Kubernetes Secrets/ENV automation

Hey Guys! I recently came across one use-case where secrets need to be autogenerated and pushed to a secret management tool ( Vault for me).
context:
1) Everytime if we are creating a new cluster for a new client, we create the secrets mannualy api-keys and some random generated strings.( including mongo or postgress connection string). which takes a lot of time and effort.

2) On the release day, comparing the lower environment and upper environment mannually to findout the newly created secrets.

Now we have created a Golang application which will automatically generate the secrets based upon the context provided to it. But still some user intervention is required via cli to confirm secret type ( if its api-key it can't be generated randomly so user needs to pass it via cli).

Does anyone know, how we can more effortlessly manage it ? like one-click solution?
Can someone please let me know how you guys are handling it in your organization?

Thank you!

https://redd.it/1pdupoa
@r_devops

Switching to devops from frontend/fullstack dev

I have 2 YOE and planning to switch to devops from frontend heavy full stack development and banking/fintech domain . Currently my package is 6.2 lpa in mumbai, india. I am targeting for minimum 25 lpa inr for my next switch. I just wanted ur advise on what should I focus more on to get the desired hike and an entry in devops role like getting hands on devops tools and anything else maybe soft skills and also become the best in devops field, currently i am following roadmap from roadmap site.
Thanks🙌🏻

https://redd.it/1pdv72p
@r_devops

Looking for guidance wiz vs orca vs upwind

im trying to pick cloud security platform for one of our client and im kinda stuck. they’re growing fast, and we’re trying to keep things safe while the security team is still taking shape. Right now our DevOps and SRE handle most of it, and they’re stretched enough as it is.

We run fully on AWS and use the native tools, but the alerts stack up. We need clearer signals. Whats exposed. Whats exploitable. What needs attention now, not next month.

We looked at wiz, orca, and upwind. They look similar from the outside. Same claims. Same style. One talks about runtime data through ebpf, one pushes posture, one pushes simplicity. Hard to tell what changes the day to day work. 
Price matters. Ease matters and something that helps a small group keep things under control.

Please tell me about your experience with them. Not the demo version please 🙏.

TIA



https://redd.it/1pdw8bw
@r_devops

Version/Patch Monitoring Service on AWS/GCP/Azure

Hi,

Ya'll know how you have hundreds of services deployed on cloud, each requiring their own upgrade and patch management protocol?

Would there be interest in a small web service that monitors your clusters, dbs, elasticache etc. (just read perms on the versions), shows current version and eol / upcoming patchings, AWS release notes + auto alerts your team and syncs with your calendar?

This is geared for the smb rather than the enterprise that has entire teams devoted to it.

https://redd.it/1pduucq
@r_devops

External Service Certification

Something that I have observed working at different companies (working closely with the dev teams) is what happens when developers want/need to work with third-party services:

I saw this a few times: The team found an external service that seemed to work for a project, but then the questions came from devops:

\-Where is the data stored?

\-How long will this API keep my (and our customers) data?

\-Who else is processing or accessing it behind the scenes?

And does the API even have the certifications needed to keep everything secure and compliant? ( folks working with EU companies will know what I mean here, with GDPR etc).

In smaller companies and startups, this is often not a big problem: things move fast, and the stakes might feel lower. But in bigger companies, with security, compliance teams and standards, this is not the case (You can’t just plug in any API and hope all works out)

Main scenario I have seen: The Security/devops teams need some answers and send a (long) questionnaire. If the service provider cant show/demonstrate where data lives or how data protected, chances are the service does not get approved at all.

Sometimes, that process can drag on which delays things and can even force the team to build something new (from scratch).

So I was wondering how we can kind of put all this in practice: Its not the final result yet but I think its in the right direction.

So, we put together a certification scheme to be able to capture (and show) upfront, structured human AND machine-readable information about how APIs handle data:

\- Location/region that data is stored

\- Retention period (inout and output, logs, metadata)

\- Third parties that might be involved

\- Any Standards and if are actually met (and not just implied) - this could be GDPR, SOC 2 etc.

I think that having this information can help teams move faster, and build features that users (and compliance folks) can trust (or at least not have big objections against lol).

Would like to get your take : What do you think about this idea? What extra information would you find useful to know/see before deciding to move ahead with using n external service?

This is currently how our certificates look like (for the APIs we have certified): https://apyhub.com/catalog (you can check the shield icon next an API).

Nikolas



https://redd.it/1pdvugg
@r_devops

Maintainer Feedback Needed: Why do you run Harbor on Azure instead of using ACR?

Hey all, I am one of the maintainers of CNCF Harbor. I know we have quite a few users who are running Harbor on Azure although there is ACR.

I recently had a discussion with a group of Azure experts, who claimed there is no reason why Harbor would ever be a better fit than ACR.

I was really surprised because that's not the reality we see. I mean, If ACR fits your needs, go with it. Good for you; I am in total agreement with such a decision. ACR is simpler to set up and maintain, and it also integrates nicely into the Azure ecosystem.

From some Harbor users who run on Azure, I know a few arguments why they favor Harbor over ACR.

Replication capabilities from/to other registries
IAM outside Azure, some see that as a benefit.
Works better as an organization-wide registry
Better fitted for cross-cloud and on-prem


Somehow those arguments didn't resonate at all.

So my question is, are there any other deciding factors you decided on for Harbor instead of ACR?
thx.

https://redd.it/1pe0269
@r_devops

Need help to improve my skill in GitHub CI/CD

Hi guys, for past few days I have learnt Linux and git. by using chatgpt I practiced some basic things, i want to push my level from basic to medium level.
My goal is to be understand better and improve skill in cloud and devops world!
Guidance and helps are welcome


https://redd.it/1pe2dkn
@r_devops

Is Golden Kubestronaut actually worth it? Looking for honest opinions from the community

Hey everyone,

I'm a Senior Cloud Architect (10+ years experience) currently holding Kubestronaut certification along with Azure Solutions Architect and a bunch of other certs. I've been seriously considering going for Golden Kubestronaut but the more I think about it, the more I'm second-guessing myself.

Here's my dilemma:

The Cost Reality:
- 5-6 additional certs to maintain = ₹75,000-1,50,000 just for exams
- Renewal costs every 2-3 years = another ₹50,000+
- Realistically 200-300 hours of study time
- That's time away from actual hands-on work
- had to pay from own pocket as employer is not covering the cost

Pros I can see:
- Ultimate flex in the K8s community - only ~200 people worldwide have it
- Opens doors for conference speaking and community leadership
- Shows insane dedication and commitment
- Might help with consulting opportunities
- Resume definitely stands out in the pile

Cons I'm worried about:
- The certs I'd need to add (11+) seem less valuable than what I already have (CKA/CKS/CKAD)
- Most hiring managers don't even know the difference between Kubestronaut and Golden Kubestronaut
- Knowledge retention is already a problem - I don't use half the stuff I learned for exams daily
- That ₹1,50,000 could build a sick home lab where I'd actually learn practical skills
- My current Kubestronaut already proves I know K8s deeply
- Salary bump seems minimal - maybe 5-10% at most?

Alternative I'm considering:
Taking that same money and time to either:
1. Build a proper home lab (3-node K8s cluster + NAS) for hands-on practice
2. Get GCP or AWS certification to become multi-cloud
3. Learn Platform Engineering (Backstage, ArgoCD, Crossplane)
4. Focus on FinOps certification (seems to have better ROI)

My real question:
For those who've achieved Golden Kubestronaut - was it actually worth it career-wise? Did it open doors that regular Kubestronaut didn't? Or is it more of a personal achievement thing?

And for hiring managers - does Golden Kubestronaut actually make a candidate significantly more attractive, or is regular Kubestronaut + solid project experience better?

I'm leaning towards skipping it and focusing on practical skills + multi-cloud, but I'd love to hear from people who've been in this position. Especially interested in hearing from people who chose NOT to pursue it after getting Kubestronaut.

Thanks for any insights!

https://redd.it/1pe3ure
@r_devops

failed KCNA three times

I'm kind of at a loss here...I've gotten a 71/75 exactly ... three times. I know kubernetes relatively well... have gone through the kodekloud course multiple times, practice exams from udemy, have done all the HOL on kodekloud multiple times.

all 3 times I am finding questions that were not covered in any of those resources... multiple specifics on networking, security, 3rd party players like ArgoCD etc. Just feel like each time I prepare I am not properly prepped for these off the wall questions.

any tips? I have one more retake left...

https://redd.it/1pe5130
@r_devops

IS AI the future or is a big scam?

I am really confused, I am a unity developer and I am seeing that nowdays 90% of jobs is around AI and agentic AI

But at the same time every time I ask to any AI a coding task
For example how to implement this:
https://github.com/CyberAgentGameEntertainment/InstantReplay?tab=readme-ov-file

I get a lot of NONSENSE, lies, false claiming, code that not even compile etc.

And from what I hear from collegues they have the same feelings.

And at the same time I not see in real world a real application of AI other then "casual chatting" or coding no more complex than "how is 2+2?"

Can someone clarify this to me? there are real good use of ai?

https://redd.it/1pe6ho7
@r_devops

Bitbucket bait-and-switched, now charging $15/month per self-hosted runner

I saw this morning that Bitbucket has announced self-hosted runner v5 which comes with some interesting new features, but they also changed their pricing from no charge for self-hosted runners to $15/month per concurrent build slot. So now if you're trying to run multiple builds at once or parallelizing releases on your own hardware they want you to pay for the privilege.

This seems crazy to me as we are using self-hosted runners to save money by using our own hardware for builds. We just spent months moving a bunch of our pipelines over to BB and it just seems so wrong that after all that, they can just threaten to make our releases (which rely on parallelizing pipelines) take over 10x as long unless we want to pony up a monthly fee that we really can't afford on top of what we're already paying for users and hardware or instances to actually run the builds.

Github doesn't charge for self-hosted runners. Gitlab doesn't either. It looks like CircleCI does but included concurrency is higher, or unlimited if you have an enterprise plan. So this feels like a total ripoff and a bait-and-switch because they know moving to another CI platform is a massive undertaking.

https://www.atlassian.com/blog/bitbucket/announcing-v5-self-hosted-runners

https://redd.it/1pe8wzd
@r_devops

Snyk AI-BOM CLI launched on Product Hunt today

Hey ops friends, how are you getting a grip on scattered AI usage across the org?

Snyk launched AI-BOM today on Product Hunt that shows how it works via the CLI:

$ snyk aibom --experimental

If you head over to producthunt.com and scroll down there's a video and more screenshots that show how it works.

Curious to get feedback and any input you have if you at all are concerned about discovery and rogue usage of LLMs, AI libraries like LangChain, AI SDK or other libraries without IT approval, or even just one-offs MCP servers downloaded from the Internet.

https://redd.it/1pe928d
@r_devops

Observability Overload: When Monitoring Creates More Work Than It Saves

I've set up comprehensive monitoring and alerting, but now I'm drowning in data and alerts. More visibility hasn't made things better, it's made them worse.

**The problem:**

* Hundreds of metrics to track
* Thousands of potential alerts
* Alert fatigue from false positives
* Debugging issues takes longer because of so much data
* Can't find signal in the noise

**Questions:**

* How do you choose what to actually monitor?
* What's a reasonable alert threshold before alert fatigue?
* Should you be alarming on everything, or just critical paths?
* How do you structure alerting for different severity levels?
* Tools for managing monitoring complexity?
* How do you know monitoring is actually helping?

**What I'm trying to achieve:**

* Actionable monitoring, not noise
* Early warning for real issues
* Reasonable on-call experience
* Not spending all time responding to false alarms

How do you do monitoring without going insane?

https://redd.it/1pe7r1f
@r_devops

IT profile

Guys, help me with something, in humility without trying to make fun lol

I've been in the IT area for about 6 years, I started working as an IT intern, I did everything.

At the time I was working with ERP Protheus, it gave me very good information about the system, how a company operates, etc., but I didn't have much contact with anything.

I was hired as an assistant, assistant and then as an analyst. I was responsible for the IT department, support, networks, telephony, new solutions, updating and supporting the ERP, testing, I was responsible for servers such as AD, DNS, DHCP, etc...

I changed jobs and joined as an analyst, it was just me in the department, a company with 250 employees.

I had to make do in my 30s, I had no passwords, no processes, no management... Nothing.

Today I am an IT supervisor and lead another analyst and other third parties who provide services.

I manage the network of the headquarters and branches, including markets, I am responsible for bringing new solutions, I create reports in SQL for senior management, I take care of cloud telephony, I am the administrator of the ERP system, I manage other security solutions, I manage cell phones with MDM, I design networks and cameras for new and existing units.

I feel like Severino and I don't even earn 5,000.00, well, I'm lost, there are so many fronts that I need to focus on that I can't say what I am, what I do, how much I deserve, etc...

Has anyone reached this stage, and if so, what did you do to get out?

I see myself as more in the management field than in the technical field, but at the same time I like to be ahead and resolve particular issues that keep the company running.

At the same time that I do a lot of things and post them on LinkedIn, I haven't had a single visitor interested in me in all this time.

This makes me feel like I'm out of date and that companies don't look at professionals with my profile, which scares me.

https://redd.it/1pecqef
@r_devops

I built a tool that generates your complete reliability stack from a single YAML file

What it does:
Define service once in YAML (name, tier, dependencies, SLOs)
Generate: Grafana dashboards, Prometheus alerts, PagerDuty setup, SLOs
Technology-aware: knows PostgreSQL, Redis, Kafka, etc. have different metrics
See reliability health across all your services in one command

Example output for a payment-api service:
12-28 panel Grafana dashboard (based on dependencies)
400+ battle-tested Prometheus alerts
PagerDuty team, escalation policy, service (tier-based defaults)
SLO definitions with error budget tracking

Bonus - org-wide visibility:

$ nthlayer portfolio
Overall Health: 78% (14/18 SLOs meeting target)
Critical: 5/6 healthy
! payment-api needs reliability investment

Works with your existing stack - generates configs for the tools you
already use.

Live demo: https://rsionnach.github.io/nthlayer

Early alpha - feedback welcome from folks who deal with this toil daily.

GitHub: https://github.com/rsionnach/nthlayer

https://redd.it/1pedzz0
@r_devops

So what does the career path of a really good DevOps engineer look like?

As a new grad in computer science and someone who's intermediate at full stack engineering, I've just decided to pivot to a junior devops role at a company my friend is referring me to. I found it interesting and I also wrote a bit of code in GO and I loved it.

I was curious, let's say if you're a really good devops engineer who decides to work hard at it and get CKA and AWS certified. What does the career path of such a engineer look like and potential income levels they can reach?

And finally, what entrepreneurial opportunities are open to you with this skillset and experience in the tech industry? Consulting?

https://redd.it/1peorui
@r_devops

How good is devops as a career?

So, currently I am working as a QA on a certain company. I am currently doing bachelors and will graduate this coming september of 2026. I am planning to choose devops as my career and will try to go abroad for further studies. How good is devops as a career and how hard it is to reach a certain good level? What is the market requirements for a DevOps intern? Can anyone help me with this?


https://redd.it/1peps4g
@r_devops

Cloudflare is down again

All I see is "500 Internal Server Error"... almost everywhere...

Is it just me?

https://redd.it/1peqa4c
@r_devops

CycloneDX or SPDX

Hi everyone! We (BellSoft) are trying to determine which SBOM format to use for our hardened images. There are obvious considerations: SPDX is more about licenses, while CycloneDX is more about security.

But what we don't know - what actual people want/need/prefer to use.

So, here's the question: what do you need/use/want? And another one: which tools you are using support which format?

https://redd.it/1peqqdx
@r_devops

How do you guys get into Cloud with no previous experience

Some things about me first.

I started out as a junior software engineer building websites. I found a lot of people were not paying so i decided to chase my other love, security and hacking. I tried the freelance thing for \~2 years.

Started a new job in a security operation center. The job was fun at the start, but as i kept learning more and getting more responsibilities i found out that it has nothing to do with what i had in mind, at least on in most companies in Greece. In the end of the day it was just us overselling other peoples products. But i build up a lot of experience in managing linux servers, elk stack, networking etc. I stayed on that job 2 years.

Then i got an offer from a friend to work as a sysadmin. There i got to work with backups, deploying new software, ansible, jenkins, hetzner(mostly managing dedicated servers), managed and installed dbs(mariadb), proxies, caches, self hosted emails, dns and a loooot in general. I also coded a lot in go and python which i loved. Stayed there 4+ years. Job was fine but the employer crossed a lot of lines that made people quit and the environment stopped being what it was.

Then due to all the knowledge i got from all these jobs i decided that i actually love what people called devops. And i chased that position next!

Now i have been working as a devops engineer for the past 5 years, working with kubernetes(all kinds of flavors), deploying with bamboo, automating a ton of stuff everyday, managing vms, dockerizing apps, deploying in all kinds of envornments, managing kafka clusters(mainly cdc via strimzi, sync via mm2) and lately been into using azure(foundry + ai search) to create agents that serve our documentation to users to improve on-boarding and generally assist people across all managerial positions that raise the same questions again and again or developers that needs specific environment info, how to's etc.

So whats all this intro about? Cloud is nowhere to be seen. Terraform is nowhere to be seen. ArgoCD is nowhere to be seen. And these are the big 3 right now in terms of wanted skills. I even made my own projects, used these tools, got certifications(AZ-900, AZ-104, terraform associate) but i never got to use them since i got them, so now i cant say that i even know anything. Its been 3 years since i got these. And i cant go around paying myself all the time to learn something that i wont get to use anytime soon.

My main problem is, how on earth do you get into these positions in any way other than taking a huge pay cut and start again from a lower position? Companies, at least where i live, do not seem to care for the fact that all that these are, are tools, and with the experience one carries will catch up fast, given some time.

You either got what they want, or you dont. And with devops evolving every other year(with AI/MLOps being the new shiny thing) how can you get into these areas if your company is not setup to use these tools and technologies? I wish i had enough money to throw around into new projects. But i dont. How do you guys manage to follow through the tech evolving and not stay behind? What has your experience been so far with getting into positions where you lack some of the knowledge the listing needs?

https://redd.it/1peqoij
@r_devops

Building a complete Terraform CI/CD pipeline with automated validation and security scanning

We recently moved our infrastructure team off laptop-based Terraform workflow. The solution was layered validation in CI/CD. Terraform fmt and validate run in pre-commit hooks. tflint catches quality issues and deprecated patterns during PR checks. tfsec blocks security misconfigurations like unencrypted buckets or overly permissive IAM policies. Then Conftest with OPA enforces organizational policies that used to live in wikis.

One key decision was using OIDC authentication instead of long-lived access keys. GitHub Actions authenticates directly to AWS without storing credentials. Every infrastructure change requires PR review, shows the plan output as a comment, and needs manual approval before apply runs.

Drift detection runs on a schedule and creates issues when it finds manual changes. Infracost posts cost estimates in PRs so expensive mistakes get caught during review. The entire pipeline uses open-source tools and works without Terraform Cloud.

Starting advice: don't enable every security rule at once. You'll get 100+ warnings and your team will ignore it. Start with HIGH severity findings, fix those, then tighten gradually.

I documented the complete setup with working GitHub Actions workflows and policy examples: Production Ready Terraform with Testing, Validation and CI/CD

What's your approach to Terraform governance and automated validation?

https://redd.it/1pet61x
@r_devops