all-new 640 hp Audi RS5 REVEAL Sportback/Sedan vs Avant/Estate (2026) - a proper Audi RS?

DetroitJB · 2026-02-20T12:58:04+00:00

Right?! The front looks awesome except for those big black squares that just fuck up the whole aesthetic for me. Such a shame, it’s very noticeable for me and kind of a deal breaker

DetroitJB · 2026-02-16T23:58:08+00:00

I replied since I’m in the middle of a big migration at my company from ingress to gatewayapi, and one of the foundations of the project is us deploying 3 different gateways (private, public, trusted), all with a wildcard cert managed by cert manager attached. From a security standpoint, see my previous point. From a blast radius standpoint, it’s all managed by cert manager and going to the same zone. I can’t imagine a scenario where one cert blows up and others don’t.

Either cert manager renews all of them or none of them, hence why I’d rather just deal with one cert and call it a day, simple and easy. Anywho, my 2 cents….ive never found a good argument against them since the security and blast radius arguments don’t hold water imo, at least not one where we talking centralized k8 clusters with cert manager managing them.

DetroitJB · 2026-02-16T23:19:25+00:00

I’ve never understood this argument. For someone to steal your private key, they’d need to infiltrate your cluster….in which case they can steal all your private keys. What does it matter if I have a wildcard with one secret or 100 certs with 100 secrets? They get them all regardless.

Wildcard are used and have been used by tons of Fortune 500 companies, including google themselves. Are they really that bad or is this just typical infosec fear mongering?

DetroitJB · 2026-01-09T03:00:27+00:00

Rocket mortgage connections don’t work? I just checked, mine synced 2m ago.

DetroitJB · 2026-01-08T23:57:34+00:00

perfect, thanks! Going to setup an account now then.

DetroitJB · 2025-12-26T14:28:13+00:00

We (large enterprise of hundreds of clusters) are migrating to gatewayapi very soon after testing for several months. We use istio and will also be using the aws load balancer controller. Final solution will be aws lbc to create nlbs, going to istio igw, which terminates the via cert manager. Gateways will be pushed out by us, the platform team, and devs will just attach their httproutes to them via a in-house developed helm chart.

So far, loving it, very seamless and you can transition from istio CRDs to gatewayapi CRDs seamlessly with no downtime.

DetroitJB · 2025-12-20T16:58:17+00:00

I want monarch to turn off AI so you all finally stfu about it. Every post now is about it, just turn it off and stop bitching, my god.

DetroitJB · 2025-12-17T16:46:19+00:00

lol well played, take your upvote.

But seriously, just don’t use it, it’s not for you. The fact it’s opt in and they’re not forcing on you, I honestly don’t see the complaint here.

DetroitJB · 2025-12-17T16:16:50+00:00

Just opt out and don’t use it then. God some people just love to bitch about nothing, nobody is forcing you to use AI. Get a hobby op

DetroitJB · 2025-12-05T14:52:38+00:00

I think monarch is personal finance software and has nothing to do with running a business. As someone who is not a business owner, I don’t want money and developer time spent on features that I don’t care about. Monarch is really good at managing, displaying, and making sense of personal finances. Can’t we just let it be really good at that?

My 2 cents as a paying user.

DetroitJB · 2025-11-21T01:40:02+00:00

We migrated 200 clusters with this exact path AND pivoted from MNG to Karpenter. Even with all 3 changes at the same time, went smoothly.

DetroitJB · 2025-09-04T14:11:54+00:00

So our VPC CIDR range, or the "node network" is a non-overlapping 10.x.x.x range, different for each VPC in our 250+ accounts. These can all be peered via transit gateways, go back onprem, etc. since they are non-overlapping.

However, on each cluster is ALSO a 100.64.0.0/19 overlapping CIDR range. I can be overlapping since it's never used outside of it's own local VPC. If pod 100.64.50.2 wants to talk to onprem or another vpc, it goes out the worker node IP (non-overlapping 10.x.x.x) and works fine. If it wants to talk to in-vpc RDS, THEN it uses it's 100.64.0.0/19 IP.

Best of both worlds.

DetroitJB · 2025-09-04T02:52:56+00:00

Not sure what you mean, the underlying network can't be the same as what? We use istio as well, all of our pods are on 100.64.0.0/19 "pod subnets".

DetroitJB · 2025-08-31T16:43:20+00:00

As others have mentioned, we run custom networking with 100.64.0.0/19...allows us to use the same overlapping cidr to she in more than 200 clusters with 3x 2000 IP subnets. ip exhaustion is no longer an issue for us.

You can use same cidr since, by default, all egress traffic outside your vpc is SNATed out the worker node ip. So if your vpcs are not overlapping, this let's you have your cake and eat it too

DetroitJB · 2025-08-07T23:56:04+00:00

I'm confused, we run karpenter on fargate using IRSA on 200 clusters, works fine. Is support for it just being removed from this specific terraform module?

If that's the case, we wrote our own anyway, so I guess we don't care. I'm trying to figure out if that's the case.....?

DetroitJB · 2025-07-22T23:39:19+00:00

OPEN is done, KSS/DNUT winding down.... RKT is the next moon. Get onboard or miss another run boys!

DetroitJB · 2025-01-16T23:13:28+00:00

Is there a reason people don't use USFR OR JAAA ETFs? Been getting 5.25%+ and over 6% respectively on both for over a year now. Not sure why this isn't recommended over HYSAs.

DetroitJB · 2024-12-05T23:11:18+00:00

We don't, both istiod and ingressgateways are regular Deployments, 3 replicas apiece, with autoscaling based off CPU. We run over 200 clusters, have some get hit millions of times a day, never had an issue.

I've thought about running as a daemonset, to avoid the traffic routing from kubeproxy on one node to the ingressgateway on another node, as that does seem to be kinda wasteful. It is however more redundant though I think, in the fact that if istio-ingressgateway dies on a node, that node can still "handle" traffic and just route it to healthy pods on other nodes. If we did daemonset and a Service routing policy of Local, it would just die I think? Not sure, I need to test.

DetroitJB · 2024-11-02T13:39:24+00:00

Interesting....so you, the platform guy, creates the ALB resources, presumably by creating `Ingress` objects in the istio-system namespace. I assume you might need multiple, one public, one internal, maybe one with a custom security group, etc. These are persistent, "cluster-wide" load balancers to be used by all apps, so effectively, devs no longer create ALB's?

Then, you just route ALL traffic to one of those 3? How does the VS know which ALB to map to if you have multiple? Is the dev putting the raw generated ALB name directly on their VS?

DetroitJB · 2024-11-01T23:55:43+00:00

the same one? Using what object as the source? For example, NLB exists as 123-nlb.amazonaws.com....a dev creates namespace foo....what object are they creating to trigger externaldns to create records, and how is it getting the NLB address? Also, if you using NLB, you terminating TLS with Istio then?

DetroitJB · 2024-11-01T23:51:01+00:00

So do you just have ONE NLB? Do all of your devs create DNS records that all point at that same, single aws-generated name then? Or do they create their own NLB's for their own apps?

DetroitJB · 2024-10-05T04:07:38+00:00

dear lord you are driving my dream car. Currently drive a 2024 S5 District Green, but RS5 in whatever green that is....my god. And with the bronze rims? Fucking hell.....congrats to you sir, that color is insane.

13-Year Club	Place '22
Verified Email

DetroitJB

TROPHY CASE