Upgrade Tailscale operator v1.94.2 → v1.96.3 (#304)

## Summary

- Bump Tailscale operator, proxy containers, and init containers from v1.94.2 to v1.96.3 across both clusters (indri + ringtail via shared base kustomization)
- Replace hand-rolled `until tailscale status` polling loop in `fly/start.sh` with `tailscale wait --timeout 60s` (new in v1.96.2)
- Stamp kube-state-metrics review date (already current at v2.18.0)

## Notable upstream changes (v1.94.2 → v1.96.3)

- Go upgraded from 1.25 to 1.26
- `tailscale wait` command — blocks until daemon is running + interface has IP
- AuthKey policy now applies only when users are not logged in (behavioral change)
- Peer Relay improvements (metrics, EC2 IMDS, UDP socket scaling)
- UPnP stability fixes

## Deploy plan

1. Merge PR
2. Sync tailscale-operator on indri: `argocd app sync tailscale-operator`
3. Sync tailscale-operator on ringtail: `argocd app sync tailscale-operator-ringtail --server ringtail...`
4. Verify proxy pods roll with new image: `kubectl --context=minikube-indri -n tailscale get pods`
5. Verify ingress connectivity (spot-check a few `*.tail8d86e.ts.net` services)
6. Rebuild + deploy Fly proxy container (separate step, picks up `tailscale wait` change)

## Test plan

- [ ] ArgoCD diff looks clean for both apps before sync
- [ ] Proxy pods on indri come up healthy with v1.96.3 images
- [ ] Proxy pods on ringtail come up healthy with v1.96.3 images
- [ ] Tailscale ingress services remain reachable (e.g., grafana, prometheus)
- [ ] Fly proxy rebuild deploys successfully with `tailscale wait`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #304

argocd/manifests/tailscale-operator-base/kustomization.yaml

@@ -7,14 +7,14 @@ namespace: tailscale
 # Upstream Tailscale operator manifest from forge mirror.
 # To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.96.3/cmd/k8s-operator/deploy/manifests/operator.yaml
   - proxyclass.yaml
   - dnsconfig.yaml
 
 images:
   - name: tailscale/k8s-operator
     newName: docker.io/tailscale/k8s-operator
-    newTag: v1.94.2
+    newTag: v1.96.3
 
 # The upstream manifest includes a placeholder OAuth Secret with empty values.
 # We manage this secret via ExternalSecret, so drop the upstream copy.

argocd/manifests/tailscale-operator-base/proxyclass.yaml

@@ -20,6 +20,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        image: docker.io/tailscale/tailscale:v1.94.2
+        image: docker.io/tailscale/tailscale:v1.96.3
       tailscaleInitContainer:
-        image: docker.io/tailscale/tailscale:v1.94.2
+        image: docker.io/tailscale/tailscale:v1.96.3

docs/changelog.d/upgrade-tailscale-operator-1.96.3.infra.md

@@ -0,0 +1 @@
+Upgrade Tailscale operator v1.94.2 → v1.96.3; replace Fly proxy polling loop with `tailscale wait`

fly/start.sh

@@ -7,9 +7,8 @@ set -e
 # natively — no need for --tun=userspace-networking.
 tailscaled --statedir=/var/lib/tailscale &
 sleep 2
-
 tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
-until tailscale status > /dev/null 2>&1; do sleep 1; done
+tailscale wait --timeout 60s
 echo "Tailscale connected"
 
 # Ensure fail2ban deny file exists before nginx starts

service-versions.yaml

@@ -26,7 +26,7 @@ services:
 
   - name: kube-state-metrics
     type: argocd
-    last-reviewed: 2026-02-16
+    last-reviewed: 2026-03-22
     current-version: "v2.18.0"
     upstream-source: https://github.com/kubernetes/kube-state-metrics/releases
 
@@ -91,8 +91,8 @@ services:
 
   - name: tailscale-operator
     type: argocd
-    last-reviewed: 2026-02-16
+    last-reviewed: 2026-03-22
-    current-version: "v1.94.2"
+    current-version: "v1.96.3"
     upstream-source: https://github.com/tailscale/tailscale/releases
 
   - name: grafana