Rename ProxyClass to crio-compat with documentation

- Rename from generic "default" to descriptive "crio-compat" - Add detailed comments explaining why this ProxyClass exists - Update all Service/Ingress annotations to use new name - Remove invalid `default: true` field (not a real ProxyClass field) The ProxyClass exists because CRI-O cannot resolve short image names. Each Tailscale Service/Ingress needs the annotation to use it. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 09:49:53 -08:00 · 2026-01-19 09:40:11 -08:00 · 2026-01-19 09:40:11 -08:00
commit 739f2f7da5
5 changed files with 21 additions and 10 deletions
--- a/argocd/manifests/argocd/service-tailscale.yaml
+++ b/argocd/manifests/argocd/service-tailscale.yaml
@ -10,7 +10,7 @@ metadata:
  name: argocd-server-tailscale
  namespace: argocd
  annotations:
-    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-class: "crio-compat"
 spec:
  ingressClassName: tailscale
  defaultBackend:
--- a/argocd/manifests/databases/service-tailscale.yaml
+++ b/argocd/manifests/databases/service-tailscale.yaml
@ -8,6 +8,7 @@ metadata:
  namespace: databases
  annotations:
    tailscale.com/hostname: "k8s-pg"
+    tailscale.com/proxy-class: "crio-compat"
 spec:
  type: LoadBalancer
  loadBalancerClass: tailscale
--- a/argocd/manifests/tailscale-operator/README.md
+++ b/argocd/manifests/tailscale-operator/README.md
@ -84,7 +84,7 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator
 - Services using the Tailscale LoadBalancer must reference the ProxyClass:
  ```yaml
  annotations:
-    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-class: "crio-compat"
  ```
 - The egress proxy for forge targets `indri.tail8d86e.ts.net` directly (not `forge.tail8d86e.ts.net`)
  because Tailscale Serve hostnames are virtual and only work via the Tailscale client.
--- a/argocd/manifests/tailscale-operator/egress-forge.yaml
+++ b/argocd/manifests/tailscale-operator/egress-forge.yaml
@ -11,7 +11,7 @@ metadata:
  namespace: tailscale
  annotations:
    tailscale.com/tailnet-fqdn: indri.tail8d86e.ts.net
-    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-class: "crio-compat"
 spec:
  type: ExternalName
  externalName: placeholder
--- a/argocd/manifests/tailscale-operator/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator/proxyclass.yaml
@ -1,16 +1,26 @@
-# ProxyClass for CRI-O compatibility
-# CRI-O cannot resolve short image names, so we must use fully-qualified references.
-# This ProxyClass sets the tailscale container images to use docker.io prefix.
+# ProxyClass: crio-compat
 #
-# With `default: true`, this ProxyClass is automatically applied to all
-# Services/Ingresses that don't explicitly specify a different proxy-class.
+# Why this exists:
+# CRI-O (the container runtime used by minikube) cannot resolve short image
+# names like "tailscale/tailscale:stable". It requires fully-qualified names
+# with an explicit registry prefix (e.g., "docker.io/tailscale/tailscale:stable").
+#
+# The Tailscale operator creates proxy pods (StatefulSets) for each LoadBalancer
+# Service or Ingress. By default, these pods use short image names which fail
+# on CRI-O with "ImageInspectError".
+#
+# Usage:
+# Add this annotation to any Tailscale Service or Ingress:
+#   tailscale.com/proxy-class: "crio-compat"
+#
+# This tells the operator to use the fully-qualified image names defined below
+# when creating the proxy pod for that resource.
 ---
 apiVersion: tailscale.com/v1alpha1
 kind: ProxyClass
 metadata:
-  name: default
+  name: crio-compat
 spec:
-  default: true
  statefulSet:
    pod:
      tailscaleContainer: