C1: switch to strategic merge patch for proxyclass image rewrite

Kustomize's images: directive only rewrites image fields on built-in k8s
kinds (Pod, Deployment, etc.), not on custom resources like ProxyClass.
The first attempt left the rendered ProxyClass pointing at upstream
docker.io. Replaces it with a strategic merge patch over
spec.statefulSet.pod.tailscale{Container,InitContainer}.image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/manifests/tailscale-operator-ringtail/kustomization.yaml

@@ -11,8 +11,14 @@ resources:
 
 # Rewrite the proxyclass image to our local nix-built mirror.
 # Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
-# pulls from upstream docker.io.
+# pulls from upstream docker.io. A strategic merge patch is used instead of
-images:
+# kustomize's `images:` directive because that directive only rewrites images
-  - name: docker.io/tailscale/tailscale
+# in standard k8s container fields, not custom-resource fields like
-    newName: registry.ops.eblu.me/blumeops/tailscale
+# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
-    newTag: v1.94.2-67af7a8-nix
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default

argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml

@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix