K8s Migration Phase 0: Foundation Infrastructure

eblume commented

2026-01-18 10:30:47 -08:00

Owner

Summary

Step 0.1: Update Pulumi ACLs with tag:registry
Step 0.3: Create Zot registry ansible role with mcquack LaunchAgent
Step 0.4: Add Zot to Tailscale Serve configuration
Step 0.5: Create Zot metrics role for Prometheus scraping
Step 0.6: Add Zot log collection to Alloy
Step 0.7: Update indri-services-check with zot checks
Step 0.8: Add podman role for container runtime
Step 0.9: Add minikube role for Kubernetes cluster
Step 0.10: Configure remote kubectl access with 1Password credentials

Remaining Steps

Step 0.11: Add minikube to indri-services-check
Step 0.12: Create zettelkasten documentation
Step 0.13: Verify main playbook (already done - roles added)

Deployment and Testing

Zot registry deployed and accessible at https://registry.tail8d86e.ts.net
Podman machine running on indri
Minikube cluster running on indri
kubectl access from gilbert working with 1Password credentials
indri-services-check passes all checks

🤖 Generated with Claude Code

## Summary - Step 0.1: Update Pulumi ACLs with tag:registry - Step 0.3: Create Zot registry ansible role with mcquack LaunchAgent - Step 0.4: Add Zot to Tailscale Serve configuration - Step 0.5: Create Zot metrics role for Prometheus scraping - Step 0.6: Add Zot log collection to Alloy - Step 0.7: Update indri-services-check with zot checks - Step 0.8: Add podman role for container runtime - Step 0.9: Add minikube role for Kubernetes cluster - Step 0.10: Configure remote kubectl access with 1Password credentials ## Remaining Steps - [x] Step 0.11: Add minikube to indri-services-check - [x] Step 0.12: Create zettelkasten documentation - [x] Step 0.13: Verify main playbook (already done - roles added) ## Deployment and Testing - [x] Zot registry deployed and accessible at https://registry.tail8d86e.ts.net - [x] Podman machine running on indri - [x] Minikube cluster running on indri - [x] kubectl access from gilbert working with 1Password credentials - [x] indri-services-check passes all checks 🤖 Generated with [Claude Code](https://claude.com/claude-code)

eblume added 15 commits

2026-01-18 10:30:48 -08:00

Add tag:registry for Zot container registry 83956afe92

Phase 0 of k8s migration: Add registry tag to ACLs.
- Admins get full access via wildcard grant
- Members denied access (infrastructure only)
- Enables tailscale serve for registry.tail8d86e.ts.net

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Apply tag:registry to indri via Pulumi 8defa0ef6e

- Add tag:registry to indri DeviceTags in __main__.py
- Update plan with implementation details noting the tag is
  managed via Pulumi, not manually in admin console

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add zot container registry ansible role 2bba28fc30

Phase 0: Creates zot role with:
- Config for pull-through cache (Docker Hub, GHCR, Quay)
- mcquack LaunchAgent for service management
- Sync registries configured for on-demand caching

Binary is built from source at ~/code/3rd/zot (not homebrew).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add registry to tailscale_serve configuration b62b10a60f

Exposes zot registry (localhost:5000) as registry.tail8d86e.ts.net

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Fix zot port and sync config, update plan with implementation details 1ee2863fc7

- Change zot port from 5000 to 5050 (macOS ControlCenter uses 5000)
- Fix sync config: use destination for namespacing, prefix ** for matching
- Update tailscale_serve to use port 5050
- Add zot role to main playbook
- Document implementation details in plan

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add podman to Brewfile for container operations on gilbert e0e8c5449b

Required for testing zot registry push from workstation.
Podman uses a Linux VM under the hood on macOS.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add zot_metrics role for Prometheus monitoring 7d673cbee9

Collects zot_up metric via textfile collector every 60 seconds.
Additional metrics can be added later if zot exposes them.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add zot log collection to Alloy 8c01181e55

Collects stdout and stderr logs from zot to Loki.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add zot checks to indri-services-check 8c7a746227

- zot LaunchAgent running
- zot-metrics LaunchAgent running
- Zot registry HTTP endpoint (via Tailscale service URL)
- Zot metrics file exists

Also updated Grafana, Kiwix, Forgejo, Devpi to use Tailscale
service URLs for consistency with Miniflux and Zot.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add Step 0.7 implementation details to plan 8d96f91365

Note use of Tailscale service URL for health check.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add podman role with known issue documentation 55f0335a1e

- Create ansible/roles/podman for podman machine setup on indri
- Document known reliability issue with podman machine init/start via SSH
  (race condition from containers/podman#16945)
- Role attempts init/start but doesn't fail if start hangs
- Workaround: manual init/start on indri if needed
- Update k8s-migration plan with implementation details

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add minikube role for Kubernetes cluster on indri 2c90dc01a4

- Create ansible/roles/minikube for minikube cluster setup
- Use podman driver with cri-o runtime
- Set memory to 7800MB (vs 8192 podman) to account for VM overhead
- Add minikube role to indri playbook
- Update k8s-migration plan with implementation details

Deployed with Kubernetes v1.34.0 and CRI-O 1.24.6.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Update plan with Step 0.10 and 0.12 implementation details 9950c8207f

Step 0.10 (kubeconfig on gilbert):
- Document research on kubectl remote access options
- Choose --apiserver-names + --listen-address approach
- Add references to sources

Step 0.12 (zettelkasten):
- Add instructions to update main blumeops card
- Fix zot port from 5000 to 5050
- Add minikube.md template with remote access docs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Configure remote kubectl access with 1Password credentials e032e27b66

Step 0.10 implementation:
- Recreate minikube with --apiserver-names=indri --listen-address=0.0.0.0
- Add kubectl-credential-1password exec plugin for 1Password integration
- Client certs fetched from 1Password on-demand (no private keys on disk)
- CA cert stored locally (not secret - public key for server verification)

Minikube role updates:
- Add minikube_apiserver_names and minikube_listen_address variables
- Update tasks to include remote access flags

This mirrors the 1Password SSH agent pattern - biometric auth required
for each kubectl command that needs credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add fish abbreviations for minikube-indri to plan docs 5ba2cf3861

Step 0.12 update:
- Document ki, k9i, k9 abbreviations for quick kubectl/k9s access
- These avoid accidentally triggering work SAML flow

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 10:37:23 -08:00

Add minikube health checks to indri-services-check ce3e5fc1e0

Step 0.11 implementation:
- Check minikube status via SSH to indri
- Check k8s API server accessible from indri
- Check k8s API server accessible remotely from gilbert (via 1Password creds)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 10:52:57 -08:00

Add Step 0.12 implementation notes bb58898731

Zettelkasten documentation created:
- zot.md: Container registry management log
- minikube.md: Kubernetes cluster management log
- Updated main blumeops card with new services, tags, and ports

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 10:53:38 -08:00

Add Step 0.13 implementation notes - Phase 0 complete 67d3ba65f3

All Phase 0 steps completed:
- Zot registry with pull-through cache
- Podman container runtime
- Minikube Kubernetes cluster
- Remote kubectl access with 1Password credentials
- Health checks in indri-services-check
- Zettelkasten documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 11:53:20 -08:00

Add Grafana dashboards and metrics collection for zot and minikube 3337392b55

Phase 0 followup:
- Enable zot native metrics endpoint (/metrics)
- Add zot scraping to Alloy config
- Create zot Grafana dashboard (status, requests, latency, memory)
- Create minikube_metrics role (collects cluster health metrics)
- Create minikube Grafana dashboard (status, pod/namespace counts, logs)
- Update indri-services-check with minikube-metrics checks

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 11:58:49 -08:00

Fix Jinja2 escaping in minikube-metrics template 09983b3ae0

The {{.Host}} Go template syntax was being interpreted by Jinja2.
Added {% raw %} block to escape it.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 12:02:32 -08:00

Fix zot dashboard job label filter 6dc698d4ef

Alloy labels scraped metrics with job="prometheus.scrape.zot",
not just "zot". Updated all dashboard queries to match.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume added 1 commit

2026-01-18 12:05:15 -08:00

Fix zot dashboard: correct latency metric, replace memory with storage 57ba61256c

- Use zot_http_method_latency_seconds_bucket (not zot_http_request_duration_*)
- Replace Memory Usage stat with Total Storage
- Replace Memory Over Time with Storage by Repository

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

eblume merged commit 19a82373d5 into main

2026-01-18 12:06:28 -08:00

eblume referenced this pull request from a commit

2026-01-18 12:06:28 -08:00

K8s Migration Phase 0: Foundation Infrastructure (#26)

Rows
Columns

K8s Migration Phase 0: Foundation Infrastructure #26

Summary

Remaining Steps

Deployment and Testing