From af0fce2a05fca6edf6feb07d79b535054b0e0025 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 9 Jun 2026 16:56:43 -0700
Subject: [PATCH] Point tailscale-operator manifests at local images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
indri overlay: operator images: override (dagger/arm64 tag) + ProxyClass strategic-merge patch for the proxy image (kustomize images: cannot rewrite CR fields). ringtail overlay: operator images: override (-nix tag); its proxy image is already local and unchanged. Both overlays validated with kubectl kustomize. Images built from this branch (runs 583/584); same v1.94.2 as currently deployed — pure supply-chain swap.
Co-Authored-By: Claude Fable 5
---
.../kustomization.yaml | 19 ++++++++++++------
.../tailscale-operator/kustomization.yaml | 20 +++++++++++++++++++
.../tailscale-operator/proxyclass-image.yaml | 11 ++++++++++
3 files changed, 44 insertions(+), 6 deletions(-)
create mode 100644 argocd/manifests/tailscale-operator/proxyclass-image.yaml
diff --git a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
index 2d9ceb2..fc119c9 100644
--- a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
@@ -9,12 +9,19 @@ resources:
 - proxygroup-ingress.yaml
 - external-secret.yaml
-# Rewrite the proxyclass image to our local nix-built mirror.
-# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
-# pulls from upstream docker.io. A strategic merge patch is used instead of
-# kustomize's `images:` directive because that directive only rewrites images
-# in standard k8s container fields, not custom-resource fields like
-# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+# Rewrite the operator image to the locally nix-built (amd64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+ - name: docker.io/tailscale/k8s-operator
+ newName: registry.ops.eblu.me/blumeops/tailscale-operator
+ newTag: v1.94.2-ac40a18-nix
+
+# Rewrite the proxyclass image to our local nix-built mirror (indri's overlay
+# carries the equivalent dagger/arm64 patch). A strategic merge patch is used
+# instead of kustomize's `images:` directive because that directive only
+# rewrites images in standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
 patches:
 - path: proxyclass-image.yaml
 target:
diff --git a/argocd/manifests/tailscale-operator/kustomization.yaml b/argocd/manifests/tailscale-operator/kustomization.yaml
index f1d6f89..ad275a9 100644
--- a/argocd/manifests/tailscale-operator/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator/kustomization.yaml
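Review bot: The `images:` entry added to tailscale-operator-ringtail/kustomization.yaml pins the mirrored operator by tag only (`newTag: v1.94.2-ac40a18-nix`), so the cluster runs whatever the registry serves under that tag at pull time. The commit suffix in the tag gives traceability but not immutability. Kustomize's image transformer accepts a `digest:` field, so the entry could carry `digest: sha256:<digest-of-the-built-image>` taken from the build run that produced it. The same applies to the `images:` entry added in tailscale-operator/kustomization.yaml and to the two `image:` strings in the new proxyclass-image.yaml, which would take the `@sha256:<digest>` form, assuming the operator passes that string to the pod spec unchanged.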
@@ -14,3 +14,23 @@ resources:
 # Endpoints). Apply manually:
 # kubectl --context=minikube-indri apply -f endpoints-forge.yaml
 - ingress-forge.yaml
+
+# Rewrite the operator image to the locally dagger-built (arm64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+ - name: docker.io/tailscale/k8s-operator
+ newName: registry.ops.eblu.me/blumeops/tailscale-operator
+ newTag: v1.94.2-ac40a18
+
+# Rewrite the proxyclass image to the local mirror. A strategic merge patch
+# is used instead of kustomize's `images:` directive because that directive
+# only rewrites standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+ - path: proxyclass-image.yaml
+ target:
+ group: tailscale.com
+ version: v1alpha1
+ kind: ProxyClass
+ name: default
diff --git a/argocd/manifests/tailscale-operator/proxyclass-image.yaml b/argocd/manifests/tailscale-operator/proxyclass-image.yaml
new file mode 100644
index 0000000..eae73eb
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/proxyclass-image.yaml
@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+ name: default
+spec:
+ statefulSet:
+ pod:
+ tailscaleContainer:
+ image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18
+ tailscaleInitContainer:
+ image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18
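Review bot: The comment added in tailscale-operator/kustomization.yaml says the `name:` must match the post-base-render image, but nothing in the overlay enforces that match. To my knowledge kustomize does not fail when an `images:` entry matches no container, so a change to the base's rewrite would quietly restore the upstream docker.io operator image. A render check in CI would catch this, for example asserting that the `kubectl kustomize` output for the overlay contains no `docker.io/tailscale/` reference. The comment could also state the failure mode: `# If the base stops emitting docker.io/tailscale/k8s-operator this entry silently stops applying.` The ringtail overlay's `images:` entry depends on the same match.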
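Review bot: The new proxyclass-image.yaml has no comment, and it repeats the tag `v1.94.2-ac40a18` in both `tailscaleContainer.image` and `tailscaleInitContainer.image` while the operator tag sits separately under `newTag` in kustomization.yaml. A version bump therefore has three places to touch, and a missed one leaves the operator and proxy on different builds with no render-time error. A header would make the coupling visible: `# Strategic-merge patch for ProxyClass/default (arm64 dagger build); keep both tags in step with newTag in kustomization.yaml.` Whether a ProxyClass named `default` exists in the base for this patch to target is not visible in the diff and should be confirmed against the rendered output.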