K8s Migration Phase 1: Infrastructure Setup (#29)

## Summary
- Split k8s migration plan into phases folder for easier navigation
- Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads
- Phase 1 work in progress

## Phase 1 Goals
- Tailscale Kubernetes Operator
- CloudNativePG Operator
- PostgreSQL cluster for future app migrations

## Deployment and Testing
- [ ] Review Phase 1 plan
- [ ] `mise run tailnet-preview` to verify ACL changes
- [ ] `mise run tailnet-up` to apply ACL changes
- [ ] Create Tailscale OAuth client (manual)
- [ ] Deploy operators and PostgreSQL cluster

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29

pulumi/policy.hujson

@@ -59,6 +59,21 @@
 			"dst": ["tag:nas"],
 			"ip":  ["*"],
 		},
+
+		// --- Kubernetes workloads ---
+		// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
+		{
+			"src": ["tag:k8s"],
+			"dst": ["tag:registry"],
+			"ip":  ["tcp:443"],
+		},
+		// k8s workloads (e.g., ArgoCD) can access forge on indri for GitOps
+		// HTTP on 3001, SSH on 2200
+		{
+			"src": ["tag:k8s"],
+			"dst": ["tag:homelab"],
+			"ip":  ["tcp:3001", "tcp:2200"],
+		},
 	],
 
 	// ============== SSH Access ==============
@@ -103,6 +118,8 @@
 		"tag:feed": ["autogroup:admin", "tag:blumeops"],
 		"tag:registry": ["autogroup:admin", "tag:blumeops"],
 		"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
+		"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
+		"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
 	},
 
 	// ============== ACL Tests ==============
@@ -123,5 +140,10 @@
 			"src":    "tag:homelab",
 			"accept": ["tag:homelab:22", "tag:nas:445"],
 		},
+		// K8s workloads can reach registry and forge (on indri:3001 HTTP, :2200 SSH)
+		{
+			"src":    "tag:k8s",
+			"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
+		},
 	],
 }