A decision record for a workload that’s operationally stateless but has a fragile single-instance upgrade: StatefulSet vs Deployment, with live operational evidence and the case for Deployment plus a startup lock.
When Crossplane’s Go-template compositions outgrow you — no types, no tests, global scope — KCL offers a typed, testable alternative. The multi-step pipeline architecture, and the bugs only end-to-end validation catches.
When a platform bakes an environment-derived identity into its database on first boot, restoring across environments crash-loops on a mismatch. The fix is a product question: stabilize the identity, or rewrite it after restore?
A field guide to deleting a GKE or EKS deployment cleanly when the cluster, the in-cluster GitOps/Crossplane layer, and Terraform all disagree about who owns cleanup — orphans, deletion order, and the stuck cases.
How to retrofit machine-parseable JSON logging onto a legacy Java app on Kubernetes — both log4j2 and Tomcat’s JUL — without forking the vendor image, as an opt-in, fail-open, cleanly revertible layer.
Reach a private GKE cluster’s API server without a bastion or authorized-networks — using the GKE-native Connect Gateway, with GCP IAM outside the gateway and Kubernetes RBAC inside.
Everything’s green — Argo CD Synced, Crossplane Ready — but the change never took effect. The trap where Crossplane management policies without Update meet Kubernetes immutability.
You delete an env var from your Helm values, Argo CD reports Synced — and it’s still on the pod. Why strategic-merge-patch can’t remove list items, and the Server-Side Apply fix.