ADR-0029 — Progressive delivery with Argo Rollouts (canary + analysis)

V1 Freeze (2026-06-12): Deferred. No canary fleet in V1. Re-opens at P4.

Context

A bad deploy of a data-custody platform can corrupt or lose user data. Plain rolling updates reach 100% of traffic before metrics reveal a regression. We want deploys that expose a new version gradually and roll back automatically on objective signals.

Decision

Use Argo Rollouts for stateless, traffic-serving services (gateway, bitvaultd, web):

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Short analysis windows + HPA bound the two-version cost; expand/contract + online index builds keep migrations zero-downtime at large table sizes (storage/08).