Nerd Level Tech logo

DevOps: The Ultimate Guide (2026)

March 30, 2026

#devops#CI/CD#GitOps#platform engineering#DevSecOps#Kubernetes#infrastructure as code#DORA metrics#supply chain security
DevOps: The Ultimate Guide (2026)

DevOps is how high-performing engineering teams ship software — continuously, safely, and at scale. In 2026, 80% of large software organizations have established platform teams, GitOps adoption has crossed 64% of enterprises, and the DORA framework has shifted from ranking teams to identifying seven behavioral archetypes that predict delivery outcomes.

TL;DR

  • DORA 2025 replaced team rankings with seven behavioral archetypes; AI-assisted development showed mixed results — 75% reported productivity gains but delivery throughput decreased 1.5%1
  • GitOps is mainstream: 64% enterprise adoption, ArgoCD 3.3 leads with 20K+ GitHub stars2
  • Platform Engineering is the dominant trend: 80% of large orgs now have platform teams (up from 45% in 2022)3
  • Kubernetes 1.35 is the current stable release (March 2026)4
  • Supply chain security (SLSA, Sigstore) is table stakes for regulated industries5
  • OpenTelemetry crossed 95% adoption for new cloud-native instrumentation6
  • Jenkins requires Java 17+; GitHub Actions are at checkout@v6, setup-java@v5, upload-artifact@v67

What You'll Learn

  1. Core DevOps principles and the DevOps lifecycle
  2. CI/CD pipeline implementation with current tooling (GitHub Actions, GitLab CI)
  3. Infrastructure as Code with Terraform and Pulumi
  4. GitOps with ArgoCD and Flux
  5. Platform Engineering and Internal Developer Portals
  6. DevSecOps: supply chain security with SLSA and Sigstore
  7. Observability with OpenTelemetry
  8. DORA metrics framework and how elite teams measure performance
  9. Real-world case studies with verified outcomes

What is DevOps?

DevOps is a cultural and technical movement that unifies software development and IT operations through shared ownership, automation, and continuous feedback. It replaces the traditional "throw it over the wall" model with collaborative workflows spanning the full application lifecycle.

The Three Pillars

  1. Collaboration and Communication — Shared goals and responsibilities across development, operations, security, and business teams
  2. Automation — Every repeatable process (builds, tests, deployments, security scans, infrastructure provisioning) should be automated
  3. Continuous Improvement — Measure outcomes with DORA metrics, run blameless postmortems, and iterate on processes

DevOps vs. Traditional IT

Aspect Traditional IT DevOps
Release cadence Monthly/quarterly Multiple times per day
Team structure Siloed (dev, ops, QA) Cross-functional product teams
Deployment Manual runbooks Automated pipelines
Failure response Blame culture Blameless postmortems
Infrastructure Manually provisioned Infrastructure as Code
Security Gate at the end Shifted left (DevSecOps)
Monitoring Reactive Proactive observability

The DevOps Lifecycle

The DevOps lifecycle is a continuous loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor — each phase feeding back into the next.

Phase-by-Phase Breakdown

1. Plan — Define requirements, prioritize work, assess risk. Tools: Jira, Linear, GitHub Projects, Azure DevOps

2. Code — Write, review, and version-control code. Tools: Git, GitHub, GitLab, Bitbucket

3. Build — Compile, package, and store artifacts. Tools: Maven 3.9+, Gradle, npm, Docker

4. Test — Automated testing at unit, integration, E2E, performance, and security levels. Tools: JUnit 5, Playwright, k6, OWASP ZAP

5. Release — Version, tag, and prepare for deployment. Tools: GitHub Releases, Artifactory, Harbor

6. Deploy — Push to production using safe deployment strategies (blue-green, canary, progressive rollout). Tools: ArgoCD, Flux, Kubernetes, Terraform

7. Operate — Manage running systems, respond to incidents, tune performance. Tools: PagerDuty, Grafana OnCall, Kubernetes operators

8. Monitor — Observe system health through logs, metrics, traces, and alerts. Tools: OpenTelemetry, Prometheus, Grafana, Datadog

CI/CD: The Engine of DevOps

GitHub Actions Pipeline (Current Best Practice)

# .github/workflows/ci.yml
name: CI/CD Pipeline
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6
    - name: Set up JDK 21
      uses: actions/setup-java@v5
      with:
        java-version: '21'
        distribution: 'temurin'
    - name: Build with Maven
      run: mvn -B package --file pom.xml
    - name: Run tests
      run: mvn test
    - name: Upload test results
      uses: actions/upload-artifact@v6
      if: always()
      with:
        name: test-results
        path: target/surefire-reports

  security-scan:
    runs-on: ubuntu-latest
    needs: build-and-test
    steps:
    - uses: actions/checkout@v6
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'

  deploy:
    runs-on: ubuntu-latest
    needs: [build-and-test, security-scan]
    if: github.ref == 'refs/heads/main'
    steps:
    - uses: actions/checkout@v6
    - name: Deploy to production
      run: |
        echo "Deploying via ArgoCD sync..."
        # ArgoCD handles the actual deployment via GitOps

Note: GitHub Actions versions as of March 2026: checkout@v6, setup-java@v5, upload-artifact@v6.7

GitLab CI/CD Pipeline

stages:
  - build
  - test
  - security
  - deploy

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

cache:
  paths:
    - .m2/repository/
    - target/

build:
  stage: build
  image: maven:3.9-eclipse-temurin-21
  script:
    - mvn compile

unit-test:
  stage: test
  image: maven:3.9-eclipse-temurin-21
  script:
    - mvn test
  artifacts:
    reports:
      junit: target/surefire-reports/*.xml

container-scan:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

deploy-production:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl apply -f k8s/
  only:
    - main
  environment:
    name: production

Infrastructure as Code (IaC)

IaC eliminates configuration drift and makes infrastructure reproducible, version-controlled, and auditable.

Terraform (Declarative, HCL)

# main.tf — Kubernetes cluster on AWS EKS
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "~> 20.0"
  cluster_name    = "production"
  cluster_version = "1.35"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_groups = {
    general = {
      desired_size = 3
      min_size     = 2
      max_size     = 10
      instance_types = ["m6i.xlarge"]
    }
    gpu = {
      desired_size = 0
      min_size     = 0
      max_size     = 4
      instance_types = ["g5.xlarge"]
      labels = { "nvidia.com/gpu" = "true" }
      taints = [{
        key    = "nvidia.com/gpu"
        value  = "true"
        effect = "NO_SCHEDULE"
      }]
    }
  }
}

Pulumi (Imperative, General-Purpose Languages)

Pulumi lets you define infrastructure using TypeScript, Python, Go, or C# instead of domain-specific languages:

// index.ts — Same EKS cluster in TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster("production", {
    version: "1.35",
    instanceType: "m6i.xlarge",
    desiredCapacity: 3,
    minSize: 2,
    maxSize: 10,
});

export const kubeconfig = cluster.kubeconfig;
export const clusterName = cluster.eksCluster.name;

GitOps: Declarative Deployment

GitOps uses Git as the single source of truth for infrastructure and application state. Changes are made via pull requests, and a GitOps operator reconciles the cluster to match the declared state.

ArgoCD (The Market Leader)

ArgoCD 3.3 (released early 2026) is the dominant GitOps tool, with 20,000+ GitHub stars and adoption at companies including Red Hat, Adobe, and Goldman Sachs2.

# argocd-application.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: user-service
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/k8s-manifests.git
    targetRevision: main
    path: services/user-service
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Flux CD

Flux 2.8 takes a decentralized toolkit approach. After Weaveworks (Flux's corporate sponsor) shut down, Flux continued as a CNCF project with community governance2. It excels in edge and multi-cluster deployments where resource overhead matters.

GitOps Adoption Statistics

  • 64% of enterprises report GitOps as their primary delivery mechanism2
  • ArgoCD holds the dominant market position for centralized hub-and-spoke models
  • Flux leads in edge computing (manufacturing, telecom) due to minimal resource overhead

Platform Engineering and Internal Developer Portals

Platform Engineering builds internal platforms that give developers self-service access to infrastructure, tooling, and golden paths — reducing cognitive load and operational toil.

Adoption

Gartner predicted that by 2026, 80% of large software engineering organizations would have platform teams3. Current adoption already exceeds 55% across all organization sizes. Teams using Internal Developer Portals (IDPs) deliver updates up to 40% faster while cutting operational overhead nearly in half3.

Backstage (The Standard)

Backstage, created by Spotify, holds approximately 89% market share among IDP adopters, with over 3,400 adopters worldwide including LinkedIn, CVS Health, and Vodafone3.

# catalog-info.yaml — Backstage service registration
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: user-service
  description: User management microservice
  annotations:
    github.com/project-slug: your-org/user-service
    backstage.io/techdocs-ref: dir:.
spec:
  type: service
  lifecycle: production
  owner: platform-team
  system: user-management
  providesApis:
    - user-api
  dependsOn:
    - resource:postgres-users

Alternative IDP Tools

Tool Approach Best For
Backstage Open-source framework, self-hosted Organizations wanting full customization
Port SaaS platform Faster implementation, less maintenance
Cortex SaaS with scorecards Engineering excellence tracking
Humanitec Platform Orchestrator Dynamic configuration management

DevSecOps: Security as Code

DevSecOps integrates security throughout the pipeline rather than bolting it on at the end.

Supply Chain Security (SLSA + Sigstore)

Software supply chain security is now table stakes for regulated industries. SLSA (Supply-chain Levels for Software Artifacts) v1.1 provides a framework for build integrity, while Sigstore provides keyless artifact signing5.

# GitHub Actions: Generate SLSA Level 3 provenance
- name: Generate SLSA provenance
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
  with:
    image: ghcr.io/${{ github.repository }}
    digest: ${{ needs.build.outputs.digest }}

# Sign container images with Cosign (Sigstore)
- name: Sign container image
  run: |
    cosign sign --yes \
      ghcr.io/${{ github.repository }}@${{ needs.build.outputs.digest }}

Security Scanning Pipeline

# Comprehensive security scanning in CI
security:
  stage: security
  parallel:
    matrix:
      - SCAN_TYPE: [sast, dast, container, dependency, iac]
  script:
    - case $SCAN_TYPE in
        sast) semgrep scan --config auto . ;;
        dast) zap-baseline.py -t $STAGING_URL ;;
        container) trivy image --severity HIGH,CRITICAL $IMAGE ;;
        dependency) trivy fs --scanners vuln . ;;
        iac) checkov -d terraform/ ;;
      esac

Key Security Tools (2026)

Category Tools Notes
SAST Semgrep, SonarQube, CodeQL Semgrep gaining share for speed
DAST OWASP ZAP, Burp Suite ZAP still actively maintained
Container scanning Trivy, Grype, Snyk Trivy is the open-source default
Supply chain Sigstore (Cosign/Fulcio/Rekor), SLSA GitHub has built-in attestation support
IaC scanning Checkov, tfsec, Kics Checkov covers Terraform, K8s, Docker
Policy enforcement OPA/Gatekeeper, Kyverno Kyverno gaining traction for K8s-native policies

Observability: OpenTelemetry as the Standard

OpenTelemetry (OTel) is now the second-largest CNCF project behind Kubernetes, with 95% adoption for new cloud-native instrumentation6.

The Three Pillars + Profiling

Signal Purpose OTel Status
Traces Request flow across services Stable
Metrics Quantitative measurements Stable
Logs Event records Stable
Profiling CPU/memory resource usage Emerging (2026)

OpenTelemetry Instrumentation

# Python auto-instrumentation with OpenTelemetry
# pip install opentelemetry-api opentelemetry-sdk opentelemetry-instrumentation-flask

from opentelemetry import trace
from opentelemetry.sdk.trace import TracerProvider
from opentelemetry.sdk.trace.export import BatchSpanProcessor
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter
from opentelemetry.instrumentation.flask import FlaskInstrumentor

# Configure tracer
provider = TracerProvider()
processor = BatchSpanProcessor(OTLPSpanExporter(endpoint="http://otel-collector:4317"))
provider.add_span_processor(processor)
trace.set_tracer_provider(provider)

# Auto-instrument Flask
from flask import Flask
app = Flask(__name__)
FlaskInstrumentor().instrument_app(app)

tracer = trace.get_tracer(__name__)

@app.route("/api/users/<user_id>")
def get_user(user_id):
    with tracer.start_as_current_span("fetch-user-from-db") as span:
        span.set_attribute("user.id", user_id)
        # ... database query
        return {"id": user_id, "name": "example"}

Observability Stack (2026)

# docker-compose.yml — Modern observability stack
services:
  otel-collector:
    image: otel/opentelemetry-collector-contrib:latest
    ports:
      - "4317:4317"   # gRPC OTLP
      - "4318:4318"   # HTTP OTLP
    volumes:
      - ./otel-config.yaml:/etc/otelcol-contrib/config.yaml

  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml

  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
    depends_on:
      - prometheus

  tempo:
    image: grafana/tempo:latest
    ports:
      - "3200:3200"

  loki:
    image: grafana/loki:latest
    ports:
      - "3100:3100"

Note: No version field — it is obsolete in Docker Compose V2+ and should be omitted.8

DORA Metrics: Measuring DevOps Performance

The DORA (DevOps Research and Assessment) framework, maintained by Google Cloud, defines the metrics that predict software delivery performance.

The Four Key Metrics

Metric Elite High Medium Low
Deployment Frequency On-demand (multiple/day) Weekly-monthly Monthly-biannually < once per 6 months
Lead Time for Changes < 1 hour 1 day - 1 week 1-6 months > 6 months
Change Failure Rate < 5% 5-10% 10-15% > 15%
Failed Deployment Recovery Time < 1 hour < 1 day 1 day - 1 week > 1 week

2024-2025 DORA Findings

The 2024 DORA report (39,000+ respondents) found that AI-assisted development showed mixed results: 75% reported productivity gains, but delivery throughput decreased an estimated 1.5% and stability decreased 7.2%. Additionally, 39% of respondents reported little to no trust in AI-generated code1.

The 2025 DORA report shifted away from ranking teams entirely, introducing seven team archetypes that blend delivery performance with human factors such as burnout, friction, and perceived value1.

Real-World Case Studies

Etsy: Continuous Deployment Pioneer

Challenge: Manual deployments, infrequent releases. Solution: Built a culture of continuous deployment with feature flags, comprehensive monitoring, and developer-owned deploys. Results:

  • 50+ deployments per day (sustained since 2014)9
  • MTTR reduced by 50%
  • Engineers deploy their own code — no separate release team

Netflix: Cloud-Native at Scale

Challenge: Scale streaming infrastructure to 200+ million subscribers globally. Solution: Microservices architecture (1,000+ services), chaos engineering (Chaos Monkey), progressive deployment with canary analysis. Results:

  • Thousands of deployments per day across independent services10
  • 99.99% availability despite constant change
  • Engineers ship when their service is stable — no coordinated releases

Key Takeaway

Both Etsy and Netflix demonstrate that high deployment frequency correlates with higher stability, not lower — validating the core DORA finding that throughput and stability are not trade-offs but reinforcing capabilities.

Essential DevOps Tools (2026)

By Category

Category Top Tools Notes
Version Control Git, GitHub, GitLab GitHub dominates; GitLab strong for self-hosted
CI/CD GitHub Actions, GitLab CI, Jenkins Jenkins requires Java 17+ since v2.4637
IaC Terraform, Pulumi, OpenTofu OpenTofu is the open-source Terraform fork
GitOps ArgoCD 3.3, Flux 2.8 ArgoCD for centralized; Flux for edge2
Containers Docker, Kubernetes 1.35, Podman K8s follows N-2 support policy4
Configuration Ansible, Chef, Puppet Ansible dominates for agentless management
Observability OpenTelemetry, Prometheus, Grafana, Datadog OTel is the instrumentation standard6
Security Trivy, Sigstore, Semgrep, OPA Supply chain security is now baseline5
IDP Backstage, Port, Cortex Backstage has 89% IDP market share3

DevOps Adoption Roadmap

Phase 1: Foundation (Months 1-3)

  • Implement version control (Git) and branch strategy
  • Set up CI pipeline with automated testing
  • Introduce IaC for at least one environment
  • Establish DORA metric baselines

Phase 2: Automation (Months 3-6)

  • Implement CD pipeline to staging
  • Add security scanning (SAST + container scanning)
  • Set up observability (OTel + Prometheus + Grafana)
  • Introduce feature flags for safe deployments

Phase 3: GitOps & Scale (Months 6-12)

  • Deploy ArgoCD or Flux for GitOps-based delivery
  • Implement supply chain security (Sigstore, SLSA Level 2)
  • Evaluate Platform Engineering / IDP needs
  • Measure and report on DORA metrics quarterly

Phase 4: Platform Engineering (Months 12-18)

  • Deploy Backstage or alternative IDP
  • Define golden paths for common service types
  • Implement self-service infrastructure provisioning
  • Establish FinOps practices for cloud cost optimization

The Future of DevOps (2026-2028)

AI-Assisted DevOps

AI is reshaping DevOps workflows: GitHub Copilot generates CI/CD configurations, AI-powered incident analysis reduces MTTR, and ML-driven anomaly detection catches issues before alerts fire. The 2024 DORA data suggests these tools boost perceived productivity but require careful integration to avoid degrading delivery stability1.

Platform Engineering Maturity

Platform Engineering is evolving from "build an IDP" to "build a product for your developers." In 2026, AI is merging with Platform Engineering — platforms that auto-suggest golden paths, generate boilerplate, and predict resource needs based on workload patterns3.

FinOps Integration

As cloud spending grows, FinOps (financial operations) is becoming inseparable from DevOps. Teams that can attribute infrastructure costs to specific services and teams make better architectural decisions.

Zero-Trust and eBPF

eBPF-based tools (Cilium for networking, Falco for runtime security, Tetragon for observability) are enabling kernel-level security and monitoring without sidecar overhead — a significant shift for Kubernetes-native architectures.

Footnotes

  1. DORA State of DevOps Report 2024 (39,000+ respondents) and 2025 State of AI-Assisted Software Development Report. Google Cloud/DORA. 2 3 4

  2. The New Stack, "Survey: Argo CD Leaves Flux Behind" (2025); CNCF GitOps adoption data. 2 3 4 5

  3. Gartner platform engineering predictions; Port "State of Internal Developer Portals" (2025); Backstage adoption data. 2 3 4 5 6

  4. Kubernetes releases page (kubernetes.io/releases). Current stable: v1.35.3 (March 2026). 2

  5. SLSA v1.1 specification (slsa.dev); Practical DevSecOps "DevSecOps Trends 2026." 2 3

  6. ByteIota "OpenTelemetry 95% Adoption" (2026); Grafana Labs OpenTelemetry Report; CNCF project rankings. 2 3

  7. GitHub Actions releases (March 2026): checkout@v6, setup-java@v5, upload-artifact@v6. Jenkins Java Support Policy: Java 17+ required since v2.463 (June 2024). 2 3

  8. Docker Compose documentation: version field is obsolete since Compose V2.27.0.

  9. Etsy Engineering "Quantum of Deployment" (2026); InfoQ "How Etsy Deploys More Than 50 Times a Day."

  10. Netflix Engineering blog; BunksAllowed "Inside Netflix's Cloud Architecture" (2025).

Continue Learning

Related Posts

Mastering GitOps Workflow Patterns: From Commit to Cluster

Mastering GitOps Workflow Patterns: From Commit to Cluster

GitOpsDevOps
Mastering GitOps: The Future of Cloud-Native Operations

Mastering GitOps: The Future of Cloud-Native Operations

GitOpsDevOps
Edge Deployment in the Cloud-Native Era: Speed, Scale, and Smarts

Edge Deployment in the Cloud-Native Era: Speed, Scale, and Smarts

edge computingcloud native
Infrastructure as Code (IaC) Fundamentals: A Complete 2025 Guide

Infrastructure as Code (IaC) Fundamentals: A Complete 2025 Guide

Infrastructure as CodeDevOps
FREE WEEKLY NEWSLETTER

Stay on the Nerd Track

One email per week — courses, deep dives, tools, and AI experiments.

No spam. Unsubscribe anytime.