refactor: simplify NetworkingConfig to public/private presence signal #76

Merged
bdchatham merged 2 commits into main from refactor/simplify-networking-config
Apr 11, 2026
@bdchatham
Collaborator

Summary

  • Strip NetworkingConfig to an empty struct — networking: {} = public, omitted = private
  • Remove ExternalServiceConfig, GatewayRouteConfig, NetworkIsolationConfig, AuthorizationPolicyConfig, TrafficSource
  • Replace LoadBalancer readiness gate with DNS hostname resolution check
  • Remove all AuthorizationPolicy reconciliation (deferred until isolation requirements are defined)
  • Remove external P2P address propagation (LB-specific)
  • -1,110 lines / +171 lines

Behavioral model

| Config | Effect |
|---|---|
| networking omitted | Private — headless Services only, no routes, no DNS |
| networking: {} | Public — ClusterIP Service + HTTPRoutes + DNS records |

What's deferred (not removed permanently)

  • Isolation — will be re-added once requirements are defined. No one-way doors closed.
  • Custom annotations — can be added back as fields on NetworkingConfig later.

Test plan

  • All unit tests pass (make test)
  • Lint clean (make lint)
  • Deploy and verify public deployment creates ClusterIP Service + HTTPRoutes
  • Verify private deployment (no networking) creates no Service or routes

🤖 Generated with Claude Code

bdchatham and others added 2 commits April 10, 2026 16:41
Strip NetworkingConfig down to an empty struct. The presence of
networking: {} means public (ClusterIP Service + HTTPRoutes),
absence means private (headless Services only).

Removed:
- ExternalServiceConfig (Type, Annotations) — always ClusterIP now
- GatewayRouteConfig — unused annotation passthrough
- NetworkIsolationConfig / AuthorizationPolicy — deferred until
  isolation requirements are defined
- LoadBalancer readiness gate — replaced with DNS hostname check
- External P2P address propagation — LB-specific, no longer applies
- ControllerSA field — only used by removed AuthorizationPolicy
- ConditionExternalServiceReady, ConditionIsolationReady conditions
- AuthorizationPolicy RBAC markers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove SEI_CONTROLLER_SA_PRINCIPAL from base manager manifest
- Update sample manifest to use networking: {} (removed stale schema)
- Restore ServiceMonitor orphaning on Retain deletion policy
- Fix stale comments referencing LoadBalancer and AuthorizationPolicy
- Update Networking field godoc to reflect public/private semantics
- Rename external_address_test.go to route_resolvable_test.go
- Regenerate CRDs with updated field descriptions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bdchatham bdchatham merged commit 3f20de7 into main Apr 11, 2026
2 checks passed
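
The presence-based model from the PR description, as an added Go example that is not code from this repository: it classifies a spec as public or private from whether `networking` is set, and rejects leftover fields from the removed schema instead of silently ignoring them. The `Spec` type, the `Exposure` helper and the sample specs (including the `service` key) are assumptions made for illustration; JSON stands in for YAML so the example needs only the standard library.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// NetworkingConfig is intentionally empty: its presence is the whole signal.
type NetworkingConfig struct{}

// Spec is a hypothetical stand-in for the CRD spec; only the field name
// "networking" comes from the PR description.
type Spec struct {
	// A pointer is required: a non-pointer empty struct cannot distinguish
	// "networking: {}" from an omitted key.
	Networking *NetworkingConfig `json:"networking,omitempty"`
}

// Exposure classifies one JSON-encoded spec as "public" or "private" and
// returns an error for fields the simplified schema no longer has.
func Exposure(raw []byte) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // surface stale fields instead of dropping them
	var s Spec
	if err := dec.Decode(&s); err != nil {
		return "", fmt.Errorf("invalid spec: %w", err)
	}
	if s.Networking != nil {
		return "public", nil
	}
	return "private", nil
}

func main() {
	// Constructed sample specs, not taken from the repository.
	samples := []string{
		`{}`,
		`{"networking": {}}`,
		`{"networking": null}`,
		`{"networking": {"service": {"type": "LoadBalancer"}}}`,
	}
	for _, s := range samples {
		exp, err := Exposure([]byte(s))
		fmt.Printf("%-55s -> %q err=%v\n", s, exp, err)
	}
}
```

An explicit `null` decodes to a nil pointer and is therefore classified the same as an omitted key, which is worth knowing when auditing manifests for unintended public exposure.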