argocd/manifests/tailscale-operator-base/kustomization.yaml

@@ -4,15 +4,27 @@ kind: Kustomization
 
 namespace: tailscale
 
+# Upstream Tailscale operator manifest from forge mirror.
+# To upgrade: update the ref in the URL AND the newTag below.
 resources:
-  - operator.yaml
+  - https://forge.eblu.me/mirrors/tailscale/raw/tag/v1.94.2/cmd/k8s-operator/deploy/manifests/operator.yaml
   - proxyclass.yaml
   - dnsconfig.yaml
 
-# NOTE: also update proxyclass.yaml when changing the Tailscale version.
-# The kustomize images transformer only processes standard k8s container specs
-# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
-# proxyclass.yaml tags must be updated manually.
 images:
-  - name: docker.io/tailscale/k8s-operator
+  - name: tailscale/k8s-operator
+    newName: docker.io/tailscale/k8s-operator
     newTag: v1.94.2
+
+# The upstream manifest includes a placeholder OAuth Secret with empty values.
+# We manage this secret via ExternalSecret, so drop the upstream copy.
+patches:
+  - target:
+      kind: Secret
+      name: operator-oauth
+    patch: |
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: operator-oauth

argocd/manifests/tailscale-operator-base/proxyclass.yaml

@@ -3,6 +3,8 @@
 # Specifies fully-qualified image names for Tailscale proxy pods.
 # This ensures consistent behavior across different container runtimes.
 #
+# Version must match targetRevision in argocd/apps/tailscale-operator-base.yaml.
+#
 # Usage:
 # Add this annotation to any Tailscale Service or Ingress:
 #   tailscale.com/proxy-class: "default"
@@ -18,7 +20,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
         image: docker.io/tailscale/tailscale:v1.94.2
       tailscaleInitContainer:
         image: docker.io/tailscale/tailscale:v1.94.2

docs/changelog.d/externalize-tailscale-operator-base.infra.md

@@ -0,0 +1 @@
+Externalize Tailscale operator manifest to forge mirror, removing 495 KB vendored file from the repo.

docs/reference/kubernetes/tailscale-operator.md

@@ -15,8 +15,8 @@ The Tailscale operator enables Kubernetes services to be exposed directly on the
 | Property | Value |
 |----------|-------|
 | **Namespace** | `tailscale` |
-| **Helm Chart** | `tailscale/tailscale-operator` |
-| **ArgoCD App** | `tailscale-operator` |
+| **Upstream** | `mirrors/tailscale` on forge (static manifest) |
+| **ArgoCD Apps** | `tailscale-operator-base` (upstream), `tailscale-operator` (config) |
 
 ## How It Works