Looking for Guidance & Referrals in DevOps — Tough Year, Still Trying to Stand Strong

Hi everyone,
I hope you're all doing well. I don’t usually post things like this, but today I really needed to take a chance and reach out.

This year has been extremely difficult for me — I’ve faced losses both in my family and in my personal life. Through it all, I’ve tried to stay focused on my work and on becoming a better version of myself every day. But lately things have become emotionally and mentally exhausting.

I’m currently working in a service-based company, but I feel stuck and burned out. I’m passionate about DevOps and truly want to grow in this field I have 2.5 years of work ex. I’m actively looking for opportunities where I can contribute, learn, and be part of a team that values ownership, automation, and good engineering culture.

If anyone here is hiring for DevOps / SRE / Platform Engineering roles or knows someone who is, a referral or even guidance would mean a lot to me right now. I’m not looking for sympathy — only for a fair chance to prove myself.

Here’s my LinkedIn if someone wants to connect or check my profile:
🔗 **linkedin.com/in/nipun-kumar-85544a190/**

Thank you to everyone who took the time to read this. Even a small suggestion or connection can make a big difference. I truly appreciate it. 🙏

https://redd.it/1pfvkcq
@r_devops

🚀 Announcing Guardon v0.4 — Real-Time Kubernetes YAML Validation in Your Browser!

Hi everyone! 👋

I’m thrilled to share the release of **Guardon v0.4**, a browser extension that validates Kubernetes YAML *directly inside GitHub and GitLab* — no clusters, servers, or CI pipelines required. This release brings a major leap forward in usability, policy coverage, collaboration, and real-world cluster alignment.

# ✨ What’s New in v0.4

# 🔧 Interactive Rule Management

Create, edit, group, and organize rules visually — no coding required.

# 📦 Import & Export Rule Packs

Instantly load policy bundles, including:

* Custom enterprise rule packs

# ⚡ Live YAML Validation + Autofix

As you browse PRs, files, and diffs, Guardon:

* Detects misconfigurations in real time
* Provides actionable explanations
* Suggests copy-paste–ready fixes

# 📘 OpenAPI & CRD Schema Import

Validate manifests against **your actual cluster schema** for true environment-specific accuracy.

# 🤝 Collaboration & Team Workflows

Share rule packs, annotate findings, exchange feedback, and standardize policies across teams.

# 🧩 No-Code / Low-Code Policy Authoring

Enable security, DevOps, and platform teams to define guardrails without writing complex policy code.

# 🔒 Privacy-First Architecture

Everything runs locally in your browser.
No data leaves your machine — ever.

# 🔗 Useful Links

* **📘 README & Documentation:** [*https://github.com/guardon-dev/guardon/blob/main/README.md*](https://github.com/guardon-dev/guardon/blob/main/README.md)
* **🧩 Chrome Extension:** [*https://chromewebstore.google.com/detail/jhhegdmiakbocegfcfjngkodicpjkgpb?utm\_source=item-share-cb*](https://chromewebstore.google.com/detail/jhhegdmiakbocegfcfjngkodicpjkgpb?utm_source=item-share-cb)
* **💻 GitHub Repository:** [*https://github.com/guardon-dev/guardon*](https://github.com/guardon-dev/guardon)



# 🌐 Community & CNCF Journey

Guardon has successfully completed the **CNCF TAG-Security self-assessment**, and I’m actively working toward **CNCF Sandbox submission**. Community adoption, contributors, and early feedback will be critical to shaping its future direction.

# 🙏 Looking for Feedback & Contributors

Your feedback, suggestions, and contributions mean a lot!
Please give Guardon a try, share your thoughts, and help build the next generation of Kubernetes security tooling.

Thanks for your support — and more exciting updates are on the way! 🚀

https://redd.it/1pfuzse
@r_devops

Digital Ocean's bandwidth pricing is criminal. Any alternatives for image hosting?

 I run a small image hosting service for a niche community. My droplet bill is fine, but the bandwidth overage fees on Digital Ocean are starting to cost more than the server itself.

I am testing a migration to virtarix because they claim unmetered bandwidth on their NVMe plans. It almost feels too good to be true. I moved a backup bucket there last week and transfer speeds were consistent, but I am worried about hidden "fair use" caps.

Has anyone pushed more than 10TB/month through their pipes? Did they throttle you?



https://redd.it/1pfyc2d
@r_devops

is it possible to see request and response for API call in Dynatrace?

Hi All!
is it possible to see request and response for HTTP/Rest API in Dynatrace? I couldn't find it. It detects an API call but I cannot find what was the request

https://redd.it/1pfuqab
@r_devops

can you actually automate end to end testing without coding or is that fantasy?

Non technical founder here trying to figure out testing for our saas product. We have 2 developers and they're focused on building features, don't have bandwidth to also become testing experts.

I keep seeing ads for tools that claim you can automate testing without writing code, just record what you're doing and it creates tests automatically. Sounds too good to be true but figured i'd ask if anyone has actually used these successfully.

Main concern is we keep shipping bugs to customers and it's embarrassing. Need some way to catch obvious issues before they go live but don't have budget to hire qa team yet.

Is no code test automation legit or am i gonna waste money on something that doesn't actually work? Would rather pay for a tool than have developers spend weeks learning selenium if there's a faster option.

https://redd.it/1pg6gj5
@r_devops

Built a GitHub based life metrics tracker

I've been journaling my daily metrics (mood, sleep, exercise, habits) for a while and wanted a better way to visualize the data without giving it to some random app.

So I built Gitffy - a life metrics dashboard that reads from a markdown file in your private GitHub repo.

How it works:

\- You maintain a life.md file in a private repo with daily entries

\- Connect Gitffy to your GitHub (via GitHub App)

\- It parses the markdown and shows charts, trends, and insights

\- Auto-syncs when you push changes - no manual uploads

Example entry format:

\## 2024-12-07

\- mood: 8

\- sleep: 7.5

\- exercise: running

\- coffee: 2

\- productivity: 7

Features:

\- Multiple chart types (line, bar, radar, etc.)

\- Dark/light mode

\- AI-powered insights (optional, uses Gemini)

\- Timeline and day-detail views

\- Your data stays in YOUR repo

Why GitHub?

\- Version history for free

\- Private repos = your data stays private

\- Edit from anywhere (phone, VS Code, etc.)

\- No vendor lock-in - it's just markdown

Live at: gitffy.com

Payments not live yet

Would love feedback! What metrics do you track daily?

https://redd.it/1pg7tsg
@r_devops

For people who are on-call: What actually helps you debug incidents (beyond “just roll back”)?

I’m a PhD student working on program repair / debugging and I really want my research to actually help SREs and DevOps engineers. I’m researching how SRE/DevOps teams actually handle incidents.

Some questions for people who are on-call / close to incidents:

1. Hardest part of an incident today?
* Finding real root cause vs noise?
* Figuring out what changed (deploys, flags, config)?
* Mapping symptoms → right service/owner/code?
* Jumping between Datadog/logs/Jira/GitHub/Slack/runbooks?
2. Apart from “roll back,” what do you actually do?
* What tools do you open first?
* What’s your usual path from alert → “aha, it’s here”?
3. How do you search across everything?
* Do you use standard ELK stack?
4. Tried any “AI SRE” / AIOps / copilot features? (Datadog Watchdog/Bits, Dynatrace Davis, PagerDuty AIOps, [incident.io](http://incident.io) AI, Traversal or Deductive etc.)
* Did any of them actually help in a real incident?
* If not, what’s the biggest gap?
5. If one thing could be magically solved for you during incidents, what would it be? (e.g., “show me the most likely bad deploy/PR”, “surface similar past incidents + fixes”, “auto-assemble context in one place”, or something else entirely.)

I’m happy to read long replies or specific war stories. Your answers will directly shape what I work on, so any insight is genuinely appreciated. Feel free to also share anything I haven’t asked about 🙏

https://redd.it/1pg8e1c
@r_devops

Cloud Metadata Service Exploitation: IMDSv1's Open Door to AWS Credentials ☁️

https://instatunnel.my/blog/cloud-metadata-service-exploitation-imdsv1s-open-door-to-aws-credentials

https://redd.it/1pg8qkr
@r_devops

Built a self-service platform with approvals and SSO. Single Binary

I wanted to share Flowctl which is an open-source self-service platform that can be used to turn noscripts into self-service offerings securely. This is an alternative to Rundeck. It supports remote execution via SSH. There is in-built support for SSO and approvals. Executions can wait for actions to be approved.

Workflow definitions are simple YAML files that can be version controlled. Flows are defined as a list of actions that can either run locally or on remote nodes. These actions can use different executors to run the noscripts.

I built Flowctl because I wanted a lighter-weight alternative to Rundeck that was easier to configure and version control. Key features like SSO and approvals are available out of the box without enterprise licensing.

## Features

SSO and RBAC
Approvals
Namespace isolation
Encrypted executions secrets and SSH credentials
Execution on remote nodes via SSH
Docker and noscript executors
Cron based scheduling
YAML/HUML based workflow definitions.

## Use Cases

Database migrations with approval
Incident response
Server maintenance
Infra provisioning with approvals

Homepage - https://flowctl.net
GitHub - https://github.com/cvhariharan/flowctl

https://redd.it/1pgbtiv
@r_devops

Certificate Ripper v2.6.0 released - tool to extract server certificates

* Added support for:
* wss (WebSocket Secure)
* ftps (File Transfer Protocol Secure)
* smtps (Simple Mail Transfer Protocol Secure)
* imaps (Internet Message Access Protocol Secure)
* Bumped dependencies
* Added filtering option (leaf, intermediate, root)
* Added Java DSL
* Support for Cyrillic characters on Windows

You can find/view the tool here: [GitHub - Certificate Ripper](https://github.com/Hakky54/certificate-ripper)

https://redd.it/1pge830
@r_devops

Sophisticated rate limits as a service: please roast!

Hi everyone,



I’m a backend / infra engineer with \~20 years of experience.

Right now I’m building a very boring but, I think, painful-problem tool:



**API governance + rate limits + anomaly alerts as a service.**



The goal is simple:

to catch and stop things like:

\- runaway cron jobs

\- infinite webhook loops

\- abusive or buggy clients

\- sudden API/cloud bill explosions



This is NOT:

\- an AI chatbot

\- not just metrics/observability

\- not another generic Nginx limiter



It’s focused on:

\- real-time enforcement

\- per-tenant / per-route policies

\- hard + soft limits

\- alerts + audit trail



Think:

\> “a strict traffic cop for your API, focused on cost control and abuse prevention.”

\---



I’m trying to validate this against real-world pain before I overbuild.



A few quick questions:

1) Have you personally seen runaway API usage or a surprise bill?

2) How do you protect against this today?

(Nginx? Redis counters? Cloudflare? Custom noscripts? Just hope?)

3) What would be a *must-have* feature for you in such a tool?



Not selling anything yet — just doing customer discovery.

Brutal, technical feedback is very welcome.

https://redd.it/1pge56p
@r_devops

Bitbucket to GitHub + Actions (self-hosted) Migration

Our engineering department is moving our entire operation from bitbucket to github, and we're struggling with a few fundamental changes in how github handles things compared to bitbucket projects.

We have about 70 repositories in our department, and we are looking for real world advice on how to manage this scale, especially since we aren't organization level administrators.

Here are the four big areas we're trying to figure out:

# 1. Managing Secrets and Credentials

In bitbucket, secrets were often stored in jenkins/our build server. Now that we're using github actions, we need a better, more secure approach for things like cloud provider keys, database credentials, and artifactory tokens.

Where do you store high-value secrets? Do you rely on github organization secrets (which feel a bit basic) or do you integrate with a dedicated vault like hashicorp vault or aws/azure key vault?
How do you fetch them securely? If you use an external vault, what's the recommended secure, passwordless way for a github action to grab a secret? We've heard about OIDC - is this the standard and how hard is it to set up?

# 2. Best Way to Use jfrog

We rely heavily on artifactory (for packages) and xray (for security scanning).

What are the best practices for integrating jfrog with github actions?
How do you securely pass artifactory tokens to your build pipelines?

# 3. Managing Repositories at Scale (70+ Repos)

In bitbucket, we had a single "project" folder for our entire department, making it easy to apply the same permissions and rules to all 70 repos at once. github doesn't have this.

How do you enforce consistent rules (like required checks, branch protection, or team access) across dozens of repos when you don't control the organization's settings?
Configuration as Code (CaC): Is using terraform (or similar tools) to manage our repository settings and github rulesets the recommended way to handle this scale and keep things in sync?

# 4. Tracking Build Health and Performance

We need to track more than just if a pipeline passed or failed. We want to monitor the stability, performance, and flakiness of our builds over time.

What are the best tools or services you use to monitor and track CI/CD performance and stability within github actions?
Are people generally exporting this data to monitoring systems or using specialized github-focused tools?

Any advice, especially from those who have done this specific migration, would be incredibly helpful! Thanks!

https://redd.it/1pghkmk
@r_devops

Do tools like Semgrep or Snyk Upload Any Part of My Codebase?

Hey everyone, quick question. How much of my codebase actually gets sent to third-party servers when using tools like Semgrep or Snyk? I’m working on something that involves confidential code, so I want to be sure nothing sensitive is shared.

https://redd.it/1pgkwq3
@r_devops

Anyone else hit by Sha1-Hulud 2.0 transitive NPM infections in CI builds?

My team got hit months ago, three different Node.js microservices pulling malicious packages through transitive deps we didn't even know existed. Our SBOM tooling caught it but only after images were already built and tagged.

The bottleneck is we're running legacy base images with hundreds of CVEs each, so when the real threat shows up it gets buried in noise. Spent hours last week mapping which services were affected because our dependency graphs are a mess. We have never recovered.

Anyone found a clean way to block these at build time without breaking your CI pipeline? We don’t want a repeat ever.

https://redd.it/1pglm8j
@r_devops

Final Year Project in DevOps

Hi Guys,
I am in my Final year of my BSc and am cleat that I want to pursue my career in DevOps. I already have AWS cloud practitioner and Terraform Associate certification. I would like suggestions on what my Final year project should be. I want it to help me stand out from other candidates in future when applying for jobs. I would really appreciate your thoughts.

https://redd.it/1pgl52u
@r_devops

GWLB, GWLBe, and Suricata setup

Hi, I would like to ask for insights regarding setting up GWLBe and GWLB. I tried following the diagram on this guide to implement inspection in a test setup that I have, my setup is almost the same as in the diagram except the fact that my servers is in an EKS setup. I'm not sure what I did wrong rn, as I followed the diagram perfectly but Im not seeing GENEVE traffic in my suricata instance(port 6081) and I'm not quiet sure how to check if my gwlbe is routing traffic to my GWLB.

Here's what I've tried so far:
1.) Reachability analyzer shows my IGW is reaching the GWLBe just fine.
2.) My route tables are as shown in the diagram, my app route table is 0.0.0.0/0 \> gwlbe and app vpc cidr > local. for the suricata ec2 instance route table(security vpc) its security vpc cidr > local
3.) I have 2 gwlbe and its both pointed to my vpc endpoint service, while my vpc endpoint service is pointed to my 2 GWLB in security vpc(all in available and active status)
4.) Target group of my GWLB is also properly attached and it shows my ec2 suricata instance(I only have 1 instance) registered and is on healthy status and port is 6081.
5.) systemctl status suricata shows its running with 46k rules successfully loaded

Any tips/advice/guidance regarding this is highly appreciated.

For reference here are the documents/guides I've browsed so far.
https://forum.suricata.io/t/suricata-as-ips-in-aws-with-gwlb/2465
https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/
https://www.youtube.com/watch?v=zD1vBvHu8eA&t=1523s
https://www.youtube.com/watch?v=GZzt0iJPC9Q
https://www.youtube.com/watch?v=fLp-W7pLwPY

https://redd.it/1pglwlr
@r_devops

Focus on DevSecOps or Cybersecurity?

I am currently pursuing my Masters in Cybersecurity and have a Bachelor’s in CSE with specialisation in Cloud Computing. I am confused if I should pursue my career solely focusing on Cybersecurity or in DevSecOps. I can fully focus on 1 stream only currently. I have a mediocre knowledge in both the fields but going forward want to focus on one field only. Please someone help me or give some advice.

https://redd.it/1pgpng5
@r_devops

Workflow challenges

Curious to hear from others: what’s a challenge you've been dealing with lately in your workflow that feels unnecessary or frustrating?

https://redd.it/1pgpkh7
@r_devops

Small Change, Big Result.

I was working with someone recently who had been applying for months with almost no responses. Good experience, solid projects, strong recommendations — but her application kept disappearing into the void.

We reviewed everything together, and nothing major stood out. But there was one tiny thing:
Her resume opened with a generic line — “Experienced software engineer seeking opportunities to contribute and grow.”

It didn’t say who she was, what she was great at, or why someone should care.

I asked her to rewrite just the first 3 lines. That’s it. No full overhaul. No template change. Just a sharper intro.

She changed it to:
“Software engineer with 6+ years in backend systems, reduced API latency 40% at my last company, and passionate about building reliable, scalable infrastructure.”

That tiny change repositioned her instantly.
Within 20 hours of apply4u , she started getting callbacks

It reminded me how often job search breakthroughs come from small clarifications, not big reinventions.

Curious — what’s one small change you made in your career or job search that created a surprisingly big result?

https://redd.it/1pgttlm
@r_devops

AI for monitor system automatically.

I just thinking about AI for monitoring & predict what can cause issue for my whole company system

Any solution advices? Thanks so many!

https://redd.it/1ph1rcm
@r_devops

Looking to migrate company off GitHub. What’s the best alternative?

I’m exploring options to move our engineering org off GitHub. The main drivers are pricing, reliability and wanting more control over our code hosting.

For teams that have already made the switch:

* Which platforms did you evaluate?
* What did you ultimately choose (GitLab, Gitea, Bitbucket, something else)?
* Any major surprises during the migration?

Looking for practical, experience-based input before we commit to a direction.

https://redd.it/1ph3dca
@r_devops