From 60f466ab984795b40418a1662fcf5c0c4b687893 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 18 Apr 2026 18:44:55 +0000
Subject: [PATCH] remove Weave GitOps addon

Drop the Flux UI addon and its Tailscale exposure because the UI lags the current Flux APIs and reports misleading HelmRelease errors. Keep Flux managed through the controllers themselves and use Rancher or the flux CLI for access.
---
 AGENTS.md | 2 +-
 README.md | 13 ++-----
 .../cluster-user-auth-externalsecret.yaml | 25 ------------
 .../flux-ui/flux-tailscale-service.yaml | 20 ----------
 .../flux-ui/gitrepository-weave-gitops.yaml | 10 -----
 .../flux-ui/helmrelease-weave-gitops.yaml | 38 -------------------
 .../addons/flux-ui/kustomization.yaml | 7 ----
 .../addons/kustomization-flux-ui.yaml | 19 ----------
 infrastructure/addons/kustomization.yaml | 1 -
 9 files changed, 5 insertions(+), 130 deletions(-)
 delete mode 100644 infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml
 delete mode 100644 infrastructure/addons/flux-ui/flux-tailscale-service.yaml
 delete mode 100644 infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml
 delete mode 100644 infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
 delete mode 100644 infrastructure/addons/flux-ui/kustomization.yaml
 delete mode 100644 infrastructure/addons/kustomization-flux-ui.yaml

diff --git a/AGENTS.md b/AGENTS.md
index 47d3dfe..377ae49 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -18,7 +18,7 @@ Repository guide for agentic contributors working in this repo.
 - **cert-manager** is required — Tailscale LoadBalancer does L4 TCP passthrough, so Rancher serves its own TLS.
 - **Secrets flow**: Doppler → `ClusterSecretStore` (doppler-hetznerterra) → `ExternalSecret` resources → k8s Secrets.
 - Rancher is reachable only over Tailscale at `https://rancher.silverside-gopher.ts.net/`.
-- Grafana, Prometheus, and Flux UI are also exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/`, `http://prometheus.silverside-gopher.ts.net:9090/`, `http://flux.silverside-gopher.ts.net:9001/`.
+- Grafana and Prometheus are exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/` and `http://prometheus.silverside-gopher.ts.net:9090/`.
 
 ## Important Files
 
diff --git a/README.md b/README.md
index 5e159c7..7424b57 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,6 @@ Runtime cluster secrets are moving to Doppler + External Secrets Operator.
 - Initial auth: service token via `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
 - First synced secrets:
   - `GRAFANA_ADMIN_PASSWORD`
-  - `WEAVE_GITOPS_ADMIN_USERNAME`
-  - `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`
 
 Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed by Doppler.
 
@@ -237,7 +235,7 @@ Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed
 - Active Flux addons for stable baseline: `addon-tailscale-operator`, `addon-tailscale-proxyclass`, `addon-external-secrets`.
 - Deferred addons: `addon-ccm`, `addon-csi`, `addon-observability`, `addon-observability-content` (to be added after baseline is stable).
 - Ansible is limited to cluster bootstrap, private-access setup, and prerequisite secret creation for Flux-managed addons.
-- `addon-flux-ui` is optional for the stable-baseline phase and is not a blocker for rebuild success.
+- Weave GitOps / Flux UI is no longer deployed; use Rancher or the `flux` CLI for Flux operations.
 
 ### Rancher access
 
@@ -269,17 +267,14 @@ Flux deploys a lightweight observability stack in the `observability` namespace:
 
 Grafana content is managed as code via ConfigMaps in `infrastructure/addons/observability-content/`.
 
-Grafana and Prometheus are exposed through a single Tailscale front door backed by Traefik when the Tailscale Kubernetes Operator is healthy.
+Grafana and Prometheus are exposed through dedicated Tailscale LoadBalancer services when the Tailscale Kubernetes Operator is healthy.
 
 ### Access Grafana and Prometheus
 
 Preferred private access:
 
-- Grafana: `http://k8s-cluster-cp-1.:30080/`
-- Prometheus: `http://k8s-cluster-cp-1.:30990/`
-- Flux UI: `http://k8s-cluster-cp-1.:30901/`
-
-This access path is bootstrapped automatically by Ansible on `control_plane[0]` using persistent `kubectl port-forward` systemd services plus `tailscale serve`, so it survives cluster rebuilds.
+- Grafana: `http://grafana.silverside-gopher.ts.net/`
+- Prometheus: `http://prometheus.silverside-gopher.ts.net:9090/`
 
 Fallback (port-forward from a tailnet-connected machine):
 
diff --git a/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml b/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml
deleted file mode 100644
index 0ae9723..0000000
--- a/infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: cluster-user-auth
-  namespace: flux-system
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: doppler-hetznerterra
-    kind: ClusterSecretStore
-  target:
-    name: cluster-user-auth
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        username: "{{ .fluxAdminUsername }}"
-        password: "{{ .fluxAdminPasswordHash }}"
-  data:
-    - secretKey: fluxAdminUsername
-      remoteRef:
-        key: WEAVE_GITOPS_ADMIN_USERNAME
-    - secretKey: fluxAdminPasswordHash
-      remoteRef:
-        key: WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH
diff --git a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml b/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
deleted file mode 100644
index 886fea7..0000000
--- a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: flux-tailscale
-  namespace: flux-system
-  annotations:
-    tailscale.com/hostname: flux
-    tailscale.com/tags: "tag:prod,tag:flux"
-    tailscale.com/proxy-class: infra-stable
-spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app.kubernetes.io/name: weave-gitops
-    app.kubernetes.io/instance: flux-system-weave-gitops
-  ports:
-    - name: http
-      port: 9001
-      protocol: TCP
-      targetPort: http
diff --git a/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml b/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml
deleted file mode 100644
index 8993773..0000000
--- a/infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: weave-gitops
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://github.com/weaveworks/weave-gitops
-  ref:
-    tag: v0.39.0-rc.2
diff --git a/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml b/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
deleted file mode 100644
index a57b243..0000000
--- a/infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: weave-gitops
-  namespace: flux-system
-spec:
-  interval: 10m
-  targetNamespace: flux-system
-  chart:
-    spec:
-      chart: ./charts/gitops-server
-      sourceRef:
-        kind: GitRepository
-        name: weave-gitops
-        namespace: flux-system
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    service:
-      type: ClusterIP
-      port: 9001
-    adminUser:
-      create: true
-      createClusterRole: true
-      createSecret: false # Secret is managed by External Secret from Doppler
-      username: admin
-    rbac:
-      create: true
-      impersonationResourceNames:
-        - admin
-      viewSecretsResourceNames:
-        - cluster-user-auth
-        - oidc-auth
diff --git a/infrastructure/addons/flux-ui/kustomization.yaml b/infrastructure/addons/flux-ui/kustomization.yaml
deleted file mode 100644
index 4f0d0b7..0000000
--- a/infrastructure/addons/flux-ui/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - cluster-user-auth-externalsecret.yaml
-  - gitrepository-weave-gitops.yaml
-  - helmrelease-weave-gitops.yaml
-  - flux-tailscale-service.yaml
diff --git a/infrastructure/addons/kustomization-flux-ui.yaml b/infrastructure/addons/kustomization-flux-ui.yaml
deleted file mode 100644
index 7f93dc5..0000000
--- a/infrastructure/addons/kustomization-flux-ui.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: addon-flux-ui
-  namespace: flux-system
-spec:
-  interval: 10m
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: platform
-  path: ./infrastructure/addons/flux-ui
-  dependsOn:
-    - name: addon-external-secrets
-    - name: addon-tailscale-operator
-    - name: addon-tailscale-proxyclass
-  wait: true
-  timeout: 5m
-  suspend: false
diff --git a/infrastructure/addons/kustomization.yaml b/infrastructure/addons/kustomization.yaml
index 5deb9b0..ca27350 100644
--- a/infrastructure/addons/kustomization.yaml
+++ b/infrastructure/addons/kustomization.yaml
@@ -8,7 +8,6 @@ resources:
   - kustomization-tailscale-operator.yaml
   - kustomization-tailscale-proxyclass.yaml
   - traefik
-  - kustomization-flux-ui.yaml
   - kustomization-observability.yaml
   - kustomization-observability-content.yaml
   - kustomization-rancher.yaml
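Review bot: Dropping `kustomization-flux-ui.yaml` from the resources list removes the only consumer of `WEAVE_GITOPS_ADMIN_USERNAME` and `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`, but neither the commit message nor the README says whether those Doppler entries are revoked or deleted, so an unused admin credential presumably stays in the secret store; a follow-up line such as `Doppler: remove WEAVE_GITOPS_* entries after the addon is pruned` would close that loop. In-cluster cleanup looks covered: the deleted ExternalSecret used `creationPolicy: Owner`, so the `cluster-user-auth` Secret is garbage-collected with it, and the deleted `addon-flux-ui` Kustomization had `prune: true`, so its HelmRelease (including the `createClusterRole: true` and impersonation RBAC), Service and GitRepository should be removed when the parent Kustomization drops it — assuming the Flux Kustomization that applies `infrastructure/addons` also prunes, which is outside this diff. The tailnet ACL grants for `tag:flux` referenced by the deleted Service's `tailscale.com/tags` annotation live outside the repo and may also need trimming. Worth confirming after reconciliation that `flux get kustomizations -n flux-system` no longer lists `addon-flux-ui` and that `kubectl get helmrelease,svc,externalsecret -n flux-system` shows nothing from the `flux-ui` set.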