From 950a3a6cc335c4f8274932b417e0a86e17be8a97 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Sun, 18 Jan 2026 18:50:27 -0800
Subject: [PATCH] Add ProxyClass for CRI-O image compatibility

CRI-O cannot resolve short image names like 'tailscale/tailscale:stable'.
The ProxyClass 'default' sets fully-qualified image references.

Services must use annotation: tailscale.com/proxy-class: "default"

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 argocd/manifests/tailscale-operator/README.md | 10 ++++++++++
 .../tailscale-operator/proxyclass.yaml        | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 argocd/manifests/tailscale-operator/proxyclass.yaml

diff --git a/argocd/manifests/tailscale-operator/README.md b/argocd/manifests/tailscale-operator/README.md
index 56a13f5..5b2ffda 100644
--- a/argocd/manifests/tailscale-operator/README.md
+++ b/argocd/manifests/tailscale-operator/README.md
@@ -29,6 +29,15 @@ op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply
 
 # 3. Apply the operator
 kubectl apply -f argocd/manifests/tailscale-operator/operator.yaml
+
+# 4. Apply the ProxyClass (required for CRI-O image compatibility)
+kubectl apply -f argocd/manifests/tailscale-operator/proxyclass.yaml
+```
+
+**Important:** Services using the Tailscale LoadBalancer must reference the ProxyClass:
+```yaml
+annotations:
+  tailscale.com/proxy-class: "default"
 ```
 
 ## Verification
@@ -46,5 +55,6 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator
 | File | Description |
 |------|-------------|
 | `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
+| `proxyclass.yaml` | ProxyClass with fully-qualified images for CRI-O |
 | `secret.yaml.tpl` | 1Password template for OAuth credentials |
 | `README.md` | This file |
diff --git a/argocd/manifests/tailscale-operator/proxyclass.yaml b/argocd/manifests/tailscale-operator/proxyclass.yaml
new file mode 100644
index 0000000..9b88262
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/proxyclass.yaml
@@ -0,0 +1,19 @@
+# ProxyClass for CRI-O compatibility
+# CRI-O cannot resolve short image names, so we must use fully-qualified references.
+# This ProxyClass sets the tailscale container images to use docker.io prefix.
+#
+# Apply this after operator.yaml. Services should reference this via:
+#   annotations:
+#     tailscale.com/proxy-class: "default"
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: docker.io/tailscale/tailscale:stable
+      tailscaleInitContainer:
+        image: docker.io/tailscale/tailscale:stable