Keywords: config · GitOps · CI/CD · drift · behavioral
CTA'2026 · Pamporovo · 15–17 April 2026
Declarative GitOps-Based Automated Deployment and Management of HTTP Gateway Services
Kristiyan Kolev, Vesselin Kyurkchiev
Paisii Hilendarski University of Plovdiv
Faculty of Mathematics and Informatics
Supported by Project FP25-FMI-010
Problem and Motivation
The Challenge
- HTTP gateways route all traffic — misconfigurations affect every downstream service
- 90% of large IaC deployments experience configuration drift; ~50% goes undetected
- Existing CI/CD gates are structural (lint, plan, policy) — not behavioral
- No tool verifies: "Does staging behave like production?" before promoting changes
Industry Context
- 77% of organizations use GitOps (CNCF Survey 2024)
- Gateway API reached GA in Kubernetes v1.2 (Oct 2024)
- ArgoCD, Flux manage config sync — but provide no behavioral validation
- Gap: end-to-end governance for HTTP gateway lifecycle is missing
Proposed Approach
Five-component declarative framework for HTTP gateway lifecycle management
1. YAML Configuration Model: declarative gateway specification via Gateway API resources
2. Template Generation: Helm / Kustomize for DRY multi-environment configs
3. Two-Stage CI/CD Pipeline: staging validation gates before production promotion
4. Drift Detection: continuous reconciliation identifying unauthorized changes
5. Behavioral Regression Testing: HTTP snapshot comparison, staging vs. production
Key contribution: Component 5 — behavioral regression testing for infrastructure
Declarative Configuration Model
Intent-Based Configuration
Operators declare WHAT the gateway should do, not HOW to configure it.
Template Generation
Helm charts with environment-specific value overlays eliminate configuration duplication.
Key Property
Idempotency — re-applying the same spec produces no changes.
Kubernetes Gateway API Resources
| Resource | Managed By | Purpose |
|---|---|---|
| GatewayClass | Infra provider | Implementation type |
| Gateway | Platform ops | Listeners, TLS, ports |
| HTTPRoute | App developer | Routing rules, weights |
| GRPCRoute | App developer | gRPC-specific routing |
GA since October 2024 (Kubernetes v1.2)
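The ownership split in the table above is visible in the resources themselves: platform operators own the Gateway (listeners, TLS termination, and which namespaces may attach routes), while application teams own the HTTPRoute that binds to it. The manifests below are an added example, not from the poster or its authors; the names, namespaces, hostname, GatewayClass name and Secret name are assumed placeholders.

```yaml
# Added example (not from the poster): a platform-owned Gateway plus an
# application-owned HTTPRoute, expressed as Gateway API resources.
# Names, namespaces, hostname, GatewayClass and Secret names are assumed.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge-gateway
  namespace: gateway-system
spec:
  gatewayClassName: example-gateway-class     # assumed; provided by the infra provider
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: "api.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: api-example-com-tls             # assumed Secret holding cert + key
    allowedRoutes:
      namespaces:
        from: Selector                        # only labelled namespaces may attach routes
        selector:
          matchLabels:
            gateway-access: "true"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders-route
  namespace: orders                           # must carry label gateway-access=true
spec:
  parentRefs:
  - name: edge-gateway
    namespace: gateway-system
  hostnames:
  - "api.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /orders
    backendRefs:                              # weighted split between two backends
    - name: orders-v1
      port: 8080
      weight: 90
    - name: orders-v2
      port: 8080
      weight: 10
```

Because TLS and the namespace allow-list live on the Gateway, an application team editing its HTTPRoute cannot loosen either; conversely, a change to the Gateway's listeners affects every attached route, which is why the poster treats gateway changes as needing a behavioral gate and not only a lint pass.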
GitOps Reconciliation Loop
Continuous desired-state enforcement via pull-based agents
Git Repository → ArgoCD Repo Server → Application Controller → Kubernetes API Server → Gateway Controller
Declarative
Desired state as YAML facts, not imperative steps
Versioned & Immutable
Full Git history — audit trails and instant rollback
Pulled Automatically
In-cluster agents pull state — no external credentials
Continuously Reconciled
Drift corrected within minutes (Seshagiri et al., IEEE ICCA 2025)
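The four properties above map onto a handful of fields in an Argo CD Application. The manifest below is an added example, not the poster's own configuration; the repository URL, chart path, AppProject and value-file names are assumed placeholders.

```yaml
# Added example (not from the poster): an Argo CD Application that pulls the
# gateway Helm chart from Git and keeps the cluster converged on it.
# Repository URL, chart path, project and value-file names are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: http-gateway-staging
  namespace: argocd
spec:
  project: platform                           # assumed AppProject
  source:
    repoURL: https://git.example.com/platform/gateway-config.git   # assumed
    targetRevision: main                      # versioned: every sync is a Git commit
    path: charts/http-gateway
    helm:
      valueFiles:
      - values.yaml
      - values-staging.yaml                   # environment-specific overlay
  destination:
    server: https://kubernetes.default.svc    # in-cluster agent, no external credentials
    namespace: gateway-system
  syncPolicy:
    automated:
      prune: true                             # resources removed from Git are removed here
      selfHeal: true                          # out-of-band edits are reverted to Git state
    syncOptions:
    - CreateNamespace=true
```

`selfHeal: true` is the setting behind "drift corrected within minutes": the controller re-applies the declared state on its next reconciliation pass rather than only reporting the difference. Note that with `prune` and `selfHeal` enabled, write access to the `main` branch is effectively write access to the cluster, so branch protection and review on the config repository become part of the gateway's security boundary.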
Two-Stage CI/CD Pipeline
Git Commit → Pre-Deploy Gates → Deploy to Staging → Behavioral Gate → Promote to Production → Post-Deploy Monitor
Pre-Staging Gates (Structural)
- YAML lint + terraform validate
- Static analysis (tfsec, checkov, kube-score)
- Policy compliance (OPA / Kyverno)
- Plan preview for destructive changes
- IaC unit tests
Staging Gates (Behavioral)
- Smoke + integration tests
- HTTP snapshot comparison vs. production
- SLO-based performance validation
- Security scanning (DAST)
- Drift detection verification
Drift Detection
Maintaining declared state through continuous monitoring
Desired State (Git YAML) ↔ [drift] ↔ Recorded State (State File) ↔ [drift] ↔ Actual State (Live Cluster)
| Strategy | Latency | Self-Healing | Scope |
|---|---|---|---|
| ArgoCD Reconciliation | ~3 min | Yes | K8s resources |
| Terraform Plan | ~24 hrs | No | IaC-managed |
| Event-Driven (AWS Config) | ~minutes | No | All cloud resources |
Config drift detection tells us WHAT changed. Behavioral testing tells us IF it matters.
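The three-way view above (desired, recorded, actual) is what lets a detector tell a change that is merely pending in Git apart from an edit made directly in the cluster. The script below is an added illustration, not tooling from the poster; it flattens HTTPRoute specs to dotted paths, diffs them pairwise, and tags each finding with an assumed severity tier. The three specs are constructed samples, not real cluster data.

```python
"""Three-way drift classification for a GitOps-managed gateway resource.

Added illustration, not the poster's own tooling.  Desired state is what Git
declares, recorded state is what the last reconciliation wrote to its state
file, and actual state is what the live cluster reports.  Comparing all three
separates a change that is pending in Git from an out-of-band edit made
directly in the cluster.  The three specs below are constructed HTTPRoute
samples, not real cluster data.
"""
from typing import Any


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into {dotted.path: scalar}."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff(old: Any, new: Any) -> dict[str, tuple[Any, Any]]:
    """Paths whose value differs between old and new, as {path: (old, new)}."""
    fo, fn = flatten(old), flatten(new)
    return {p: (fo.get(p), fn.get(p)) for p in sorted(set(fo) | set(fn)) if fo.get(p) != fn.get(p)}


def severity(path: str) -> str:
    """Assumed severity tiers for illustration: TLS settings and route paths
    are high, traffic weights medium, anything else low."""
    if "tls" in path.split(".") or path.endswith(".path.value"):
        return "high"
    if path.endswith(".weight"):
        return "medium"
    return "low"


def classify_drift(desired: Any, recorded: Any, actual: Any) -> dict[str, dict]:
    """Bucket drift by cause.

    pending:     Git was changed but not yet reconciled (recorded != desired)
    out_of_band: the cluster was edited outside Git (recorded != actual)
    """
    return {"pending": diff(recorded, desired), "out_of_band": diff(recorded, actual)}


def in_sync(desired: Any, actual: Any) -> bool:
    """True when the live cluster matches Git exactly."""
    return not diff(desired, actual)


def _route(weights: tuple[int, int]) -> dict:
    """Build a minimal constructed HTTPRoute spec with the given backend weights."""
    return {"rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/orders"}}],
                       "backendRefs": [{"name": "orders-v1", "port": 8080, "weight": weights[0]},
                                       {"name": "orders-v2", "port": 8080, "weight": weights[1]}]}]}


# Constructed samples: Git shifts 10% of traffic to v2 (not yet synced), while
# someone added an /admin rule straight in the cluster.
DESIRED = _route((90, 10))
RECORDED = _route((100, 0))
ACTUAL = _route((100, 0))
ACTUAL["rules"].append({"matches": [{"path": {"type": "PathPrefix", "value": "/admin"}}],
                        "backendRefs": [{"name": "debug-svc", "port": 9000, "weight": 1}]})


if __name__ == "__main__":
    for bucket, changes in classify_drift(DESIRED, RECORDED, ACTUAL).items():
        for path, (old, new) in changes.items():
            print(f"{bucket:12} {severity(path):6} {path}: {old!r} -> {new!r}")
    print("in sync with Git:", in_sync(DESIRED, ACTUAL))
```

The `pending` bucket is expected and will clear on the next sync; the `out_of_band` bucket is the unauthorized change the poster's fourth component is meant to surface, and with self-heal enabled it is also what the reconciler reverts. Whether the reverted `/admin` rule ever mattered to callers is exactly the question the behavioral gate, not the drift detector, answers.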
Key Contribution: Behavioral Regression Testing
1. Capture production HTTP baseline → 2. Deploy change to staging → 3. Execute the same requests → 4. Compare responses → 5. Gate decision: pass / block
Five Distinguishing Dimensions
Spatial comparison
Staging vs. production (not version N vs. N+1)
Pre-deployment timing
Blocks before reaching production
Infrastructure context
Tests infra changes, not app code
Full HTTP content
Status + headers + body (not just metrics)
Production-as-oracle
No developer-authored specifications needed
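The five steps and five dimensions above come together in a small gate: production responses serve as the oracle, staging is replayed with the same requests, and the comparison covers status, headers and body rather than metrics. The script below is an added illustration, not the poster's implementation; it also shows the dynamic-field scrubbing that the evaluation section relies on for keeping the false-positive rate down. The scrub lists are assumed, and the production and staging snapshots are constructed samples.

```python
"""HTTP snapshot gate: staging responses checked against a production baseline.

Added illustration, not the poster's own implementation.  A snapshot is the
response recorded for one (method, path) request: status, headers and body.
Dynamic fields (Date, request ids, timestamps) are scrubbed from both sides
first so they cannot register as regressions; everything that remains is
compared field by field, and the gate blocks promotion on any difference.
The production and staging snapshots below are constructed samples.
"""
import json
import re
from typing import Any

# Assumed scrub lists: headers and JSON keys that legitimately vary per request.
SCRUB_HEADERS = {"date", "x-request-id", "set-cookie"}
SCRUB_KEYS = {"timestamp", "request_id", "trace_id"}
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

Snapshot = dict[str, Any]


def _scrub_json(node: Any) -> Any:
    """Mask dynamic keys anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        return {k: ("<dynamic>" if k in SCRUB_KEYS else _scrub_json(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub_json(v) for v in node]
    return node


def scrub(snap: Snapshot) -> Snapshot:
    """Normalise a snapshot: drop volatile headers, mask dynamic body fields."""
    headers = {k.lower(): v for k, v in snap["headers"].items() if k.lower() not in SCRUB_HEADERS}
    body = snap["body"]
    try:
        body = json.dumps(_scrub_json(json.loads(body)), sort_keys=True)
    except (ValueError, TypeError):         # not JSON: only mask UUIDs in text
        body = UUID_RE.sub("<uuid>", body)
    return {"status": snap["status"], "headers": headers, "body": body}


def compare(prod: Snapshot, staging: Snapshot) -> list[str]:
    """Differences for one endpoint after scrubbing (empty list = identical)."""
    a, b = scrub(prod), scrub(staging)
    diffs = []
    if a["status"] != b["status"]:
        diffs.append(f"status: {a['status']} -> {b['status']}")
    for name in sorted(set(a["headers"]) | set(b["headers"])):
        if a["headers"].get(name) != b["headers"].get(name):
            diffs.append(f"header {name}: {a['headers'].get(name)!r} -> {b['headers'].get(name)!r}")
    if a["body"] != b["body"]:
        diffs.append("body differs")
    return diffs


def gate(prod: dict, staging: dict) -> tuple[str, dict]:
    """Gate decision ('pass' | 'block') plus findings keyed by (method, path)."""
    findings = {}
    for key, baseline in prod.items():
        if key not in staging:
            findings[key] = ["endpoint missing in staging"]
        elif (d := compare(baseline, staging[key])):
            findings[key] = d
    return ("block" if findings else "pass"), findings


# Constructed production baseline and staging capture for the same requests.
PROD = {
    ("GET", "/orders"): {"status": 200,
        "headers": {"Content-Type": "application/json", "Date": "Mon, 01 Jan 2024 10:00:00 GMT",
                    "X-Request-Id": "11111111-1111-4111-8111-111111111111",
                    "Strict-Transport-Security": "max-age=31536000"},
        "body": '{"orders":[{"id":1}],"request_id":"11111111-1111-4111-8111-111111111111",'
                '"timestamp":"2024-01-01T10:00:00Z"}'},
    ("GET", "/admin"): {"status": 403,
        "headers": {"Content-Type": "text/plain", "Strict-Transport-Security": "max-age=31536000"},
        "body": "forbidden"},
}
STAGING = {
    ("GET", "/orders"): {"status": 200,
        "headers": {"Content-Type": "application/json", "Date": "Tue, 02 Jan 2024 09:30:00 GMT",
                    "X-Request-Id": "22222222-2222-4222-8222-222222222222",
                    "Strict-Transport-Security": "max-age=31536000"},
        "body": '{"orders":[{"id":1}],"request_id":"22222222-2222-4222-8222-222222222222",'
                '"timestamp":"2024-01-02T09:30:00Z"}'},
    # constructed regression: staging now answers /admin with 200 and no HSTS header
    ("GET", "/admin"): {"status": 200, "headers": {"Content-Type": "text/html"},
                        "body": "<h1>admin</h1>"},
}

if __name__ == "__main__":
    decision, findings = gate(PROD, STAGING)
    print("gate:", decision)
    for key, diffs in findings.items():
        print(" ", *key, "\n    " + "\n    ".join(diffs))
```

`/orders` passes even though every volatile field differs between the two captures, which is the false-positive tuning the evaluation section describes; `/admin` blocks on three independent signals (status, a missing security header, and body), none of which a metrics-only canary would see. Tuning happens by extending the scrub lists for fields that are genuinely dynamic, not by relaxing the block decision.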
Comparison with Existing Approaches
| Approach | Pre-Deploy Behavioral Gate | Staging vs. Production | Production as Oracle | HTTP Content | Infra Context |
|---|---|---|---|---|---|
| ArgoCD / Flux | No | No | No | No | Yes |
| Terraform plan | No | No | No | No | Yes |
| Pact (CDCT) | Partial | No | No | Partial | No |
| Twitter Diffy | No | Version | Old ver. | Yes | No |
| Flagger / Argo Rollouts | Post-deploy | No | No | Metrics | No |
| Godefroid et al. (ISSTA'20) | Post-release | Temporal | No | Yes | No |
| Proposed System | Yes | Yes | Yes | Yes | Yes |
Positioning in the Research Landscape
Figure: positioning map with two axes, timing (pre-deployment vs. post-deployment) and comparison type (spatial: env vs. env; temporal: ver vs. ver). Approaches plotted: GoReplay, Pact (CDCT), Godefroid et al., Diffy, Canary Analysis, and the proposed HTTP Snapshot Gate.
Evaluation Framework
- 100%: behavioral regressions detected in staging
- < 3 min: drift detection latency (ArgoCD reconciliation)
- 0: regressions reaching production through the pipeline
Evaluation Metrics
Detection accuracy
Precision / recall for injected regressions (routing, TLS, headers)
False positive rate
Tolerance threshold tuning via dynamic field scrubbing
Pipeline overhead
Time added by HTTP snapshot gate per endpoint corpus
Drift coverage
Detection rate across config change types and severity tiers
Conclusion
This work presents a declarative GitOps-based framework integrating five components for HTTP gateway lifecycle management.
The key contribution — behavioral regression testing via HTTP snapshot comparison — occupies a novel position: spatial, pre-deployment, infrastructure-scoped, content-level, and specification-free.
Future Directions
- Extend behavioral testing to gRPC and WebSocket protocols
- Integrate ML-based noise filtering for dynamic response content
- Formalize tolerance threshold model for false-positive tuning
Thank you!
kristiyan.kolev@uni-plovdiv.bg · Supported by Project FP25-FMI-010