refactor: remove dead Vault integration and unused structured API code #17

Merged: kphunter merged 2 commits into main from devin/1777153136-remove-dead-code on Apr 25, 2026

@devin-ai-integration devin-ai-integration Bot commented Apr 25, 2026

Summary

Removes code that is incompatible with the one-way cluster architecture (clusters are not publicly accessible; Flux pulls from GitHub, no direct cluster-to-external communication).

Removed:

| What | Why |
| --- | --- |
| charts/templates/vault-pki.yaml | VaultPKISecret CR requires cluster→Vault communication |
| charts/templates/vault-static.yaml | VaultStaticSecret CR requires cluster→Vault communication |
| vault.* values block | Configuration for the removed Vault templates |
| vault.enabled conditional in deployment.yaml | Dead branch — static TLS now always uses haproxy-operator-tls Secret |
| ApplyConfiguration, applyBackend, applyServer, applyFrontend, applyBind, applyBackendSwitchRule, *Exists helpers | Structured API methods never called — reconciler uses raw config push exclusively |
| types.go (Config, Backend, Server, Frontend, Bind, UseBackendRule, HashConfig) | Only referenced by the removed methods; production code uses config.HashBytes() |

Updated:

  • README: Documents one-way architecture, replaces Vault PKI section with Static TLS section, changes diagram label from "poll / webhook" to "poll"
  • values.yaml comment: Clarifies cert paths are for static TLS (when SPIRE is disabled)

All tests pass (go test -race ./...), go vet clean, helm lint clean.

Review & Testing Checklist for Human

  • Verify flux-fleet base helmrelease.yaml removes vault.enabled: true before deploying (addressed in flux-fleet#27)
  • After merging bcit-tlu/.github#2, re-run CI to confirm the full pipeline passes including SARIF upload
  • Deploy to latest cluster (cluster03) and verify the operator starts correctly with SPIRE mTLS

Notes

Companion PRs:

  • bcit-tlu/.github#2 — fixes CI SARIF upload permission
  • flux-fleet#27 — removes vault.enabled: true from HelmRelease, fixes notifications event source, enables haproxy-operator on cluster03

Link to Devin session: https://app.devin.ai/sessions/40f980f21cd648f3b53ef45b06451a7e
Requested by: @kphunter


Remove code that is incompatible with the one-way cluster architecture
(clusters are not publicly accessible; Flux pulls from GitHub only):

Vault Helm templates (vault-pki.yaml, vault-static.yaml):
  Created VaultPKISecret/VaultStaticSecret CRs requiring cluster→Vault
  communication, which is not possible in this architecture.

Vault values and deployment conditionals:
  Removed vault.* values block and vault.enabled conditional in the
  deployment volume section. Static TLS certs now always come from the
  haproxy-operator-tls Secret when SPIRE is disabled.

Structured Dataplane API methods (dataplane_client.go):
  ApplyConfiguration, applyBackend, applyServer, applyFrontend,
  applyBind, applyBackendSwitchRule, and all *Exists helpers were never
  called — the reconciler exclusively uses raw config push via
  ApplyRawConfiguration/ApplyRawConfigurationValidated.

Dead types (types.go):
  Config, Backend, Server, Frontend, Bind, UseBackendRule structs and
  HashConfig function — only referenced by the removed methods.
  Production code uses config.HashBytes() instead of HashConfig.

README updated to reflect one-way architecture and two supported auth
paths (SPIRE mTLS or static TLS certs).

Co-Authored-By: kyle_hunter@bcit.ca <kyle_hunter@bcit.ca>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

devin-ai-integration[bot]

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

doRequestVersioned was only called by the structured API methods removed
in the previous commit. isNotFound was only called by the *Exists helpers
(also removed). Remove both and their tests.

Co-Authored-By: kyle_hunter@bcit.ca <kyle_hunter@bcit.ca>
@kphunter kphunter merged commit 005ec36 into main Apr 25, 2026
5 checks passed