
kvaps (Member) commented Dec 12, 2025

This PR adds a new blog article about solving the chicken-and-egg problem of deploying CNI and kube-proxy through Flux while ensuring Flux itself works without CNI and kube-proxy, using Kubernetes API routing and mTLS certificates.

The article explains how we:

  • Use flux-aio to run Flux without CNI and kube-proxy
  • Route Flux through the Kubernetes API to access internal HTTP server
  • Obtain client certificates for mTLS authentication
  • Configure RBAC for pod proxy access

Related PR: cozystack/cozystack#1698

Summary by CodeRabbit

  • Documentation
    • Added blog post on deploying CNI and kube-proxy through Flux-aio using Kubernetes API routing with mTLS client certificate authentication, including step-by-step guidance and configuration examples.


netlify bot commented Dec 12, 2025

Deploy Preview for cozystack ready!

  • Latest commit: f9817cd
  • Latest deploy log: https://app.netlify.com/projects/cozystack/deploys/693c6c25631f0a000856f930
  • Deploy Preview: https://deploy-preview-381--cozystack.netlify.app

coderabbitai bot (Contributor) commented Dec 12, 2025


Walkthrough

A new blog post was added documenting how to deploy CNI and kube-proxy through Flux using Flux-aio while Flux itself operates without CNI/kube-proxy by routing traffic through the Kubernetes API and using mTLS client certificates for authentication.

Changes

  • Blog Post Addition: content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/index.md
    New blog post documenting Flux-aio deployment with mTLS; includes step-by-step guidance on generating Kubernetes CSR client certificates, retrieving CA certs, creating TLS secrets, defining RBAC roles, and configuring HelmRepository for API proxy access. References ongoing transitions to source-watcher and OCIRepository artifacts.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

This is a straightforward content addition with no code changes or functional impact—primarily a documentation file review for accuracy, clarity, and consistency with existing blog standards.



gemini-code-assist bot (Contributor) commented
Summary of Changes


This pull request adds a comprehensive blog post that addresses a significant challenge in Kubernetes deployments: enabling Flux to manage CNI and kube-proxy while Flux itself is bootstrapping without these critical networking components. The article presents an innovative workaround involving Kubernetes API routing and mTLS authentication using dynamically generated client certificates, providing a detailed explanation of the implementation steps and the rationale behind them. It offers valuable insights into advanced Kubernetes API usage for bootstrapping and internal communication.

Highlights

  • New Blog Article Added: This pull request introduces a new blog article titled 'Flux-aio, Kubernetes mTLS and the Chicken and Egg Problem', detailing a complex Kubernetes deployment challenge and its solution.
  • Solving the Flux 'Chicken-and-Egg' Problem: The article explains how to deploy CNI and kube-proxy using Flux, even when Flux itself needs to operate without these components initially, leveraging flux-aio.
  • Kubernetes API Routing for Internal Access: It describes an elegant solution for Flux to access an internal HTTP server pod by routing through the Kubernetes API, bypassing the need for CNI or kube-proxy.
  • mTLS Authentication with Kubernetes Client Certificates: The article provides a step-by-step guide on obtaining and utilizing Kubernetes client certificates for mTLS authentication, securing access to internal services via the API proxy.
  • RBAC Configuration for Pod Proxy Access: It outlines the necessary Role-Based Access Control (RBAC) setup to grant Flux the permissions required to proxy requests to specific pods through the Kubernetes API.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
kvaps force-pushed the add-flux-aio-mtls-article branch from 0c67654 to f9817cd on December 12, 2025 19:25
gemini-code-assist bot (Contributor) left a review:

Code Review

This is a well-written and interesting article explaining a clever solution to a classic chicken-and-egg problem in Kubernetes bootstrapping with Flux. The explanation is clear and the code snippets are very helpful. I've found a couple of technical inaccuracies in the Kubernetes and Flux resource definitions which could confuse readers or cause errors if copied directly. My suggestions aim to correct these to ensure the examples are accurate and functional. Overall, great work on documenting this complex scenario!

Comment on lines +69 to +74
kubectl create secret generic "cozystack-assets-tls" \
--namespace='cozy-system' \
--type='kubernetes.io/tls' \
--from-file=tls.crt \
--from-file=tls.key \
--from-file=ca.crt
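Review bot: the command runs as written: `kubectl create secret generic` accepts `--type`, and `--from-file` uses the file basename as the key, so `tls.crt` and `tls.key` satisfy the `kubernetes.io/tls` type and `ca.crt` is carried alongside them. The article should state which CA goes into `ca.crt` (the bundle that signs the kube-apiserver serving certificate, since that is the endpoint Flux connects to) and note that `tls.key` is a long-lived client credential stored in `cozy-system`, so read access to that namespace's secrets should stay tightly scoped.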
gemini-code-assist bot (severity: medium):

The `kubectl create secret generic` command shown here is incorrect because the `generic` subcommand does not have a `--type` flag. This command will fail when executed.

Furthermore, Flux's `certSecretRef` requires a secret of type `kubernetes.io/tls`. The `kubectl create secret tls` command is the correct one for this type, but it doesn't support adding an arbitrary file like `ca.crt` directly.

A more robust and declarative way to create this secret is by defining it in YAML and applying it with `kubectl apply`. This ensures the correct type and allows including the `ca.crt` data.

Here is a corrected snippet that you could use in the article:

```bash
# Create a secret for Flux
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cozystack-assets-tls
  namespace: cozy-system
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < tls.crt | tr -d '\n')
  tls.key: $(base64 < tls.key | tr -d '\n')
  ca.crt: $(base64 < ca.crt | tr -d '\n')
EOF
```

Now this secret can be used to access our server directly through the Kubernetes API. In the `HelmRepository` spec, we specify:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
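Review bot: `source.toolkit.fluxcd.io/v1` is the current GA version of `HelmRepository` (promoted from v1beta2 in Flux 2.3), so the manifest applies on any recent Flux install and downgrading it to `v1beta2` would be the wrong fix for those clusters. Worth stating the minimum Flux (or flux-aio) version next to the snippet so readers on older controllers understand why `v1` might be rejected.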
gemini-code-assist bot (severity: medium):

The `apiVersion` for a Flux `HelmRepository` resource is incorrect. It should be `source.toolkit.fluxcd.io/v1beta2`, not `source.toolkit.fluxcd.io/v1`. Using `v1` will result in a failure to apply this manifest to a cluster with Flux installed.

Suggested change:

-apiVersion: source.toolkit.fluxcd.io/v1
+apiVersion: source.toolkit.fluxcd.io/v1beta2

coderabbitai bot (Contributor) left a review:

Actionable comments posted: 3

♻️ Duplicate comments (2)
content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/index.md (2)

39-75: Fix the TLS secret creation command (it currently won't work as written).

Lines 69-74: `kubectl create secret generic` doesn't support `--type`, and Flux's `certSecretRef` expects a TLS-formatted secret (commonly `kubernetes.io/tls`) but you also want to include `ca.crt`. Prefer a small YAML-applied secret (as suggested in the prior review comment) to ensure type + keys are correct.


112-121: Flux `HelmRepository` `apiVersion` looks wrong (will fail to apply on many clusters).

Line 113 uses `source.toolkit.fluxcd.io/v1`; prior review noted `v1beta2`. Please verify the correct `apiVersion` for the Flux version Cozystack targets and update the snippet accordingly.

🧹 Nitpick comments (1)
content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/index.md (1)

79-108: RBAC: consider calling out required privileges + rotation for the client cert.

The Role/RoleBinding is fine, but the doc would be stronger if it mentioned:

  • CSR approval typically requires elevated privileges (cluster-admin or delegated signer approval).
  • cert lifetime/rotation (CSRs expire; you may want an automation note).
📥 Commits

Reviewing files that changed from the base of the PR and between e250000 and f9817cd.

⛔ Files ignored due to path filters (1)
  • content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/chicken-and-egg-problem.png is excluded by !**/*.png
📒 Files selected for processing (1)
  • content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/index.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
content/en/blog/2025-12-12-flux-aio-kubernetes-mtls-and-the-chicken-and-egg-problem/index.md

9-9: Images should have alternate text (alt text)

(MD045, no-alt-text)


27-27: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


131-131: Bare URL used

(MD034, no-bare-urls)

description: "How we solved the chicken-and-egg problem of deploying CNI and kube-proxy through Flux while ensuring Flux itself works without CNI and kube-proxy, using Kubernetes API routing and mTLS certificates."
---

![](chicken-and-egg-problem.png)
coderabbitai bot (⚠️ Potential issue | 🟡 Minor):

Add alt text for the image (markdownlint MD045).

Line 9 should include descriptive alt text for accessibility.

-![](chicken-and-egg-problem.png)
+![Chicken-and-egg problem diagram](chicken-and-egg-problem.png)

Comment on lines +27 to +30
```
https://example.org:6443/api/v1/namespaces/cozy-system/pods/cozystack-assets-0/proxy
```
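Review bot: the `/proxy` subresource in this URL is authorized separately from `pods`, so the Role the article adds must grant `get` (and `create` for POST/PUT) on `pods/proxy` in `cozy-system`, ideally narrowed with `resourceNames: ["cozystack-assets-0"]`; `get` on `pods` alone does not allow the proxied request. Spelling that out next to the URL would save readers a 403 from the RBAC step.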

coderabbitai bot (⚠️ Potential issue | 🟡 Minor):

Specify a language for the fenced code block (markdownlint MD040).

Line 27 should be something like text (or url) to satisfy linters.

-```
+```text
 https://example.org:6443/api/v1/namespaces/cozy-system/pods/cozystack-assets-0/proxy

Comment on lines +129 to +132
You can view (and review) the full code of the PR here:

- https://github.com/cozystack/cozystack/pull/1698

coderabbitai bot (⚠️ Potential issue | 🟡 Minor):

Avoid bare URLs (markdownlint MD034).

Convert to a proper Markdown link:

-- https://github.com/cozystack/cozystack/pull/1698
+- [cozystack/cozystack#1698](https://github.com/cozystack/cozystack/pull/1698)
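As an added example (not code from the article or from the PR), the certificate-request and secret-packaging steps the reviews above discuss, including the CSR approval privilege and rotation points raised by CodeRabbit: it requests a client certificate from the Kubernetes CSR API, pulls the cluster CA, and renders the `kubernetes.io/tls` secret with `ca.crt` included. The secret name and namespace are the PR's; the CN/CSR name `cozystack-assets` and the 90-day requested lifetime are assumptions.

```shell
# Added example: get a Kubernetes client certificate via the CSR API and package it,
# with the cluster CA, as the kubernetes.io/tls secret Flux's certSecretRef reads.
# From the PR: cozy-system, cozystack-assets-tls. Assumed: CN "cozystack-assets".
set -eu
NAMESPACE=cozy-system
SECRET=cozystack-assets-tls
CN=cozystack-assets   # the Kubernetes user the article's Role/RoleBinding must name

# Render a kubernetes.io/tls Secret manifest: that type requires tls.crt and
# tls.key; ca.crt is the extra key Flux uses to verify the API server.
tls_secret_manifest() {   # $1 name, $2 namespace, $3 crt, $4 key, $5 ca
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n' "$(base64 < "$3" | tr -d '\n')"
  printf '  tls.key: %s\n' "$(base64 < "$4" | tr -d '\n')"
  printf '  ca.crt: %s\n' "$(base64 < "$5" | tr -d '\n')"
}

# Non-zero if the cert expires within $2 days; run from cron so the secret is
# rotated before Flux starts failing TLS handshakes.
cert_valid_for_days() {   # $1 cert file, $2 days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) > /dev/null
}

# Request, approve and collect the client cert; writes tls.key, tls.crt, ca.crt.
request_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout tls.key -out client.csr \
    -subj "/CN=${CN}" 2>/dev/null
  kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CN}
spec:
  request: $(base64 < client.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 7776000   # 90 days requested; the signer may cap it lower
  usages: ["client auth"]
EOF
  # Approval needs certificatesigningrequests/approval (cluster-admin or a
  # delegated approver); creating the CSR itself needs far less.
  kubectl certificate approve "${CN}"
  cert=""; for _ in 1 2 3 4 5 6 7 8 9 10; do   # wait for the signer
    cert=$(kubectl get csr "${CN}" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break; sleep 2
  done
  printf '%s' "$cert" | base64 -d > tls.crt
  # CA that signs the kube-apiserver serving cert, published to every namespace
  kubectl get configmap kube-root-ca.crt -n "$NAMESPACE" -o jsonpath='{.data.ca\.crt}' > ca.crt
}

if [ "${1:-}" = "run" ]; then   # only touch the cluster when explicitly asked
  request_client_cert
  tls_secret_manifest "$SECRET" "$NAMESPACE" tls.crt tls.key ca.crt | kubectl apply -f -
fi
```

Invoke it as `sh script.sh run` with a kubeconfig that may approve CSRs; without the argument it only defines the functions, so `cert_valid_for_days tls.crt 30` can be reused on its own from a rotation job.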

@kvaps kvaps merged commit 6108f6b into main Dec 15, 2025
6 checks passed
@kvaps kvaps deleted the add-flux-aio-mtls-article branch December 15, 2025 08:55