K8s Migration Phase 1: Infrastructure Setup (#29)

## Summary
- Split k8s migration plan into phases folder for easier navigation
- Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads
- Phase 1 work in progress

## Phase 1 Goals
- Tailscale Kubernetes Operator
- CloudNativePG Operator
- PostgreSQL cluster for future app migrations

## Deployment and Testing
- [ ] Review Phase 1 plan
- [ ] `mise run tailnet-preview` to verify ACL changes
- [ ] `mise run tailnet-up` to apply ACL changes
- [ ] Create Tailscale OAuth client (manual)
- [ ] Deploy operators and PostgreSQL cluster

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29

ansible/roles/minikube/files/zot-mirror.conf

@@ -0,0 +1,27 @@
+# Zot pull-through cache on indri
+# Uses host.containers.internal which is stable across restarts
+# Applied by ansible minikube role
+
+[[registry]]
+prefix = "docker.io"
+location = "docker.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/docker.io"
+insecure = true
+
+[[registry]]
+prefix = "ghcr.io"
+location = "ghcr.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/ghcr.io"
+insecure = true
+
+[[registry]]
+prefix = "quay.io"
+location = "quay.io"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050/quay.io"
+insecure = true

ansible/roles/minikube/handlers/main.yml

@@ -7,3 +7,8 @@
     minikube stop 2>/dev/null || true
     minikube start
   changed_when: true
+
+- name: Restart CRI-O in minikube
+  ansible.builtin.command:
+    cmd: minikube ssh "sudo systemctl restart crio"
+  changed_when: true

ansible/roles/minikube/tasks/main.yml

@@ -56,3 +56,42 @@
   ansible.builtin.debug:
     msg: "WARNING: minikube may not have started properly. Run 'minikube start' manually on indri if needed. Status: {{ minikube_final_status.stdout | default('unknown') }}"
   when: minikube_final_status.rc != 0 or 'Running' not in minikube_final_status.stdout
+
+# Configure CRI-O to use zot as pull-through cache
+- name: Copy zot mirror config to temp location
+  ansible.builtin.copy:
+    src: zot-mirror.conf
+    dest: /tmp/zot-mirror.conf
+    mode: "0644"
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Check if zot mirror config exists in minikube
+  ansible.builtin.command:
+    cmd: minikube ssh "cat /etc/containers/registries.conf.d/zot-mirror.conf 2>/dev/null || echo ''"
+  register: minikube_existing_zot_config
+  changed_when: false
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Read local zot mirror config
+  ansible.builtin.slurp:
+    src: /tmp/zot-mirror.conf
+  register: minikube_local_zot_config
+  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
+
+- name: Apply zot mirror config to minikube
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      cat /tmp/zot-mirror.conf | minikube ssh "sudo tee /etc/containers/registries.conf.d/zot-mirror.conf > /dev/null"
+    executable: /bin/bash
+  changed_when: true
+  when:
+    - minikube_final_status.rc == 0
+    - "'Running' in minikube_final_status.stdout"
+    - minikube_existing_zot_config.stdout != (minikube_local_zot_config.content | b64decode)
+  notify: Restart CRI-O in minikube
+
+- name: Clean up temp config file
+  ansible.builtin.file:
+    path: /tmp/zot-mirror.conf
+    state: absent