Open to work | Platform Engineer, Cloud Engineer & SRE roles - full-time or consulting | Open to relocation and international opportunities—let’s connect and discuss how I can contribute to your team.Open to work | Platform Engineer, Cloud Engineer & SRE roles - full-time or consulting | Open to relocation and international opportunities—let’s connect and discuss how I can contribute to your team.Open to work | Platform Engineer, Cloud Engineer & SRE roles - full-time or consulting | Open to relocation and international opportunities—let’s connect and discuss how I can contribute to your team.Open to work | Platform Engineer, Cloud Engineer & SRE roles - full-time or consulting | Open to relocation and international opportunities—let’s connect and discuss how I can contribute to your team.

Blogs

Thoughts on DevOps, Software Engineering, and homelab experiments.

From branch to production: automating multi-environment deployments with GitHub Actions and Argo CD on EKS

How I run 20+ developer environments plus testing, staging and production across two AWS accounts with one standalone deploy-pipeline repo whose workflow every microservice reuses — GitHub Actions building images, self-hosted runners reaching private EKS, and per-cluster Argo CD doing the syncs. On-demand dev deploys, auto-drafted releases and a branch-to-production promotion flow that never rebuilds the artefact.

KubernetesGitOpsCI/CD+1

Building a Kubernetes operator in Go: automating SPIFFE workload registration

In the previous post I registered SPIFFE entries by hand with spire-server entry create. Here I build the Kubernetes operator that automates it — a controller-runtime reconciler that watches Deployments and registers them with the SPIRE Entry API, finalizer cleanup and Prometheus metrics included.

KubernetesGoOperators+1

Implementing zero trust workload identity with SPIFFE/SPIRE on Kubernetes

Static API keys and shared secrets don't scale, and they all hit the Secret Zero problem. Here's how SPIFFE and SPIRE give every workload a short-lived, attested identity on Kubernetes — with production manifests, go-spiffe mTLS and the operational reality of running it.

KubernetesSecurityZero Trust+1

Beyond 200 OK: connecting LLM traces to business outcomes with OpenTelemetry

The application-level semantic layer of LLM observability: representing user intent, answer quality and business outcomes as telemetry on the trace, and correlating spans with eval results and feedback to see whether the AI served the user.

AIObservabilityOpenTelemetry+1

Implementing SLOs and error budgets in production

How to turn reliability from a gut feeling into a measurable, negotiated target — choosing good SLIs, setting honest SLOs, deriving an error budget and wiring up multi-window burn-rate alerts in Prometheus.

SREReliabilityObservability+1

Building an AI platform on Kubernetes

Once three teams have each rebuilt GPU scheduling, model serving and RAG plumbing, you don't have an AI strategy — you have three. Here's how to turn that into one paved road on Kubernetes: a gateway, a serving layer, GPU compute and the cross-cutting concerns that make it production-grade.

AIKubernetesPlatform Engineering+1

Observability for AI applications with OpenTelemetry

LLM apps fail in ways ordinary services don't — silent quality drops, runaway token costs, latency you can't explain. Here's how to instrument them with OpenTelemetry's GenAI conventions and see tokens, cost, latency and traces in Grafana.

AIObservabilityOpenTelemetry+1

Zero-downtime Kubernetes upgrades: a production-ready strategy

Kubernetes ships three releases a year and you can't skip them — here's how to keep clusters current without users ever noticing, covering version skew, pre-flight checks, workload readiness and a careful node rollout.

KubernetesReliabilitySRE+1

Spot instances in production: when to use them, when not to and how to maintain availability

When spot instances are the right call, when not to use them at all, and how to keep a service available even as AWS reclaims nodes underneath it. A workload-by-workload model with the reasoning behind each decision.

AWSSpot InstancesReliability+1

Reducing Kubernetes costs by 35% with Karpenter and spot instances

How we cut an EKS compute bill by roughly a third — replacing static node groups with Karpenter, running the stateless majority on spot and letting consolidation reclaim idle capacity, without trading away reliability.

KubernetesAWSKarpenter+1

Analysing incidents in plain language with MCP and AI

Investigating incidents by asking questions in plain language — exposing Prometheus, Loki and Tempo as tools an AI assistant calls over the Model Context Protocol, instead of reaching for PromQL, LogQL and TraceQL.

AIMCPObservability+1

Building a RAG pipeline with pgvector and vLLM

How retrieval-augmented generation grounds an LLM in your own data — chunking, embeddings, vector search with pgvector and generation with a self-hosted vLLM endpoint.

AIRAGPostgreSQL+1

Private networking on AWS for GDPR and ISO 27001 compliance

How to design an AWS VPC that keeps workloads private, auditable and aligned with GDPR, ISO 27001 and PCI-DSS — using private subnets, VPC endpoints, flow logs and Terraform.

AWSNetworkingCompliance+1

Application performance monitoring with OpenTelemetry, Grafana and Tempo

How to set up application performance monitoring using OpenTelemetry for instrumentation, Tempo for traces and Grafana for unified visibility.

ObservabilityOpenTelemetryGrafana+1

Deploying AI inference on Kubernetes

A practical guide to running AI model inference workloads on Kubernetes with vLLM — resource limits, autoscaling and serving at scale.

KubernetesAIPlatform Engineering+1

Kubernetes and Cloudflare Tunnel: Zero Trust private networking without a public IP

How to expose Kubernetes services securely using Cloudflare Tunnel and Zero Trust, with no open inbound ports.

KubernetesCloudflareNetworking+1