devops-automator

Expert DevOps engineer specializing in CI/CD pipelines, infrastructure as code, container orchestration, and deployment automation.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "devops-automator" with this command: npx skills add erichowens/some_claude_skills/erichowens-some-claude-skills-devops-automator

DevOps Automator


Activation Triggers

Activate on: "CI/CD", "GitHub Actions", "deployment pipeline", "Terraform", "infrastructure as code", "IaC", "Docker", "Kubernetes", "K8s", "Helm", "container orchestration", "GitOps", "ArgoCD", "deployment automation", "secrets management", "monitoring setup"

NOT for: Application development → language skills | Database design → data-pipeline-engineer | API design → api-architect

Quick Start

  • Define deployment strategy: Blue/Green, Canary, or Rolling

  • Choose IaC tool: Terraform for cloud resources, Helm for K8s apps

  • Design CI stages: lint → test → security scan → build → deploy

  • Implement GitOps: Config repo synced by ArgoCD

  • Add observability: Prometheus metrics, structured logging

Core Capabilities

Domain     | Tools & Technologies
-----------|--------------------------------
CI/CD      | GitHub Actions, GitLab CI, Jenkins
IaC        | Terraform, AWS CDK, Pulumi
Containers | Docker, Kubernetes, Helm
GitOps     | ArgoCD, Flux, Kustomize
Monitoring | Prometheus, Grafana, ELK/EFK

Architecture Patterns

CI/CD Pipeline Flow

Code Commit → Build → Test → Security Scan → Package
                                                ↓
Monitor ← Release Staging ← Smoke Tests ← Deploy Dev
                 ↓
          Manual Approval
                 ↓
         Deploy Production

GitOps Architecture

App Repo ──CI──▶ Config Repo ──ArgoCD──▶ K8s Cluster
                    ▲                        │
                    └────Continuous Sync─────┘

Reference Files

Full working examples are in ./references/ :

File                             | Description                 | Lines
---------------------------------|-----------------------------|------
github-actions-patterns.yaml     | Complete CI/CD pipeline     | 217
terraform-eks-module.tf          | Production EKS cluster      | 282
kubernetes-deployment.yaml       | Deployment + HPA + ArgoCD   | 200
dockerfile-multistage.dockerfile | Optimized multi-stage build | 51

Anti-Patterns (AVOID These)

  1. YAML Copy-Paste Proliferation

Symptom: Nearly identical workflow files duplicated across repositories
Fix: Reusable workflows, Helm charts, Kustomize bases, Terraform modules

  2. Hardcoded Secrets in Code

Symptom: API keys, passwords committed to git
Fix: Secret managers (Vault, AWS SM), sealed secrets, env vars from secure sources

  3. No Rollback Strategy

Symptom: No plan for deployment failure, manual intervention required
Fix: Blue/green, canary with automated rollback, ArgoCD auto-revert

  4. Monolithic CI Pipeline

Symptom: Single 45-minute pipeline rebuilding everything on every commit
Fix: Parallel jobs, caching, incremental builds, path-based triggers

  5. No Resource Limits

Symptom: K8s pods without CPU/memory limits consuming all host resources
Fix: Always set requests/limits, use LimitRanges and ResourceQuotas

  6. Running as Root in Containers

Symptom: Dockerfile without USER instruction, pods running privileged
Fix: Add USER instruction, set securityContext.runAsNonRoot: true

  7. Using :latest Tags

Symptom: FROM node:latest or image: app:latest in production
Fix: Pin specific versions, use immutable tags with SHA digests

  8. No Health Checks

Symptom: Missing HEALTHCHECK in Dockerfile, no liveness/readiness probes
Fix: Add health endpoints, configure probes with appropriate timeouts

  9. Single Point of Failure

Symptom: replicas: 1, no pod anti-affinity, single availability zone
Fix: Multiple replicas, pod anti-affinity, topology spread constraints

  10. Terraform State in Local File

Symptom: terraform.tfstate committed to git or stored locally
Fix: Remote backend (S3+DynamoDB, Terraform Cloud, GCS)

  11. No Concurrency Control

Symptom: Multiple CI runs for same branch, deployment race conditions
Fix: Use concurrency groups, implement deployment locks

  12. Ignoring Security Scanning

Symptom: No vulnerability scanning, no secret detection in CI
Fix: Trivy, Snyk, or Grype for vulnerabilities; TruffleHog for secrets

  13. No Drift Detection

Symptom: Manual changes to infrastructure, config diverges from code
Fix: ArgoCD diff detection, terraform plan in CI, regular audits

  14. Overly Permissive IAM

Symptom: IAM roles with * actions, service accounts with cluster-admin
Fix: Principle of least privilege, IRSA for pods, audit permissions

  15. No Observability

Symptom: No metrics, logs only on stdout, no alerting
Fix: Export metrics, structured logging, define SLOs, configure alerts

Validation Script

Run ./scripts/validate-devops-skill.sh to check:

  • GitHub Actions workflows for deprecated actions, missing caching

  • Dockerfiles for security best practices

  • Kubernetes manifests for resource limits, security contexts

  • Terraform for version constraints, sensitive defaults
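
One way to check a Dockerfile for three of the anti-patterns listed above (Running as Root in Containers, Using :latest Tags, No Health Checks), as an added example: this is not the skill's validate-devops-skill.sh, whose contents the page does not show. The function name, finding labels and sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the skill's validate-devops-skill.sh.
# check_dockerfile FILE: print one finding per line for the final build stage.
check_dockerfile() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line); instr = toupper(line) }
    instr ~ /^FROM[ \t]/ {
      # Each FROM starts a new stage; only the last one becomes the image.
      n = split(line, f, /[ \t]+/); image = ""
      for (i = 2; i <= n && image == ""; i++) if (f[i] !~ /^--/) image = f[i]
      user = ""; health = 0; next
    }
    instr ~ /^USER[ \t]/        { split(line, f, /[ \t]+/); user = f[2] }
    instr ~ /^HEALTHCHECK[ \t]/ { health = (instr !~ /^HEALTHCHECK[ \t]+NONE/) }
    END {
      if (image == "") { print "no-from: no FROM instruction found"; exit }
      if (image !~ /@sha256:/) {
        # Look for the tag only after the last "/", so a registry port is not mistaken for one.
        n = split(image, p, "/"); last = p[n]
        if (last !~ /:/)            print "unpinned-image: " image " has no tag or digest"
        else if (last ~ /:latest$/) print "latest-tag: " image " is a mutable tag"
      }
      if (user == "")                     print "no-user: final stage sets no USER"
      else if (user ~ /^(root|0)(:.*)?$/) print "root-user: final stage sets USER " user
      if (!health) print "no-healthcheck: final stage has no active HEALTHCHECK"
    }
  ' "$1"
}

# Constructed sample: the build stage drops root, the shipped stage does not.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
FROM node:20.11.1 AS build
USER node
RUN npm ci
FROM node:latest
COPY --from=build /app /app
CMD ["node", "/app/server.js"]
EOF
  check_dockerfile "$tmp"
  rm -f "$tmp"
}
demo
```

The check is line-based: it does not resolve ARG-substituted image names or a USER inherited from the base image, so a clean result still warrants a look at the base image itself.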

Quality Checklist

[ ] All secrets in secret management (not in code)
[ ] Resource limits defined for all containers
[ ] Health checks configured (liveness, readiness)
[ ] Horizontal pod autoscaling enabled
[ ] Security contexts set (non-root, read-only)
[ ] Monitoring and alerting configured
[ ] Rollback strategy documented
[ ] Multi-environment support (dev, staging, prod)
[ ] Concurrency controls in CI pipelines
[ ] Remote state backend for Terraform
[ ] Vulnerability scanning in pipeline
[ ] Version pinning for all dependencies

Output Artifacts

  • CI/CD Workflows - GitHub Actions, GitLab CI configs

  • Terraform Modules - Reusable infrastructure components

  • Kubernetes Manifests - Deployments, services, configs

  • Helm Charts - Packaged applications

  • Docker Configurations - Optimized multi-stage builds

  • ArgoCD Applications - GitOps deployment definitions

Tools Available

  • Read, Write, Edit - File operations for configs and manifests

  • Bash(docker:*) - Build and manage containers

  • Bash(kubectl:*) - Kubernetes operations

  • Bash(terraform:*) - Infrastructure provisioning

  • Bash(helm:*) - Helm chart management

  • Bash(gh:*) - GitHub CLI operations

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
