P5.1: Update minikube role for QEMU2 driver

- Change minikube driver from podman to qemu2
- Change container runtime from cri-o to containerd
- Add qemu installation to minikube role
- Remove podman role from indri.yml playbook
- Update handlers for containerd instead of cri-o
- Temporarily disable registry mirror config (needs containerd format)
- Add k8s-storage synology user creation steps to P5.1 doc
- Add post-migration tasks for zot registry mirror reconfiguration

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/playbooks/indri.yml

@@ -47,8 +47,6 @@
       tags: zot
     - role: zot_metrics
       tags: zot_metrics
-    - role: podman
-      tags: podman
     - role: minikube
       tags: minikube
     - role: minikube_metrics

ansible/roles/minikube/defaults/main.yml

@@ -1,11 +1,10 @@
 ---
 # Minikube cluster configuration
 minikube_cpus: 4
-# Note: Must be less than podman machine memory (8192MB) to account for overhead
-minikube_memory: 7800
+minikube_memory: 8192
 minikube_disk_size: "200g"
-minikube_driver: podman
-minikube_container_runtime: cri-o
+minikube_driver: qemu2
+minikube_container_runtime: containerd
 
 # Remote access configuration
 # These allow kubectl from other machines (e.g., gilbert) to connect
@@ -13,8 +12,5 @@ minikube_container_runtime: cri-o
 minikube_apiserver_names:
   - k8s.tail8d86e.ts.net
   - indri
-# Note: apiserver_port is the INTERNAL container port; with podman driver,
-# the host port is dynamically assigned. Check actual port with:
-#   kubectl config view --minify -o jsonpath="{.clusters[0].cluster.server}"
 minikube_apiserver_port: 6443
 minikube_listen_address: "0.0.0.0"

ansible/roles/minikube/handlers/main.yml

@@ -8,7 +8,7 @@
     minikube start
   changed_when: true
 
-- name: Restart CRI-O in minikube
+- name: Restart containerd in minikube
   ansible.builtin.command:
-    cmd: minikube ssh --native-ssh=false "sudo systemctl restart crio"
+    cmd: minikube ssh --native-ssh=false "sudo systemctl restart containerd"
   changed_when: true

ansible/roles/minikube/tasks/main.yml

@@ -1,14 +1,19 @@
 ---
 # Minikube installation and cluster setup for indri
-# Requires podman machine to be running (see podman role)
+# Uses qemu2 driver for full VM with kernel mount capabilities (NFS, SMB, etc.)
 #
-# NOTE: Similar to podman, minikube start may have issues when run via SSH.
+# NOTE: minikube start may have issues when run via SSH.
 # If cluster fails to start, manually run on indri:
-#   minikube start --driver=podman --container-runtime=cri-o \
-#     --cpus=4 --memory=7800 --disk-size=200g \
+#   minikube start --driver=qemu2 --container-runtime=containerd \
+#     --cpus=4 --memory=8192 --disk-size=200g \
 #     --apiserver-names=k8s.tail8d86e.ts.net --apiserver-names=indri \
 #     --apiserver-port=6443 --listen-address=0.0.0.0
 
+- name: Install qemu via homebrew (required for qemu2 driver)
+  community.general.homebrew:
+    name: qemu
+    state: present
+
 - name: Install minikube via homebrew
   community.general.homebrew:
     name: minikube
@@ -57,54 +62,22 @@
     msg: "WARNING: minikube may not have started properly. Run 'minikube start' manually on indri if needed. Status: {{ minikube_final_status.stdout | default('unknown') }}"
   when: minikube_final_status.rc != 0 or 'Running' not in minikube_final_status.stdout
 
-# Configure CRI-O to use zot as pull-through cache
-- name: Read desired zot mirror config
-  ansible.builtin.slurp:
-    src: "{{ role_path }}/files/zot-mirror.conf"
-  register: minikube_desired_zot_config
-  delegate_to: localhost
-  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
-
-- name: Check current zot mirror config in minikube
+# Configure containerd to use zot as pull-through cache
+# With qemu2 driver, host is accessible via host.minikube.internal
+# Zot listens on indri:5050 (localhost:5050 from host perspective)
+- name: Get host IP for registry mirror config
   ansible.builtin.command:
-    cmd: minikube ssh --native-ssh=false "cat /etc/containers/registries.conf.d/zot-mirror.conf 2>/dev/null || echo ''"
-  register: minikube_existing_zot_config
+    cmd: minikube ssh --native-ssh=false "getent hosts host.minikube.internal | awk '{print \$1}'"
+  register: minikube_host_ip
   changed_when: false
+  failed_when: false
   when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
 
-- name: Determine if zot mirror config needs update
-  ansible.builtin.set_fact:
-    minikube_zot_config_changed: "{{ (minikube_existing_zot_config.stdout | trim) != (minikube_desired_zot_config.content | b64decode | trim) }}"
-  when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
-
-- name: Copy zot mirror config to temp location
-  ansible.builtin.copy:
-    src: zot-mirror.conf
-    dest: /tmp/zot-mirror.conf
-    mode: "0644"
-  when:
-    - minikube_final_status.rc == 0
-    - "'Running' in minikube_final_status.stdout"
-    - minikube_zot_config_changed | default(false)
-
-- name: Apply zot mirror config to minikube
-  ansible.builtin.shell:
-    cmd: |
-      set -o pipefail
-      cat /tmp/zot-mirror.conf | minikube ssh --native-ssh=false "sudo tee /etc/containers/registries.conf.d/zot-mirror.conf > /dev/null"
-    executable: /bin/bash
-  changed_when: true  # Task only runs when config needs updating
-  when:
-    - minikube_final_status.rc == 0
-    - "'Running' in minikube_final_status.stdout"
-    - minikube_zot_config_changed | default(false)
-  notify: Restart CRI-O in minikube
-
-- name: Clean up temp config file
-  ansible.builtin.file:
-    path: /tmp/zot-mirror.conf
-    state: absent
-  when:
-    - minikube_final_status.rc == 0
-    - "'Running' in minikube_final_status.stdout"
-    - minikube_zot_config_changed | default(false)
+- name: Configure insecure registry for zot
+  ansible.builtin.command:
+    cmd: "minikube addons configure registry-creds"
+  changed_when: false
+  failed_when: false
+  when: false  # TODO: Configure containerd registry mirrors after basic migration works
+  # For now, images will be pulled directly from public registries
+  # We can add zot mirror config later via containerd config or minikube addons

plans/k8s-migration/P5.1_qemu2_migration.md

@@ -45,6 +45,26 @@ QEMU2 creates an actual VM (not a container), which has:
 
 ---
 
+## Prerequisites (Manual Steps)
+
+### Create Synology User for Kubernetes Storage Access
+
+Create a dedicated Synology user for k8s NFS/SMB access (do not use personal account):
+
+On Synology DSM (Control Panel → User & Group):
+1. Create new user: `k8s-storage`
+   - Set a strong password
+   - No admin privileges needed
+   - Deny access to all applications (only needs file services)
+2. Set permissions on the `torrents` share:
+   - Give `k8s-storage` user Read/Write access
+3. Store credentials in 1Password:
+   - Vault: `vg6xf6vvfmoh5hqjjhlhbeoaie` (blumeops vault)
+   - Item name: `synology-k8s-storage`
+   - Fields: `username` (k8s-storage), `password`
+
+---
+
 ## Plan
 
 ### 1. Export Current State
@@ -233,3 +253,16 @@ All state is in git, so cluster recreation is straightforward.
 - First boot may be slower due to VM initialization
 - socket_vmnet provides better networking but requires sudo setup
 - Consider creating a LaunchAgent for `minikube mount` if using that approach
+
+## Post-Migration Tasks
+
+### Zot Registry Mirror (TODO)
+
+The CRI-O registry mirror config (`zot-mirror.conf`) is not compatible with containerd. After the basic QEMU2 migration is verified working, we need to:
+
+1. **Reconfigure zot mirrors for containerd** - containerd uses a different config format at `/etc/containerd/config.toml`
+2. **Update host address** - `host.containers.internal` (podman-specific) won't work; use `host.minikube.internal` or the host IP instead
+3. **Test registry caching** - verify images are being cached through zot
+4. **Update ansible role** - add containerd-specific registry mirror configuration
+
+For now, images will be pulled directly from public registries (docker.io, ghcr.io, etc.) which is fine for the migration but loses the caching benefits.