From f0a3cbf5ffaa7c3eeaca95a31df8ed9a87b54f3c Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Wed, 21 Jan 2026 14:25:02 -0800 Subject: [PATCH] Rename ProxyClass from crio-compat to default The crio-compat name was misleading since we're now using docker driver. Renamed to 'default' and updated all references. Fully-qualified image names still used for consistency across runtimes. Co-Authored-By: Claude Opus 4.5 --- argocd/manifests/argocd/service-tailscale.yaml | 2 +- .../manifests/databases/service-tailscale.yaml | 2 +- argocd/manifests/devpi/ingress-tailscale.yaml | 2 +- .../grafana-config/ingress-tailscale.yaml | 2 +- argocd/manifests/miniflux/ingress-tailscale.yaml | 2 +- argocd/manifests/tailscale-operator/README.md | 8 ++++---- .../tailscale-operator/egress-forge.yaml | 2 +- .../manifests/tailscale-operator/proxyclass.yaml | 16 +++++----------- 8 files changed, 15 insertions(+), 21 deletions(-) diff --git a/argocd/manifests/argocd/service-tailscale.yaml b/argocd/manifests/argocd/service-tailscale.yaml index 2c95cd6..2fc4ce0 100644 --- a/argocd/manifests/argocd/service-tailscale.yaml +++ b/argocd/manifests/argocd/service-tailscale.yaml @@ -10,7 +10,7 @@ metadata: name: argocd-server-tailscale namespace: argocd annotations: - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: ingressClassName: tailscale defaultBackend: diff --git a/argocd/manifests/databases/service-tailscale.yaml b/argocd/manifests/databases/service-tailscale.yaml index 7d816ff..c41fb87 100644 --- a/argocd/manifests/databases/service-tailscale.yaml +++ b/argocd/manifests/databases/service-tailscale.yaml @@ -7,7 +7,7 @@ metadata: namespace: databases annotations: tailscale.com/hostname: "pg" - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: type: LoadBalancer loadBalancerClass: tailscale diff --git a/argocd/manifests/devpi/ingress-tailscale.yaml b/argocd/manifests/devpi/ingress-tailscale.yaml index 2a1c659..8f37d17 100644 --- a/argocd/manifests/devpi/ingress-tailscale.yaml +++ b/argocd/manifests/devpi/ingress-tailscale.yaml @@ -4,7 +4,7 @@ metadata: name: devpi-tailscale namespace: devpi annotations: - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: ingressClassName: tailscale defaultBackend: diff --git a/argocd/manifests/grafana-config/ingress-tailscale.yaml b/argocd/manifests/grafana-config/ingress-tailscale.yaml index 8e6fe24..b72f8b9 100644 --- a/argocd/manifests/grafana-config/ingress-tailscale.yaml +++ b/argocd/manifests/grafana-config/ingress-tailscale.yaml @@ -8,7 +8,7 @@ metadata: name: grafana-tailscale namespace: monitoring annotations: - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: ingressClassName: tailscale defaultBackend: diff --git a/argocd/manifests/miniflux/ingress-tailscale.yaml b/argocd/manifests/miniflux/ingress-tailscale.yaml index e384f66..8884c61 100644 --- a/argocd/manifests/miniflux/ingress-tailscale.yaml +++ b/argocd/manifests/miniflux/ingress-tailscale.yaml @@ -4,7 +4,7 @@ metadata: name: miniflux-tailscale namespace: miniflux annotations: - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: ingressClassName: tailscale defaultBackend: diff --git a/argocd/manifests/tailscale-operator/README.md b/argocd/manifests/tailscale-operator/README.md index 6365ffe..44c5089 100644 --- a/argocd/manifests/tailscale-operator/README.md +++ b/argocd/manifests/tailscale-operator/README.md @@ -6,7 +6,7 @@ Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD. - `operator.yaml` - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests - Secret block removed from `operator.yaml` - managed separately via `secret.yaml.tpl` -- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable` for CRI-O compatibility +- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable` ## Prerequisites @@ -71,7 +71,7 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator |------|-------------| | `kustomization.yaml` | Kustomize configuration for all manifests | | `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) | -| `proxyclass.yaml` | ProxyClass with fully-qualified images for CRI-O | +| `proxyclass.yaml` | ProxyClass with fully-qualified images | | `dnsconfig.yaml` | DNSConfig for cluster-to-tailnet name resolution | | `egress-forge.yaml` | Egress proxy for accessing forge on indri | | `secret.yaml.tpl` | 1Password template for OAuth credentials (manual) | @@ -81,10 +81,10 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator - **TODO:** The OAuth secret (`operator-oauth`) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets). -- Services using the Tailscale LoadBalancer must reference the ProxyClass: +- Services using the Tailscale LoadBalancer should reference the ProxyClass: ```yaml annotations: - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" ``` - The egress proxy for forge targets `indri.tail8d86e.ts.net` directly (not `forge.tail8d86e.ts.net`) because Tailscale Serve hostnames are virtual and only work via the Tailscale client. diff --git a/argocd/manifests/tailscale-operator/egress-forge.yaml b/argocd/manifests/tailscale-operator/egress-forge.yaml index fec1752..8705eea 100644 --- a/argocd/manifests/tailscale-operator/egress-forge.yaml +++ b/argocd/manifests/tailscale-operator/egress-forge.yaml @@ -11,7 +11,7 @@ metadata: namespace: tailscale annotations: tailscale.com/tailnet-fqdn: indri.tail8d86e.ts.net - tailscale.com/proxy-class: "crio-compat" + tailscale.com/proxy-class: "default" spec: type: ExternalName externalName: placeholder diff --git a/argocd/manifests/tailscale-operator/proxyclass.yaml b/argocd/manifests/tailscale-operator/proxyclass.yaml index bb22ad7..2e247d7 100644 --- a/argocd/manifests/tailscale-operator/proxyclass.yaml +++ b/argocd/manifests/tailscale-operator/proxyclass.yaml @@ -1,17 +1,11 @@ -# ProxyClass: crio-compat +# ProxyClass: default # -# Why this exists: -# CRI-O (the container runtime used by minikube) cannot resolve short image -# names like "tailscale/tailscale:stable". It requires fully-qualified names -# with an explicit registry prefix (e.g., "docker.io/tailscale/tailscale:stable"). -# -# The Tailscale operator creates proxy pods (StatefulSets) for each LoadBalancer -# Service or Ingress. By default, these pods use short image names which fail -# on CRI-O with "ImageInspectError". +# Specifies fully-qualified image names for Tailscale proxy pods. +# This ensures consistent behavior across different container runtimes. # # Usage: # Add this annotation to any Tailscale Service or Ingress: -# tailscale.com/proxy-class: "crio-compat" +# tailscale.com/proxy-class: "default" # # This tells the operator to use the fully-qualified image names defined below # when creating the proxy pod for that resource. @@ -19,7 +13,7 @@ apiVersion: tailscale.com/v1alpha1 kind: ProxyClass metadata: - name: crio-compat + name: default spec: statefulSet: pod: