eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
66 commits 79 branches 160 tags 8.6 MiB
Commit graph

9 commits

Author SHA1 Message Date
Erich Blume
6d84ff7bca Use forge mirror for zot, add third-party project guidance 
- Updated Step 0.3 to clone zot from forge mirror instead of GitHub
- Added "Third-Party Projects" section to CLAUDE.md explaining:
  - Ask user to mirror 3rd party repos to forge first
  - Clone from mirror to ~/code/3rd/
  - Avoids external dependencies

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 14:00:54 -08:00
Erich Blume
f064ba3afa Update Zot installation: clone to ~/code/3rd/ and build from source 
Zot isn't in homebrew. Following existing pattern (like kiwix-tools),
clone to ~/code/3rd/zot on indri and build with 'make binary'.
Updated defaults and LaunchAgent template to use built binary path.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:56:17 -08:00
Erich Blume
adba123ad4 Document both registry modes: pull-through cache + private images 
- Added Zot config.json template showing sync extension for pull-through
- Documented namespace convention:
  - registry.../docker.io/* → cached from Docker Hub
  - registry.../ghcr.io/* → cached from GHCR
  - registry.../blumeops/* → private images
- Added testing steps for both pull-through and private push
- Updated zk template with namespace table and build/push commands
- Updated verification checklist

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:51:46 -08:00
Erich Blume
950604bf25 Add tag:k8s grant for registry access (Woodpecker CI) 
K8s workloads (like Woodpecker CI) need to push/pull images from Zot.
They'll get Tailscale identity via the operator (Phase 1) with tag:k8s.
Added grant and test case for tag:k8s → tag:registry access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:47:24 -08:00
Erich Blume
97dce31171 Remove member grant for registry - admins only 
Registry access restricted to admins (who already have full access).
Members don't need to push/pull container images.
K8s accesses registry locally on indri, not via Tailscale.
Added note about Zot htpasswd auth for future reference.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:45:03 -08:00
Erich Blume
ee42f0f1a2 Fix Step 0.1: Use correct policy.hujson structure 
- Use 'grants' not 'acls' (that's the newer format)
- Show exact line numbers and locations for each change
- Include tagOwners, grants, and tests sections
- Follow existing pattern with tag:blumeops in tagOwners

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:42:19 -08:00
Erich Blume
26113aee42 Remove Brewfile from Phase 0 (it's for gilbert tooling only) 
Brewfile is for development tooling on gilbert, not for indri services.
Ansible roles handle homebrew installations on indri directly.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:33:09 -08:00
Erich Blume
ace4822305 Expand Phase 0 with detailed implementation steps 
- Add 16 numbered steps with specific files, code, and testing commands
- Add Tailscale service creation order warning (must create in admin
  console BEFORE running tailscale serve)
- Add comprehensive verification checklist and rollback procedures
- Document indri-services-check updates for zot and minikube
- Include zk documentation templates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:27:04 -08:00
Erich Blume
4d916a46d3 Add Kubernetes migration plan documentation 
Comprehensive phased plan for migrating blumeops services from direct
hosting on indri to a minikube cluster. Documents technical decisions
(Zot registry, Podman driver, CloudNativePG, Tailscale Operator) and
9 migration phases with verification and rollback procedures.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-17 13:12:09 -08:00