Add ProxyClass for CRI-O image compatibility

CRI-O cannot resolve short image names like 'tailscale/tailscale:stable'.
The ProxyClass 'default' sets fully-qualified image references.

Services must use annotation: tailscale.com/proxy-class: "default"

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/tailscale-operator/README.md

@@ -29,6 +29,15 @@ op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply
 
 # 3. Apply the operator
 kubectl apply -f argocd/manifests/tailscale-operator/operator.yaml
+
+# 4. Apply the ProxyClass (required for CRI-O image compatibility)
+kubectl apply -f argocd/manifests/tailscale-operator/proxyclass.yaml
+```
+
+**Important:** Services using the Tailscale LoadBalancer must reference the ProxyClass:
+```yaml
+annotations:
+  tailscale.com/proxy-class: "default"
 ```
 
 ## Verification
@@ -46,5 +55,6 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator
 | File | Description |
 |------|-------------|
 | `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
+| `proxyclass.yaml` | ProxyClass with fully-qualified images for CRI-O |
 | `secret.yaml.tpl` | 1Password template for OAuth credentials |
 | `README.md` | This file |

argocd/manifests/tailscale-operator/proxyclass.yaml

@@ -0,0 +1,19 @@
+# ProxyClass for CRI-O compatibility
+# CRI-O cannot resolve short image names, so we must use fully-qualified references.
+# This ProxyClass sets the tailscale container images to use docker.io prefix.
+#
+# Apply this after operator.yaml. Services should reference this via:
+#   annotations:
+#     tailscale.com/proxy-class: "default"
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: docker.io/tailscale/tailscale:stable
+      tailscaleInitContainer:
+        image: docker.io/tailscale/tailscale:stable