Point tailscale-operator manifests at local images

indri overlay: operator images: override (dagger/arm64 tag) + ProxyClass
strategic-merge patch for the proxy image (kustomize images: cannot
rewrite CR fields). ringtail overlay: operator images: override (-nix
tag); its proxy image is already local and unchanged.

Both overlays validated with kubectl kustomize. Images built from this
branch (runs 583/584); same v1.94.2 as currently deployed — pure
supply-chain swap.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

argocd/manifests/tailscale-operator-ringtail/kustomization.yaml

@@ -15,7 +15,7 @@ resources:
 images:
   - name: docker.io/tailscale/k8s-operator
     newName: registry.ops.eblu.me/blumeops/tailscale-operator
-    newTag: v1.94.2-d03ed33-nix
+    newTag: v1.94.2-ac40a18-nix
 
 # Rewrite the proxyclass image to our local nix-built mirror (indri's overlay
 # carries the equivalent dagger/arm64 patch). A strategic merge patch is used

argocd/manifests/tailscale-operator/kustomization.yaml

@@ -21,7 +21,7 @@ resources:
 images:
   - name: docker.io/tailscale/k8s-operator
     newName: registry.ops.eblu.me/blumeops/tailscale-operator
-    newTag: v1.94.2-d03ed33
+    newTag: v1.94.2-ac40a18
 
 # Rewrite the proxyclass image to the local mirror. A strategic merge patch
 # is used instead of kustomize's `images:` directive because that directive

argocd/manifests/tailscale-operator/proxyclass-image.yaml

@@ -6,6 +6,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-d03ed33
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18
       tailscaleInitContainer:
-        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-d03ed33
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18