---
name: ck-devops
description: Deploy to Cloudflare Workers/R2/D1, Docker, GCP Cloud Run/GKE, Kubernetes with kubectl and Helm. Use for serverless deployment, container orchestration, CI/CD pipelines, GitOps, security audit, infrastructure management.
---

# ck-devops

Deploy and manage cloud infrastructure across Cloudflare, Docker, Google Cloud, and Kubernetes.

## When to Use

- Deploy serverless apps to Cloudflare Workers or Pages
- Containerize apps with Docker and Docker Compose
- Manage GCP with gcloud CLI (Cloud Run, GKE, Cloud SQL)
- Kubernetes cluster management (kubectl, Helm)
- GitOps workflows (Argo CD, Flux)
- CI/CD pipelines and multi-region deployments
- Security audits, RBAC, network policies

## Don't Use When

- Application-level code — use `ck-backend-development` or `ck-frontend-development`
- Database schema work — use `ck-databases`
- Simple script automation with no infrastructure components

## Platform Selection

| Need | Choose |
|------|--------|
| Sub-50ms latency globally | Cloudflare Workers |
| Large file storage (zero egress fees) | Cloudflare R2 |
| SQL database (global reads) | Cloudflare D1 |
| Containerized workloads | Docker + Cloud Run/GKE |
| Enterprise Kubernetes | GKE |
| Managed relational DB | Cloud SQL |
| Static site + API | Cloudflare Pages |
| Package management for K8s | Helm |

## Quick Start Commands

```bash
# Cloudflare Worker
wrangler init my-worker && wrangler deploy

# Docker
docker build -t myapp . && docker run -p 3000:3000 myapp

# GCP Cloud Run
gcloud run deploy my-service --image gcr.io/project/image --region us-central1

# Kubernetes
kubectl apply -f manifests/ && kubectl get pods
```

## Cloudflare Platform

- **Workers**: Edge compute, sub-50ms globally, V8 isolates
- **R2**: Object storage with S3-compatible API, zero egress costs
- **D1**: Serverless SQLite at the edge
- **KV**: Global key-value store
- **Pages**: Static site hosting + Functions
- **Browser Rendering**: Puppeteer automation at the edge

## Docker Best Practices

- Multi-stage builds to minimize image size
- Non-root user in containers
- `.dockerignore` to exclude dev dependencies
- Health checks in Dockerfile
- Pin base image versions for reproducibility
- Scan images for vulnerabilities before pushing

## Kubernetes

**Core concepts:** Deployments, Services, ConfigMaps, Secrets, Ingress, PersistentVolumes

**Essential kubectl workflow:**

```bash
kubectl get pods -n namespace
kubectl logs pod-name -f
kubectl describe pod pod-name
kubectl exec -it pod-name -- sh
kubectl apply -f manifest.yaml
kubectl rollout status deployment/my-app
```

**Helm:**

```bash
helm install my-release ./chart
helm upgrade my-release ./chart --set image.tag=v2
helm rollback my-release 1
```

## Security Best Practices

- Non-root containers (never run as root)
- RBAC: least-privilege service accounts
- Secrets in environment variables or secret managers — never in images or config maps
- Image scanning in CI pipeline
- Network policies to restrict pod-to-pod communication
- TLS everywhere, rotate certificates

## CI/CD Patterns

- **Blue-green**: Two identical environments, instant switch
- **Canary**: Gradual traffic shift (5% → 25% → 100%)
- **Feature flags**: Decouple deploy from release
- **GitOps**: Argo CD or Flux for declarative infra

## Python Utility Scripts

```bash
# Automate Cloudflare Worker deployments
python scripts/cloudflare-deploy.py --env production

# Analyze and optimize Dockerfiles
python scripts/docker-optimize.py --path ./Dockerfile
```

## Best Practices Summary

- **Security**: Non-root containers, RBAC, secrets in env vars, image scanning
- **Performance**: Multi-stage builds, edge caching, resource limits
- **Cost**: R2 for large egress, caching, right-size resources
- **Development**: Docker Compose for local dev, wrangler dev, version-control all IaC

## Resources

- Cloudflare: https://developers.cloudflare.com
- Docker: https://docs.docker.com
- GCP: https://cloud.google.com/docs
- Kubernetes: https://kubernetes.io/docs
- Helm: https://helm.sh/docs
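As an added example that is not part of this skill (and not the `scripts/docker-optimize.py` it references), the following Python audit checks a Dockerfile against the Docker and Security best practices listed above: pinned base image, multi-stage build, non-root `USER` in the final stage, a `HEALTHCHECK`, and no secret-looking `ENV`/`ARG` keys baked into the image. The sample Dockerfile and the secret-key pattern are constructed for the example.

```python
import re

# Constructed sample (not from the original skill) that breaks several of the rules above.
BAD_DOCKERFILE = """\
FROM node:latest
ENV API_TOKEN=abc123
COPY . .
RUN npm install
CMD ["node", "server.js"]
"""
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN|PRIVATE_KEY|API_KEY", re.I)

def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs; joins backslash continuations, skips comments and blanks."""
    out, pending = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continuation: accumulate and keep reading
            pending += line[:-1] + " "
            continue
        name, _, args = (pending + line).partition(" ")
        out.append((name.upper(), args.strip()))
        pending = ""
    return out

def audit_dockerfile(text):
    """Return findings against the Docker and security best practices; an empty list means clean."""
    inst = parse_instructions(text)
    findings = []
    from_idx = [i for i, (n, _) in enumerate(inst) if n == "FROM"]
    for i in from_idx:
        ref = inst[i][1].split()[0]          # drop "AS <stage>"
        name_tag = ref.rsplit("/", 1)[-1]    # ignore a registry host:port prefix
        if "@sha256:" not in ref and (":" not in name_tag or name_tag.endswith(":latest")):
            findings.append(f"unpinned base image: {ref}")
    if len(from_idx) < 2:
        findings.append("single-stage build: use a multi-stage build to shrink the final image")
    last_stage = inst[from_idx[-1]:] if from_idx else inst   # only the final stage's USER matters
    users = [a for n, a in last_stage if n == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    if not any(n == "HEALTHCHECK" for n, _ in inst):
        findings.append("no HEALTHCHECK instruction")
    for name, args in inst:                  # secrets must not be baked in via ENV/ARG
        if name in ("ENV", "ARG"):
            keys = [t.split("=", 1)[0] for t in args.split()] if "=" in args else args.split()[:1]
            findings += [f"possible secret baked into image: {name} {k}" for k in keys if SECRET_KEY_RE.search(k)]
    return findings
```

Calling `audit_dockerfile(BAD_DOCKERFILE)` returns five findings (unpinned `node:latest`, single-stage, root user, no `HEALTHCHECK`, secret-looking `ENV API_TOKEN`); a hardened multi-stage Dockerfile with a non-root `USER` and a `HEALTHCHECK` returns an empty list.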