Exclude upstream placeholder OAuth Secret from kustomize build

The upstream manifest includes a Secret with empty client_id/client_secret placeholders. We manage this via ExternalSecret, so drop the upstream copy to avoid ownership conflicts in ArgoCD. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch to kustomize remote resource for upstream manifest
2026-03-15 17:43:53 -07:00 · 2026-03-15 17:42:34 -07:00 · 2026-03-15 17:33:32 -07:00
5 changed files with 23 additions and 5395 deletions
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@ -4,15 +4,27 @@ kind: Kustomization
 namespace: tailscale
 # Upstream Tailscale operator manifest from forge mirror.
 # To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
  - proxyclass.yaml
  - dnsconfig.yaml
 # NOTE: also update proxyclass.yaml when changing the Tailscale version.
 # The kustomize images transformer only processes standard k8s container specs
 # (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
 # proxyclass.yaml tags must be updated manually.
 images:
-  - name: docker.io/tailscale/k8s-operator
+  - name: tailscale/k8s-operator
    newName: docker.io/tailscale/k8s-operator
    newTag: v1.94.2
 # The upstream manifest includes a placeholder OAuth Secret with empty values.
 # We manage this secret via ExternalSecret, so drop the upstream copy.
 patches:
  - target:
      kind: Secret
      name: operator-oauth
    patch: |
      $patch: delete
      apiVersion: v1
      kind: Secret
      metadata:
        name: operator-oauth
--- a/argocd/manifests/tailscale-operator-base/operator.yaml
+++ b/argocd/manifests/tailscale-operator-base/operator.yaml
--- a/argocd/manifests/tailscale-operator-base/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
@ -3,6 +3,8 @@
 # Specifies fully-qualified image names for Tailscale proxy pods.
 # This ensures consistent behavior across different container runtimes.
 #
 # Version must match targetRevision in argocd/apps/tailscale-operator-base.yaml.
 #
 # Usage:
 # Add this annotation to any Tailscale Service or Ingress:
 #   tailscale.com/proxy-class: "default"
@ -18,7 +20,6 @@ spec:
  statefulSet:
    pod:
      tailscaleContainer:
        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
        image: docker.io/tailscale/tailscale:v1.94.2
      tailscaleInitContainer:
        image: docker.io/tailscale/tailscale:v1.94.2
--- a/docs/changelog.d/externalize-tailscale-operator-base.infra.md
+++ b/docs/changelog.d/externalize-tailscale-operator-base.infra.md
@ -0,0 +1 @@
 Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.
--- a/docs/reference/kubernetes/tailscale-operator.md
+++ b/docs/reference/kubernetes/tailscale-operator.md
@ -15,8 +15,8 @@ The Tailscale operator enables Kubernetes services to be exposed directly on the
 | Property | Value |
 |----------|-------|
 | **Namespace** | `tailscale` |
-| **Helm Chart** | `tailscale/tailscale-operator` |
+| **Upstream** | `mirrors/tailscale` on forge (static manifest) |
-| **ArgoCD App** | `tailscale-operator` |
+| **ArgoCD Apps** | `tailscale-operator-base` (upstream), `tailscale-operator` (config) |
 ## How It Works
		`@ -0,0 +1 @@`
							`Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.`