DevOps Agent - Reference Patterns

DevOps Agent - Reference Patterns

Source: agents/devops.md Load: On-demand when deep DevOps expertise needed

---

Core Competencies (Detailed)

1. Containerization

• Docker: Dockerfile optimization, multi-stage builds, layer caching
• Image Security: Scanning (Trivy), minimal base images (Alpine, Distroless)
• Best Practices: .dockerignore, health checks, non-root users
• Registries: Docker Hub, ECR, GCR, ACR

2. Container Orchestration

• Kubernetes: Deployments, Services, Ingress, ConfigMaps, Secrets
• Manifests: YAML generation, Helm charts, Kustomize
• Security: RBAC, Pod Security Policies, Network Policies
• Monitoring: Prometheus, Grafana, Kubernetes Dashboard

3. CI/CD Pipelines

• GitHub Actions: Workflows, matrix builds, caching, secrets
• GitLab CI: .gitlab-ci.yml, runners, artifacts
• Azure Pipelines: azure-pipelines.yml, agents
• Jenkins: Jenkinsfile, declarative pipelines
• CircleCI: config.yml, orbs

Pipeline Stages:

• Build -> Test -> Security Scan -> Deploy
• Automated testing (unit, integration, E2E)
• Code quality checks (linting, coverage)
• Dependency vulnerability scanning
• Container image building and pushing
• Deployment to staging/production

4. Infrastructure as Code (IaC)

• Terraform: AWS, GCP, Azure providers, modules, state management
• AWS CloudFormation: Templates, stacks, change sets
• Pulumi: TypeScript/Python infrastructure definitions
• Ansible: Playbooks, roles, inventory management

5. Cloud Platforms

AWS:

• Compute: EC2, ECS, EKS, Lambda, Fargate
• Storage: S3, EBS, EFS
• Database: RDS, DynamoDB, Aurora
• Networking: VPC, ALB, Route53, CloudFront
• Security: IAM, Secrets Manager, KMS, WAF
• Monitoring: CloudWatch, X-Ray

GCP:

• Compute: Compute Engine, GKE, Cloud Run, Cloud Functions
• Storage: Cloud Storage, Persistent Disk
• Database: Cloud SQL, Firestore, BigQuery
• Networking: VPC, Load Balancer, Cloud CDN
• Security: IAM, Secret Manager, Cloud Armor

Azure:

• Compute: VM, AKS, Container Instances, Functions
• Storage: Blob Storage, Disk Storage
• Database: Azure SQL, Cosmos DB
• Networking: Virtual Network, Application Gateway
• Security: Azure AD, Key Vault

6. Secrets Management

• HashiCorp Vault: Dynamic secrets, encryption as a service
• AWS Secrets Manager: Automatic rotation
• Azure Key Vault: Certificates, keys, secrets
• GCP Secret Manager: Version management
• Environment Variables: .env files, CI/CD secrets

7. Monitoring & Logging

• Monitoring: Prometheus, Grafana, Datadog, New Relic
• Logging: ELK Stack (Elasticsearch, Logstash, Kibana), Loki
• APM: Application Performance Monitoring
• Alerting: PagerDuty, Opsgenie, Slack notifications
• Tracing: Jaeger, Zipkin, AWS X-Ray

8. Deployment Strategies

• Blue-Green Deployment: Zero-downtime deployments
• Canary Deployment: Gradual rollout to percentage of users
• Rolling Deployment: Sequential instance updates
• A/B Testing: Feature flag-based deployment
• Rollback: Quick revert on failures

---

Tech Stack Examples

Docker

# Multi-stage build example
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
EXPOSE 3000
HEALTHCHECK --interval=30s CMD node healthcheck.js
CMD ["node", "dist/server.js"]

Kubernetes

# Deployment + Service example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api-server
  template:
    metadata:
      labels:
        app: api-server
    spec:
      containers:
      - name: api
        image: myregistry/api:v1.0.0
        ports:
        - containerPort: 3000
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: db-secrets
              key: url
        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /health
            port: 3000
          initialDelaySeconds: 30
          periodSeconds: 10
---
apiVersion: v1
kind: Service
metadata:
  name: api-service
spec:
  selector:
    app: api-server
  ports:
  - protocol: TCP
    port: 80
    targetPort: 3000
  type: LoadBalancer

GitHub Actions

name: CI/CD Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - run: npm run lint
      - run: npm test
      - run: npm run build

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm audit
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'

  deploy:
    needs: [test, security]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v3
      - uses: docker/build-push-action@v4
        with:
          push: true
          tags: myregistry/api:${{ github.sha }}
      - uses: azure/k8s-deploy@v4
        with:
          manifests: k8s/deployment.yaml
          images: myregistry/api:${{ github.sha }}

Terraform (AWS)

# VPC + EC2 example
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags = {
    Name = "main-vpc"
  }
}

resource "aws_subnet" "public" {
  vpc_id = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  availability_zone = "us-east-1a"
  map_public_ip_on_launch = true
}

resource "aws_security_group" "web" {
  name = "web-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  subnet_id = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.web.id]

  user_data = <<-EOF
              #!/bin/bash
              apt-get update
              apt-get install -y docker.io
              systemctl start docker
              EOF

  tags = {
    Name = "web-server"
  }
}

---

Best Practices

Dockerfile

• Use multi-stage builds (reduce image size)
• Use specific version tags (not latest)
• Run as non-root user
• Use .dockerignore (exclude node_modules, .git)
• Minimize layers (combine RUN commands)
• Use health checks
• Scan for vulnerabilities (Trivy)

Kubernetes

• Set resource requests and limits
• Use liveness/readiness probes
• Store secrets in Secrets, not ConfigMaps
• Use RBAC for access control
• Implement network policies
• Use namespaces for isolation
• Enable horizontal pod autoscaling (HPA)

CI/CD

• Run tests before deployment
• Security scanning in pipeline
• Automated rollback on failure
• Use caching to speed up builds
• Separate staging and production
• Tag images with git commit SHA
• Store secrets in CI/CD platform (not code)

Infrastructure as Code

• Version control infrastructure code
• Use modules for reusability
• Implement state locking (Terraform)
• Use workspaces for environments
• Plan before apply
• Document infrastructure changes

---

Typical Workflows

1. Containerize Application

Command: docker:create

Steps:

1. Analyze project (Node.js, Python, PHP, Go)
2. Generate optimized Dockerfile
3. Create .dockerignore
4. Add health check endpoint
5. Build and test image locally

Deliverables:

• Dockerfile (multi-stage, optimized)
• .dockerignore
• docker-compose.yml (for local dev)
• Build instructions

2. Create CI/CD Pipeline

Command: cicd:create

Steps:

1. Detect platform (GitHub Actions, GitLab CI, etc.)
2. Generate pipeline configuration
3. Include stages: lint, test, build, deploy
4. Add security scanning
5. Configure secrets

Deliverables:

• Pipeline configuration file
• Setup instructions
• Secret configuration guide

3. Deploy to Kubernetes

Command: k8s:create

Steps:

1. Generate Deployment manifest
2. Create Service definition
3. Add Ingress (if needed)
4. Create ConfigMap/Secrets
5. Add resource limits

Deliverables:

• Kubernetes manifests
• Deployment guide
• Kubectl commands

4. Setup Deployment

Command: deploy:setup

Steps:

1. Choose platform (AWS, GCP, Azure, Vercel, etc.)
2. Generate infrastructure code (Terraform, CloudFormation)
3. Create deployment scripts
4. Configure environment variables
5. Setup monitoring

Deliverables:

• Infrastructure code
• Deployment scripts
• Environment configuration
• Monitoring setup

---

Deliverables by Phase

Phase 1 (Understand + Design):

• Deployment architecture diagram
• Infrastructure requirements
• Cloud provider selection

Phase 4 (Refactor + Review):

• Dockerfile
• CI/CD pipeline
• Kubernetes manifests
• Infrastructure code

Phase 5 (Finalize):

• Deployment guide
• Monitoring setup
• Rollback procedures
• Production checklist