K8s Migration Phase 0: Foundation Infrastructure (#26)

## Summary - Step 0.1: Update Pulumi ACLs with tag:registry - Step 0.3: Create Zot registry ansible role with mcquack LaunchAgent - Step 0.4: Add Zot to Tailscale Serve configuration - Step 0.5: Create Zot metrics role for Prometheus scraping - Step 0.6: Add Zot log collection to Alloy - Step 0.7: Update indri-services-check with zot checks - Step 0.8: Add podman role for container runtime - Step 0.9: Add minikube role for Kubernetes cluster - Step 0.10: Configure remote kubectl access with 1Password credentials ## Remaining Steps - [ ] Step 0.11: Add minikube to indri-services-check - [ ] Step 0.12: Create zettelkasten documentation - [ ] Step 0.13: Verify main playbook (already done - roles added) ## Deployment and Testing - [x] Zot registry deployed and accessible at https://registry.tail8d86e.ts.net - [x] Podman machine running on indri - [x] Minikube cluster running on indri - [x] kubectl access from gilbert working with 1Password credentials - [ ] indri-services-check passes all checks 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/26
2026-01-18 12:06:28 -08:00 · 2026-01-18 12:06:28 -08:00 · 19a82373d5
commit 19a82373d5
parent ee196b0c10
32 changed files with 1811 additions and 10 deletions
--- a/pulumi/main.py
+++ b/pulumi/main.py
@ -52,6 +52,7 @@ indri_tags = tailscale.DeviceTags(
        "tag:loki",
        "tag:pg",
        "tag:feed",
+        "tag:registry",  # Zot container registry
    ],
 )

--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@ -101,6 +101,7 @@
 		"tag:loki": ["autogroup:admin", "tag:blumeops"],
 		"tag:pg": ["autogroup:admin", "tag:blumeops"],
 		"tag:feed": ["autogroup:admin", "tag:blumeops"],
+		"tag:registry": ["autogroup:admin", "tag:blumeops"],
 	},

 	// ============== ACL Tests ==============
@ -108,13 +109,13 @@
 		// Erich can access everything
 		{
 			"src":    "blume.erich@gmail.com",
-			"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22"],
+			"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
 		},
 		// Allison can access user services but NOT grafana, loki, or NAS
 		{
 			"src":    "acmdavis@gmail.com",
 			"accept": ["tag:kiwix:443", "tag:forge:443", "tag:feed:443", "tag:pg:5432"],
-			"deny":   ["tag:grafana:443", "tag:loki:3100", "tag:nas:445"],
+			"deny":   ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"],
 		},
 		// Homelab can reach homelab and NAS
 		{