Skip to main content

DevOps Tools by Layer

A practitioner map of DevSecOps tooling what to learn first, alternatives, and how each layer connects in production.


DevOps Tools by Layer

Production platforms stack tools in layers. Learn the layer's job before memorizing vendor names. This guide reflects stacks seen across AWS, GCP, Azure, and on-prem Kubernetes.


Layer model


Must-learn vs alternatives

LayerLearn firstCommon alternativesWhen to switch
Version controlGit + GitHub or GitLabBitbucket, Azure ReposOrg mandate
CI/CDGitHub ActionsJenkins, GitLab CI, CircleCI, Azure PipelinesSelf-hosted plugins, enterprise templates
ContainersDockerPodman, containerd directRootless, no daemon
OrchestrationKubernetesNomad, ECS, Cloud RunSimpler workloads, serverless
IaCTerraformOpenTofu, Pulumi, CloudFormation, BicepPolicy, language preference
Config managementAnsibleChef, Puppet, SaltLegacy estates
GitOpsArgo CD or FluxSpinnakerK8s-native delivery
MetricsPrometheus + GrafanaDatadog, CloudWatch, Azure MonitorManaged budget, correlation
LogsLoki or ELKSplunk, Cloud LoggingScale, compliance
TracesOpenTelemetryJaeger, Tempo, vendor APMStandardization
SecretsVault or cloud KMSSealed Secrets, SOPSCloud-native vs portable
PolicyOPA / GatekeeperKyverno, cloud policy enginesK8s admission focus
SASTSemgrep, CodeQLSonarQube, CheckmarxLanguage coverage
SCADependabot, SnykGrype, Trivy in CILicense + CVE depth

Learning order (practical)

  1. Git + one CI every other tool hooks here.
  2. Docker + Compose before Kubernetes complexity.
  3. Terraform one module you reuse across projects.
  4. Kubernetes + Helm one cluster, three apps.
  5. Prometheus/Grafana or cloud monitor one golden-signals dashboard.
  6. One scanner in CI fail builds on critical CVEs.
  7. Vault or managed secrets rotate one credential end-to-end.

Anti-patterns

TrapBetter approach
Adopting Kubernetes for a single monolithManaged PaaS or VMs until team size justifies ops cost
Five overlapping CI systemsStandardize on one; wrap exceptions
Dashboards without ownersEach dashboard has a team and on-call rotation
Security tools with no enforcementPolicy gate in pipeline or admission controller

Hands-on labs (self-guided)

LabTimeProves
Dockerfile + multi-stage build2 hImage hygiene
Terraform remote state + workspace4 hIaC discipline
Helm chart with values per env4 hPackaging
Argo CD sync from git tag4 hGitOps
Trivy scan in GitHub Action2 hDevSecOps gate

Research Core deep dives