add health and readiness endpoints to your API (e.g., /healthz, /readyz).
- Create a .env.example that lists needed secrets without values.
- Introduce a basic CI job that runs tests on every pull request.
- Containerize your API with a minimal multi-stage Dockerfile.
Learning path
-
Containerization Basics – Package your API into an image. Learn minimal base images, multi-stage builds, and health checks.
-
Environment Separation (Dev/Stage/Prod) – Configure distinct configs and safeguards per environment.
-
Secrets Management – Store and inject secrets securely; learn rotation and scoping.
-
API Gateway Configuration – Routes, auth, rate limits, timeouts, and observability.
-
CI/CD for API Services – Build once, test, scan, deploy to staging, then promote to prod.
-
Blue-Green and Canary Releases – Release with safety, verify, and gradually shift traffic.
-
Feature Flags for APIs – Toggle behavior at runtime without redeploys.
-
Rollback and Rollforward Strategy – Practice rapid recovery with versioned artifacts and database-safe tactics.
Practical 30-60-90 day roadmap
- Days 1–30: Containerize API, add health checks, set up Dev/Stage/Prod configs, and basic CI (build + test).
- Days 31–60: Introduce secrets manager, wire API gateway (routes, auth, rate limits), add security scanning and deploy to staging.
- Days 61–90: Implement blue-green/canary, add feature flags, finalize rollback/rollforward runbooks, and automate promotion to prod.
Worked examples
1) Configure an API Gateway route with rate limiting
Example (Kong declarative, simplified):
_format_version: "3.0"
services:
- name: users-api
url: http://users.default.svc.cluster.local:8080
routes:
- name: users-route
paths: ["/api/users"]
methods: ["GET","POST"]
plugins:
- name: rate-limiting
service: users-api
config:
minute: 300
policy: local
- name: request-transformer
service: users-api
config:
add:
headers: ["x-request-source:gateway"]
What it does: routes /api/users to the service, limits to 300 req/min, and tags requests. Adjust limits per environment.
2) CI pipeline that builds, tests, scans, and deploys to staging
Example (GitHub Actions):
name: ci-cd
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
jobs:
build_test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with: { node-version: '20' }
- run: npm ci
- run: npm test -- --ci
- name: Build image
run: docker build -t registry.example.com/users:${{ github.sha }} .
- name: Trivy scan (fail on high)
run: trivy image --exit-code 1 --severity HIGH,CRITICAL registry.example.com/users:${{ github.sha }}
push_image:
runs-on: ubuntu-latest
needs: build_test
steps:
- name: Login & push
run: |
echo $CR_PAT | docker login registry.example.com -u user --password-stdin
docker push registry.example.com/users:${{ github.sha }}
deploy_staging:
runs-on: ubuntu-latest
needs: push_image
environment: staging
steps:
- name: Set image and apply
run: |
kubectl set image deploy/users users=registry.example.com/users:${{ github.sha }} -n staging
kubectl rollout status deploy/users -n staging --timeout=120s
Principles: build once, scan, push immutable image, deploy to staging, then promote to prod later.
3) Minimal multi-stage Dockerfile for a Node.js API
# Stage 1: deps & build
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm prune --production
# Stage 2: runtime
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=build /app /app
ENV NODE_ENV=production
EXPOSE 8080
USER 10001
CMD ["server.js"]
Key points: small, non-root image; only production deps; explicit port; distroless for reduced attack surface.
4) Blue-Green switch with a single Service selector
Two Deployments (users-blue, users-green) and one Service. Switch by updating the selector:
apiVersion: v1
kind: Service
metadata:
name: users
spec:
selector:
app: users
version: green # change from blue -> green to switch
ports:
- port: 80
targetPort: 8080
Process: deploy green, run smoke tests, flip selector to version: green, watch metrics, then remove blue.
5) Feature flag middleware (Express.js)
// Simple flag via env or header override
function featureFlag(name) {
return (req, res, next) => {
const override = req.headers['x-flag-' + name];
const enabled = (process.env['FLAG_' + name.toUpperCase()] === 'true') || override === 'on';
req.flags = req.flags || {};
req.flags[name] = !!enabled;
next();
};
}
app.get('/api/users/new-endpoint', featureFlag('new_users_api'), (req, res) => {
if (!req.flags.new_users_api) return res.status(404).send('Not enabled');
res.json({ ok: true });
});
Use headers to test in staging/limited prod without exposing to all users.
6) Secrets via Kubernetes Secret (mounted as env)
apiVersion: v1
kind: Secret
metadata:
name: users-secrets
namespace: staging
type: Opaque
stringData:
DB_PASSWORD: "change-me"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: users
namespace: staging
spec:
template:
spec:
containers:
- name: users
image: registry.example.com/users:abc123
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: users-secrets
key: DB_PASSWORD
Rotate by updating the Secret and rolling the Deployment. Do not commit secrets to Git.
Drills and exercises
- Create a multi-stage Dockerfile for your API and run a local container.
- Define Dev/Stage/Prod config files with different timeouts and log levels.
- Set up a CI job that runs unit tests on pull requests and fails on high-severity vulnerabilities.
- Add one rate limit and a request header in your API gateway for a single route.
- Implement a feature flag around one endpoint; verify behavior with and without the flag.
- Practice a blue-green flip in a test cluster; confirm zero downtime.
- Write a rollback checklist with exact commands for your stack.
Common mistakes and debugging tips
- Leaking secrets in logs: Never log environment variables. Redact sensitive fields in middleware.
- Building multiple images per environment: Build once; promote the same image. Embed env via config, not baked into the image.
- Unbounded timeouts: Set gateway and upstream timeouts; slow calls exhaust resources.
- Skipping readiness probes: Liveness passes but readiness fails; ensure your API signals ready only after DB/cache connections are live.
- Canary without observability: Always monitor error rate, latency, and saturation before increasing traffic.
- Schema-changing migrations during canary: Use backward-compatible migrations; deploy code that works with both old and new schemas.
Mini project: Ship a feature-toggled endpoint with blue-green
- Containerize your API with a minimal Dockerfile.
- Add /healthz and /readyz endpoints.
- Create Dev/Stage/Prod configs with different rate limits and log levels.
- Introduce a feature-flagged endpoint (off by default).
- Set up CI to build, test, scan, and push an image on main branch changes.
- Deploy blue (current) to staging; deploy green (new version) alongside.
- Run smoke tests; flip the Service selector to green; monitor metrics for 15 minutes.
- If healthy, promote to Prod using the same image; keep the flag off, then enable gradually.
Acceptance criteria: zero downtime on flip, error rate unchanged, secrets never logged, and rollback plan documented.
Practical projects
- Gateway hardening pack: add auth, IP allowlist, rate limits, and request/response size limits for two critical routes.
- Safe DB migration demo: implement a backward-compatible migration and deploy with canary to validate read/write behavior.
- One-click rollback: script a rollback that switches Service selector, reverts config, and posts a release note to chat.
Subskills
- API Gateway Configuration: Set up routes, auth, rate limits, headers, and timeouts.
- Environment Separation Dev Stage Prod: Distinct configs, credentials, and safeguards per environment.
- CI CD For API Services: Build once, test, scan, deploy to staging, promote to prod.
- Secrets Management: Store, inject, and rotate secrets safely; least privilege access.
- Containerization Basics: Multi-stage builds, minimal images, non-root users, health checks.
- Blue Green And Canary Releases: Safe rollout patterns to reduce risk.
- Feature Flags For APIs: Toggle behavior at runtime and target cohorts.
- Rollback And Rollforward Strategy: Fast recovery using versioned artifacts and clear runbooks.
Next steps
- Pick one service and implement the entire path: containerize, secure secrets, add CI, deploy to staging, then do a blue-green flip.
- Automate what you manually did: codify configs, write scripts, and store runbooks in your repo.
- Take the skill exam below to validate understanding. Everyone can take it for free; only logged-in users get saved progress.