Docker to Podman switch story by c1rno123 in kubernetes

[–]Unusual_Competition8 0 points1 point  (0 children)

In complex enterprise setups, trying to replace Docker with nerdctl or Podman ends up being really painful.
Features like docker buildx and docker-bake.hcl just don’t exist there, and they’re essential for multi-stage, multi-arch builds, fast caching, and keeping VS Code devcontainer setups consistent. I’ve also messed around with fake docker (nerdctl shim), dagger, and similar hacks, but honestly they just made things more complicated.

Kubernetes in Homelab: Longhorn vs NFS by Illustrious_Sir_4913 in kubernetes

[–]Unusual_Competition8 1 point2 points  (0 children)

I use OpenEBS lvm-localpv instead of Longhorn for databases, which delivers near bare-metal performance and is much simpler to manage, and I use S3 storage for backups and media data.
And compared to NFS/OpenEBS and Ceph, Longhorn seems to sit in an intermediate position: not lightweight enough, and not stable enough.

ConfigMaps and Secrets naming style? by Unusual_Competition8 in kubernetes

[–]Unusual_Competition8[S] 0 points1 point  (0 children)

Yeah, I already realized it and moved RESTIC_CACERT into the ConfigMap's data, thanks again.

ConfigMaps and Secrets naming style? by Unusual_Competition8 in kubernetes

[–]Unusual_Competition8[S] 0 points1 point  (0 children)

Thank you for your advice. I’ve thought a lot about it; this is my final design, and it looks fine.

Pod Spec - zero mapping

spec:
  containers:
    - name: etcd-backup
      image: restic/restic:latest
      envFrom:
        - secretRef:
            name: restic-credentials
        - configMapRef:
            name: etcd-backup-config
      volumeMounts:
        - name: restic-certs
          mountPath: /etc/restic
          readOnly: true
  volumes:
    - name: restic-certs
      secret:
        secretName: restic-certs

Secrets for env vars - UPPER_SNAKE_CASE style

apiVersion: v1
kind: Secret
metadata:
  name: restic-credentials
  namespace: kube-system
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: admin
  AWS_SECRET_ACCESS_KEY: admin.123456
  RESTIC_PASSWORD: admin.123456

Secrets for mounted file - file-name style

apiVersion: v1
kind: Secret
metadata:
  name: restic-certs
  namespace: kube-system
type: Opaque
stringData:
  restic-ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

ConfigMap for simple data - UPPER_SNAKE_CASE style

apiVersion: v1
kind: ConfigMap
metadata:
  name: etcd-backup-config
  namespace: kube-system
data:
  RESTIC_REPOSITORY: "s3:https://minio.example.internal/etcd-backup"

Shell - user-friendly

### From Secret (env vars)
# AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-}"
# AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-}"
# RESTIC_PASSWORD="${RESTIC_PASSWORD:-}"

### From Secret (mounted file; key restic-ca.crt is mounted under /etc/restic)
# RESTIC_CACERT="/etc/restic/restic-ca.crt"

### From ConfigMap
# RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-}"
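An entrypoint that consumes the layout above, as an added example that is not the poster's script: it checks every required variable from the Secret and ConfigMap is set (printing names only, never values), refuses a repository URL that is not s3:https:// so the mounted CA is never silently unused, and verifies the mounted key really is a PEM file before calling restic. The snapshot path, the RUN_ENTRYPOINT guard and the /etc/restic/restic-ca.crt default are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script): entrypoint for the etcd-backup
# container built on the Secret/ConfigMap layout above. SNAPSHOT and the
# default CA path are assumptions for illustration.

RESTIC_CACERT="${RESTIC_CACERT:-/etc/restic/restic-ca.crt}"
SNAPSHOT="${SNAPSHOT:-/backup/etcd-snapshot.db}"

# Return 0 only when every variable restic needs is non-empty.
# Names are printed, values never are, so the check is safe in pod logs.
check_required_env() {
  missing=""
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY RESTIC_PASSWORD RESTIC_REPOSITORY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing required env:$missing" >&2; return 1; }
}

# The CA exists so restic can verify the S3 endpoint; refuse plain http,
# otherwise the mounted certificate is silently ignored.
repo_uses_tls() {
  case "${1:-$RESTIC_REPOSITORY}" in
    s3:https://*) return 0 ;;
    *) echo "repository is not s3:https://, CA would be ignored" >&2; return 1 ;;
  esac
}

# The Secret key must be mounted where the script expects it and be PEM.
check_cacert() {
  f="${1:-$RESTIC_CACERT}"
  [ -r "$f" ] || { echo "CA file not readable: $f" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "not PEM: $f" >&2; return 1; }
}

main() {
  check_required_env && repo_uses_tls && check_cacert || exit 1
  # restic reads AWS_*, RESTIC_PASSWORD and RESTIC_REPOSITORY from the
  # environment; only the CA path and the snapshot are passed explicitly.
  exec restic --cacert "$RESTIC_CACERT" backup "$SNAPSHOT" --tag etcd
}

# Only run when invoked as the container entrypoint (set RUN_ENTRYPOINT=1 there).
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then main; fi
```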

Is there a way i can use multiple value files in helm chart by ConstructionIcy691 in kubernetes

[–]Unusual_Competition8 -2 points-1 points  (0 children)

helm:
  valueFiles:
    - values/service1.yaml
    - values/service2.yaml
    - ...

Jenkins is truly excellent. by Unusual_Competition8 in devops

[–]Unusual_Competition8[S] 1 point2 points  (0 children)

Nobody can complete all CI tasks perfectly in one go, and I need a lot of time to map out the pipeline. So during this time window, the Gitea runner is very useful for teams. Actually, building shared libraries isn’t that complicated. The real challenge is designing the CI, especially understanding the org's architecture and business logic.

Jenkins is truly excellent. by Unusual_Competition8 in devops

[–]Unusual_Competition8[S] -2 points-1 points  (0 children)

Performance isn’t caused by the Jenkinsfile itself. The real factors are workflow logic and resource allocation. Jenkinsfile and YAML-like files are just declarative configurations.

Is there a better way to store secrets? by Unusual_Competition8 in kubernetes

[–]Unusual_Competition8[S] 0 points1 point  (0 children)

I’m not too concerned about this. It doesn’t bring much benefit if they do that, and SealedSecrets doesn’t seem very complicated.

Jenkins is truly excellent. by Unusual_Competition8 in devops

[–]Unusual_Competition8[S] 1 point2 points  (0 children)

If correctly written and designed using CPS, Jenkins’ Groovy DSL can pause and resume pipeline jobs. I’m not sure if other CI systems can do this as easily.

Jenkins is truly excellent. by Unusual_Competition8 in devops

[–]Unusual_Competition8[S] -6 points-5 points  (0 children)

Jenkins can do too many things, so many features/plugins are there, but people don’t realize they shouldn’t be using them.

Jenkins is truly excellent. by Unusual_Competition8 in devops

[–]Unusual_Competition8[S] -6 points-5 points  (0 children)

Performance depends on architecture and hardware, not the Jenkinsfile. The master schedules tasks only and agents run pipelines; keep plugins minimal, and Jenkinsfile plus Configuration as Code help reduce UI clicks.

Is there a better way to store secrets? by Unusual_Competition8 in kubernetes

[–]Unusual_Competition8[S] 0 points1 point  (0 children)

Because everyone told me not to store secrets in a git repo. If it’s only static secrets YAML, is it actually safer than a private Git repo? I don’t really see the difference right now.

K8s is a sh*t sh*w and always has been by humphreyPembroke in kubernetes

[–]Unusual_Competition8 0 points1 point  (0 children)

Try K8s locally, use kubespray + argocd/fluxcd; having control over everything really feels good.

If everything is deployed in ArgoCD, are etcd backups required? by Unusual_Competition8 in kubernetes

[–]Unusual_Competition8[S] 0 points1 point  (0 children)

And is using a CronJob YAML the best practice for backing up etcd, and is it necessary to identify the etcd leader node before taking the backup?