Rke2 on Danilo Falcão da Silva

Where to Hide Kubernetes Secrets: AWS, Azure, GCP, and On-Prem Compared

Wed, 20 May 2026 22:25:00 -0300

The Kubernetes Secret object is a YAML manifest with a base64-encoded value in it. That’s the entire encryption story. Anyone with get permission on the namespace can read every credential the workload holds. Base64 is not encryption. It is barely obfuscation.

Teams discover this the wrong way — usually during a security review, occasionally during an incident — and the next question is always the same: so where do the real secrets live?

Rancher vs Lens: A Platform and a Dashboard, Not the Same Thing

Wed, 20 May 2026 21:15:00 -0300

You’ll see this comparison on r/kubernetes every couple of months, phrased as if it’s a real choice: Rancher or Lens? The framing is wrong. They occupy different layers of the stack. Asking which one “wins” is like asking whether VS Code beats Kubernetes.

But the question keeps coming up — usually from someone who has Lens installed, has heard about Rancher, and is trying to figure out whether they should swap. So let me lay out what each one actually is, where they overlap, where they don’t, and which one earns a place in a serious on-prem setup.

Caddy, Nginx, Traefik: Picking a Reverse Proxy in 2026

Wed, 20 May 2026 17:35:00 -0300

There is a kind of infrastructure question that never really gets settled, just re-litigated every couple of years as the surrounding ecosystem moves. “Which reverse proxy?” is one of those questions.

The shortlist hasn’t changed much: Caddy, Nginx, Traefik. The context around them has changed a lot. The community ingress-nginx project reached end-of-life in March 2026. RKE2 v1.36 flipped to Traefik as the default ingress. Caddy quietly shipped 2.11 with better health-checking and ECH rotation. Nginx is on 1.31 mainline / 1.30.1 stable and treats HTTP/3 as a first-class but still-evolving feature.

GitOps with Argo CD: The Reconciliation Loop That Survives 3 a.m.

Tue, 19 May 2026 13:30:00 -0300

Here’s the test I use for any deployment tooling:

It is 3 a.m. on a Sunday. PagerDuty just woke you up. A production service is degraded. You roll out of bed, open your laptop, and have to figure out what the cluster thinks is true, what’s actually true, and what changed in the last twelve hours. The faster you can answer those three questions, the better the tooling.

The right GitOps stack collapses all three questions into one dashboard. The wrong one has you SSH-hopping between five servers running kubectl rollout history against unlabeled deployments. I’ve done both. I’m writing this post about the former.

Helm 4 Made Me Stop Looking for an Alternative

Tue, 19 May 2026 13:00:00 -0300

Helm has been the punchline of Kubernetes packaging for about as long as Kubernetes has been called Kubernetes. Helm 2 had Tiller, an in-cluster component running as cluster-admin that read every chart’s YAML and applied it from inside the cluster — a security horror show that drove half the community to invent its own deployment tooling just to avoid it. Helm 3 finally killed Tiller in 2019 and went client-side, which fixed the worst of it. And then Helm 3 sat there, relatively unchanged, for six years.

RKE2 Deserves Some Love: Why It's My On-Prem Kubernetes Pick

Tue, 19 May 2026 12:30:00 -0300

Most of the Kubernetes conversation in 2026 happens around managed services — EKS, GKE, AKS — and most of the rest happens around K3s for edge and homelab. Somewhere in the middle, on the hardware that lives in a rack in a datacenter you can drive to, there’s a Kubernetes story that nobody talks about loudly enough.

That story is RKE2 — the Rancher Kubernetes Engine 2, SUSE’s hardened, security-focused, single-binary distribution designed for on-premises production. I’ve been running it for two years across two different employers and one home lab, and it’s the rare piece of infrastructure that gets more impressive the longer you live with it.