Michał Sulawiak - Senior DevOps for production AI infrastructure

Static Web Apps + AKS

How this page is served

Right now you're on the always-on front, served by Azure Static Web Apps. The same build runs on a private AKS cluster, deployed by Helm, during an on-demand live window.

In a live window, the app and a Grafana dashboard are both served from the cluster, no login.
Ingress is outbound-only. The AKS API server is private (CI reaches it over Tailscale), and app traffic arrives through a Cloudflare Tunnel the cluster dials out itself, so nothing on it listens to the internet.
Every run writes its own proof - cosign verify and kubectl output - to docs/evidence.

aks-proof · 2026-06-19T15-22-28Z

commit: 54eab67
image: ✓ cosign verifiedsha256:74eca7ac6b…
node: aks-system-24544743-vmss000000
app /healthz: HTTP 200

Captured by the deploy-aks pipeline and committed to the repo - view the full run ↗.

Source on GitHub Architecture docs

Inside the platform

What it looks like running

The cluster's own Grafana and the Azure resources behind it. Screenshots are local assets - no remote images, so the page still makes zero external requests.

Azure portal Resources blade for the rg-newcode-cv resource group: container registry, AKS cluster, Azure Managed Grafana, Azure Monitor workspace, Key Vault, Log Analytics workspace, Static Web App and managed identities, all in Sweden Central. — Azure portal - rg-newcode-cv (click to enlarge)

In-cluster Grafana RED dashboard: requests per second, connections handled versus accepted, active connections, a 0% dropped-connection ratio and total requests handled. — In-cluster Grafana - RED dashboard (click to enlarge)

Newcode.ai role

The job requirements, and where each one lives

Each row links to the file in this repo that backs it.

#	Requirement	What's there	Proof in this repo	✓
01	Azure (IaC)	Whole platform - RG, AKS, ACR, Key Vault, monitoring - is Terraform.	terraform/aks.tf	✓
02	AKS	Private-API-server cluster; nodes, identities, add-ons codified.	terraform/aks.tf	✓
03	Terraform	azurerm remote state; pinned providers; OIDC plan/apply in CI.	terraform/main.tf	✓
04	Helm	cv-site chart: Deployment, HPA, PDB, ServiceMonitor, NetworkPolicy.	helm/cv-site/Chart.yaml	✓
05	GitHub Actions	Build, scan, sign, then helm-upgrade to private AKS over Tailscale.	.github/workflows/deploy-aks.yml	✓
06	Multi-tenant isolation	Per-tenant namespaces with default-deny NetworkPolicy.	helm/cv-site/templates/networkpolicy.yaml	✓
07	Model-serving infra	Reproducible container + Helm pattern for serving any AI workload.	docs/architecture.md	✓
08	Monitoring / alerting	Managed Prometheus ServiceMonitor + Grafana RED dashboard + SLO.	SLO.md	✓
09	Security	Zero secrets in repo: OIDC, Key Vault + CSI, gitleaks, Trivy, cosign.	SECURITY.md	✓
10	AI agents	How this platform hosts agentic AI workloads for legal/pro services.	docs/ai-agents.md	✓

15+ years in production infrastructure

Track record

AI Delivery Lead, Sky. Led delivery of a governed, multi-tenant agentic-AI platform - security gateway, sandboxed agent runtime, approval-aware tool registry and RAG - across Azure, AWS and GCP, and industrialised AI across the software-delivery lifecycle.
Senior Azure Architect & DevOps, PwC. Built Azure DevOps CI/CD with FinOps and on-demand AKS, pipeline templates and automated secret rotation; audited an enterprise platform on AKS / Terraform / GitOps; led Microsoft-stack upskilling for a large engineering group.
Lead Azure Architect & DevOps, Lingaro. Azure DevOps + Terraform CI/CD, AKS and Ansible at scale - high-availability clusters and repeatable deployments.
Earlier: infrastructure architecture and systems administration across many SMEs (Linux/Windows, virtualization, DR). MSc Robotics. Microsoft Certified: Azure Solutions Architect Expert.

A dozen-plus smaller companies

Independent delivery

Alongside contracting, I've delivered automation and platform work for a dozen-plus smaller companies - software houses, businesses automating their operations, IT product teams, and my own back office. A few of them:

Multi-agent AI delivery platform - an orchestrator spawning ephemeral agent containers, with all side-effects routed through an authenticated, audited gateway (per-caller allow-lists, network-isolated egress); plus a GitHub-driven agent crew (Planner / Developer / Reviewer) that runs Issue → PR → merge.
AI product stack - chatbot, RAG connectors, MCP integrations and a Teams-RAG assistant, packaged for repeatable deployment.
GPU inference service - audio/video transcription with speaker diarization (Whisper / NeMo), GPU images built and shipped through GitHub Actions.
Bare-metal GPU server, deployed and AI-operated end to end - a dual-Blackwell box (2× RTX 6000 Pro / 192 GB VRAM, 64-core Threadripper, ECC RAM, ZFS NVMe) on Proxmox with VFIO GPU passthrough, NVIDIA / CUDA and a container GPU runtime, Tailscale-only access and Cloudflare-Tunnel ingress - provisioned by Ansible + GitHub Actions and managed through an AI ops workflow.
Product apps with full CI/CD - e.g. an OCR-based invoicing/accounting app (Next.js, PostgreSQL, object storage, job queue) on a containerized deploy pipeline.
Infrastructure tooling - GitOps VM-fleet automation (Ansible + GitHub Actions over Tailscale) and a Terraform-managed edge (Cloudflare DNS / WAF / origin certs / Zero-Trust tunnels in front of an NGINX reverse proxy).

OIDC · Key Vault · cosign

No secrets in a public repo

OIDC, not stored keys OIDC

Azure auth uses GitHub workload-identity federation. No service-principal secrets exist in the repo or CI.

Key Vault + CSI KEYVAULT

In-cluster secrets (like the tunnel token) come from Azure Key Vault through the Secrets Store CSI Driver and Workload Identity.

Secret scanning GITLEAKS

gitleaks runs pre-commit and in CI; a detectable secret fails the build before it merges.

Signed, scanned images COSIGN

Trivy blocks HIGH/CRITICAL CVEs; cosign keyless signs every image and the deploy verifies that signature.

Read SECURITY.md

Engagement

Get in touch

This whole platform - AKS, signing, monitoring, tenant isolation - is built and run by the pipelines in this repo, starting from an empty Azure subscription. If that's what you're hiring for, get in touch.

LinkedIn: michal-sulawiak
Code: github.com/sullson/newcode-devops

Browse the repo ↗