
Both FluxCD and ArgoCD, which use CRDs in GitOps, have a serious flaw: will these tools fail when your Kubernetes needs an update? I've encountered incompatibility issues even with simple Helm (which failed due to changes in the HPA API), let alone OPSs that forcibly depend on CRDs. GitLab CI + Pulumi/Kusion is the most stable solution.

Ultimately, probably not. Under the hood, all Argo is doing in its vanilla configuration is pulling stuff from a git repo, calculating a diff, performing some templating to spit out the manifest (helm or kustomize) and then kubectl apply the manifest (or the API equivalent of that).

So unless the APIs it uses to calculate deltas or apply manifests change, it's going to be mostly resilient. The underlying things it might apply, though, are often much more sensitive to that kind of API version diff.


Interesting. I've used Pulumi but this is the first I've heard of Kusion.

From a quick look, it still requires all of the resource specification to be present in the AppConfiguration, and it's written in their own DSL called KCL. Is there more to the use case that I'm missing?

It seems like if I'm already specifying the details of the entire workload, I'd either use Terraform, where I probably already know the DSL, or Pulumi, where I could skip the DSLs entirely.


Technological communism means that everyone can afford the latest technology.

Of course, people always forget that communism is based on huge production of everything. That's why China can continue to do this and break capitalist companies.

This is strictly state capitalism, and not communism, at work and I'd argue that the "state" qualifier is redundant.

Yes, to achieve communism, state capitalism is a necessary tool. I'm not saying it will be achieved, but that's how it could progress.


No, they are no longer; they are now Singaporean companies.

Fully HTTPS traffic can bypass that damned Great Firewall. Greetings from inside the Great Firewall.


TLS 1.3 is completely banned by the GFW.


Why is TLS 1.3 interesting here, in relation to censorship circumvention? Why is version 1.3 banned and not 1.2?


TLS 1.3 forces PFS, which means that if you want to decrypt a 1.3 stream, you have to actually do a man in the middle attack, not just get a copy of a key. PFS was optional before.

It supports ECH, which lets you hide which service the client is trying to reach on a multitenant host or CDN. Given that Cloudflare supports ECH, and that it's possible to hide the fact that you're using ECH, that makes it possible to have connections that could actually be using any of a huge number of possible sites without passive spying equipment being able to tell which ones.

It removes a bunch of weak old primitives and options, and should generally be harder to misconfigure in a dangerous way.


Thanks a lot for the detailed reply!

Just in case someone reads this without knowing the abbreviations:

PFS = perfect forward secrecy [0]

ECH = Encrypted Client Hello [1]

[0] https://en.wikipedia.org/wiki/Forward_secrecy

[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
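
As an added illustration of the TLS 1.3 reply above (not code from any commenter), this Python sketch parses a constructed ClientHello and reports what an on-path observer can read from it: the plaintext SNI, whether TLS 1.3 is offered, and whether the encrypted_client_hello extension is present. The hostnames, the helper names and the placeholder ECH payload are assumptions made for the example.

```python
import struct

EXT_SNI, EXT_SUPPORTED_VERSIONS, EXT_ECH = 0x0000, 0x002B, 0xFE0D

def ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Constructed sample ClientHello handshake message (not a capture)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type=host_name
    exts = ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    exts += ext(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")  # TLS 1.3, 1.2
    if with_ech:
        exts += ext(EXT_ECH, bytes(8))  # opaque placeholder, not a real ECH body
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # legacy_version, random, no session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def observe(hello: bytes) -> dict:
    """Return the fields a passive observer can read from a ClientHello."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    seen = {"sni": None, "offers_tls13": False, "ech": False}
    try:
        pos = 4 + 2 + 32                                       # header, version, random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    ext_end = min(end, pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI and len(data) >= 5:
            n = int.from_bytes(data[3:5], "big")
            seen["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            v = data[1:1 + data[0]]
            seen["offers_tls13"] = any(v[i:i + 2] == b"\x03\x04" for i in range(0, len(v), 2))
        elif etype == EXT_ECH:
            seen["ech"] = True
    return seen
```

With ECH, the SNI that remains readable is the outer one naming the shared front end; the inner hostname travels inside the encrypted extension body.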


The US government is becoming another Soviet Union.


Ring-1T


Ring-1T, a SOTA open-source trillion-parameter reasoning model


So I wrote an MCP using your code: https://gurddy-mcp.fly.dev. You can get the source code from https://github.com/novvoo/gurddy-mcp.


