remove Weave GitOps addon

Drop the Flux UI addon and its Tailscale exposure because the UI lags the
current Flux APIs and reports misleading HelmRelease errors. Keep Flux managed
through the controllers themselves and use Rancher or the flux CLI for access.

AGENTS.md

@@ -18,7 +18,7 @@ Repository guide for agentic contributors working in this repo.
 - **cert-manager** is required — Tailscale LoadBalancer does L4 TCP passthrough, so Rancher serves its own TLS.
 - **Secrets flow**: Doppler → `ClusterSecretStore` (doppler-hetznerterra) → `ExternalSecret` resources → k8s Secrets.
 - Rancher is reachable only over Tailscale at `https://rancher.silverside-gopher.ts.net/`.
-- Grafana, Prometheus, and Flux UI are also exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/`, `http://prometheus.silverside-gopher.ts.net:9090/`, `http://flux.silverside-gopher.ts.net:9001/`.
+- Grafana and Prometheus are exposed via dedicated Tailscale LoadBalancer services at `http://grafana.silverside-gopher.ts.net/` and `http://prometheus.silverside-gopher.ts.net:9090/`.
 
 ## Important Files
 

README.md

@@ -201,8 +201,6 @@ Runtime cluster secrets are moving to Doppler + External Secrets Operator.
 - Initial auth: service token via `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
 - First synced secrets:
   - `GRAFANA_ADMIN_PASSWORD`
-  - `WEAVE_GITOPS_ADMIN_USERNAME`
-  - `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`
 
 Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed by Doppler.
 
@@ -237,7 +235,7 @@ Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed
 - Active Flux addons for stable baseline: `addon-tailscale-operator`, `addon-tailscale-proxyclass`, `addon-external-secrets`.
 - Deferred addons: `addon-ccm`, `addon-csi`, `addon-observability`, `addon-observability-content` (to be added after baseline is stable).
 - Ansible is limited to cluster bootstrap, private-access setup, and prerequisite secret creation for Flux-managed addons.
-- `addon-flux-ui` is optional for the stable-baseline phase and is not a blocker for rebuild success.
+- Weave GitOps / Flux UI is no longer deployed; use Rancher or the `flux` CLI for Flux operations.
 
 ### Rancher access
 
@@ -269,17 +267,14 @@ Flux deploys a lightweight observability stack in the `observability` namespace:
 
 Grafana content is managed as code via ConfigMaps in `infrastructure/addons/observability-content/`.
 
-Grafana and Prometheus are exposed through a single Tailscale front door backed by Traefik when the Tailscale Kubernetes Operator is healthy.
+Grafana and Prometheus are exposed through dedicated Tailscale LoadBalancer services when the Tailscale Kubernetes Operator is healthy.
 
 ### Access Grafana and Prometheus
 
 Preferred private access:
 
-- Grafana: `http://k8s-cluster-cp-1.<your-tailnet>:30080/`
+- Grafana: `http://grafana.silverside-gopher.ts.net/`
-- Prometheus: `http://k8s-cluster-cp-1.<your-tailnet>:30990/`
+- Prometheus: `http://prometheus.silverside-gopher.ts.net:9090/`
-- Flux UI: `http://k8s-cluster-cp-1.<your-tailnet>:30901/`
-
-This access path is bootstrapped automatically by Ansible on `control_plane[0]` using persistent `kubectl port-forward` systemd services plus `tailscale serve`, so it survives cluster rebuilds.
 
 Fallback (port-forward from a tailnet-connected machine):
 

infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml

@@ -1,25 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: cluster-user-auth
-  namespace: flux-system
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: doppler-hetznerterra
-    kind: ClusterSecretStore
-  target:
-    name: cluster-user-auth
-    creationPolicy: Owner
-    template:
-      type: Opaque
-      data:
-        username: "{{ .fluxAdminUsername }}"
-        password: "{{ .fluxAdminPasswordHash }}"
-  data:
-    - secretKey: fluxAdminUsername
-      remoteRef:
-        key: WEAVE_GITOPS_ADMIN_USERNAME
-    - secretKey: fluxAdminPasswordHash
-      remoteRef:
-        key: WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH

infrastructure/addons/flux-ui/flux-tailscale-service.yaml

@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: flux-tailscale
-  namespace: flux-system
-  annotations:
-    tailscale.com/hostname: flux
-    tailscale.com/tags: "tag:prod,tag:flux"
-    tailscale.com/proxy-class: infra-stable
-spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app.kubernetes.io/name: weave-gitops
-    app.kubernetes.io/instance: flux-system-weave-gitops
-  ports:
-    - name: http
-      port: 9001
-      protocol: TCP
-      targetPort: http

infrastructure/addons/flux-ui/gitrepository-weave-gitops.yaml

@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: weave-gitops
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://github.com/weaveworks/weave-gitops
-  ref:
-    tag: v0.39.0-rc.2

infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml

@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: weave-gitops
-  namespace: flux-system
-spec:
-  interval: 10m
-  targetNamespace: flux-system
-  chart:
-    spec:
-      chart: ./charts/gitops-server
-      sourceRef:
-        kind: GitRepository
-        name: weave-gitops
-        namespace: flux-system
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    service:
-      type: ClusterIP
-      port: 9001
-    adminUser:
-      create: true
-      createClusterRole: true
-      createSecret: false  # Secret is managed by External Secret from Doppler
-      username: admin
-    rbac:
-      create: true
-      impersonationResourceNames:
-        - admin
-      viewSecretsResourceNames:
-        - cluster-user-auth
-        - oidc-auth

infrastructure/addons/flux-ui/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - cluster-user-auth-externalsecret.yaml
-  - gitrepository-weave-gitops.yaml
-  - helmrelease-weave-gitops.yaml
-  - flux-tailscale-service.yaml

infrastructure/addons/kustomization-flux-ui.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: addon-flux-ui
-  namespace: flux-system
-spec:
-  interval: 10m
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: platform
-  path: ./infrastructure/addons/flux-ui
-  dependsOn:
-    - name: addon-external-secrets
-    - name: addon-tailscale-operator
-    - name: addon-tailscale-proxyclass
-  wait: true
-  timeout: 5m
-  suspend: false

infrastructure/addons/kustomization.yaml

@@ -8,7 +8,6 @@ resources:
   - kustomization-tailscale-operator.yaml
   - kustomization-tailscale-proxyclass.yaml
   - traefik
-  - kustomization-flux-ui.yaml
   - kustomization-observability.yaml
   - kustomization-observability-content.yaml
   - kustomization-rancher.yaml