I was stuck with the same problem for a few months, rebuilt my RKE2 cluster a few times, tried Talos lately - the same. The problem was DNS configuration caused by the OPNsense firewall's DHCPv4 settings.
You could check the logs from the flux-system containers, but let's suppose for now it's a TLS Handshake Error. I had the same error with Flux, ArgoCD and Fleet.
Then you could also troubleshoot DNS with a dnsutils container and execute nslookup inside it:
nslookup github.com
In my case it was appending my local domain to the given address (github.com), so it was looking for github.com.mydomain.com, returning the IPs of Cloudflare, which I use. It was caused by the cluster nodes' DNS settings, specifically by the search domain entry (search mydomain.com). To check that, run:
cat /etc/resolv.conf
or, if you're running Talos:
talosctl read /etc/resolv.conf
To fix the problem, the easiest approach would be to remove the search domain entry from /etc/resolv.conf or replace the search domain with a dot ('.'). In my case, since I am running K8S in a separate VLAN and I couldn't easily modify the file on my nodes (Talos), I've overwritten the VLAN's 'Domain name' and 'Domain search list' with single dots in Services -> ISC DHCPv4 -> [K8S-VLAN].
If it's a TLS Handshake Error, it was probably DNS. Remove the 'search domain' entry in your K8S nodes' DNS settings located in:
/etc/resolv.conf
If you're running an OPNsense firewall (there may be a similar fix for pfSense), go to:
Services -> ISC DHCPv4 -> [K8S-VLAN]
And overwrite 'Domain name' and 'Domain search list' with dots - . - like this. Overwriting both may not be necessary.
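
The lookup order behind the behaviour described above, as an added example that is not part of the original answer: it parses a resolv.conf and lists the names a resolver would try for github.com. It assumes glibc-style search/ndots rules and Kubernetes' default `ndots:5` for pods; the sample file, the nameserver address and the `cluster.local` cluster domain are constructed for illustration.

```python
# Added example: glibc-style search-list expansion (assumed resolver behaviour).

# Constructed sample: resolv.conf of a pod in flux-system, with the node's
# DHCP-supplied search domain (mydomain.com) appended after the cluster ones.
SAMPLE_POD_RESOLV_CONF = """\
search flux-system.svc.cluster.local svc.cluster.local cluster.local mydomain.com
nameserver 10.96.0.10
options ndots:5
"""


def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf content."""
    search, ndots = [], 1  # ndots defaults to 1 when no option is set
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] in ("search", "domain"):
            search = fields[1:]  # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    # A lone "." is the root zone: it adds no suffix to the queried name.
    return [d.rstrip(".") for d in search if d.strip(".")], ndots


def candidate_queries(name, search, ndots):
    """Names the resolver tries, in order, for `name`."""
    if name.endswith("."):  # already fully qualified: search list is skipped
        return [name]
    expanded = [f"{name}.{d}." for d in search]
    if name.count(".") >= ndots:
        return [name + "."] + expanded
    return expanded + [name + "."]  # too few dots: search list goes first


def external_search_domains(search, cluster_domain="cluster.local"):
    """Search domains outside the cluster zone (cluster_domain is an assumption)."""
    return [d for d in search
            if d != cluster_domain and not d.endswith("." + cluster_domain)]


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_POD_RESOLV_CONF)
    print("external search domains:", external_search_domains(search))
    for query in candidate_queries("github.com", search, ndots):
        print("  tries", query)
```

The first candidate that returns an answer ends the lookup, so a record that resolves under the external search domain is used before `github.com.` is ever tried.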