From 739f2f7da5f13c61b1420f46aedfc36142dc6a11 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 19 Jan 2026 09:40:11 -0800 Subject: [PATCH] Rename ProxyClass to crio-compat with documentation - Rename from generic "default" to descriptive "crio-compat" - Add detailed comments explaining why this ProxyClass exists - Update all Service/Ingress annotations to use new name - Remove invalid `default: true` field (not a real ProxyClass field) The ProxyClass exists because CRI-O cannot resolve short image names. Each Tailscale Service/Ingress needs the annotation to use it. Co-Authored-By: Claude Opus 4.5 --- .../manifests/argocd/service-tailscale.yaml | 2 +- .../databases/service-tailscale.yaml | 1 + argocd/manifests/tailscale-operator/README.md | 2 +- .../tailscale-operator/egress-forge.yaml | 2 +- .../tailscale-operator/proxyclass.yaml | 24 +++++++++++++------ 5 files changed, 21 insertions(+), 10 deletions(-) diff --git a/argocd/manifests/argocd/service-tailscale.yaml b/argocd/manifests/argocd/service-tailscale.yaml index 2fc4ce0..2c95cd6 100644 --- a/argocd/manifests/argocd/service-tailscale.yaml +++ b/argocd/manifests/argocd/service-tailscale.yaml @@ -10,7 +10,7 @@ metadata: name: argocd-server-tailscale namespace: argocd annotations: - tailscale.com/proxy-class: "default" + tailscale.com/proxy-class: "crio-compat" spec: ingressClassName: tailscale defaultBackend: diff --git a/argocd/manifests/databases/service-tailscale.yaml b/argocd/manifests/databases/service-tailscale.yaml index ab69280..06d3e5d 100644 --- a/argocd/manifests/databases/service-tailscale.yaml +++ b/argocd/manifests/databases/service-tailscale.yaml @@ -8,6 +8,7 @@ metadata: namespace: databases annotations: tailscale.com/hostname: "k8s-pg" + tailscale.com/proxy-class: "crio-compat" spec: type: LoadBalancer loadBalancerClass: tailscale diff --git a/argocd/manifests/tailscale-operator/README.md b/argocd/manifests/tailscale-operator/README.md index 271a158..6365ffe 100644 --- a/argocd/manifests/tailscale-operator/README.md +++ b/argocd/manifests/tailscale-operator/README.md @@ -84,7 +84,7 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator - Services using the Tailscale LoadBalancer must reference the ProxyClass: ```yaml annotations: - tailscale.com/proxy-class: "default" + tailscale.com/proxy-class: "crio-compat" ``` - The egress proxy for forge targets `indri.tail8d86e.ts.net` directly (not `forge.tail8d86e.ts.net`) because Tailscale Serve hostnames are virtual and only work via the Tailscale client. diff --git a/argocd/manifests/tailscale-operator/egress-forge.yaml b/argocd/manifests/tailscale-operator/egress-forge.yaml index 8705eea..fec1752 100644 --- a/argocd/manifests/tailscale-operator/egress-forge.yaml +++ b/argocd/manifests/tailscale-operator/egress-forge.yaml @@ -11,7 +11,7 @@ metadata: namespace: tailscale annotations: tailscale.com/tailnet-fqdn: indri.tail8d86e.ts.net - tailscale.com/proxy-class: "default" + tailscale.com/proxy-class: "crio-compat" spec: type: ExternalName externalName: placeholder diff --git a/argocd/manifests/tailscale-operator/proxyclass.yaml b/argocd/manifests/tailscale-operator/proxyclass.yaml index 2704872..bb22ad7 100644 --- a/argocd/manifests/tailscale-operator/proxyclass.yaml +++ b/argocd/manifests/tailscale-operator/proxyclass.yaml @@ -1,16 +1,26 @@ -# ProxyClass for CRI-O compatibility -# CRI-O cannot resolve short image names, so we must use fully-qualified references. -# This ProxyClass sets the tailscale container images to use docker.io prefix. +# ProxyClass: crio-compat # -# With `default: true`, this ProxyClass is automatically applied to all -# Services/Ingresses that don't explicitly specify a different proxy-class. +# Why this exists: +# CRI-O (the container runtime used by minikube) cannot resolve short image +# names like "tailscale/tailscale:stable". It requires fully-qualified names +# with an explicit registry prefix (e.g., "docker.io/tailscale/tailscale:stable"). +# +# The Tailscale operator creates proxy pods (StatefulSets) for each LoadBalancer +# Service or Ingress. By default, these pods use short image names which fail +# on CRI-O with "ImageInspectError". +# +# Usage: +# Add this annotation to any Tailscale Service or Ingress: +# tailscale.com/proxy-class: "crio-compat" +# +# This tells the operator to use the fully-qualified image names defined below +# when creating the proxy pod for that resource. --- apiVersion: tailscale.com/v1alpha1 kind: ProxyClass metadata: - name: default + name: crio-compat spec: - default: true statefulSet: pod: tailscaleContainer: