Most “DevOps best practices” posts read like a tool vendor’s wishlist. This one won’t. After running pipelines for fintech, e-commerce, and SaaS teams ranging from four engineers to ninety, we’ve learned which practices compound — and which are theater. Below is what we’d recommend if you were sitting across the table from us at the office in Istanbul.
Measure the four things that matter: DORA
If you’re not tracking the DORA metrics, you’re optimizing blind. The four signals from Google’s State of DevOps research correlate with both organizational performance and engineer happiness:
- Deployment frequency — how often you ship to production.
- Lead time for changes — commit to running in prod.
- Change failure rate — percentage of deploys that need a rollback or hotfix.
- Mean time to recovery (MTTR) — how long incidents last.
Elite performers deploy multiple times per day with under an hour of lead time and recover in under an hour. If you’re shipping weekly with a 20% failure rate, no amount of Kubernetes will fix the underlying process problem. Start measuring before you start tooling.
A team that ships twice a week with confidence beats a team that ships twice a day in panic. Frequency without stability is just chaos with extra steps.
CI/CD pipeline anatomy
A good pipeline is fast, deterministic, and gives feedback in stages. Here’s a minimal but production-grade GitHub Actions workflow for a Node service:
name: ci
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
- run: npm ci
- run: npm run lint
- run: npm test -- --coverage
- uses: actions/upload-artifact@v4
with: { name: coverage, path: coverage/ }
build:
needs: test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/build-push-action@v5
with:
push: true
tags: ghcr.io/iwwomi/api:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=maxTool honest take:
- GitHub Actions — Default choice if you’re on GitHub. $0.008/min on Linux runners after the free tier. Marketplace is unmatched. The official docs are excellent.
- GitLab CI — Best if you already pay for GitLab Premium. Tight integration with merge requests and environments. YAML feels slightly cleaner.
- CircleCI — Fastest cold starts and the best macOS support if you build iOS. Pricier at scale ($15/user/mo on Performance).
- Jenkins — Only if you have a dedicated platform team that wants to babysit it. Otherwise, move on.
Rule of thumb: aim for under 10 minutes from push to “deployed to staging.” Anything longer and engineers context-switch, kill the feedback loop, and stop trusting the pipeline.
Infrastructure as Code: pick one and commit
Stop clicking in the AWS console. Every resource needs to be code-reviewable, diff-able, and reproducible. Three real options:
- Terraform (1.7+) — The default. Massive provider ecosystem, huge talent pool, and OpenTofu is a credible open-source fork if you’re worried about HashiCorp’s BSL license. State management is the hard part — use S3 + DynamoDB locking or Terraform Cloud ($0.00014/resource-hour on Standard).
- Pulumi — Same primitives, but in TypeScript/Go/Python. Wins when your team is allergic to HCL or you need real loops and abstractions. Free for individuals, $0.18/resource-hour for teams.
- CloudFormation/CDK — Only if you’re 100% AWS forever. CDK (TypeScript) is genuinely nice; raw CloudFormation YAML is not.
A boring but production-ready Terraform module:
resource "aws_ecs_service" "api" {
name = "api"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.api.arn
desired_count = var.environment == "prod" ? 3 : 1
launch_type = "FARGATE"
deployment_circuit_breaker {
enable = true
rollback = true
}
network_configuration {
subnets = var.private_subnet_ids
security_groups = [aws_security_group.api.id]
}
}Pick one tool, write a module library, enforce it via PR review. The worst IaC stack is three half-finished ones. While you’re at it, read our cloud migration guide — it covers the broader provider decision.
Containers and orchestration: when Kubernetes is overkill
Kubernetes is incredible. It’s also a full-time job for at least one engineer. If your team is under ten people and you’re running fewer than twenty services, you almost certainly don’t need it.
Better options for small teams:
- AWS ECS Fargate / Google Cloud Run / Azure Container Apps — Push a container, get a URL. Autoscaling, TLS, and health checks included. Fargate is roughly $0.04/vCPU-hour.
- Fly.io / Render / Railway — Heroku-style ergonomics with modern pricing. Great for startups.
- Docker Compose on a single VM — Don’t laugh. For an internal tool or an MVP, a $40/mo Hetzner box running Compose is fine for months.
Move to Kubernetes when: you have 15+ services, multi-team ownership, multi-region requirements, or specific workloads (GPU, batch) that managed runtimes can’t handle. EKS, GKE Autopilot, or AKS — never roll your own control plane in 2026. If you’re going service-heavy, our piece on microservices architecture covers the operational tradeoffs.
Observability: logs, metrics, traces
You can’t fix what you can’t see. The modern stack has three pillars, and you need all three:
- Logs — Loki + Grafana if self-hosting, CloudWatch Logs or Datadog if not. Structured JSON only. Forget grep-friendly logs; you want field-searchable.
- Metrics — Prometheus is the default. Pair with Grafana for dashboards and Alertmanager for paging. For managed: Grafana Cloud ($0/mo free tier, $19/mo Pro) or Datadog (expensive but excellent).
- Traces — OpenTelemetry as the instrumentation standard. Jaeger or Tempo for storage. Honeycomb if you want the best query experience and can afford it.
Instrument once with OpenTelemetry SDK and route to whatever backend. Vendor lock-in on telemetry is a tax that compounds.
# otel-collector.yaml
receivers:
otlp:
protocols: { grpc: { endpoint: 0.0.0.0:4317 } }
exporters:
prometheusremotewrite:
endpoint: https://prometheus.example/api/v1/write
otlp/tempo:
endpoint: tempo:4317
service:
pipelines:
metrics: { receivers: [otlp], exporters: [prometheusremotewrite] }
traces: { receivers: [otlp], exporters: [otlp/tempo] }For database-heavy services, instrument query duration histograms per route — it’s the cheapest way to catch N+1s before users do. See our database optimization post for the full playbook.
Secrets management: never commit .env
If your repository contains a .env file with real credentials, stop reading and rotate them now. Then pick one:
- HashiCorp Vault — Full-featured, dynamic secrets, audit logs. Self-hosted is a real commitment.
- AWS Secrets Manager / GCP Secret Manager / Azure Key Vault — $0.40/secret/month on AWS. Boring, integrated, fine.
- SOPS + age — Encrypt secrets in Git itself. Brilliant for IaC and Kubernetes manifests. Free.
- Doppler / Infisical — Developer-friendly managed services starting around $7/user/month.
Whatever you choose: short-lived credentials, automatic rotation, and audit trails are non-negotiable. Pair this with the practices in our secure web applications guide.
Deploy strategies: rolling, blue/green, canary
Three patterns, each with a place:
- Rolling — Replace instances N at a time. Default for ECS, Kubernetes, Nomad. Good for stateless services with backward-compatible changes. Cheapest.
- Blue/green — Stand up the new version alongside the old, flip traffic at the load balancer. Instant rollback. Doubles infra cost during deploys, but you can run database migrations safely.
- Canary — Route 1% → 5% → 25% → 100% over minutes or hours. Pair with automated SLO monitoring (e.g., Flagger on Kubernetes, AWS CodeDeploy with CloudWatch alarms). Essential for high-traffic services.
Pick the simplest deploy strategy that meets your reliability bar. Canary everything sounds great until you’re debugging why 3% of users see stale data.
For most teams: rolling deploys with circuit breakers in dev/staging, canary with automated rollback in production. Blue/green specifically for risky migrations.
Modernize your delivery pipeline
DevOps is not a department. It’s a set of habits — measure, automate, observe, and reduce the cost of mistakes. Start with DORA metrics, get your pipeline under 10 minutes, codify your infrastructure, and build observability before you need it. The compounding effects are real: teams that invest here ship 2–3x faster within a year, with fewer incidents.
If you want a second set of eyes on your pipeline, IaC, or production setup, get in touch. We help teams in Istanbul and across Europe ship faster without breaking things.
