Upgrade Tailscale operator v1.94.2 → v1.96.3 (#304)

## Summary

- Bump Tailscale operator, proxy containers, and init containers from v1.94.2 to v1.96.3 across both clusters (indri + ringtail via shared base kustomization)
- Replace hand-rolled `until tailscale status` polling loop in `fly/start.sh` with `tailscale wait --timeout 60s` (new in v1.96.2)
- Stamp kube-state-metrics review date (already current at v2.18.0)

## Notable upstream changes (v1.94.2 → v1.96.3)

- Go upgraded from 1.25 to 1.26
- `tailscale wait` command — blocks until daemon is running + interface has IP
- AuthKey policy now applies only when users are not logged in (behavioral change)
- Peer Relay improvements (metrics, EC2 IMDS, UDP socket scaling)
- UPnP stability fixes

## Deploy plan

1. Merge PR
2. Sync tailscale-operator on indri: `argocd app sync tailscale-operator`
3. Sync tailscale-operator on ringtail: `argocd app sync tailscale-operator-ringtail --server ringtail...`
4. Verify proxy pods roll with new image: `kubectl --context=minikube-indri -n tailscale get pods`
5. Verify ingress connectivity (spot-check a few `*.tail8d86e.ts.net` services)
6. Rebuild + deploy Fly proxy container (separate step, picks up `tailscale wait` change)

## Test plan

- [ ] ArgoCD diff looks clean for both apps before sync
- [ ] Proxy pods on indri come up healthy with v1.96.3 images
- [ ] Proxy pods on ringtail come up healthy with v1.96.3 images
- [ ] Tailscale ingress services remain reachable (e.g., grafana, prometheus)
- [ ] Fly proxy rebuild deploys successfully with `tailscale wait`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #304

argocd/manifests/tailscale-operator-base/kustomization.yaml

@@ -7,14 +7,14 @@ namespace: tailscale
 # Upstream Tailscale operator manifest from forge mirror.
 # To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.96.3/cmd/k8s-operator/deploy/manifests/operator.yaml
   - proxyclass.yaml
   - dnsconfig.yaml
 
 images:
   - name: tailscale/k8s-operator
     newName: docker.io/tailscale/k8s-operator
-    newTag: v1.94.2
+    newTag: v1.96.3
 
 # The upstream manifest includes a placeholder OAuth Secret with empty values.
 # We manage this secret via ExternalSecret, so drop the upstream copy.

argocd/manifests/tailscale-operator-base/proxyclass.yaml

@@ -20,6 +20,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        image: docker.io/tailscale/tailscale:v1.94.2
+        image: docker.io/tailscale/tailscale:v1.96.3
       tailscaleInitContainer:
-        image: docker.io/tailscale/tailscale:v1.94.2
+        image: docker.io/tailscale/tailscale:v1.96.3