
@kvaps kvaps (Member) commented Dec 9, 2025

This change is extracted from

and reworked to work standalone

requires:

What this PR does

Adds a new flux-aio module and migration script to upgrade FluxCD to version 22. This introduces a new modular approach to FluxCD installation using the flux-aio OCI module.

Changes:

  • Created new flux-aio package with Chart.yaml, Makefile, and CUE configuration
  • Added flux-aio module configuration using OCI module from ghcr.io/stefanprodan/modules/flux-aio
  • Generated large fluxcd.yaml template (11956+ lines) for FluxCD resources
  • Added migration script (migrations/21) to handle upgrade from version 21 to 22
  • Updated installer to include flux-aio module
  • Added script issue-flux-certificates.sh for managing TLS certificates for cozystack-assets
  • Updated platform templates to support flux-aio module
  • Updated cozystack-assets service references

Release note

[fluxcd] Add flux-aio module and migration

Summary by CodeRabbit

Release Notes

  • New Features

    • Added TLS certificate support for Helm package repositories with automatic certificate provisioning.
  • Chores

    • Refactored FluxCD integration using Helm chart-based deployment.
    • Updated system to version 22 with automatic migration support.
    • Enhanced security dependencies (OpenSSL).


@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Dec 9, 2025
@coderabbitai coderabbitai bot (Contributor) commented Dec 9, 2025

Walkthrough

The PR introduces a new FluxCD AIO Helm chart package replacing the operator-based approach. Changes include new flux deployment automation, TLS certificate provisioning, HTTPS proxy configuration for Helm repositories, removal of legacy flux operator references from bundle definitions, and container image updates for enhanced tooling.

Changes

Cohort / File(s) Summary
FluxCD AIO Package
packages/core/flux-aio/Chart.yaml, packages/core/flux-aio/Makefile, packages/core/flux-aio/flux-aio.cue, packages/core/flux-aio/templates/_helpers.tpl
New Helm chart descriptor with v2 apiVersion; Makefile with targets (show, apply, diff, update) including manifest building and transformations via yq and timoni; Cue configuration defining bundle with flux-aio module from ghcr.io; Go template helper for Kubernetes environment variable extraction.
Installer Manifest Configuration
packages/core/installer/templates/cozystack.yaml
Added INSTALL_FLUX environment variable to cozystack Deployment.
Installation & Certificate Scripts
scripts/installer.sh, scripts/issue-flux-certificates.sh, scripts/migrations/21
Replaced legacy flux functions (flux_is_ok, ensure_fluxcd, install_basic_charts) with new install_flux entry point that invokes flux-aio Makefile target; added automated TLS certificate provisioning script for cozystack-assets-tls in cozy-system and cozy-public namespaces; added migration script to remove FluxCD HorizontalRelease and stamp version 22.
Platform Configuration & Templates
packages/core/platform/templates/helmrepos.yaml, packages/core/platform/templates/_helpers.tpl, packages/core/platform/templates/cozystack-assets.yaml
Updated HelmRepository URLs to HTTPS proxy via Kubernetes API endpoint with TLS secret references; added kubernetesAPIEndpoint template helper to extract host:port from cozystack Deployment env vars; restricted cozystack-assets-reader Role verbs from [get, create, update] to [get].
Container Image
packages/core/installer/images/cozystack/Dockerfile
Added openssl to APK packages; expanded COPY directives to include /src/packages/system and k8s-await-election binary.
Bundle Configuration
packages/core/platform/bundles/distro-full.yaml, packages/core/platform/bundles/distro-hosted.yaml, packages/core/platform/bundles/paas-full.yaml, packages/core/platform/bundles/paas-hosted.yaml
Removed fluxcd-operator and fluxcd release entries from all bundles; expanded cilium configuration in distro-full with namespace, privileged, and network settings.

Sequence Diagram

sequenceDiagram
    participant I as Installer Script
    participant FK as Flux-AIO<br/>(Makefile)
    participant K8s as Kubernetes API
    participant Certs as Certificate<br/>Script
    participant Assets as Assets<br/>Service

    I->>+FK: invoke: make apply
    FK->>+K8s: kubectl apply (Flux AIO)
    K8s-->>-FK: ✓ Flux deployed
    FK->>+K8s: wait CRDs ready
    K8s-->>-FK: ✓ CRDs available
    FK-->>-I: ✓ Flux installed

    I->>+Certs: issue-flux-certificates.sh
    Certs->>+K8s: create CSR<br/>(cozystack-assets-reader)
    K8s-->>Certs: CSR submitted
    Certs->>K8s: approve CSR
    K8s-->>Certs: ✓ signed cert
    Certs->>+K8s: create secrets<br/>(cozystack-assets-tls)
    K8s-->>-Certs: ✓ secrets in<br/>cozy-system,<br/>cozy-public
    Certs-->>-I: ✓ certs issued

    I->>+K8s: HelmRepository configured<br/>with HTTPS proxy + TLS
    K8s->>Assets: fetch via<br/>kubernetesAPIEndpoint<br/>(/api/v1/namespaces/...)
    Assets-->>K8s: ✓ repos available
    K8s-->>-I: ✓ repos synced

    I->>I: reconcile platform

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Key areas requiring extra attention:

  • scripts/installer.sh: Significant refactoring with removal of legacy functions and introduction of new install_flux entry point; verify that removed conditional logic does not introduce gaps in deployment ordering or readiness checks
  • scripts/issue-flux-certificates.sh: New certificate handling with CSR approval workflow; validate 120-second timeout and idempotent secret creation logic
  • Makefile targets in packages/core/flux-aio/Makefile: Complex manifest transformation pipeline using yq and timoni; verify all sed/yq operations correctly handle YAML structure and edge cases
  • packages/core/platform/templates/helmrepos.yaml: URL format change to HTTPS proxy pattern; confirm kubernetesAPIEndpoint helper correctly resolves in all deployment scenarios
  • Bundle removals across four files: Validate that fluxcd-operator and fluxcd removal does not break dependency ordering or other releases that may have depended on them

Poem

🐰 Hop, hop, our flux charts take flight,
No operators here, just AIO's light,
Certificates bloom in the crypto-spring air,
With HTTPS proxies beyond compare! 🎉


@gemini-code-assist gemini-code-assist bot (Contributor) commented
Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates a new flux-aio module, designed for an all-in-one FluxCD deployment, into the system. It updates the core installer to leverage this new module, streamlining the deployment process and introducing a migration path for existing installations to transition to the new version 22.

Highlights

  • New flux-aio module: Introduces a new flux-aio module with its own Helm chart, Makefile, CUE module definition, and default values for an all-in-one FluxCD deployment.
  • Installer Integration: Updates the installer template (cozystack.yaml) to enable conditional Flux installation via an INSTALL_FLUX environment variable.
  • Installer Script Refactoring: The installer.sh script has been refactored to remove old FluxCD installation logic and integrate the new flux-aio module installation via a new install_flux function.
  • Migration Script: Adds a migration script (scripts/migrations/21) to handle the transition from version 21 to 22, specifically by deleting the old fluxcd HelmRelease.

@kvaps kvaps requested a review from kingdonb December 9, 2025 15:57
@gemini-code-assist gemini-code-assist bot (Contributor) left a comment
Code Review

This pull request introduces the flux-aio module integration and updates the installer script to support it, migrating from an older FluxCD setup. The changes involve adding new CUE and YAML definitions for flux-aio, modifying the Makefile for building and applying the module, and updating the main installer.sh script to use the new install_flux function. A migration script for version 21 to 22 is also included to clean up the old FluxCD HelmRelease. Overall, the changes align with the goal of integrating the new module, but there are a few areas that could be improved for stability, maintainability, and clarity regarding functional changes.

I am having trouble creating individual review comments.

packages/core/flux-aio/flux-aio.cue (8)

high

Using version: "latest" for the flux-aio module can lead to unexpected behavior and lack of reproducibility in production environments. It is a best practice to pin to a specific, immutable version tag to ensure consistent deployments and easier debugging.

scripts/installer.sh (52-58)

high

The install_basic_charts function, which was responsible for installing components like Cilium and KubeOVN, has been removed. The pull request description focuses on adding flux-aio integration but does not explicitly mention the removal of these core components from the installer. This could lead to a functional regression if these components are still expected as part of the CozyStack installation.

Please clarify if the removal of Cilium and KubeOVN installation is intentional and if their functionality is now handled by flux-aio or if they are no longer required. If they are still required, their installation logic needs to be re-integrated or explicitly handled by the new flux-aio module.

packages/core/flux-aio/Makefile (15)

medium

The sed command on this line contains repetitive patterns for removing .cluster.local variations. This can be simplified for better readability and maintainability by combining the multiple s commands into a single, more concise regular expression.

sed -e 's|\.cluster\.local[.,]*||g' -e '/timoni/d' -i manifests/fluxcd.yaml

packages/core/flux-aio/values.yaml (8)

medium

Specifying version: 2.7.x for the Flux distribution uses a floating minor version. While common, pinning to a specific patch version (e.g., 2.7.5) is generally recommended for better reproducibility and to avoid unexpected updates from upstream changes that might introduce breaking changes or regressions.

packages/core/flux-aio/values.yaml (33-34)

medium

The resource limits for CPU (2000m) and memory (2048Mi) are quite high for default controller settings. While Flux controllers can be resource-intensive, these values might be overly generous for typical deployments and could lead to inefficient resource utilization in smaller clusters. Consider if these are optimal defaults or if they should be configurable.

@coderabbitai coderabbitai bot (Contributor) left a comment
Actionable comments posted: 2

🧹 Nitpick comments (2)
packages/core/flux-aio/Chart.yaml (1)

1-3: Consider implementing the umbrella chart pattern per coding guidelines.

As per coding guidelines, Helm charts should follow the umbrella pattern and vendor upstream charts in a charts/ directory. Currently, this chart descriptor has no dependencies or vendored charts. The flux-aio module is referenced via OCI in flux-aio.cue, but the Helm chart itself doesn't follow the documented pattern.

Consider either:

  1. Adding upstream Flux charts as dependencies in Chart.yaml, or
  2. Vendoring the upstream charts in packages/core/flux-aio/charts/

Based on coding guidelines, this approach would provide better alignment with the established chart management pattern in the repository.

packages/core/flux-aio/Makefile (1)

13-16: Document the sed post-processing rationale.

The update target uses a complex sed command with multiple patterns to remove cluster.local references and timoni lines. Consider adding a comment explaining why this post-processing is necessary, as it could break with upstream changes.

Apply this diff to add documentation:

 update:
+	# Build manifests from CUE bundle and post-process:
+	# - Remove cluster.local DNS suffixes for compatibility
+	# - Remove timoni metadata lines
 	timoni bundle build -f flux-aio.cue > manifests/fluxcd.yaml
 	sed -e 's|\.cluster\.local\.,||g' -e 's|\.cluster\.local\,||g' -e 's|\.cluster\.local\.||g' -e '/timoni/d' -i manifests/fluxcd.yaml
+	# Set privileged pod security for flux-aio namespace
 	yq eval '(select(.kind == "Namespace") | .metadata.labels."pod-security.kubernetes.io/enforce") = "privileged"' -i manifests/fluxcd.yaml
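Review bot: the comment added above the `yq` line says what the label does but not why the flux-aio Namespace needs `pod-security.kubernetes.io/enforce: privileged`; because that label turns off Pod Security admission enforcement for every pod created in the namespace, not only the Flux controllers, the comment should record which workload needs the relaxation (or which check it trips) so a later reader can tell whether it is still required. On the `sed` line, the three `\.cluster\.local` patterns cover the `.,`, `,` and `.` suffixes but leave a bare `.cluster.local` untouched; if that is intended the comment should say so, otherwise the single pattern `s|\.cluster\.local[.,]*||g` proposed in the earlier review handles all four forms.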
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1f47fbc and 7e48f94.

📒 Files selected for processing (7)
  • packages/core/flux-aio/Chart.yaml (1 hunks)
  • packages/core/flux-aio/Makefile (1 hunks)
  • packages/core/flux-aio/flux-aio.cue (1 hunks)
  • packages/core/flux-aio/values.yaml (1 hunks)
  • packages/core/installer/templates/cozystack.yaml (1 hunks)
  • scripts/installer.sh (2 hunks)
  • scripts/migrations/21 (1 hunks)
📓 Path-based instructions (1)
**/Chart.yaml (from AGENTS.md): Use Helm Charts with the umbrella pattern and vendor upstream charts in charts/ directory
🪛 checkmake (0.2.2)
packages/core/flux-aio/Makefile

[warning] 1-1: Missing required phony target "all" (minphony)
[warning] 1-1: Missing required phony target "clean" (minphony)
[warning] 1-1: Missing required phony target "test" (minphony)

🔇 Additional comments (4)
scripts/migrations/21 (1)

1-10: LGTM!

The migration script correctly handles the upgrade from version 21 to 22 with appropriate error handling (set -euo pipefail), safe deletion of the FluxCD HelmRelease with --ignore-not-found, and proper version stamping.

packages/core/installer/templates/cozystack.yaml (1)

57-58: LGTM!

The addition of the INSTALL_FLUX environment variable correctly enables the Flux installation pathway in the updated installer script.

scripts/installer.sh (1)

22-28: LGTM! Simplified Flux installation.

The new install_flux function provides a streamlined approach compared to the previous multi-step installation logic. The function appropriately:

  • Short-circuits when INSTALL_FLUX is not "true"
  • Delegates to the Makefile for manifest application
  • Waits for required CRDs before proceeding
packages/core/flux-aio/values.yaml (1)

1-55: LGTM! Well-structured Flux configuration.

The Flux Helm values are comprehensive and well-documented:

  • Appropriate resource limits and concurrency settings for production use
  • Correctly formatted JSON patches for all component deployments
  • Proper service DNS addressing for internal communication
  • Documented reasoning for networkPolicy disabling

@coderabbitai coderabbitai bot (Contributor) left a comment
Actionable comments posted: 0

♻️ Duplicate comments (1)
packages/core/flux-aio/Makefile (1)

1-16: Mark non-file targets as phony and consider dropping unused vars.

The targets here don’t produce files and should be marked .PHONY to avoid surprising no‑ops if files named show, apply, diff, or update ever appear. This was already flagged in a previous review and still applies. Also, NAME/NAMESPACE are currently unused; you can either start using them or remove them to keep the file minimal.

You could apply something like:

-NAME=flux-aio
-NAMESPACE=cozy-$(NAME)
-
-show:
+.PHONY: show apply diff update
+
+NAME=flux-aio
+NAMESPACE=cozy-$(NAME)
+
+show:
 	kubectl apply -R -f manifests/ --dry-run=client -o yaml

(or drop NAME/NAMESPACE entirely if they’re not needed elsewhere).

🧹 Nitpick comments (3)
scripts/migrations/21 (1)

1-10: Check /bin/sh compatibility with set -euo pipefail.

The migration logic looks fine, but set -euo pipefail is not supported by all /bin/sh implementations. If your images use dash/BusyBox sh, this may fail at startup. Consider either switching the shebang to a shell that supports pipefail (e.g. /usr/bin/env bash) or dropping pipefail here if you need strict POSIX /bin/sh portability.

scripts/installer.sh (1)

22-27: Consider defaulting INSTALL_FLUX to true for backward compatibility.

With the new gate, running scripts/installer.sh directly without INSTALL_FLUX set will silently skip Flux installation, which is a behavior change compared to always ensuring Flux was present. If you want the in-cluster flag to disable Flux when set to something else but keep manual runs installing Flux by default, you could default the variable to "true":

-install_flux() {
-  if [ "$INSTALL_FLUX" != "true" ]; then
+install_flux() {
+  if [ "${INSTALL_FLUX:-true}" != "true" ]; then
     return
   fi
   make -C packages/core/flux-aio apply
   wait_for_crds helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io
 }

This keeps the new INSTALL_FLUX knob while avoiding surprises for users invoking the installer script directly.

Also applies to: 43-46

scripts/issue-flux-certificates.sh (1)

13-15: Fix trap quoting and optionally clean up CSR objects.

The overall flow looks good. Two small robustness tweaks:

  1. ShellCheck’s SC2064 is right: the trap should use single quotes and quote $TMPDIR so the value is preserved safely:
-TMPDIR=$(mktemp -d)
-trap "rm -rf $TMPDIR" EXIT
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "$TMPDIR"' EXIT
  2. To avoid accumulating CertificateSigningRequest objects over time, consider deleting the CSR after you’ve retrieved the certificate:
 kubectl get csr "${CSR_NAME}" \
   -o jsonpath='{.status.certificate}' | base64 -d > tls.crt
+
+kubectl delete csr "${CSR_NAME}" || true
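Review bot: the `kubectl delete csr` is placed right after the jsonpath pipeline, before anything has verified that `.status.certificate` was actually populated; an approved CSR whose signer has not issued yet has an empty field, `base64 -d` of an empty string succeeds, and so `tls.crt` is written empty without `set -o pipefail` noticing. Guard the extraction before the delete, e.g. `[ -s tls.crt ] || { echo "CSR ${CSR_NAME} has no certificate yet" >&2; exit 1; }`, so the `|| true` on the delete remains the only tolerated failure in this step.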

Both changes are low-risk and make the script a bit cleaner and more robust.

Also applies to: 36-45

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7e48f94 and fea9095.

📒 Files selected for processing (9)
  • packages/core/flux-aio/Chart.yaml (1 hunks)
  • packages/core/flux-aio/Makefile (1 hunks)
  • packages/core/flux-aio/flux-aio.cue (1 hunks)
  • packages/core/flux-aio/values.yaml (1 hunks)
  • packages/core/installer/templates/cozystack.yaml (1 hunks)
  • packages/core/platform/templates/helmrepos.yaml (3 hunks)
  • scripts/installer.sh (2 hunks)
  • scripts/issue-flux-certificates.sh (1 hunks)
  • scripts/migrations/21 (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/core/flux-aio/Chart.yaml
  • packages/core/flux-aio/flux-aio.cue
  • packages/core/flux-aio/values.yaml
🪛 Shellcheck (0.11.0)
scripts/issue-flux-certificates.sh

[warning] 14-14: Use single quotes, otherwise this expands now rather than when signalled. (SC2064)

🔇 Additional comments (2)
packages/core/installer/templates/cozystack.yaml (1)

55-58: INSTALL_FLUX flag wiring matches installer logic.

Setting INSTALL_FLUX to "true" here aligns with install_flux() in scripts/installer.sh, so the in-cluster cozystack deployment will execute the Flux AIO install path as intended.

packages/core/platform/templates/helmrepos.yaml (1)

10-13: HelmRepository proxy URL + TLS wiring looks consistent; confirm secret shape.

The move to the Kubernetes API proxy URL and shared certSecretRef: cozystack-assets-tls is consistent across all three repositories and matches the new certificate helper script. Please just double‑check that the cozystack-assets-tls secrets in cozy-system and cozy-public use the data keys expected by certSecretRef (tls.crt/tls.key and optional ca.crt) so Flux can consume them without additional configuration.

Also applies to: 25-27, 38-40
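
The CSR flow discussed in the scripts/issue-flux-certificates.sh comments above (create, approve, wait up to 120 seconds for `.status.certificate`, decode into `tls.crt`) has one failure mode that a plain `jsonpath | base64 -d` pipeline does not surface: an approved CSR whose certificate has not been issued yet decodes to an empty file. The following is an added example, not code from this PR or the cozystack project, that models the wait-and-validate step in Python over constructed CSR snapshots in the shape of `kubectl get csr -o json`; the function names, the placeholder PEM and the fake-clock simulator are all mine.

```python
import base64
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed placeholder, not a real certificate: only the PEM framing is checked below.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"

# Constructed CSR snapshots in the shape of `kubectl get csr <name> -o json`
# (certificates.k8s.io/v1). The CSR name is the one the PR's script uses.
CSR_PENDING: Dict = {"metadata": {"name": "cozystack-assets-reader"}, "status": {}}
CSR_APPROVED_UNISSUED: Dict = {
    "metadata": {"name": "cozystack-assets-reader"},
    # approved, but the signer has not written status.certificate yet
    "status": {"conditions": [{"type": "Approved", "status": "True"}]},
}
CSR_ISSUED: Dict = {
    "metadata": {"name": "cozystack-assets-reader"},
    "status": {
        "conditions": [{"type": "Approved", "status": "True"}],
        "certificate": base64.b64encode(FAKE_PEM).decode(),
    },
}
CSR_DENIED: Dict = {
    "metadata": {"name": "cozystack-assets-reader"},
    "status": {"conditions": [{"type": "Denied", "status": "True"}]},
}


class CsrRejected(RuntimeError):
    """Raised when the CSR reached a terminal Denied/Failed condition."""

    def __init__(self, state: str) -> None:
        super().__init__(f"CSR was {state}; no certificate will be issued")
        self.state = state


def csr_state(csr: Dict) -> Tuple[str, Optional[bytes]]:
    """Classify a CSR: 'denied', 'failed', 'pending', 'approved' (no cert yet) or 'issued'.

    The decoded PEM is returned only for 'issued'. This is the check that
    `jsonpath='{.status.certificate}' | base64 -d > tls.crt` lacks: an empty
    certificate field decodes without error and leaves an empty tls.crt behind.
    """
    status = csr.get("status") or {}
    conditions = {c["type"]: c.get("status", "True") for c in status.get("conditions", []) if "type" in c}
    if conditions.get("Denied") == "True":
        return "denied", None
    if conditions.get("Failed") == "True":
        return "failed", None
    if conditions.get("Approved") != "True":
        return "pending", None
    encoded = status.get("certificate") or ""
    if not encoded:
        return "approved", None
    pem = base64.b64decode(encoded, validate=True)
    if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("status.certificate is not a PEM certificate")
    return "issued", pem


def wait_for_certificate(
    fetch: Callable[[], Dict],
    timeout_s: float = 120.0,
    interval_s: float = 2.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> bytes:
    """Poll fetch() (a `kubectl get csr -o json` wrapper in real use) until the CSR is issued.

    Fails fast on Denied/Failed and raises TimeoutError, rather than returning an empty
    certificate, if the signer has not issued within timeout_s (the script's 120 s budget).
    """
    deadline = clock() + timeout_s
    while True:
        state, pem = csr_state(fetch())
        if state == "issued" and pem is not None:
            return pem
        if state in ("denied", "failed"):
            raise CsrRejected(state)
        if clock() >= deadline:
            raise TimeoutError(f"CSR still {state} after {timeout_s:.0f}s")
        sleep(interval_s)


def simulate_wait(snapshots: List[Dict], timeout_s: float = 120.0, interval_s: float = 2.0) -> Tuple[str, Optional[bytes]]:
    """Drive wait_for_certificate with a fake clock over scripted CSR snapshots (the last one
    repeats until the deadline). Returns ('issued', pem), ('timeout', None) or (rejection, None)."""
    now = [0.0]
    calls = [0]

    def fetch() -> Dict:
        snapshot = snapshots[min(calls[0], len(snapshots) - 1)]
        calls[0] += 1
        return snapshot

    def sleep(seconds: float) -> None:
        now[0] += seconds

    try:
        return "issued", wait_for_certificate(fetch, timeout_s, interval_s, clock=lambda: now[0], sleep=sleep)
    except TimeoutError:
        return "timeout", None
    except CsrRejected as exc:
        return exc.state, None
```

In the real script the `fetch` callable would wrap `kubectl get csr "${CSR_NAME}" -o json`, and the returned PEM is what should be written to `tls.crt` before the CSR object is deleted.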

@kvaps kvaps force-pushed the flux-aio-module branch 4 times, most recently from 9707dd4 to 2393550 Compare December 9, 2025 21:20
@coderabbitai coderabbitai bot (Contributor) left a comment
Actionable comments posted: 4

♻️ Duplicate comments (2)
packages/core/flux-aio/Makefile (1)

4-11: Add .PHONY declarations for all targets.

This concern was already raised in a previous review. The targets show, apply, diff, and update should be marked as phony.

packages/core/flux-aio/flux-aio.cue (1)

6-9: Pin the module version instead of using "latest".

This concern was already raised in a previous review. The module version should be pinned to ensure reproducible builds and avoid unexpected breaking changes.

🧹 Nitpick comments (6)
packages/core/platform/images/cozystack-assets/Dockerfile (1)

1-25: New cozystack-assets image build looks correct; consider minor hardening

The build pipeline (Go build ➝ make repos ➝ copy _out/repos and dashboards) is coherent and should produce a self-contained assets image.

Two optional improvements you might consider:

  • Run as non-root in the final stage (e.g., add a dedicated user and USER directive) if there are no root-only needs.
  • If the binary is fully static/pure Go, explicitly setting CGO_ENABLED=0 for the go build can make the -extldflags "-static" intent clearer and slightly reduce toolchain coupling.

These are non-blocking polish items.

packages/core/platform/Makefile (1)

4-34: image/image-assets workflow is sound; declare image targets PHONY

The new image-assets target cleanly:

  • Builds the cozystack-assets image with buildx and cache hints.
  • Extracts the digest from images/cozystack-assets.json.
  • Writes the fully qualified reference into values.yaml as .assets.image.

A couple of minor Makefile improvements:

  1. Mark the image targets as phony (also matches the checkmake hint), since they don’t correspond to real files:
 NAME=platform
 NAMESPACE=cozy-system
 
 include ../../../scripts/common-envs.mk
 
+.PHONY: image image-assets
+
 show:
  2. Since docker buildx build does not load or push by default, ensure $(BUILDX_ARGS) is configured (in common-envs.mk or CI) with --push or --load as appropriate for your workflow.
packages/core/platform/templates/cozystack-assets.yaml (3)

31-32: Overly permissive toleration.

Using operator: Exists tolerates all taints, meaning this pod can be scheduled on any node regardless of taints (including nodes marked for maintenance or with specific workload restrictions).

Consider specifying explicit tolerations:

 tolerations:
-- operator: Exists
+- key: node-role.kubernetes.io/control-plane
+  operator: Exists
+  effect: NoSchedule
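Review bot: the narrowed toleration only permits scheduling onto control-plane nodes, it does not attract the pod to them; if the assets server is expected to run there (the same template publishes `hostPort: 8123`), pair the toleration with a `nodeSelector` or node affinity on the same label, otherwise the scheduler may still place it on any untainted worker. The original `operator: Exists` with no key and no `effect` also matched NoExecute taints, which keeps the pod bound to a node that is being drained, so the explicit `effect: NoSchedule` in the suggestion is worth keeping for that reason as well.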

20-26: Add resource limits and requests.

The container has no resource limits or requests defined, which can lead to resource contention and scheduling issues.

Add resource specifications:

 containers:
 - name: assets-server
   image: "{{ .Values.assets.image }}"
   command:
   - /usr/bin/cozystack-assets-server
   - "-dir=/cozystack/assets"
   - "-address=:8123"
+  resources:
+    requests:
+      memory: "64Mi"
+      cpu: "100m"
+    limits:
+      memory: "128Mi"
+      cpu: "200m"

20-30: Add liveness and readiness probes.

The container lacks health check probes, which means Kubernetes cannot determine if the container is healthy or ready to serve traffic. This can result in traffic being routed to unhealthy pods.

Add health probes:

 - name: assets-server
   image: "{{ .Values.assets.image }}"
   command:
   - /usr/bin/cozystack-assets-server
   - "-dir=/cozystack/assets"
   - "-address=:8123"
   ports:
   - name: http
     containerPort: 8123
     hostPort: 8123
+  livenessProbe:
+    httpGet:
+      path: /
+      port: 8123
+    initialDelaySeconds: 10
+    periodSeconds: 10
+  readinessProbe:
+    httpGet:
+      path: /
+      port: 8123
+    initialDelaySeconds: 5
+    periodSeconds: 5
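Review bot: both probes request `/` on the container, but the process is a static file server rooted at `/cozystack/assets` (the `-dir` flag above), and a root request on such a server commonly returns 404 or 403 when no index exists; a failing liveness probe would then restart the container in a loop. Before adopting these probes, confirm what the server answers at `/`, and if it is not a 2xx/3xx, point them at a path known to be served (the monitoring template fetches `/dashboards/<name>.json` from this service) or at a dedicated health endpoint if the binary exposes one.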
scripts/installer.sh (1)

55-64: Consider more robust parsing for HelmRelease manipulation.

The shell loops parsing kubectl output work but are fragile to output format changes or unusual characters in names.

Consider using kubectl ... -o json | jq for more robust parsing:

# Example for line 55-61
# sourceRef.namespace is optional and defaults to the HelmRelease namespace, so fall back to it; read -r keeps backslashes intact
kubectl get hr -A -o json | jq -r '.items[] | select(.spec.suspend) | "\(.spec.chart.spec.sourceRef.namespace // .metadata.namespace)/\(.spec.chart.spec.sourceRef.name) \(.metadata.namespace) \(.metadata.name)"' | while read -r repo namespace name; do
  case "$repo" in
    cozy-system/cozystack-system|cozy-public/cozystack-extra|cozy-public/cozystack-apps)
      kubectl patch hr -n "$namespace" "$name" -p '{"spec": {"suspend": null}}' --type=merge --field-manager=flux-client-side-apply
      ;;
  esac
done
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between fea9095 and 2393550.

📒 Files selected for processing (16)
  • Makefile (1 hunks)
  • packages/core/flux-aio/Chart.yaml (1 hunks)
  • packages/core/flux-aio/Makefile (1 hunks)
  • packages/core/flux-aio/flux-aio.cue (1 hunks)
  • packages/core/installer/images/cozystack/Dockerfile (1 hunks)
  • packages/core/installer/templates/cozystack.yaml (1 hunks)
  • packages/core/platform/Makefile (2 hunks)
  • packages/core/platform/images/cozystack-assets/Dockerfile (1 hunks)
  • packages/core/platform/templates/_helpers.tpl (1 hunks)
  • packages/core/platform/templates/cozystack-assets.yaml (1 hunks)
  • packages/core/platform/templates/helmrepos.yaml (3 hunks)
  • packages/core/platform/values.yaml (1 hunks)
  • packages/extra/monitoring/templates/dashboards.yaml (1 hunks)
  • scripts/installer.sh (2 hunks)
  • scripts/issue-flux-certificates.sh (1 hunks)
  • scripts/migrations/21 (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/core/flux-aio/Chart.yaml
  • scripts/migrations/21
🪛 checkmake (0.2.2)
packages/core/platform/Makefile

[warning] 24-24: Target "image" should be declared PHONY. (phonydeclared)

🔇 Additional comments (10)
packages/extra/monitoring/templates/dashboards.yaml (1)

14-14: Dashboard URL correctly switched to cozystack-assets service

The new hostname cozystack-assets.cozy-system.svc aligns with the new assets component; the path is unchanged, so this looks compatible as long as cozystack-assets serves /dashboards/{{ . }}.json as expected. Please confirm the service and route match this URL.

packages/core/installer/images/cozystack/Dockerfile (1)

33-33: Adding openssl to installer image looks appropriate

Including openssl alongside kubectl/helm/jq is reasonable for certificate handling and should not affect existing flows beyond image size.

Please double-check that any new certificate-related scripts are executed in this image so the dependency is actually available where needed.

packages/core/platform/values.yaml (1)

1-2: assets.image value is consistent with cozystack-assets image wiring

Defining assets.image here matches how the platform Makefile later rewrites this field with the built image digest, so the chart has a single source of truth for the cozystack-assets image reference.

Makefile (1)

29-29: Top-level build now includes platform (cozystack-assets) image

Wiring make -C packages/core/platform image into build ensures the cozystack-assets image is produced as part of the standard pipeline, which keeps platform values in sync. Just be aware this adds another Docker build step to make build.

If CI build times are tight, you may want to confirm that always building this image is acceptable or consider a separate target.

packages/core/installer/templates/cozystack.yaml (1)

57-58: INSTALL_FLUX flag is now always enabled for the installer pod

Plumbing INSTALL_FLUX="true" into the cozystack Deployment is straightforward; just confirm this unconditional default matches the desired behavior (e.g., no remaining use cases where Flux installation should be skipped or made configurable via values).

packages/core/platform/templates/_helpers.tpl (1)

20-48: kubernetesAPIEndpoint helper is robust with sensible fallbacks

The helper correctly:

  • Uses lookup/dig to avoid panics when the Deployment or container/env fields are missing.
  • Falls back to kubernetes.default.svc:443 when it can't discover values, which keeps first-install rendering safe.

This should work well for forming API proxy URLs from templates. Just ensure the expectation about when the cozystack Deployment exists (and whether you want localhost:7445 vs kubernetes.default.svc:443) matches how and when these templates are rendered in your install flow.

scripts/installer.sh (2)

22-28: LGTM! Simplified Flux installation.

The refactored install_flux function is much cleaner, delegating to a single make target instead of complex pre-check logic. The early return when INSTALL_FLUX != "true" is appropriate.


67-71: Continuous reconciliation loop is appropriate.

The infinite loop with sleep and periodic reconciliation is a valid pattern for ensuring the platform stays in sync. The trap handler ensures clean exit on SIGINT/SIGTERM.

packages/core/platform/templates/cozystack-assets.yaml (1)

27-30: HostPort binding can cause scheduling issues.

Binding to hostPort: 8123 restricts pod placement to one instance per node. Combined with replicas: 1, if the node becomes unavailable, the pod cannot reschedule to another node while the hostPort remains bound elsewhere.

Verify whether hostPort is necessary for this workload's requirements, or if the defined Service alone would provide sufficient connectivity without the scheduling constraints.

packages/core/platform/templates/helmrepos.yaml (1)

11-13: The review comment references a file that could not be located in the repository.

Unable to verify the hardcoded pod name concern (cozystack-assets-0) and the suggestion to check StatefulSet configuration, replica scaling, and service alternatives. The file packages/core/platform/templates/helmrepos.yaml does not appear to exist in the current codebase.

Before proceeding with this review, confirm the correct file path and verify the code still exists in the current state of the repository.

@kvaps kvaps force-pushed the flux-aio-module branch 2 times, most recently from a42fef5 to cf18f48 Compare December 9, 2025 21:38
@kvaps kvaps changed the title [fluxcd] Add flux-aio module and migration to v22 [fluxcd] Add flux-aio module and migration Dec 9, 2025
@kvaps kvaps force-pushed the flux-aio-module branch 2 times, most recently from 1c7a74e to a67b257 Compare December 10, 2025 09:48

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
packages/core/flux-aio/flux-aio.cue (1)

6-9: Pin the module version instead of using "latest".

As noted in the previous review, using version: "latest" prevents reproducible builds and can introduce unexpected breaking changes. For production infrastructure components like FluxCD, version stability is critical.

packages/core/flux-aio/Makefile (1)

6-22: Add .PHONY declarations for all targets.

As noted in the previous review, targets show, apply, and diff should be marked as phony. Additionally, the new update target should also be included in the .PHONY declaration since it doesn't produce a file named "update".

Apply this diff:

+.PHONY: show apply diff update
+
 show:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain
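Review bot: the `.PHONY: show apply diff update` line matches the four targets this comment names, but it leaves the three checkmake `minphony` warnings shown above (missing `all`, `clean`, `test`) in place; either add those targets alongside this declaration or disable that rule for this Makefile so the lint output stops flagging it on every run.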
🧹 Nitpick comments (2)
packages/core/flux-aio/Makefile (2)

18-22: Consider using yq for more robust YAML manipulation.

The sed patterns on lines 18-22 are fragile and may break if the generated YAML structure changes:

  • Line 21: /value: .svc/a could match unintended lines containing "value: .svc"
  • Line 22: /hostNetwork: true/i assumes exact formatting

Since you're already using yq on line 17, consider extending its use for these transformations instead of sed for better reliability and maintainability.


10-10: Note the use of --force-conflicts.

The --force-conflicts flag will forcibly override any conflicting field managers. While appropriate for automated infrastructure deployment scenarios, be aware that this can overwrite manual changes made by operators.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2393550 and a67b257.

📒 Files selected for processing (16)
  • packages/core/flux-aio/Chart.yaml (1 hunks)
  • packages/core/flux-aio/Makefile (1 hunks)
  • packages/core/flux-aio/flux-aio.cue (1 hunks)
  • packages/core/flux-aio/templates/_helpers.tpl (1 hunks)
  • packages/core/installer/images/cozystack/Dockerfile (1 hunks)
  • packages/core/installer/templates/cozystack.yaml (1 hunks)
  • packages/core/platform/bundles/distro-full.yaml (0 hunks)
  • packages/core/platform/bundles/distro-hosted.yaml (0 hunks)
  • packages/core/platform/bundles/paas-full.yaml (0 hunks)
  • packages/core/platform/bundles/paas-hosted.yaml (0 hunks)
  • packages/core/platform/templates/_helpers.tpl (1 hunks)
  • packages/core/platform/templates/cozystack-assets.yaml (1 hunks)
  • packages/core/platform/templates/helmrepos.yaml (3 hunks)
  • scripts/installer.sh (2 hunks)
  • scripts/issue-flux-certificates.sh (1 hunks)
  • scripts/migrations/21 (1 hunks)
💤 Files with no reviewable changes (4)
  • packages/core/platform/bundles/distro-full.yaml
  • packages/core/platform/bundles/paas-full.yaml
  • packages/core/platform/bundles/distro-hosted.yaml
  • packages/core/platform/bundles/paas-hosted.yaml
✅ Files skipped from review due to trivial changes (1)
  • packages/core/flux-aio/Chart.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • scripts/migrations/21
  • scripts/issue-flux-certificates.sh
  • packages/core/installer/templates/cozystack.yaml
  • packages/core/platform/templates/cozystack-assets.yaml
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-07-03T05:54:51.264Z
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1120
File: packages/apps/clickhouse/README.md:60-67
Timestamp: 2025-07-03T05:54:51.264Z
Learning: The `cozy-lib.resources.sanitize` function in packages/library/cozy-lib/templates/_resources.tpl supports both standard Kubernetes resource format (with limits:/requests: sections) and flat format (direct resource specifications). The flat format takes priority over nested values. CozyStack apps include cozy-lib as a chart dependency through symlinks in packages/apps/*/charts/cozy-lib directories.

Applied to files:

  • packages/core/flux-aio/templates/_helpers.tpl
📚 Learning: 2025-07-11T06:11:25.438Z
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1130
File: hack/e2e-apps/kubernetes.bats:101-101
Timestamp: 2025-07-11T06:11:25.438Z
Learning: In cozystack, the plural form for the Kubernetes custom resource is `kuberneteses.apps.cozystack.io`, not `kubernetes.apps.cozystack.io`. This is defined in the API schema even though it's not grammatically perfect.

Applied to files:

  • packages/core/platform/templates/_helpers.tpl
🪛 checkmake (0.2.2)
packages/core/flux-aio/Makefile

[warning] 15-15: Target body for "update" exceeds allowed length of 5 (7).

(maxbodylength)


[warning] 1-1: Missing required phony target "all"

(minphony)


[warning] 1-1: Missing required phony target "clean"

(minphony)


[warning] 1-1: Missing required phony target "test"

(minphony)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (5)
packages/core/installer/images/cozystack/Dockerfile (1)

33-33: LGTM!

The addition of openssl to the runtime dependencies aligns with the new TLS certificate management script (issue-flux-certificates.sh) mentioned in the PR objectives.

scripts/installer.sh (2)

22-28: LGTM!

The install_flux function is clean and well-structured. The guard clause for INSTALL_FLUX and the single make target approach simplify the installation flow.


45-46: Verify the certificate script handles edge cases.

Ensure the issue-flux-certificates.sh script exists, is executable, and properly handles scenarios such as:

  • Pre-existing certificates (idempotency)
  • Certificate renewal
  • Missing dependencies (openssl, kubectl)
  • Namespace availability
packages/core/platform/templates/_helpers.tpl (1)

20-48: LGTM with a note about initial installation.

The helper logic is sound and provides sensible defaults (kubernetes.default.svc:443). During initial installation, the cozystack Deployment may not exist yet, so the lookup will return empty and fall back to defaults, which should work correctly for accessing the Kubernetes API server.


@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 10, 2025
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
packages/core/flux-aio/Makefile (1)

15-22: Consider adding .PHONY declarations.

The targets show, apply, diff, and update don't produce files and should be marked as phony to ensure they always execute even if files with those names exist.

Add this near the top of the file:

 include ../../../scripts/common-envs.mk
 
+.PHONY: show apply diff update
+
 show:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain
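Review bot: this repeats the `.PHONY: show apply diff update` suggestion from the previous round, now anchored under the `include ../../../scripts/common-envs.mk` line; if it is adopted, the `update` target body that checkmake flags as exceeding five lines (warning 15-15 above) could be split into a helper target in the same change, so the Makefile passes both checks at once.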
packages/core/flux-aio/flux-aio.cue (1)

6-9: Pin the module version to v2.7.3-1 instead of using "latest".

Using version: "latest" introduces non-deterministic builds and breaks reproducibility. For production infrastructure components like FluxCD, pin to a specific version (currently v2.7.3-1, the latest stable release as of October 2025).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a67b257 and 373a0d1.

📒 Files selected for processing (16)
  • packages/core/flux-aio/Chart.yaml (1 hunks)
  • packages/core/flux-aio/Makefile (1 hunks)
  • packages/core/flux-aio/flux-aio.cue (1 hunks)
  • packages/core/flux-aio/templates/_helpers.tpl (1 hunks)
  • packages/core/installer/images/cozystack/Dockerfile (1 hunks)
  • packages/core/installer/templates/cozystack.yaml (1 hunks)
  • packages/core/platform/bundles/distro-full.yaml (0 hunks)
  • packages/core/platform/bundles/distro-hosted.yaml (0 hunks)
  • packages/core/platform/bundles/paas-full.yaml (0 hunks)
  • packages/core/platform/bundles/paas-hosted.yaml (0 hunks)
  • packages/core/platform/templates/_helpers.tpl (1 hunks)
  • packages/core/platform/templates/cozystack-assets.yaml (0 hunks)
  • packages/core/platform/templates/helmrepos.yaml (3 hunks)
  • scripts/installer.sh (2 hunks)
  • scripts/issue-flux-certificates.sh (1 hunks)
  • scripts/migrations/21 (1 hunks)
💤 Files with no reviewable changes (5)
  • packages/core/platform/bundles/paas-hosted.yaml
  • packages/core/platform/templates/cozystack-assets.yaml
  • packages/core/platform/bundles/distro-hosted.yaml
  • packages/core/platform/bundles/paas-full.yaml
  • packages/core/platform/bundles/distro-full.yaml
🚧 Files skipped from review as they are similar to previous changes (5)
  • packages/core/flux-aio/Chart.yaml
  • packages/core/installer/templates/cozystack.yaml
  • scripts/migrations/21
  • packages/core/installer/images/cozystack/Dockerfile
  • packages/core/platform/templates/_helpers.tpl
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-12-10T11:40:05.186Z
Learnt from: kvaps
Repo: cozystack/cozystack PR: 1698
File: packages/core/flux-aio/templates/_helpers.tpl:3-3
Timestamp: 2025-12-10T11:40:05.186Z
Learning: Do not modify helpers sourced from flux-operator (e.g., kubernetes_envs) in flux-aio templates. Leave them as-is since they are battle-tested upstream. Any changes should be confined to wrapper code that consumes these helpers, not the templates themselves. If modifications are absolutely necessary for compatibility, document rationale and align with upstream behavior.

Applied to files:

  • packages/core/flux-aio/templates/_helpers.tpl
📚 Learning: 2025-07-03T05:54:51.264Z
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1120
File: packages/apps/clickhouse/README.md:60-67
Timestamp: 2025-07-03T05:54:51.264Z
Learning: The `cozy-lib.resources.sanitize` function in packages/library/cozy-lib/templates/_resources.tpl supports both standard Kubernetes resource format (with limits:/requests: sections) and flat format (direct resource specifications). The flat format takes priority over nested values. CozyStack apps include cozy-lib as a chart dependency through symlinks in packages/apps/*/charts/cozy-lib directories.

Applied to files:

  • packages/core/flux-aio/templates/_helpers.tpl
🪛 checkmake (0.2.2)
packages/core/flux-aio/Makefile

[warning] 15-15: Target body for "update" exceeds allowed length of 5 (7).

(maxbodylength)


[warning] 1-1: Missing required phony target "all"

(minphony)


[warning] 1-1: Missing required phony target "clean"

(minphony)


[warning] 1-1: Missing required phony target "test"

(minphony)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (7)
packages/core/flux-aio/templates/_helpers.tpl (1)

1-13: LGTM - Helper template correctly extracts Kubernetes API environment variables.

The template logic properly uses lookup, dig, and conditional filtering to extract KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT from the cozystack deployment. Based on learnings, this helper is sourced from flux-operator and is battle-tested upstream.

scripts/issue-flux-certificates.sh (2)

1-63: LGTM - Certificate provisioning script is well-structured and idempotent.

The script correctly:

  • Performs early exit when secrets already exist in both namespaces
  • Uses proper cleanup handler with trap
  • Generates CSR, submits to Kubernetes, and waits for approval
  • Creates secrets idempotently using --dry-run=client with kubectl apply

The use of dry-run combined with apply ensures the script can be safely re-run.


14-14: Use single quotes in trap for deferred variable expansion.

The trap command currently uses double quotes, causing $TMPDIR to expand when the trap is set rather than when it executes. This is flagged by Shellcheck SC2064.

Apply this diff:

-trap 'rm -rf "$TMPDIR"' EXIT
+trap 'rm -rf "$TMPDIR"' EXIT
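Review bot: this hunk is a no-op; the `-` line and the `+` line are byte-for-byte identical (`trap 'rm -rf "$TMPDIR"' EXIT`), both already using single quotes, so applying it changes nothing and the SC2064 finding quoted in the comment does not apply to the code as shown. Drop the suggested diff rather than committing it.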

Wait, I see the code already has single quotes. Let me check the annotated code again... Actually, looking at line 14, it shows:

trap 'rm -rf "$TMPDIR"' EXIT

This already uses single quotes! The past review comment mentioned double quotes, but the current code has single quotes. This means the issue was already fixed.

packages/core/flux-aio/Makefile (1)

6-13: LGTM - Target implementations are correct.

The show, apply, and diff targets correctly use cozypkg to render and apply manifests with appropriate kubectl flags.

packages/core/platform/templates/helmrepos.yaml (1)

11-13: LGTM - Security improvement with HTTPS and mutual TLS.

The changes consistently update all three HelmRepository resources to:

  • Use HTTPS instead of HTTP
  • Access via Kubernetes API proxy endpoint
  • Include TLS certificate reference (cozystack-assets-tls)

This enhances security for Helm repository access. The certificate secret name matches what's provisioned by scripts/issue-flux-certificates.sh.

Also applies to: 25-27, 38-40

scripts/installer.sh (2)

22-28: LGTM - Simplified Flux installation flow.

The new install_flux function is cleaner than the legacy approach, with a clear early-return pattern and direct integration with the flux-aio Makefile. The wait for CRDs ensures FluxCD is ready before proceeding.


43-46: LGTM - Proper installation sequence with certificate provisioning.

The flow correctly installs Flux first, then provisions TLS certificates for secure Helm repository access. This ordering ensures the FluxCD components are available before certificate issuance.
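
The certificate provisioning flow and the HelmRepository wiring reviewed above (a CSR issued through the Kubernetes API, the secret written with `--dry-run=client` plus `kubectl apply` so re-runs are safe, and repositories reached over HTTPS through the API proxy with `certSecretRef: cozystack-assets-tls`), as an added shell example. This is not `scripts/issue-flux-certificates.sh` or any other code from the cozystack repository. It assumes the `kubernetes.io/kube-apiserver-client` signer, a subject whose CN and O map to a Kubernetes user and group, the pod-proxy URL path `/api/v1/namespaces/cozy-system/pods/cozystack-assets-0:8123/proxy/`, and the names `flux-client`, `cozystack-apps` and `cozystack-assets-tls`; none of these come from the PR page. The CSR and manifest functions run offline with `openssl`; `issue_flux_cert` needs `kubectl` against a live cluster.

```shell
#!/usr/bin/env bash
# Added example, not the cozystack project's own script. Issues an mTLS client
# identity for Flux through the Kubernetes CSR API, stores it as a TLS secret,
# and renders a HelmRepository that reaches the in-cluster HTTP server through
# the API server's pod proxy using that secret as certSecretRef.
# Assumptions (illustrative, not taken from the PR): the signer name, the
# CN/O subject, the proxy URL path and the user/secret/repository names.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT   # single quotes: expanded when the trap fires

# 1. Private key and CSR. For kube-apiserver-client certificates the CN
#    becomes the Kubernetes username and O the group used by RBAC.
gen_csr() { # gen_csr <dir> <common-name> <org>
  local dir=$1 cn=$2 org=$3
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" \
    -subj "/CN=$cn/O=$org" >/dev/null 2>&1
}

# 2. CertificateSigningRequest manifest; spec.request is the PEM CSR,
#    base64-encoded on a single line.
render_csr_manifest() { # render_csr_manifest <csr-file> <csr-name>
  local b64
  b64=$(base64 < "$1" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $2
spec:
  request: $b64
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# 3. HelmRepository that goes through the API server's pod proxy (assumed
#    path) and authenticates with the issued client certificate.
render_helmrepo() { # render_helmrepo <name> <namespace> <api-endpoint> <secret>
  cat <<EOF
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: $1
  namespace: $2
spec:
  interval: 1m
  url: https://$3/api/v1/namespaces/cozy-system/pods/cozystack-assets-0:8123/proxy/$1/
  certSecretRef:
    name: $4
EOF
}

# 4. End-to-end against a live cluster (needs kubectl). Idempotent: returns
#    early if the secret exists, approves the CSR, waits for the signed cert,
#    then writes the secret via dry-run + apply.
issue_flux_cert() { # issue_flux_cert <namespace> <secret> <user> <group>
  local ns=$1 secret=$2 user=$3 group=$4 cert=""
  if kubectl -n "$ns" get secret "$secret" >/dev/null 2>&1; then
    echo "secret $ns/$secret already exists, nothing to do"
    return 0
  fi
  gen_csr "$WORKDIR" "$user" "$group"
  render_csr_manifest "$WORKDIR/tls.csr" "$secret" | kubectl apply -f -
  kubectl certificate approve "$secret"
  for _ in $(seq 1 30); do
    cert=$(kubectl get csr "$secret" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 2
  done
  [ -n "$cert" ] || { echo "CSR $secret was not signed in time" >&2; return 1; }
  echo "$cert" | base64 -d > "$WORKDIR/tls.crt"
  kubectl -n "$ns" create secret tls "$secret" \
    --cert="$WORKDIR/tls.crt" --key="$WORKDIR/tls.key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage on a cluster (assumed names):
#   issue_flux_cert cozy-system cozystack-assets-tls flux-client cozystack
#   render_helmrepo cozystack-apps cozy-system kubernetes.default.svc:443 cozystack-assets-tls | kubectl apply -f -
```

The identity issued this way still needs RBAC that allows `get` on the `pods/proxy` subresource for the target pod; the cozystack/website post referenced later in this thread covers that binding, and it is not shown here.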

@kvaps kvaps enabled auto-merge December 10, 2025 18:37
@kvaps kvaps merged commit 10d3574 into cozystack:main Dec 10, 2025
39 of 40 checks passed
```yaml
- name: KUBERNETES_SERVICE_HOST
  value: localhost
- name: INSTALL_FLUX
  value: "true"
```
Member


❤️

kvaps added a commit to cozystack/website that referenced this pull request Dec 15, 2025
#381)

This PR adds a new blog article about solving the chicken-and-egg
problem of deploying CNI and kube-proxy through Flux while ensuring Flux
itself works without CNI and kube-proxy, using Kubernetes API routing
and mTLS certificates.

The article explains how we:
- Use flux-aio to run Flux without CNI and kube-proxy
- Route Flux through the Kubernetes API to access internal HTTP server
- Obtain client certificates for mTLS authentication
- Configure RBAC for pod proxy access

Related PR: cozystack/cozystack#1698

## Summary by CodeRabbit

* **Documentation**
* Added blog post on deploying CNI and kube-proxy through Flux-aio using
Kubernetes API routing with mTLS client certificate authentication,
including step-by-step guidance and configuration examples.

kvaps added a commit that referenced this pull request Jan 8, 2026
This reverts commit 10d3574, reversing
changes made to 61ec812.
kvaps added a commit that referenced this pull request Jan 9, 2026
This change is extracted from
- #1641

and reworked to work standalone

requires:

- #1705

Adds a new `flux-aio` module and migration script to upgrade FluxCD to
version 22. This introduces a new modular approach to FluxCD
installation using the flux-aio OCI module.

Changes:
- Created new `flux-aio` package with Chart.yaml, Makefile, and CUE
configuration
- Added flux-aio module configuration using OCI module from
`ghcr.io/stefanprodan/modules/flux-aio`
- Generated large fluxcd.yaml template (11956+ lines) for FluxCD
resources
- Added migration script (migrations/21) to handle upgrade from version
21 to 22
- Updated installer to include flux-aio module
- Added script `issue-flux-certificates.sh` for managing TLS
certificates for cozystack-assets
- Updated platform templates to support flux-aio module
- Updated cozystack-assets service references

```release-note
[fluxcd] Add flux-aio module and migration
```

* **New Features**
* Added TLS certificate support for Helm package repositories with
automatic certificate provisioning.

* **Chores**
  * Refactored FluxCD integration using Helm chart-based deployment.
  * Updated system to version 22 with automatic migration support.
  * Enhanced security dependencies (OpenSSL).

kvaps added a commit that referenced this pull request Jan 9, 2026

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:L This PR changes 100-499 lines, ignoring generated files.
