refactor: surface Flux & Crossplane only via Headlamp plugins

[devantler]

What

Consolidates the two standalone GitOps dashboards into Headlamp (which already ships the relevant plugins) and removes the redundant standalone web UIs.

Flux Web UI — fully removed

Headlamp's headlamp_flux plugin (already installed, v0.6.0) covers Flux, so the standalone Flux Status web UI is redundant.

• Deleted: the flux-operator-web HelmRelease (web.serverOnly), its flux.${domain} HTTPRoute + homepage tile, the flux-operator-web HTTPScaledObject, the flux-web-admins ClusterRoleBinding, and the docker provider web patch. The operator release keeps web.enabled: false.
• Dropped the now-dead wiring: the Dex flux-web static client, the OpenBao flux-web client-secret PushSecret, the KEDA interceptor egress to flux-system:9080 + its ReferenceGrant entry, and the (already-unused) flux-system entry in the oauth2-proxy ReferenceGrant (flux-system now has no HTTPRoutes).

Crossplane UI (Crossview) — kept, but no longer standalone

Per the chosen approach, the crossview-headlamp plugin stays and the Crossview backend keeps running, but its standalone public surface is removed so it is reachable only embedded inside Headlamp.

• The plugin reaches Crossview via a Headlamp-managed port-forward to crossview-service:3001: Crossview exposes no Ingress (chart default ingress.enabled: false) and a ClusterIP Service, so the plugin's URL resolver falls through to startPortForward (source). The public route was never part of that path.
• Removed: the crossview.${domain} HTTPRoute + homepage tile, the auth-proxy router/service, and the crossview oauth2-proxy ReferenceGrant entry. The Crossview HelmRelease / Service / namespace stay.
• Swapped the CiliumNetworkPolicy ingress from the (now-gone) oauth2-proxy path to the port-forward path (host/remote-node → :3001). That hop is host-identity traffic (kubelet-dialed) and is correctly exempt from the SPIRE require-mutual-auth requirement — host has no SVID, so authentication.mode is intentionally not set.

⚠️ Needs live verification (prod-only, can't be tested statically)

The Crossview embed path now bypasses oauth2-proxy. The Crossview HelmRelease was left byte-for-byte unchanged, so config.server.cors.origin still points at the now-unrouted https://crossview.${domain}. Please confirm in prod that Headlamp → Crossview sidebar → "Open Crossview" still loads/authenticates. If Crossview demands the upstream SSO auth header (or tries to redirect to the dead public origin), the follow-up is to set it to header/anonymous auth for the embed. The headlamp_flux view needs no such check.

Notes

• flux_web_client_secret is left in the protected SOPS bootstrap secrets as an unused substitution variable (harmless; *.enc.yaml is not edited).

Validation

• ksail workload validate (local) and ksail --config ksail.prod.yaml workload validate — 342 files validated, all green.
• kubectl kustomize k8s/clusters/local/ and k8s/clusters/prod/ build clean.

🤖 Generated with Claude Code

[devantler]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in f3fd5ac.

[devantler]

Verified Copilot's merge resolution (f3fd5acf) — it's a clean 3-way union, nothing lost from either side:

• My Flux/Crossview UI removal is fully preserved (22 files, +23/−303 vs main).
• Main's Crossview Postgres-password + session-secret work (fix(crossview): provide Postgres password + session secret via SOPS secret #2155/refactor(crossview): manage Postgres password + session secret with OpenBao #2157) is fully preserved (6 files).
• crossview/kustomization.yaml correctly keeps external-secret.yaml and drops httproute.yaml.

Re-validated the merged tree (the combination wasn't validated before): ksail workload validate for local and prod → 343 files, all green. PR is MERGEABLE again.

Note for whoever promotes this from draft: the embed-auth caveat in the PR description still stands — please confirm Headlamp → "Open Crossview" loads on prod, since the embed bypasses oauth2-proxy and cors.origin still points at the now-unrouted public URL.

🤖 Addressed by Claude Code