From 7b0f6420660f7bf97fa9f9c92f34b509466a554c Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Sun, 15 Mar 2026 17:43:53 -0700
Subject: [PATCH] Exclude upstream placeholder OAuth Secret from kustomize
 build

The upstream manifest includes a Secret with empty client_id/client_secret
placeholders. We manage this via ExternalSecret, so drop the upstream copy
to avoid ownership conflicts in ArgoCD.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../tailscale-operator-base/kustomization.yaml      | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/argocd/manifests/tailscale-operator-base/kustomization.yaml b/argocd/manifests/tailscale-operator-base/kustomization.yaml
index e5fc40d..4519af6 100644
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@@ -15,3 +15,16 @@ images:
   - name: tailscale/k8s-operator
     newName: docker.io/tailscale/k8s-operator
     newTag: v1.94.2
+
+# The upstream manifest includes a placeholder OAuth Secret with empty values.
+# We manage this secret via ExternalSecret, so drop the upstream copy.
+patches:
+  - target:
+      kind: Secret
+      name: operator-oauth
+    patch: |
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: operator-oauth