Add dedicated Containerization and Kubernetes wizard groups, add podman support

Co-authored-by: chefgs <7605658+chefgs@users.noreply.github.com>

Author: Copilot

cli/devopsos.py

@@ -38,7 +38,7 @@ def init(
     # ── Canonical tool lists ──────────────────────────────────────────────
     ALL_LANGUAGES    = ["python", "java", "node", "ruby", "csharp", "php", "rust",
                         "typescript", "kotlin", "c", "cpp", "javascript", "go"]
-    ALL_CICD         = ["docker", "terraform", "kubectl", "helm", "github_actions", "jenkins"]
+    ALL_CICD         = ["docker", "podman", "terraform", "kubectl", "helm", "github_actions", "jenkins"]
     ALL_KUBERNETES   = ["k9s", "kustomize", "argocd_cli", "lens", "kubeseal",
                         "flux", "kind", "minikube", "openshift_cli"]
     ALL_BUILD_TOOLS  = ["gradle", "maven", "ant", "make", "cmake"]
@@ -58,29 +58,30 @@ def init(
             "choices": ALL_LANGUAGES,
             "description": "Programming languages for your project",
         },
+        "Containerization  [CONTAINER stage]": {
+            "choices": ["docker", "podman"],
+            "description": "Container runtimes to build, ship, and run application images",
+        },
         "Build Tools  [BUILD stage]": {
-            "choices": ["docker", "gradle", "maven", "ant", "make", "cmake", "nexus"],
+            "choices": ["gradle", "maven", "ant", "make", "cmake", "nexus"],
             "description": "Tools to compile, package, and store build artifacts",
         },
         "Test & Quality  [TEST stage]": {
             "choices": ["sonarqube", "checkstyle", "pmd", "eslint", "pylint"],
             "description": "Static analysis and quality gates to enforce standards early",
         },
-        "IaC & Infrastructure  [IaC stage]": {
-            "choices": ["terraform", "kubectl", "helm", "kustomize"],
-            "description": "Infrastructure as Code tools for reproducible environments",
+        "Kubernetes  [KUBERNETES stage]": {
+            "choices": ["kubectl", "helm", "kustomize", "k9s", "argocd_cli",
+                        "flux", "kind", "minikube", "lens", "kubeseal", "openshift_cli"],
+            "description": "Kubernetes CLI tools, GitOps engines, and local cluster runtimes",
         },
-        "Deploy & GitOps  [DEPLOY stage]": {
-            "choices": ["github_actions", "jenkins", "argocd_cli", "flux"],
-            "description": "CI/CD pipelines and GitOps delivery tools",
+        "CI/CD & Deploy  [DEPLOY stage]": {
+            "choices": ["github_actions", "jenkins", "terraform"],
+            "description": "CI/CD pipelines, IaC provisioning, and deployment automation",
         },
         "SRE & Monitoring  [SRE/MONITORING stage]": {
-            "choices": ["prometheus", "grafana", "elk", "k9s"],
-            "description": "Observability stack: metrics, dashboards, and logs",
-        },
-        "Security & Kubernetes Dev  [SECURITY stage]": {
-            "choices": ["kubeseal", "lens", "kind", "minikube", "openshift_cli"],
-            "description": "Secret management, security scanning, and local K8s dev tools",
+            "choices": ["prometheus", "grafana", "elk"],
+            "description": "Observability stack: metrics, dashboards, and centralised logs",
         },
     }
 
@@ -110,34 +111,35 @@ def init(
     # output for backward compatibility.
     def _sel(group): return selected_by_group.get(group, [])
 
+    container_sel = _sel("Containerization  [CONTAINER stage]")
     build_sel     = _sel("Build Tools  [BUILD stage]")
     test_sel      = _sel("Test & Quality  [TEST stage]")
-    iac_sel       = _sel("IaC & Infrastructure  [IaC stage]")
-    deploy_sel    = _sel("Deploy & GitOps  [DEPLOY stage]")
+    k8s_sel       = _sel("Kubernetes  [KUBERNETES stage]")
+    deploy_sel    = _sel("CI/CD & Deploy  [DEPLOY stage]")
     sre_sel       = _sel("SRE & Monitoring  [SRE/MONITORING stage]")
-    security_sel  = _sel("Security & Kubernetes Dev  [SECURITY stage]")
     lang_sel      = _sel("Languages")
 
     config = {
         "languages": {opt: opt in lang_sel for opt in ALL_LANGUAGES},
         "cicd": {
-            "docker":         "docker"         in build_sel,
-            "terraform":      "terraform"      in iac_sel,
-            "kubectl":        "kubectl"        in iac_sel,
-            "helm":           "helm"           in iac_sel,
+            "docker":         "docker"         in container_sel,
+            "podman":         "podman"         in container_sel,
+            "terraform":      "terraform"      in deploy_sel,
+            "kubectl":        "kubectl"        in k8s_sel,
+            "helm":           "helm"           in k8s_sel,
             "github_actions": "github_actions" in deploy_sel,
             "jenkins":        "jenkins"        in deploy_sel,
         },
         "kubernetes": {
-            "k9s":           "k9s"           in sre_sel,
-            "kustomize":     "kustomize"     in iac_sel,
-            "argocd_cli":    "argocd_cli"    in deploy_sel,
-            "lens":          "lens"          in security_sel,
-            "kubeseal":      "kubeseal"      in security_sel,
-            "flux":          "flux"          in deploy_sel,
-            "kind":          "kind"          in security_sel,
-            "minikube":      "minikube"      in security_sel,
-            "openshift_cli": "openshift_cli" in security_sel,
+            "k9s":           "k9s"           in k8s_sel,
+            "kustomize":     "kustomize"     in k8s_sel,
+            "argocd_cli":    "argocd_cli"    in k8s_sel,
+            "lens":          "lens"          in k8s_sel,
+            "kubeseal":      "kubeseal"      in k8s_sel,
+            "flux":          "flux"          in k8s_sel,
+            "kind":          "kind"          in k8s_sel,
+            "minikube":      "minikube"      in k8s_sel,
+            "openshift_cli": "openshift_cli" in k8s_sel,
         },
         "build_tools": {opt: opt in build_sel for opt in ALL_BUILD_TOOLS},
         "code_analysis": {opt: opt in test_sel for opt in ALL_CODE_ANALYSIS},
@@ -180,9 +182,10 @@ def _sel(group): return selected_by_group.get(group, [])
         }
         for lang, arg in lang_map.items():
             build_args[arg] = str(config["languages"].get(lang, False)).lower()
-        # CICD
+        # CICD (includes container runtimes docker/podman)
         cicd_map = {
-            "docker": "INSTALL_DOCKER", "terraform": "INSTALL_TERRAFORM",
+            "docker": "INSTALL_DOCKER", "podman": "INSTALL_PODMAN",
+            "terraform": "INSTALL_TERRAFORM",
             "kubectl": "INSTALL_KUBECTL", "helm": "INSTALL_HELM",
             "github_actions": "INSTALL_GITHUB_ACTIONS", "jenkins": "INSTALL_JENKINS"
         }

cli/process_first.py

@@ -107,6 +107,14 @@
   │                             │  ArgoCD, and Flux ensure every team      │
   │                             │  starts from a reviewed baseline.        │
   ├─────────────────────────────┼──────────────────────────────────────────┤
+  │  Standardise the container  │  `devopsos scaffold devcontainer`        │
+  │  runtime & Kubernetes env   │  encodes Docker/Podman runtime choice    │
+  │                             │  and all Kubernetes CLI tools (kubectl,  │
+  │                             │  helm, kustomize, argocd_cli, flux,      │
+  │                             │  k9s, kind, minikube, kubeseal …) into a │
+  │                             │  reproducible devcontainer.json so every │
+  │                             │  engineer starts from the same baseline. │
+  ├─────────────────────────────┼──────────────────────────────────────────┤
   │  Automate the repeatable    │  `devopsos scaffold argocd` encodes      │
   │                             │  the GitOps sync process as code;        │
   │                             │  `devopsos scaffold devcontainer`        │
@@ -180,12 +188,42 @@
   🔨 BUILD
   ────────
   • Define build standards and conventions before choosing tools
-    (Docker, Gradle, Maven, Make).
-  • Standardise base images and dependency management across all teams.
-  • Enforce reproducible builds with version-pinned dependencies.
+    (Gradle, Maven, Make).
+  • Standardise dependency management and enforce version-pinned builds.
+  • Enforce reproducible builds across all teams and environments.
   • Use an artifact repository (Nexus) to cache, version, and audit
     build outputs.
 
+  🐳 CONTAINERIZATION
+  ────────────────────
+  • Choose and document your container runtime (Docker or Podman) before
+    writing the first Dockerfile — consistency prevents environment drift.
+  • Standardise base images across all services: use a pinned, minimal
+    base image (e.g. distroless or Alpine) and update it on a schedule.
+  • Define a container image naming and tagging convention (e.g.
+    <registry>/<org>/<service>:<gitsha>) before the first build.
+  • Scan every image for vulnerabilities during the CI build stage —
+    never push an unscanned image to a shared registry.
+  • Use multi-stage Dockerfiles to keep production images small and
+    free of build-time dependencies.
+  • Configure your dev environment with `devopsos scaffold devcontainer`
+    to standardise the container runtime for every team member.
+
+  ☸️  KUBERNETES
+  ──────────────
+  • Define Kubernetes cluster topology and namespace strategy before
+    deploying any workload.
+  • Use a local cluster (kind or minikube) for development so that
+    every engineer can reproduce production-like conditions locally.
+  • Manage all manifests through version-controlled Kustomize overlays
+    or Helm charts — no kubectl apply from a developer laptop in production.
+  • Use GitOps (ArgoCD or Flux) as the single path to deploy and update
+    workloads; direct kubectl changes to production are prohibited.
+  • Manage Kubernetes secrets with Sealed Secrets (Kubeseal) so that
+    encrypted secrets can be safely stored in Git.
+  • Use k9s or Lens for day-two operations and cluster observability
+    rather than ad-hoc kubectl commands.
+
   🧪 TEST & QUALITY
   ─────────────────
   • Define quality gates and acceptance criteria before writing tests.

cli/scaffold_devcontainer.py

@@ -26,7 +26,7 @@
     "rust", "typescript", "kotlin", "c", "cpp", "javascript", "go",
 ]
 ALL_CICD = [
-    "docker", "terraform", "kubectl", "helm", "github_actions", "jenkins",
+    "docker", "podman", "terraform", "kubectl", "helm", "github_actions", "jenkins",
 ]
 ALL_KUBERNETES = [
     "k9s", "kustomize", "argocd_cli", "lens", "kubeseal", "flux",
@@ -47,7 +47,8 @@
     "go": "INSTALL_GO",
 }
 CICD_ARG_MAP = {
-    "docker": "INSTALL_DOCKER", "terraform": "INSTALL_TERRAFORM",
+    "docker": "INSTALL_DOCKER", "podman": "INSTALL_PODMAN",
+    "terraform": "INSTALL_TERRAFORM",
     "kubectl": "INSTALL_KUBECTL", "helm": "INSTALL_HELM",
     "github_actions": "INSTALL_GITHUB_ACTIONS", "jenkins": "INSTALL_JENKINS",
 }
@@ -272,8 +273,8 @@ def generate_devcontainer_json(env_config):
         extensions += ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode", "ms-vscode.vscode-typescript-next"]
     if langs.get("go"):
         extensions.append("golang.go")
-    if cicd.get("docker"):
-        extensions.append("ms-azuretools.vscode-docker")
+    if cicd.get("docker") or cicd.get("podman"):
+        extensions.append("ms-azuretools.vscode-docker")  # Docker extension also works with Podman
     if cicd.get("terraform"):
         extensions.append("hashicorp.terraform")
     if cicd.get("kubectl") or cicd.get("helm"):

docs/PROCESS-FIRST.md

@@ -63,6 +63,7 @@ immediately usable configuration artefact:
 |-------------------------|-------------------|-------------------|
 | **Define before you Build** | `devopsos scaffold cicd` / `gha` / `gitlab` | Interactive wizards capture intent before generating any config file |
 | **Standardise before Scale** | `devopsos scaffold gha`, `gitlab`, `jenkins` | Golden-path templates for GitHub Actions, GitLab CI, and Jenkins — reviewed baselines every team can adopt |
+| **Standardise the container runtime & Kubernetes env** | `devopsos scaffold devcontainer` | Encodes Docker/Podman choice and all Kubernetes CLI tools (kubectl, helm, kustomize, argocd_cli, flux, k9s, kind, minikube, kubeseal …) into a reproducible `devcontainer.json` |
 | **Automate the Repeatable** | `devopsos scaffold argocd` | GitOps sync process encoded as an ArgoCD `Application` + `AppProject` CR |
 | **Automate the Repeatable** | `devopsos scaffold devcontainer` | Developer environment setup encoded as `devcontainer.json` — reproducible for every team member |
 | **Observe and Iterate** | `devopsos scaffold sre` | Prometheus alert rules, Grafana dashboards, and SLO manifests — close the measure-improve feedback loop |
@@ -128,11 +129,33 @@ stream **before** selecting or configuring any tool.
 
 | Best Practice | Why it matters |
 |---------------|----------------|
-| Define build standards before choosing tools (Docker, Gradle, Maven, Make) | Prevents tool sprawl and ensures consistent outputs |
-| Standardise base images and dependency management across all teams | Reduces "works on my machine" issues |
-| Enforce reproducible builds with version-pinned dependencies | Makes builds auditable and roll-backable |
+| Define build standards before choosing tools (Gradle, Maven, Make) | Prevents tool sprawl and ensures consistent outputs |
+| Standardise dependency management and enforce version-pinned builds | Reduces "works on my machine" issues |
+| Enforce reproducible builds across all teams and environments | Makes builds auditable and roll-backable |
 | Use an artifact repository (Nexus) to cache, version, and audit build outputs | Provides a single source of truth for artifacts |
 
+### 🐳 Containerization
+
+| Best Practice | Why it matters |
+|---------------|----------------|
+| Choose and document your container runtime (Docker or Podman) before writing the first Dockerfile | Consistency prevents environment drift across teams |
+| Standardise base images: use pinned, minimal images (distroless or Alpine) updated on a schedule | Reduces attack surface and image size |
+| Define a container image naming and tagging convention (`<registry>/<org>/<service>:<gitsha>`) | Makes every image traceable back to its source commit |
+| Scan every image for vulnerabilities in the CI build stage before pushing to a registry | Prevents known CVEs from reaching any environment |
+| Use multi-stage Dockerfiles to keep production images free of build-time dependencies | Smaller images, faster pulls, smaller attack surface |
+| Use `devopsos scaffold devcontainer` to standardise the container runtime for every team member | Every engineer starts from the same reproducible baseline |
+
+### ☸️ Kubernetes
+
+| Best Practice | Why it matters |
+|---------------|----------------|
+| Define cluster topology and namespace strategy before deploying any workload | Avoids namespace sprawl and permission confusion |
+| Use a local cluster (kind or minikube) for development so every engineer can reproduce production-like conditions locally | Reduces "it works on staging but not prod" surprises |
+| Manage all manifests through version-controlled Kustomize overlays or Helm charts | No kubectl apply from developer laptops in production |
+| Use GitOps (ArgoCD or Flux) as the single deployment path — direct production kubectl changes are prohibited | Every change is auditable, reviewable, and reversible |
+| Manage Kubernetes secrets with Sealed Secrets (Kubeseal) | Encrypted secrets can be safely stored in Git |
+| Use k9s or Lens for day-two operations and cluster observability | Consistent tooling reduces operator error |
+
 ### 🧪 Test & Quality
 
 | Best Practice | Why it matters |