Containerisation of extracted services and the remaining monolith into Docker containers for consistent deployment across development, staging, and production environments. Dockerfile authoring with multi-stage builds to minimise image size and surface area. Docker Compose configuration for local development so engineers can run the full service mesh on their laptops. Container image build pipelines integrated into CI/CD. Image security scanning for known vulnerabilities in base images and dependencies. Container registry setup with AWS ECR, Azure Container Registry, or Google Artifact Registry. The containerisation that makes every service deployable consistently regardless of the environment it runs in.
Multi-stage Dockerfiles are the standard here: a build stage compiles and tests the application, a runtime stage copies only the compiled artifact into a minimal base image (distroless or Alpine), and the resulting image is 80 to 95 percent smaller than a naive single-stage build. Smaller images mean faster pull times during Kubernetes pod scheduling and a reduced CVE surface. Trivy or Grype scans run as a required CI gate, builds fail if a critical or high-severity CVE is present in the final image layer. For services that require secrets at runtime, we configure integration with AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault rather than environment variables baked into images. Helm charts are authored for each service at the containerisation stage rather than after Kubernetes cluster setup, so the chart templates and values files are ready when cluster deployment begins. Each service's Helm chart covers deployment, service, horizontal pod autoscaler, pod disruption budget, and ingress resources, parameterized by environment so the same chart deploys to dev, staging, and production with environment-specific overrides in the values layer.