registry.tail8d86e.ts.net isn't available until tailscale serve
is configured in Step 0.4. Keep localhost tests in Step 0.3.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove tag:k8s from Phase 0 Step 0.1 (not needed until Tailscale
Kubernetes Operator is deployed)
- Add tag:k8s ACL setup as new Step 1 in Phase 1
- Clarify Step 0.10: no special Tailscale service needed for K8s API
(admin wildcard grant covers it)
- Add sed commands to replace localhost with indri in kubeconfig
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update to match Phase 0 details:
- Built from source, not homebrew
- Config at ~/.config/zot/config.json
- Data at ~/zot/
- Binary path documented
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use localhost:3001 for forge clone (hairpinning limitation)
- Document mise go@1.25 setup in repo directory
- Correct build command: mise x -- make binary
- Mark prerequisites as already completed with verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated Step 0.3 to clone zot from forge mirror instead of GitHub
- Added "Third-Party Projects" section to CLAUDE.md explaining:
- Ask user to mirror 3rd party repos to forge first
- Clone from mirror to ~/code/3rd/
- Avoids external dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Zot isn't in homebrew. Following existing pattern (like kiwix-tools),
clone to ~/code/3rd/zot on indri and build with 'make binary'.
Updated defaults and LaunchAgent template to use built binary path.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
K8s workloads (like Woodpecker CI) need to push/pull images from Zot.
They'll get Tailscale identity via the operator (Phase 1) with tag:k8s.
Added grant and test case for tag:k8s → tag:registry access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Registry access restricted to admins (who already have full access).
Members don't need to push/pull container images.
K8s accesses registry locally on indri, not via Tailscale.
Added note about Zot htpasswd auth for future reference.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use 'grants' not 'acls' (that's the newer format)
- Show exact line numbers and locations for each change
- Include tagOwners, grants, and tests sections
- Follow existing pattern with tag:blumeops in tagOwners
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Brewfile is for development tooling on gilbert, not for indri services.
Ansible roles handle homebrew installations on indri directly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 16 numbered steps with specific files, code, and testing commands
- Add Tailscale service creation order warning (must create in admin
console BEFORE running tailscale serve)
- Add comprehensive verification checklist and rollback procedures
- Document indri-services-check updates for zot and minikube
- Include zk documentation templates
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Comprehensive phased plan for migrating blumeops services from direct
hosting on indri to a minikube cluster. Documents technical decisions
(Zot registry, Podman driver, CloudNativePG, Tailscale Operator) and
9 migration phases with verification and rollback procedures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
