indri overlay: operator images: override (dagger/arm64 tag) + ProxyClass
strategic-merge patch for the proxy image (kustomize images: cannot
rewrite CR fields). ringtail overlay: operator images: override (-nix
tag); its proxy image is already local and unchanged.
Both overlays validated with kubectl kustomize. Images built from this
branch (runs 583/584); same v1.94.2 as currently deployed — pure
supply-chain swap.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Docs-first for C1: tailscale-operator card gains Local Images and
Rollout Safety sections (device identity lives in state Secrets; image
swaps don't re-register devices).
New containers/tailscale-operator (container.py for indri/arm64,
default.nix for ringtail/amd64) builds cmd/k8s-operator from the forge
mirror, mirroring upstream's mkctr recipe. containers/tailscale gains a
container.py so indri's ProxyClass can use a local arm64 proxy image
(ringtail already consumes the nix build).
Manifest updates follow once images are built and tagged.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
