Point tailscale-operator manifests at local images

indri overlay: operator images: override (dagger/arm64 tag) + ProxyClass
strategic-merge patch for the proxy image (kustomize images: cannot
rewrite CR fields). ringtail overlay: operator images: override (-nix
tag); its proxy image is already local and unchanged.

Both overlays validated with kubectl kustomize. Images built from this
branch (runs 583/584); same v1.94.2 as currently deployed — pure
supply-chain swap.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

argocd/manifests/tailscale-operator-ringtail/kustomization.yaml

@@ -9,12 +9,19 @@ resources:
   - proxygroup-ingress.yaml
   - external-secret.yaml
 
-# Rewrite the proxyclass image to our local nix-built mirror.
-# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
-# pulls from upstream docker.io. A strategic merge patch is used instead of
-# kustomize's `images:` directive because that directive only rewrites images
-# in standard k8s container fields, not custom-resource fields like
-# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+# Rewrite the operator image to the locally nix-built (amd64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+  - name: docker.io/tailscale/k8s-operator
+    newName: registry.ops.eblu.me/blumeops/tailscale-operator
+    newTag: v1.94.2-ac40a18-nix
+
+# Rewrite the proxyclass image to our local nix-built mirror (indri's overlay
+# carries the equivalent dagger/arm64 patch). A strategic merge patch is used
+# instead of kustomize's `images:` directive because that directive only
+# rewrites images in standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
 patches:
   - path: proxyclass-image.yaml
     target:

argocd/manifests/tailscale-operator/kustomization.yaml

@@ -14,3 +14,23 @@ resources:
   # Endpoints). Apply manually:
   #   kubectl --context=minikube-indri apply -f endpoints-forge.yaml
   - ingress-forge.yaml
+
+# Rewrite the operator image to the locally dagger-built (arm64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+  - name: docker.io/tailscale/k8s-operator
+    newName: registry.ops.eblu.me/blumeops/tailscale-operator
+    newTag: v1.94.2-ac40a18
+
+# Rewrite the proxyclass image to the local mirror. A strategic merge patch
+# is used instead of kustomize's `images:` directive because that directive
+# only rewrites standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default

argocd/manifests/tailscale-operator/proxyclass-image.yaml

@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18