Curated, opinionated picks — what each tool is for, when to reach for it, and what to skip. Bias: boring, widely-adopted, well-documented tools beat clever ones. Verdict tags: ★ default pick, solid, niche, legacy.
CI/CD
| Tool | Verdict | Review |
| --- | --- | --- |
| GitHub Actions | ★ default | Lives next to your code, huge marketplace, easy YAML. Default for anything already on GitHub. Watch runner cost + secret scoping on forked PRs. |
| GitLab CI | solid | Best if you're on GitLab — tight integration, built-in registry/environments. Single .gitlab-ci.yml; powerful but YAML sprawls. |
| Argo CD | ★ (GitOps) | Declarative GitOps CD for Kubernetes — Git is the source of truth, drift auto-syncs. Pair with Actions/GitLab for CI. |
| Jenkins | legacy | Infinitely flexible, plugin hell, you babysit the server. Inherit it, don't start with it. |
| CircleCI / Buildkite | niche | CircleCI = fast SaaS; Buildkite = your own runners + their UI (good for scale/security). |
CI vs CD
Keep them separate: CI (build/test) on GitHub Actions/GitLab; CD (deploy to k8s) via GitOps
(Argo CD / Flux). Don't kubectl apply from a CI job — push to Git, let the
reconciler deploy.
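The CI/CD split above, as an added example that is not part of the original page: a GitHub Actions workflow builds and tests on every pull request, pushes an immutably tagged image only from main, then commits the new tag to a separate deploy repository; an Argo CD Application watches that repository and is the only thing that touches the cluster. The organisation, app and repository names, the deploy-repo token secret (`DEPLOY_REPO_TOKEN`) and the `overlays/dev` path are assumptions.

```yaml
# Added example, not from the original page.
# File 1: .github/workflows/ci.yml in the application repo.
# Assumed names: org example-org, app myapp, deploy repo example-org/deploy,
# secret DEPLOY_REPO_TOKEN (a token with write access to the deploy repo only).
name: ci
on:
  pull_request:            # forked PRs: build + test only, no secrets, no push
  push:
    branches: [main]

permissions:
  contents: read           # least privilege by default; jobs raise only what they need

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write      # push to ghcr.io with the built-in GITHUB_TOKEN
    outputs:
      image: ${{ steps.meta.outputs.image }}
    steps:
      - uses: actions/checkout@v4
      - name: Compute an immutable image tag from the commit SHA
        id: meta
        run: echo "image=ghcr.io/example-org/myapp:${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Run tests
        run: make test
      - name: Log in to the registry (main only; pull_request from forks gets no secrets)
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build, and push only on main
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.image }}

  promote:
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    env:
      IMAGE: ${{ needs.build.outputs.image }}   # passed via env, not interpolated into the script
    steps:
      - uses: actions/checkout@v4
        with:
          repository: example-org/deploy
          token: ${{ secrets.DEPLOY_REPO_TOKEN }}
      - name: Bump the image tag in the dev overlay (no kubectl here)
        run: |
          cd overlays/dev
          kustomize edit set image "ghcr.io/example-org/myapp=${IMAGE}"
          git config user.name ci-bot
          git config user.email ci-bot@example.invalid
          git commit -am "myapp: deploy ${IMAGE}"
          git push
---
# File 2: Argo CD Application in the cluster. It reconciles the deploy repo;
# CI never needs cluster credentials.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-dev
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/deploy.git
    targetRevision: main
    path: overlays/dev
  destination:
    server: https://kubernetes.default.svc
    namespace: myapp
  syncPolicy:
    automated:
      prune: true
      selfHeal: true     # manual drift in the cluster is reverted to what Git says
```

Two things to notice: the workflow's `pull_request` trigger (not `pull_request_target`) means a PR from a fork runs without repository secrets, so the build is safe to run on untrusted code and the push step is simply skipped; and the promote job holds a token for the deploy repo only, so a compromised CI job can at most open a commit that Argo CD will deploy, which is visible in Git history rather than an invisible `kubectl apply`.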
Infrastructure as Code
| Tool | Verdict | Review |
| --- | --- | --- |
| Terraform / OpenTofu | ★ default | The IaC lingua franca — every provider, huge module registry. OpenTofu is the open-source fork (post-license change). Remote state + locking is mandatory. |
| Pulumi | solid | IaC in real languages (TS/Python/Go) — great for devs who want loops/types. Smaller ecosystem; state model similar to TF. |
| Ansible | solid | Agentless config management / provisioning over SSH. Best for VM config + ad-hoc ops, not cloud resource lifecycle (use TF for that). |
| Packer | niche | Bake immutable machine/AMI images. Pair with TF: Packer builds the image, TF deploys it. |
| Crossplane | niche | Provision cloud infra via Kubernetes CRDs. Good if you're all-in on k8s + platform engineering. |
Containers & orchestration
| Tool | Verdict | Review |
| --- | --- | --- |
| Docker | ★ default | Still the dev experience standard for building/running containers locally. BuildKit for fast cached builds. |
| Kubernetes | ★ (at scale) | The orchestration standard. Powerful, complex — don't reach for it until you actually need orchestration. Managed (EKS/GKE/AKS) over self-hosted. |
| Helm | solid | Package manager / templating for k8s. Ubiquitous for third-party charts; templating gets ugly — consider Kustomize for your own manifests. |
| Kustomize | solid | Template-free overlays (built into kubectl). Cleaner than Helm for your own app's env variants. |
| k9s | ★ (daily) | Terminal UI for k8s — navigate pods/logs/exec fast. Huge quality-of-life win over raw kubectl. |
| Podman / nerdctl | niche | Daemonless/rootless Docker alternatives. Nice for security-sensitive or CI environments. |
Registries & artifacts
| Tool | Verdict | Review |
| --- | --- | --- |
| Cloud-native registry (ECR/GAR/ACR) | ★ default | Use your cloud's registry — IAM integration, no extra infra. GitHub/GitLab registries if your CI lives there. |
| Harbor | solid | Self-hosted registry + vulnerability scanning + signing + replication. Default for on-prem/air-gapped. |
| Artifactory / Nexus | solid | Universal artifact stores (containers + language packages + binaries). Heavy but enterprise-complete. |
Secrets & config
| Tool | Verdict | Review |
| --- | --- | --- |
| Cloud secret manager (AWS SM / GCP Secret Manager / Azure KV) | ★ default | Managed, IAM-scoped, versioned, auto-rotation. Default unless you're multi-cloud/on-prem. |
| HashiCorp Vault | ★ (advanced) | The gold standard for dynamic secrets, PKI, leasing, multi-cloud. Powerful but real operational cost — don't run it unless you need it. |
| External Secrets Operator | solid | Sync secrets from a manager into k8s Secrets — keeps the source of truth external. |
| SOPS | solid | Encrypt secrets in Git (with KMS/age). Great for GitOps secret workflows. |
never commit plaintext secrets
Secrets in env files, CI logs, or images leak forever (git history, image layer history). Inject
them at runtime from a secret manager, or keep them SOPS-encrypted in Git. Add a secret scanner
(gitleaks) to CI.
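A concrete setup for the scanner advice above, added here as an example rather than taken from the original page: a `.pre-commit-config.yaml` that runs gitleaks plus the Terraform linters named in the CLI table before every commit, and a CI workflow that runs the same hooks on the whole tree (so a developer who skipped the local hook is still caught) and scans the built image with trivy. Hook ids come from each project's own `.pre-commit-hooks.yaml`; the `rev` values are placeholders to be pinned to current release tags, and `ghcr.io/example-org/myapp` is an assumed image name.

```yaml
# Added example, not from the original page.
# File 1: .pre-commit-config.yaml (repo root). rev values are placeholders: pin them.
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z                 # placeholder: pin to a gitleaks release tag
    hooks:
      - id: gitleaks            # scans staged changes for credential patterns
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: vX.Y.Z                 # placeholder
    hooks:
      - id: detect-private-key  # catches accidentally staged PEM material
      - id: check-added-large-files
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: vX.Y.Z                 # placeholder
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_checkov   # policy / security checks on the Terraform
---
# File 2: .github/workflows/guards.yml. Same hooks, whole tree, plus an image scan.
name: guards
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # gitleaks needs history to scan past commits, not just HEAD
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install pre-commit
      - run: pre-commit run --all-files --show-diff-on-failure

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build the image locally for scanning (no push, no registry secrets)
        run: docker build -t ghcr.io/example-org/myapp:scan .
      - name: Fail on HIGH/CRITICAL vulnerabilities
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in real use
        with:
          image-ref: ghcr.io/example-org/myapp:scan
          exit-code: "1"
          severity: CRITICAL,HIGH
          ignore-unfixed: "true"
```

The scan job deliberately builds without logging in to a registry, so it can run on pull requests from forks where no secrets are available; `ignore-unfixed` keeps the gate actionable by failing only on findings that a base-image or package update can actually resolve.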
Observability
| Tool | Verdict | Review |
| --- | --- | --- |
| Prometheus + Grafana | ★ default | The open-source metrics + dashboards standard. Pull-based, PromQL, Alertmanager. Watch cardinality. |
| Loki | solid | Log aggregation that indexes labels not full text — cheap, Grafana-native (LogQL). |
| OpenTelemetry | ★ (instrument) | Vendor-neutral metrics/logs/traces SDKs + Collector. Instrument once, export anywhere. The right default for tracing. |
| Tempo / Jaeger | solid | Distributed tracing backends. Tempo = cheap object-store traces, Grafana-native. |
| Datadog / Grafana Cloud | solid | Managed all-in-one — fast to value, gets expensive at scale. Buy time, not forever. |
Everyday CLI quality-of-life
| Tool | What |
| --- | --- |
| kubectx / kubens | Switch k8s context/namespace fast — stop fat-fingering prod. |
| direnv | Per-directory env vars, auto-loaded. Great for project-scoped config. |
| jq / yq | Slice JSON / YAML on the command line. Non-negotiable. |
| fzf / ripgrep / bat | Fuzzy find / fast grep / better cat. Shell speed boost. |
| tflint / tfsec / checkov | Lint + security-scan Terraform in CI. |
| pre-commit | Run linters/formatters/secret-scans before every commit. |
| gitleaks / trivy | Secret detection / image + IaC vulnerability scanning. |
A sensible default stack
If you're starting fresh and want boring-that-works:
- CI: GitHub Actions · CD: Argo CD (GitOps)
- IaC: Terraform/OpenTofu + remote state · images: Packer (if VMs)
- Runtime: managed Kubernetes (EKS/GKE) or Cloud Run if you don't need orchestration
- Packaging: Helm for third-party, Kustomize for your own
- Secrets: cloud secret manager + External Secrets Operator (or SOPS for GitOps)
- Observability: Prometheus + Grafana + Loki + OpenTelemetry
- CI guards: pre-commit + tflint/tfsec + gitleaks + trivy
tool count is a cost
Every tool is something to learn, secure, patch, and on-call for. Pick the fewest that cover
your needs; prefer managed + widely-adopted. "Boring" is a feature in production.