Externalize Tailscale operator to forge mirror

Replace vendored operator.yaml (495 KB) with ArgoCD apps sourcing the upstream static manifest from mirrors/tailscale on forge, pinned to v1.94.2 via targetRevision. Adds apps for both indri and ringtail clusters. Local kustomization retains only ProxyClass and DNSConfig. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 17:33:32 -07:00 · 2026-03-15 17:33:32 -07:00 · 56224867fa
commit 56224867fa
parent 272ea1e767
7 changed files with 63 additions and 5398 deletions
--- a/argocd/apps/tailscale-operator-base-ringtail.yaml
+++ b/argocd/apps/tailscale-operator-base-ringtail.yaml
@ -0,0 +1,25 @@
+# Tailscale Kubernetes Operator — upstream static manifest (ringtail)
+# Deploys CRDs, RBAC, ServiceAccounts, and the operator Deployment.
+# Custom resources (ProxyClass, DNSConfig, etc.) are in tailscale-operator-ringtail.
+#
+# Mirror of https://github.com/tailscale/tailscale
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tailscale-operator-base-ringtail
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/tailscale.git
+    targetRevision: v1.94.2
+    path: cmd/k8s-operator/deploy/manifests
+    directory:
+      include: 'operator.yaml'
+  destination:
+    server: https://ringtail.tail8d86e.ts.net:6443
+    namespace: tailscale
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true  # CRDs exceed annotation size limit
--- a/argocd/apps/tailscale-operator-base.yaml
+++ b/argocd/apps/tailscale-operator-base.yaml
@ -0,0 +1,25 @@
+# Tailscale Kubernetes Operator — upstream static manifest
+# Deploys CRDs, RBAC, ServiceAccounts, and the operator Deployment.
+# Custom resources (ProxyClass, DNSConfig, etc.) are in tailscale-operator.
+#
+# Mirror of https://github.com/tailscale/tailscale
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tailscale-operator-base
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/tailscale.git
+    targetRevision: v1.94.2
+    path: cmd/k8s-operator/deploy/manifests
+    directory:
+      include: 'operator.yaml'
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tailscale
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true  # CRDs exceed annotation size limit
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@ -4,15 +4,14 @@ kind: Kustomization

 namespace: tailscale

+# The upstream operator manifest (CRDs, RBAC, Deployment) is managed by the
+# tailscale-operator-base ArgoCD app, sourced from mirrors/tailscale on forge.
+# Version is pinned via targetRevision in argocd/apps/tailscale-operator-base.yaml.
+#
+# When upgrading Tailscale, update BOTH:
+#   1. targetRevision in argocd/apps/tailscale-operator-base.yaml
+#   2. image tags in proxyclass.yaml below
+
 resources:
-  - operator.yaml
  - proxyclass.yaml
  - dnsconfig.yaml
-
-# NOTE: also update proxyclass.yaml when changing the Tailscale version.
-# The kustomize images transformer only processes standard k8s container specs
-# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
-# proxyclass.yaml tags must be updated manually.
-images:
-  - name: docker.io/tailscale/k8s-operator
-    newTag: v1.94.2
--- a/argocd/manifests/tailscale-operator-base/operator.yaml
+++ b/argocd/manifests/tailscale-operator-base/operator.yaml
--- a/argocd/manifests/tailscale-operator-base/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
@ -3,6 +3,8 @@
 # Specifies fully-qualified image names for Tailscale proxy pods.
 # This ensures consistent behavior across different container runtimes.
 #
+# Version must match targetRevision in argocd/apps/tailscale-operator-base.yaml.
+#
 # Usage:
 # Add this annotation to any Tailscale Service or Ingress:
 #   tailscale.com/proxy-class: "default"
@ -18,7 +20,6 @@ spec:
  statefulSet:
    pod:
      tailscaleContainer:
-        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
        image: docker.io/tailscale/tailscale:v1.94.2
      tailscaleInitContainer:
        image: docker.io/tailscale/tailscale:v1.94.2
--- a/docs/changelog.d/externalize-tailscale-operator-base.infra.md
+++ b/docs/changelog.d/externalize-tailscale-operator-base.infra.md
@ -0,0 +1 @@
+Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.
--- a/docs/reference/kubernetes/tailscale-operator.md
+++ b/docs/reference/kubernetes/tailscale-operator.md
@ -15,8 +15,8 @@ The Tailscale operator enables Kubernetes services to be exposed directly on the
 | Property | Value |
 |----------|-------|
 | **Namespace** | `tailscale` |
-| **Helm Chart** | `tailscale/tailscale-operator` |
-| **ArgoCD App** | `tailscale-operator` |
+| **Upstream** | `mirrors/tailscale` on forge (static manifest) |
+| **ArgoCD Apps** | `tailscale-operator-base` (upstream), `tailscale-operator` (config) |

 ## How It Works
				`@ -0,0 +1 @@`
				`Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.`