Externalize Tailscale operator to forge mirror (#295)

## Summary
- Mirrors `tailscale/tailscale` on forge (`mirrors/tailscale`)
- Replaces vendored `operator.yaml` (495 KB / 5,386 lines) with ArgoCD apps sourcing the upstream static manifest, pinned via `targetRevision: v1.94.2`
- Adds `tailscale-operator-base` app for indri and `tailscale-operator-base-ringtail` for ringtail
- Local kustomization retains only ProxyClass and DNSConfig custom resources
- Updates `[[tailscale-operator]]` doc to reflect new sourcing

## Deployment and Testing
- [ ] Register `mirrors/tailscale` repo in ArgoCD (it needs to know about the new repo)
- [ ] Sync `apps` app to pick up the new `tailscale-operator-base` app definitions
- [ ] Sync `tailscale-operator-base` — verify CRDs, RBAC, operator Deployment come up
- [ ] Sync `tailscale-operator` — verify ProxyClass, DNSConfig still apply cleanly
- [ ] Verify existing Tailscale Ingresses still work (ProxyGroup pods healthy)
- [ ] Repeat for ringtail cluster
- [ ] After merge: apps already point at tags, no revision reset needed

Reviewed-on: #295

argocd/manifests/tailscale-operator-base/kustomization.yaml

@@ -4,15 +4,27 @@ kind: Kustomization
 
 namespace: tailscale
 
+# Upstream Tailscale operator manifest from forge mirror.
+# To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
   - proxyclass.yaml
   - dnsconfig.yaml
 
-# NOTE: also update proxyclass.yaml when changing the Tailscale version.
-# The kustomize images transformer only processes standard k8s container specs
-# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
-# proxyclass.yaml tags must be updated manually.
 images:
-  - name: docker.io/tailscale/k8s-operator
+  - name: tailscale/k8s-operator
+    newName: docker.io/tailscale/k8s-operator
     newTag: v1.94.2
+
+# The upstream manifest includes a placeholder OAuth Secret with empty values.
+# We manage this secret via ExternalSecret, so drop the upstream copy.
+patches:
+  - target:
+      kind: Secret
+      name: operator-oauth
+    patch: |
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: operator-oauth

argocd/manifests/tailscale-operator-base/proxyclass.yaml

@@ -3,6 +3,8 @@
 # Specifies fully-qualified image names for Tailscale proxy pods.
 # This ensures consistent behavior across different container runtimes.
 #
+# Version must match targetRevision in argocd/apps/tailscale-operator-base.yaml.
+#
 # Usage:
 # Add this annotation to any Tailscale Service or Ingress:
 #   tailscale.com/proxy-class: "default"
@@ -18,7 +20,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
         image: docker.io/tailscale/tailscale:v1.94.2
       tailscaleInitContainer:
         image: docker.io/tailscale/tailscale:v1.94.2

docs/changelog.d/externalize-tailscale-operator-base.infra.md

@@ -0,0 +1 @@
+Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.

docs/reference/kubernetes/tailscale-operator.md

@@ -15,8 +15,8 @@ The Tailscale operator enables Kubernetes services to be exposed directly on the
 | Property | Value |
 |----------|-------|
 | **Namespace** | `tailscale` |
-| **Helm Chart** | `tailscale/tailscale-operator` |
-| **ArgoCD App** | `tailscale-operator` |
+| **Upstream** | `mirrors/tailscale` on forge (static manifest) |
+| **ArgoCD Apps** | `tailscale-operator-base` (upstream), `tailscale-operator` (config) |
 
 ## How It Works