diff --git a/AGENTS.md b/AGENTS.md
index 47d3dfe..377ae49 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -18,7 +18,7 @@ Repository guide for agentic contributors working in this repo.
 - **cert-manager** is required — Tailscale LoadBalancer does L4 TCP passthrough, so Rancher serves its own TLS.
 - **Secrets flow**: Doppler → `ClusterSecretStore` (doppler-hetznerterra) → `ExternalSecret` resources → k8s Secrets.
 - Rancher is reachable only over Tailscale at `https://rancher.silverside-gopher.ts.net/`.
-- Grafana, Prometheus, and Flux UI are also exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/`, `http://prometheus.silverside-gopher.ts.net:9090/`, `http://flux.silverside-gopher.ts.net:9001/`.
+- Grafana and Prometheus are exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/` and `http://prometheus.silverside-gopher.ts.net:9090/`.
 ## Important Files
diff --git a/README.md b/README.md
index 5e159c7..7424b57 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,6 @@ Runtime cluster secrets are moving to Doppler + External Secrets Operator.
 - Initial auth: service token via `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
 - First synced secrets:
 - `GRAFANA_ADMIN_PASSWORD`
- - `WEAVE_GITOPS_ADMIN_USERNAME`
- - `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`
 Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed by Doppler.
@@ -237,7 +235,7 @@ Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed
 - Active Flux addons for stable baseline: `addon-tailscale-operator`, `addon-tailscale-proxyclass`, `addon-external-secrets`.
 - Deferred addons: `addon-ccm`, `addon-csi`, `addon-observability`, `addon-observability-content` (to be added after baseline is stable).
 - Ansible is limited to cluster bootstrap, private-access setup, and prerequisite secret creation for Flux-managed addons.
-- `addon-flux-ui` is optional for the stable-baseline phase and is not a blocker for rebuild success.
+- Weave GitOps / Flux UI is no longer deployed; use Rancher or the `flux` CLI for Flux operations.
 ### Rancher access
@@ -269,17 +267,14 @@ Flux deploys a lightweight observability stack in the `observability` namespace:
 Grafana content is managed as code via ConfigMaps in `infrastructure/addons/observability-content/`.
-Grafana and Prometheus are exposed through a single Tailscale front door backed by Traefik when the Tailscale Kubernetes Operator is healthy.
+Grafana and Prometheus are exposed through dedicated Tailscale LoadBalancer services when the Tailscale Kubernetes Operator is healthy.
 ### Access Grafana and Prometheus
 Preferred private access:
-- Grafana: `http://k8s-cluster-cp-1.:30080/`
-- Prometheus: `http://k8s-cluster-cp-1.:30990/`
-- Flux UI: `http://k8s-cluster-cp-1.:30901/`
-
-This access path is bootstrapped automatically by Ansible on `control_plane[0]` using persistent `kubectl port-forward` systemd services plus `tailscale serve`, so it survives cluster rebuilds.
+- Grafana: `http://grafana.silverside-gopher.ts.net/`
+- Prometheus: `http://prometheus.silverside-gopher.ts.net:9090/`
 Fallback (port-forward from a tailnet-connected machine):
diff --git a/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml b/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml
deleted file mode 100644
index 0ae9723..0000000
--- a/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: cluster-user-auth
- namespace: flux-system
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: doppler-hetznerterra
- kind: ClusterSecretStore
- target:
- name: cluster-user-auth
- creationPolicy: Owner
- template:
- type: Opaque
- data:
- username: "{{ .fluxAdminUsername }}"
- password: "{{ .fluxAdminPasswordHash }}"
- data:
- - secretKey: fluxAdminUsername
- remoteRef:
- key: WEAVE_GITOPS_ADMIN_USERNAME
- - secretKey: fluxAdminPasswordHash
- remoteRef:
- key: WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH
diff --git a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml b/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
deleted file mode 100644
index 886fea7..0000000
--- a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: flux-tailscale
- namespace: flux-system
- annotations:
- tailscale.com/hostname: flux
- tailscale.com/tags: "tag:prod,tag:flux"
- tailscale.com/proxy-class: infra-stable
-spec:
- type: LoadBalancer
- loadBalancerClass: tailscale
- selector:
- app.kubernetes.io/name: weave-gitops
- app.kubernetes.io/instance: flux-system-weave-gitops
- ports:
- - name: http
- port: 9001
- protocol: TCP
- targetPort: http
diff --git a/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml b/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml
deleted file mode 100644
index 8993773..0000000
--- a/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
- name: weave-gitops
- namespace: flux-system
-spec:
- interval: 1h
- url: https://github.com/weaveworks/weave-gitops
- ref:
- tag: v0.39.0-rc.2
diff --git a/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml b/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
deleted file mode 100644
index a57b243..0000000
--- a/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: weave-gitops
- namespace: flux-system
-spec:
- interval: 10m
- targetNamespace: flux-system
- chart:
- spec:
- chart: ./charts/gitops-server
- sourceRef:
- kind: GitRepository
- name: weave-gitops
- namespace: flux-system
- install:
- createNamespace: true
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- values:
- service:
- type: ClusterIP
- port: 9001
- adminUser:
- create: true
- createClusterRole: true
- createSecret: false # Secret is managed by External Secret from Doppler
- username: admin
- rbac:
- create: true
- impersonationResourceNames:
- - admin
- viewSecretsResourceNames:
- - cluster-user-auth
- - oidc-auth
diff --git a/infrastructure/addons/flux-ui/kustomization.yaml b/infrastructure/addons/flux-ui/kustomization.yaml
deleted file mode 100644
index 4f0d0b7..0000000
--- a/infrastructure/addons/flux-ui/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - cluster-user-auth-externalsecret.yaml
- - gitrepository-weave-gitops.yaml
- - helmrelease-weave-gitops.yaml
- - flux-tailscale-service.yaml
diff --git a/infrastructure/addons/kustomization-flux-ui.yaml b/infrastructure/addons/kustomization-flux-ui.yaml
deleted file mode 100644
index 7f93dc5..0000000
--- a/infrastructure/addons/kustomization-flux-ui.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: addon-flux-ui
- namespace: flux-system
-spec:
- interval: 10m
- prune: true
- sourceRef:
- kind: GitRepository
- name: platform
- path: ./infrastructure/addons/flux-ui
- dependsOn:
- - name: addon-external-secrets
- - name: addon-tailscale-operator
- - name: addon-tailscale-proxyclass
- wait: true
- timeout: 5m
- suspend: false
diff --git a/infrastructure/addons/kustomization.yaml b/infrastructure/addons/kustomization.yaml
index 5deb9b0..ca27350 100644
--- a/infrastructure/addons/kustomization.yaml
+++ b/infrastructure/addons/kustomization.yaml
@@ -8,7 +8,6 @@ resources:
 - kustomization-tailscale-operator.yaml
 - kustomization-tailscale-proxyclass.yaml
 - traefik
- - kustomization-flux-ui.yaml
 - kustomization-observability.yaml
 - kustomization-observability-content.yaml
 - kustomization-rancher.yaml
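Review bot: Dropping `kustomization-flux-ui.yaml` from the `resources` list only removes the `addon-flux-ui` Flux Kustomization from the cluster if the parent Kustomization that applies this directory has `prune: true`, and that setting is not visible in this diff; without it the child object keeps reconciling against a path that no longer exists, the reconcile fails, and the Weave GitOps HelmRelease, the `cluster-user-auth` Secret holding the admin bcrypt hash, and the Tailscale-exposed `flux` Service all stay running. After the next reconcile, confirm `kubectl -n flux-system get kustomization addon-flux-ui` reports NotFound, and that the admin impersonation ClusterRole/ClusterRoleBinding the chart created (`createClusterRole: true` in the deleted HelmRelease) and the `flux` device in the tailnet are gone. The README hunk removes the mention of `WEAVE_GITOPS_ADMIN_USERNAME` and `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`, but the Doppler entries themselves and any tailnet ACL rules granting access to `tag:flux` live outside this repo and still need to be deleted or rotated. It would help to record those cleanup steps in the README next to the "no longer deployed" sentence so a rebuild from this commit does not leave stale credentials behind.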