Core Code
Core Code Modern Dev Handbook
INFRA-DEVOPS Contents
Linux for Production
Processes, Threads, and Signals Filesystems, Mounts, and Permissions systemd Units and Service Lifecycle journald and Production Logging ulimits, cgroups, and Resource Limits /proc, /sys, and Safe Debugging Performance Basics: load, iowait, run queue Package Management and Patch Strategy Users, Groups, sudo, Capabilities Production Troubleshooting Playbook
Networking for Production
Operator Networking Mental Model (TCP/IP) DNS in Production: TTL, caching, outages TLS Handshake and Certificates Timeouts and Retries Across Layers Load Balancers and Health Checks Reverse Proxies and API Gateways Firewalls, NAT, and Egress Identity Network Debugging Tools (ss, tcpdump, curl) Failure Patterns: partial outage, brownout, storm Connectivity Checklist (DNS→TCP→TLS→HTTP)
Compute, Storage, and Resource Management
CPU, Memory, and I/O Basics Capacity Planning and Headroom Disk Latency, IOPS, Throughput, Queue Depth Disk Full vs Inode Full and Cleanup Strategy Resource Isolation and Noisy Neighbors Quotas, Limits, and Guardrails Horizontal vs Vertical Scaling Ephemeral vs Persistent State Virtualization vs Containers (Failure Domains) Resource Metrics Primer (what to alert on)
Containers & OCI
OCI and Runtime Architecture (containerd, runc) Dockerfile Production Patterns Image Layering and Build Caching Registries: Digests vs Tags and Promotion Container Networking Model (bridge/NAT/ports) OverlayFS and Volumes (persistence & perf) Signals, PID 1, and Graceful Shutdown Rootless Containers and Tradeoffs Container Security Basics (caps/seccomp) Debugging Containers (inspect/logs/exec)
Kubernetes Core
Kubernetes Architecture (control plane vs data plane) Workloads: Deployment, Job, DaemonSet, StatefulSet Deployments and Rollouts (readiness, rollback) Services, Endpoints, and Cluster DNS Ingress and Service Exposure ConfigMaps and Secrets Probes: readiness, liveness, startup Resource Requests and Limits Scheduling Basics (taints/affinity/topology) Namespaces, RBAC, and Isolation Basics
Kubernetes Operations
kubectl Production Workflow Debugging Pods and Nodes (events, logs, states) Cluster Upgrades and Versioning Strategy Disruption Budgets, Drains, and Maintenance Autoscaling: HPA, VPA, Cluster Autoscaler NetworkPolicy and Traffic Control RBAC and Access Control (least privilege) etcd Basics and Backup Strategy Backups and Disaster Recovery for Kubernetes Incident Response on Kubernetes
Release Engineering & CI/CD
CI Pipeline Architecture Build Once, Promote Everywhere (Artifacts) Testing Strategy: unit→integration→e2e Versioning: SemVer, tags, and changelogs Deployment Strategies: rolling, blue/green, canary Feature Flags and Progressive Delivery GitOps Introduction (pull-based delivery) Secrets in CI/CD and Environment Injection Rollback Strategy and Release Safety Supply Chain Validation in Pipelines
Observability
Logs vs Metrics vs Traces Structured Logging and Correlation IDs Metrics Design Principles SLIs, SLOs, and Error Budgets Alerting Strategy and Alert Fatigue Distributed Tracing Basics Sampling and High Cardinality Problems Dashboards That Drive Action Golden Signals and RED/USE methods Observability During Rollouts (what to watch)
Incident Response & Reliability
Incident Lifecycle and Roles Triage and Stabilization (reduce blast radius) Runbooks and Operational Checklists Root Cause Analysis (RCA) Blameless Postmortems and Learning On-call Design and Escalation Error Budgets and Reliability vs Velocity Disaster Recovery Basics (RPO/RTO) Game Days and Restore Drills Chaos Engineering Basics
Security for Operators
Principle of Least Privilege Secrets Management (ops view) Certificate Rotation and Expiry Prevention Container Hardening (seccomp, caps, RO fs) Kubernetes SecurityContext Patterns Kubernetes RBAC Deep Dive Network Segmentation and Policy Vulnerability Scanning and Patch Loops Runtime Security Signals (what to monitor) Threat Modeling for Operators
Supply Chain Security
SBOM Basics (what and why) Provenance and Attestation Dependency Scanning and Policies Image Signing and Verification Artifact Immutability and Promotion Reproducible Builds CI Hardening and Runner Security Registry Security and Access Controls Tamper Detection and Incident Response Zero Trust Delivery Concepts
Infrastructure as Code & Environments
Infrastructure as Code Principles Declarative vs Imperative IaC State Management (remote state, locking) Drift Detection and Repair Secrets in IaC (avoid leaks) Review Workflows and Change Control Environment Parity and Config Strategy Multi-Environment Promotion Model Testing IaC (plan checks, policy tests) Modules, Standards, and Reuse
Platform Engineering & Internal Developer Platforms
Platform as Product (mental model) Golden Paths and Paved Roads Self-Service Infrastructure Workflows Internal Developer Platform Architecture Service Templates and Scaffolding Platform SLIs, SLOs, and Reliability Multi-Tenancy and Isolation Models Cost Visibility and Chargeback Models Platform Governance and Guardrails Platform Maturity Model
Advanced: Scaling, Multi-Cluster, and Governance
Multi-Cluster Topologies Federation and Regional Failover Control Plane Hardening Large Cluster Scaling Limits Cross-Region Networking Patterns Advanced Progressive Delivery Patterns Global Traffic Management Org-wide Policy Enforcement (OPA/Gatekeeper) Capacity Modeling at Scale Failure Domain and Blast Radius Design

TLS Handshake and Certificates

Run TLS in production: handshake basics, cert chains, expiry prevention, and practical debugging with openssl/curl.
On this page

Production TLS: What Breaks

  • Cert expiry, wrong chain, wrong hostname (SNI), old cipher/protocol mismatch
  • Clock skew on servers/clients
  • Proxy terminates TLS but backend expects TLS (or vice versa)

Quick TLS Debug with curl

curl -sv https://example.com/health --max-time 5 || true
curl -sv --resolve example.com:443:<IP> https://example.com/health --max-time 5 || true

Inspect Certificate Chain

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Expiry Prevention Runbook

  • Alert at T-30, T-14, T-7 days (and daily at T-3).
  • Automate renewal + deploy + validation (staging first).
  • Validate chain and hostname from outside the cluster/VPC too.

Failure Modes

  • Intermediate missing: some clients fail, others succeed (partial outage).
  • SNI mismatch: works by IP but fails by hostname.
  • Clock skew: 'not yet valid' / 'expired' even with correct cert.

Checklist

date -u
curl -sv https://example.com --max-time 5 || true
openssl s_client -connect example.com:443 -servername example.com </dev/null | grep -E 'Verify return code|subject=|issuer=|notAfter'
Timeouts and Retries Across Layers →