K8s workloads (like Woodpecker CI) need to push/pull images from Zot.
They'll get Tailscale identity via the operator (Phase 1) with tag:k8s.
Added grant and test case for tag:k8s → tag:registry access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Registry access restricted to admins (who already have full access).
Members don't need to push/pull container images.
K8s accesses registry locally on indri, not via Tailscale.
Added note about Zot htpasswd auth for future reference.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use 'grants' not 'acls' (that's the newer format)
- Show exact line numbers and locations for each change
- Include tagOwners, grants, and tests sections
- Follow existing pattern with tag:blumeops in tagOwners
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
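Worked policy fragment for the changes the two commits above describe (the tag:k8s → tag:registry grant with its test case, and the tagOwners / grants / tests layout following the existing tag:blumeops pattern). This is an added illustration, not the repository's actual policy file: the tag owners (autogroup:admin), the registry port (443, on the assumption that Zot is exposed through tailscale serve), and the member-denied test are assumptions, not taken from the commits.

```jsonc
// Illustrative Tailscale policy (HuJSON: comments and trailing commas allowed).
// Not the project's policy file; owners, port and the deny test are assumed.
{
  "tagOwners": {
    // Existing pattern: tags are owned by the admin autogroup (assumption).
    "tag:blumeops": ["autogroup:admin"],
    "tag:registry": ["autogroup:admin"],
    "tag:k8s":      ["autogroup:admin"],
  },

  // "grants" is the newer policy format; the older "acls" section is not used.
  "grants": [
    // Admins already have registry access.
    {"src": ["autogroup:admin"], "dst": ["tag:registry"], "ip": ["tcp:443"]},
    // K8s workloads (tagged tag:k8s by the Tailscale operator) may push/pull.
    // Limited to the HTTPS port rather than "*" so nothing else on the
    // registry host becomes reachable from the cluster (port is assumed).
    {"src": ["tag:k8s"],         "dst": ["tag:registry"], "ip": ["tcp:443"]},
  ],

  // Policy tests fail the save if a later edit silently changes reachability.
  "tests": [
    // The grant added above must allow cluster -> registry on 443.
    {"src": "tag:k8s",          "accept": ["tag:registry:443"]},
    // Members are not granted registry access; keep asserting that.
    {"src": "autogroup:member", "deny":   ["tag:registry:443"]},
  ],
}
```

The `deny` test is the check worth keeping even though it is not in the commits: a future grant with `"dst": ["*"]` for members would otherwise widen registry access without anyone noticing, and the admin console rejects a policy whose tests fail.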
Brewfile is for development tooling on gilbert, not for indri services.
Ansible roles handle homebrew installations on indri directly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 16 numbered steps with specific files, code, and testing commands
- Add Tailscale service creation order warning (must create in admin
console BEFORE running tailscale serve)
- Add comprehensive verification checklist and rollback procedures
- Document indri-services-check updates for zot and minikube
- Include zk documentation templates
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Comprehensive phased plan for migrating blumeops services from direct
hosting on indri to a minikube cluster. Documents technical decisions
(Zot registry, Podman driver, CloudNativePG, Tailscale Operator) and
9 migration phases with verification and rollback procedures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>