EPOCH.ENGINEERING

Self-Hosted Infrastructure Platform

Online

  • Proxmox VE + OpenTofu
  • TalosOS + K8s 1.36
  • Karpenter (node autoscaling)
  • Cilium + Hubble (networking)
  • WireGuard (pod-to-pod encryption)
  • ArgoCD (continuous delivery)
  • OpenBao (secrets vault)
  • External Secrets Operator
  • SOPS + age (encryption)
  • helm-secrets (config injection)
  • Traefik + cert-manager + trust-manager
  • Cloudflare Zero Trust
  • Keycloak (identity provider)
  • oauth2-proxy (ForwardAuth)
  • Longhorn (block storage)
  • CloudNativePG (PostgreSQL)
  • Harbor (container registry)
  • Spegel (P2P image mirror)
  • Argo Workflows (CI pipelines)
  • Argo Events (webhook triggers)
  • Kyverno (policy enforcement)
  • Cosign (image signing)
  • Sigstore Fulcio + Rekor (keyless)
  • SLSA Build L3 (provenance)
  • Syft + Grype (SBOM/CVE)
  • Semgrep + Trivy (SAST/IaC)
  • Pluto (deprecated K8s APIs)
  • OWASP ZAP (DAST scanning)
  • Headlamp (K8s dashboard)
  • kubernetes-reflector (ConfigMap sync)
  • Reloader (CM/Secret-driven rollouts)
  • Renovate (dependency updates)
  • ArgoCD Image Updater
  • Kargo (staged promotion)
  • Argo Rollouts (progressive delivery)
  • Linkerd mTLS (workload identity)
  • Prometheus + AlertManager
  • Grafana (visualization)
  • Alloy (logs + OTLP traces)
  • Loki (log aggregation)
  • Tempo (tracing + metrics)
  • ntfy (push notifications)
  • Goldilocks (VPA dashboard)
  • HPA (CPU-based autoscaling)
  • KEDA (event-driven scaling)
  • VPA (memory right-sizing)
  • KRR (resource analysis)
  • Velero (cluster backups)
  • Velero UI (backup dashboard)
  • SeaweedFS (S3 storage)
  • RabbitMQ (message broker)
  • Valkey (Redis cache)
  • CrowdSec (threat intel)
  • Maddy (SMTP relay)
  • BetterAuth + Hono (app auth)
  • Resend (email delivery)
  • Knative Serving (serverless)
  • Rybbit (web analytics)
  • Gatus (status page)
  • GO Feature Flag
  • Grafana Faro (Web Vitals)
  • Falco (runtime security)
  • Falcosidekick (event routing)
  • DefectDojo (vulnerability mgmt)
  • Loki Ruler (LogQL detection)
  • Beelzebub (cluster-internal honeypot)
  • LitmusChaos (chaos engineering)

Review

  • fail2ban (brute-force)

Pending

  • Kanister (data-recovery drills)

Deployed Apps