Exclude upstream placeholder OAuth Secret from kustomize build

The upstream manifest includes a Secret with empty client_id/client_secret placeholders. We manage this via ExternalSecret, so drop the upstream copy to avoid ownership conflicts in ArgoCD. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch to kustomize remote resource for upstream manifest
2026-03-15 17:43:53 -07:00 · 2026-03-15 17:42:34 -07:00 · 2026-03-15 17:33:32 -07:00
5 changed files with 23 additions and 5395 deletions
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@ -4,15 +4,27 @@ kind: Kustomization

 namespace: tailscale

+# Upstream Tailscale operator manifest from forge mirror.
+# To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
  - proxyclass.yaml
  - dnsconfig.yaml

-# NOTE: also update proxyclass.yaml when changing the Tailscale version.
-# The kustomize images transformer only processes standard k8s container specs
-# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
-# proxyclass.yaml tags must be updated manually.
 images:
-  - name: docker.io/tailscale/k8s-operator
+  - name: tailscale/k8s-operator
+    newName: docker.io/tailscale/k8s-operator
    newTag: v1.94.2
+
+# The upstream manifest includes a placeholder OAuth Secret with empty values.
+# We manage this secret via ExternalSecret, so drop the upstream copy.
+patches:
+  - target:
+      kind: Secret
+      name: operator-oauth
+    patch: |
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: operator-oauth
--- a/argocd/manifests/tailscale-operator-base/operator.yaml
+++ b/argocd/manifests/tailscale-operator-base/operator.yaml
--- a/argocd/manifests/tailscale-operator-base/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
@ -3,6 +3,8 @@
 # Specifies fully-qualified image names for Tailscale proxy pods.
 # This ensures consistent behavior across different container runtimes.
 #
+# Version must match targetRevision in argocd/apps/tailscale-operator-base.yaml.
+#
 # Usage:
 # Add this annotation to any Tailscale Service or Ingress:
 #   tailscale.com/proxy-class: "default"
@ -18,7 +20,6 @@ spec:
  statefulSet:
    pod:
      tailscaleContainer:
-        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
        image: docker.io/tailscale/tailscale:v1.94.2
      tailscaleInitContainer:
        image: docker.io/tailscale/tailscale:v1.94.2
--- a/docs/changelog.d/externalize-tailscale-operator-base.infra.md
+++ b/docs/changelog.d/externalize-tailscale-operator-base.infra.md
@ -0,0 +1 @@
+Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.
--- a/docs/reference/kubernetes/tailscale-operator.md
+++ b/docs/reference/kubernetes/tailscale-operator.md
@ -15,8 +15,8 @@ The Tailscale operator enables Kubernetes services to be exposed directly on the
 | Property | Value |
 |----------|-------|
 | **Namespace** | `tailscale` |
-| **Helm Chart** | `tailscale/tailscale-operator` |
-| **ArgoCD App** | `tailscale-operator` |
+| **Upstream** | `mirrors/tailscale` on forge (static manifest) |
+| **ArgoCD Apps** | `tailscale-operator-base` (upstream), `tailscale-operator` (config) |

 ## How It Works
				`@ -0,0 +1 @@`
				`Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.`