home / skills / yonatangross / orchestkit / devops-deployment
This skill helps you design and implement robust CI/CD pipelines, containerization, and deployment strategies for Kubernetes and cloud platforms.
npx playbooks add skill yonatangross/orchestkit --skill devops-deploymentReview the files below or copy the command above to add this skill to your agents.
---
name: devops-deployment
license: MIT
compatibility: "Claude Code 2.1.34+."
description: Use when setting up CI/CD pipelines, containerizing applications, deploying to Kubernetes, or writing infrastructure as code. DevOps & Deployment covers GitHub Actions, Docker, Helm, and Terraform patterns.
tags: [devops, ci-cd, docker, kubernetes, terraform]
context: fork
agent: data-pipeline-engineer
version: 1.0.0
author: OrchestKit
user-invocable: false
complexity: medium
metadata:
category: workflow-automation
---
# DevOps & Deployment Skill
Comprehensive frameworks for CI/CD pipelines, containerization, deployment strategies, and infrastructure automation.
## Overview
- Setting up CI/CD pipelines
- Containerizing applications
- Deploying to Kubernetes or cloud platforms
- Implementing GitOps workflows
- Managing infrastructure as code
- Planning release strategies
## Pipeline Architecture
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Code │──>│ Build │──>│ Test │──>│ Deploy │
│ Commit │ │ & Lint │ │ & Scan │ │ & Release │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
│ │ │ │
v v v v
Triggers Artifacts Reports Monitoring
```
## Key Concepts
### CI/CD Pipeline Stages
1. **Lint & Type Check** - Code quality gates
2. **Unit Tests** - Test coverage with reporting
3. **Security Scan** - npm audit + Trivy vulnerability scanner
4. **Build & Push** - Docker image to container registry
5. **Deploy Staging** - Environment-gated deployment
6. **Deploy Production** - Manual approval or automated
### Container Best Practices
**Multi-stage builds** minimize image size:
- Stage 1: Install production dependencies only
- Stage 2: Build application with dev dependencies
- Stage 3: Production runtime with minimal footprint
**Security hardening**:
- Non-root user (uid 1001)
- Read-only filesystem where possible
- Health checks for orchestrator integration
### Kubernetes Deployment
**Essential manifests**:
- Deployment with rolling update strategy
- Service for internal routing
- Ingress for external access with TLS
- HorizontalPodAutoscaler for scaling
**Security context**:
- `runAsNonRoot: true`
- `allowPrivilegeEscalation: false`
- `readOnlyRootFilesystem: true`
- Drop all capabilities
### Deployment Strategies
| Strategy | Use Case | Risk |
|----------|----------|------|
| **Rolling** | Default, gradual replacement | Low - automatic rollback |
| **Blue-Green** | Instant switch, easy rollback | Medium - double resources |
| **Canary** | Progressive traffic shift | Low - gradual exposure |
**Rolling Update** (Kubernetes default):
```yaml
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 25%
maxUnavailable: 0 # Zero downtime
```
### Secrets Management
Use External Secrets Operator to sync from cloud providers:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- GCP Secret Manager
---
## References
### Docker Patterns
**See: `references/docker-patterns.md`**
Key topics covered:
- Multi-stage build examples with 78% size reduction
- Layer caching optimization
- Security hardening (non-root, health checks)
- Trivy vulnerability scanning
- Docker Compose development setup
### CI/CD Pipelines
**See: `references/ci-cd-pipelines.md`**
Key topics covered:
- Branch strategy (Git Flow)
- GitHub Actions caching (85% time savings)
- Artifact management
- Matrix testing
- Complete backend CI/CD example
### Kubernetes Basics
**See: `references/kubernetes-basics.md`**
Key topics covered:
- Health probes (startup, liveness, readiness)
- Security context configuration
- PodDisruptionBudget
- Resource quotas
- StatefulSets for databases
- Helm chart structure
### Environment Management
**See: `references/environment-management.md`**
Key topics covered:
- External Secrets Operator
- GitOps with ArgoCD
- Terraform patterns (remote state, modules)
- Zero-downtime database migrations
- Alembic migration workflow
- Rollback procedures
### Observability
**See: `references/observability.md`**
Key topics covered:
- Prometheus metrics exposition
- Grafana dashboard queries (PromQL)
- Alerting rules for SLOs
- Golden signals (SRE)
- Structured logging
- Distributed tracing (OpenTelemetry)
### Railway Deployment
**See: `rules/railway-deployment.md`**
Key topics covered:
- railway.json configuration, Nixpacks builds
- Environment variable management, database provisioning
- Multi-service setups, Railway CLI workflows
- References: `references/railway-json-config.md`, `references/nixpacks-customization.md`, `references/multi-service-setup.md`
### Deployment Strategies
**See: `references/deployment-strategies.md`**
Key topics covered:
- Rolling deployment
- Blue-green deployment
- Canary releases
- Traffic splitting with Istio
---
## Deployment Checklist
### Pre-Deployment
- [ ] All tests passing in CI
- [ ] Security scans clean
- [ ] Database migrations ready
- [ ] Rollback plan documented
### During Deployment
- [ ] Monitor deployment progress
- [ ] Watch error rates
- [ ] Verify health checks passing
### Post-Deployment
- [ ] Verify metrics normal
- [ ] Check logs for errors
- [ ] Update status page
---
## Helm Chart Structure
```
charts/app/
├── Chart.yaml
├── values.yaml
├── scripts/
│ ├── deployment.yaml
│ ├── service.yaml
│ ├── ingress.yaml
│ ├── configmap.yaml
│ ├── secret.yaml
│ ├── hpa.yaml
│ └── _helpers.tpl
└── values/
├── staging.yaml
└── production.yaml
```
---
## Related Skills
- `zero-downtime-migration` - Database migration patterns for zero-downtime deployments
- `security-scanning` - Security scanning integration for CI/CD pipelines
- `monitoring-observability` - Monitoring and alerting for deployed applications
- `database-patterns` - Python/Alembic migration workflow for backend deployments
## Key Decisions
| Decision | Choice | Rationale |
|----------|--------|-----------|
| Container user | Non-root (uid 1001) | Security best practice, required by many orchestrators |
| Deployment strategy | Rolling update (default) | Zero downtime, automatic rollback, resource efficient |
| Secrets management | External Secrets Operator | Syncs from cloud providers, GitOps compatible |
| Health checks | Separate startup/liveness/readiness | Prevents premature traffic, enables graceful shutdown |
---
## Extended Thinking Triggers
Use Opus 4.6 adaptive thinking for:
- **Architecture decisions** - Kubernetes vs serverless, multi-region setup
- **Migration planning** - Moving between cloud providers
- **Incident response** - Complex deployment failures
- **Security design** - Zero-trust architecture
---
## Templates Reference
| Template | Purpose |
|----------|---------|
| `github-actions-pipeline.yml` | Full CI/CD workflow with 6 stages |
| `Dockerfile` | Multi-stage Node.js build |
| `docker-compose.yml` | Development environment |
| `k8s-manifests.yaml` | Deployment, Service, Ingress |
| `helm-values.yaml` | Helm chart values |
| `terraform-aws.tf` | VPC, EKS, RDS infrastructure |
| `argocd-application.yaml` | GitOps application |
| `external-secrets.yaml` | Secrets Manager integration |
---
## Capability Details
### ci-cd
**Keywords:** ci, cd, pipeline, github actions, gitlab ci, jenkins, workflow
**Solves:**
- How do I set up CI/CD?
- GitHub Actions workflow patterns
- Pipeline caching strategies
- Matrix testing setup
### docker
**Keywords:** docker, dockerfile, container, image, build, compose, multi-stage
**Solves:**
- How do I containerize my app?
- Multi-stage Dockerfile best practices
- Docker Compose development setup
- Container security hardening
### kubernetes
**Keywords:** kubernetes, k8s, deployment, service, ingress, helm, statefulset, pdb
**Solves:**
- How do I deploy to Kubernetes?
- K8s health probes and resource limits
- Helm chart structure
- StatefulSet for databases
### infrastructure-as-code
**Keywords:** terraform, pulumi, iac, infrastructure, provision, gitops, argocd
**Solves:**
- How do I set up infrastructure as code?
- Terraform AWS patterns (VPC, EKS, RDS)
- GitOps with ArgoCD
- Secrets management patterns
### deployment-strategies
**Keywords:** blue green, canary, rolling, deployment strategy, rollback, zero downtime
**Solves:**
- Which deployment strategy should I use?
- Zero-downtime database migrations
- Blue-green deployment setup
- Canary release with traffic splitting
### observability
**Keywords:** prometheus, grafana, metrics, alerting, monitoring, health check
**Solves:**
- How do I add monitoring to my app?
- Prometheus metrics exposition
- Grafana dashboard queries
- Alerting rules for SLOsThis skill consolidates production-ready DevOps and deployment patterns for CI/CD, containerization, Kubernetes, and infrastructure as code. It bundles practical templates and decision guidance for GitHub Actions, Docker multi-stage builds, Helm charts, and Terraform modules. Use it to standardize releases, secure containers, and implement GitOps workflows across staging and production.
The skill inspects pipeline stages, container rules, Kubernetes manifests, and IaC layouts to recommend concrete artifacts and configuration. It provides templates for CI workflows, Dockerfiles, Helm chart structure, and Terraform patterns, plus a deployment checklist and observability guidance. It also encodes security and operational best practices such as non-root containers, health probes, secrets syncing, and deployment strategy recommendations.
Which deployment strategy should I pick for minimal risk?
Start with rolling updates for most services because they offer zero-downtime and automated rollback; use canary for gradual exposure and blue-green when instant switch and easy rollback are needed but you can afford duplicate resources.
How should I manage secrets across environments?
Use an External Secrets Operator backed by your cloud provider (AWS Secrets Manager, Vault, Azure Key Vault, or GCP Secret Manager) so secrets are not stored in Git and can be synced securely at deploy time.