Apollo Clone — Deployment Control Plane

Fleet overview

23 products · 14 environments · 4 regions · airgap: 2

Fleet health

98.2%

▲ 0.4 vs 24h

Active rollouts

2 canary · 1 wave

Policy violations

▲ 1 new · 4h

Mean reconcile

4.7s

▼ 0.2 vs p7d

Current rollout wave ingest-pipeline · v2.3.1 → v2.4.0

ROLLING

✓

dev

12/12

✓

staging

24/24

◔

prod-canary

7/40 · 18%

—

prod-us

0/142

—

prod-eu

0/98

Environment health

live

aws-us-east-1-prod

Cloud · AWS

HEALTHY

Products

Drift

SLO

99.97

gcp-eu-west-prod

Cloud · GCP

ROLLING

Products

Drift

SLO

99.92

onprem-dc-chicago

On-prem · bare metal

HEALTHY

Products

Drift

SLO

99.99

airgap-site-delta

Airgapped · highside

SYNCED

Products

Drift

SLO

—

edge-fleet-mobile

Edge · ruggedized

PARTIAL

Products

Drift

SLO

97.4

azure-gov-east

Cloud · Azure Gov

DEGRADED

Products

Drift

SLO

98.1

Event stream

tail -f

11:57:05INFOreconcile loop tick Δ=4.7s targets=14 products=23

11:57:05OKbundle-transport airgap-site-delta synced size=142MB age=4h 12m

11:57:05INFOpolicy check sla.wave-throttle-25pct PASS (fleet %/h = 12)

11:57:05WARNedge-fleet-mobile drift detected: telemetry-agent v1.8.4 ≠ desired v1.9.0

11:57:05OKartifact verify cosign://trusted-ca digest=sha256:a1b2f7...

11:57:05INFOcanary wave 2 (25%) → prod-canary 7/40 pods healthy

11:57:05OKreconcile ingest-pipeline → aws-us-east-1-prod desired=v2.4.0 drift=0

Releases

declarative rollouts · reconciliation-based · no imperative pipelines

Active 3 rollouts in flight

Product	From → to	Strategy	Progress	Owner	Status
ingest-pipeline stream processor	v2.3.1 → v2.4.0	canary · 10%	3/8 env	j.okonkwo	ROLLING
auth-service identity broker	v5.1.0 → v5.2.0	blue-green	6/8 env	m.sato	ROLLING
telemetry-agent edge collector	v1.8.4 → v1.9.0	airgap bundle	2/8 env	sre-ops	AWAITING SYNC

Recent last 7 days

Product	Version	Strategy	Duration	Result	Started
billing-api	v3.14.2	wave	18m	SUCCESS	2h ago
search-indexer	v0.9.7	canary	42m	SUCCESS	8h ago
notification-svc	v2.0.1	canary	6m	AUTO-ROLLBACK	1d ago
auth-service	v5.1.0	blue-green	24m	SUCCESS	2d ago
report-generator	v1.2.0	wave	1h 14m	SUCCESS	3d ago

Environments

14 targets · unified reconciliation regardless of topology

Registered targets

Name	Type	Region	Products	Drift	Agent	Status
aws-us-east-1-prod	Cloud (AWS)	us-east-1	18	0	v4.2.1	HEALTHY
aws-us-west-2-prod	Cloud (AWS)	us-west-2	15	0	v4.2.1	HEALTHY
gcp-eu-west-prod	Cloud (GCP)	europe-west1	16	1	v4.2.1	ROLLING
azure-gov-east	Cloud (Azure Gov)	usgovvirginia	11	2	v4.1.9	DEGRADED
onprem-dc-chicago	On-prem (bare metal)	ord1	9	0	v4.2.1	HEALTHY
onprem-dc-frankfurt	On-prem (VMware)	fra1	7	0	v4.2.1	HEALTHY
airgap-site-delta	Airgapped (highside)	classified	6	0	v4.2.0	SYNCED 4h
airgap-site-sigma	Airgapped (highside)	classified	6	1	v4.2.0	PENDING BUNDLE
edge-fleet-mobile	Edge (ruggedized)	tactical	4	3	v4.1.5	PARTIAL
customer-priv-acme	Private SaaS	customer-owned	5	0	v4.2.1	HEALTHY

Products

registered software · manifest-defined · signed artifacts

Catalog 23 products

Product	Latest	Deployed	Targets	SLA
ingest-pipeline Kafka → parquet stream processor	v2.4.0	v2.3.1 / 2.4.0	8	99.9%
auth-service identity & session broker	v5.2.0	v5.1.0 / 5.2.0	14	99.99%
billing-api invoice & payment orchestration	v3.14.2	v3.14.2	6	99.95%
notification-svc fanout & delivery (email, sms, push)	v2.0.2	v1.9.4	9	99.5%
telemetry-agent metrics/log collector · edge	v1.9.0	v1.8.4 / 1.9.0	14	99.9%
search-indexer document & vector index builder	v0.9.7	v0.9.7	7	99.9%
report-generator scheduled reporting pipeline	v1.2.0	v1.2.0	4	99%

Policies

security, compliance, SLA constraints · policy-as-code · enforced pre-apply

Active policies 18 rules · 2 violations

SEC

All artifacts must be signed by trusted CA

artifact.signature.trusted == true · scope: all envs · severity: block

ENFORCED

SEC

No deployment during customer change-freeze window

env.freeze_window == false · scope: customer-priv-* · severity: block

ENFORCED

SLA

Max rollout wave: 25% of fleet per hour

rollout.fleet_percent_per_hour <= 25 · scope: prod-* · severity: block

ENFORCED

SLA

Automatic rollback on error rate > 1%

telemetry.error_rate > 0.01 · window: 5m · severity: rollback

ENFORCED

CMP

FedRAMP High: azure-gov-east drift > 0

azure-gov-east has 2 products drifted from desired · severity: warn

VIOLATION

CMP

SOC 2: audit log retention >= 365d

all environments must retain audit events ≥ 365 days · severity: block

ENFORCED

SEC

telemetry-agent on edge-fleet behind version cap

edge-fleet-mobile has v1.8 pinned but product latest is v1.9 · severity: warn

VIOLATION

DORA metrics

30-day rolling window · computed from audit log · fleet-wide

Deployment frequency● ELITE

34/ day

▲ 12% vs previous window

Lead time for changes● ELITE

2.3hrs

▼ 18% vs previous window

Change failure rate● HIGH

8.4%

▼ 2.1pp vs previous window

Mean time to recovery● ELITE

11min

▼ 34% auto-rollback driven

Manifest spec

declarative product definition · the single source of truth

Example · ingest-pipeline v2.4.0

apollo.yaml

# Declarative product manifest — reconciled, not executed.
# The control plane makes reality converge to this spec.

apiVersion: apollo/v1
kind: Product
metadata:
  name: ingest-pipeline
  version: 2.4.0
  owner: team-data-platform

spec:
  artifacts:
    - name: ingest
      image: registry.apollo.io/ingest:2.4.0@sha256:a1b2...
      signature: cosign://trusted-ca

  dependencies:
    - product: auth-service
      minVersion: 5.1.0

  targets:
    - selector: env.class == prod AND env.region == us-*
      replicas: 12
      rollout:
        strategy: canary
        waves: [10, 25, 50, 100]
        bakeTime: 10m
    - selector: env.class == airgap
      replicas: 4
      rollout:
        strategy: bundle
        transport: signed-tarball

  slo:
    availability: 99.9%
    errorBudgetBurnRate: 14.4x/1h → rollback

  policies:
    - sec.artifacts-signed
    - sla.wave-throttle-25pct
    - cmp.audit-retention-365d