feat: Add Podman support as drop-in replacement for Docker

[ZPascal]

Summary

• Podman runtime support — scripts/detect-runtime.sh auto-detects Docker or Podman (explicit CONTAINER_RUNTIME override takes precedence). All scripts (create-kind.sh, delete-kind.sh, init.sh) use the detected runtime; no Docker
  aliasing required.
• Podman on macOS/Windows — scripts/setup-podman-vm.sh creates and configures a rootful Podman machine (4 CPU, 8 GB, 60 GB) with NFS kernel modules and inotify limits applied inside the VM.
• Cilium disabled under rootless Podman — SKIP_CILIUM=true is set automatically when Podman is detected. This skips the Cilium Helm release and suppresses CiliumClusterwideNetworkPolicy CRDs
  (assets/base-chart/templates/network-policy.yaml); https://github.com/aojea/kindnet provides pod networking instead. assets/values/cilium-podman.yaml documents a degraded-mode Cilium config for opt-in use.
• KinD config for Podman — kind-podman.yaml adds BPF filesystem mounts on all nodes (required by kindnet on some kernels).
• Remove CAPI udp-forwarder sidecar — the udp-forwarder sidecar from cloud_controller_ng was removed; loggregator endpoint is now configured directly.
• CF API readiness polling — make login now polls /v2/info for up to 10 minutes before calling cf login, fixing a race where make up returned before the cloud-controller pod was healthy.
• CI: Podman smoke job — kind-smoke.yaml now dispatches both Docker and Podman smoke runs via a shared reusable workflow (smoke-run.yaml), eliminating ~230 lines of duplication.

ARM / Apple Silicon limitations

The CF application workload layer is amd64-only:

• cflinuxfs4 rootfs and all pre-compiled buildpack archives are x86-64 images.
• Docker Desktop on Apple Silicon: enable Rosetta emulation (Settings → General → Use Rosetta for x86_64/amd64 emulation). Well-tested path.
• Podman on Apple Silicon: Podman machine runs under QEMU/Rosetta. Functional but slower than Docker Desktop with Rosetta.
• Linux ARM64: not supported — cflinuxfs4 and buildpacks are amd64-only; app staging will fail without kernel-level x86 emulation (binfmt_misc + QEMU).

CF platform components (gorouter, diego, CAPI, etc.) build and run natively on ARM; only app workloads are restricted to amd64.

Rootless Podman limitations

• No Cilium: CAP_NET_ADMIN in the host user namespace is required by Cilium 1.18.x and is unavailable in rootless containers. kindnet is used instead; Cilium network policies are not enforced.
• No make build: docker buildx bake is not supported with Podman. Use podman build directly with releases/*/Dockerfile.
• Linux prerequisites: fs.inotify.max_user_instances=512 and net.ipv4.ip_unprivileged_port_start=80 must be set before make up.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: ZPascal / name: I539231 (62c48b6, 6ae8fa5, a87b2db)
• ✅ login: ZPascal / name: ZPascal (1ac2f9f, 21b3d34, 3c50440, 3e8c204, 4d017ec, 61afe52, 68467a1, 7a80f51, 9c98c0c, a8f7c53, a9150ee, b8ffd87, c3636e2, fd744b7)

[lukaszgryglicki]

/easycla