doc: Add documentation for enabling Kubelet proxy in Module Controller V2

Author: BetaCat0

content/en/docs/contribution-guidelines/module-controller-v2/virtual-kubelet-proxy.md

@@ -0,0 +1,29 @@
+---
+title: 6.6.4 Kubelet Proxy
+date: 2025-08-22T13:00:03+08:00
+description: Koupleless Module Controller V2 Kubelet Proxy
+weight: 930
+---
+
+## Kubelet Proxy
+
+The Kubelet Proxy is an enhanced feature of Module Controller V2 on the K8s side.
+It allows users to interact directly with Module Controller V2 using the ``kubectl`` tool,
+providing an operational experience similar to the native K8s Kubelet.
+
+<div style="text-align: center;">  
+    <img align="center" width="800px" src="/img/module-controller-v2/kubelet_proxy_sequence_diagram.png"/>
+    <p>Logs command schematic</p>
+</div>
+
+## Iteration Plan
+
+The adaptation will be carried out in two phases:
+
+- [x] Use the proxy solution to provide logs capability for modules deployed in the Pod base -> **Completed**
+- [ ] Ensure semantic consistency and implement logs capability through tunnel or arklet for smooth transition -> *
+  *Planned**
+
+## Notes
+
+Currently, only the logs capability is implemented, and the base must be deployed in the K8s cluster.

content/en/docs/tutorials/module-operation-v2/enable-virtual-kubelet-proxy.md

@@ -0,0 +1,193 @@
+---
+title: 5.7 Enable Kubelet Proxy
+date: 2025-08-22T13:00:03+08:00
+description: How to enable Koupleless Module Controller V2 Kubelet Proxy
+weight: 1100
+---
+
+## Kubelet Proxy
+
+Kubelet Proxy is an enhanced feature of Module Controller V2 on the K8s side.
+It allows users to interact directly with Module Controller V2 using the ``kubectl`` tool,
+providing an operational experience similar to the native K8s Kubelet.
+
+For design details, please refer to
+the [documentation](/docs/contribution-guidelines/module-controller-v2/virtual-kubelet-proxy).
+
+## Enable Kubelet Proxy
+
+0. Deploy cert-manager to manage certificate generation and rotation  
+   cert-manager is a Kubernetes plugin for automating the management and rotation of TLS certificates. It helps generate
+   and manage TLS certificates used for the Kubelet Proxy.  
+   Please refer to the [cert-manager documentation](https://cert-manager.io/docs/installation/) for installation
+   instructions.  
+   Here is a simple installation example (v1.18.2):
+
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml
+```
+
+After successful deployment, deploy the corresponding Issuer and Certificate:
+
+- To create Issuer
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: virtual-kubelet-issuer
+spec:
+  selfSigned: {}
+```
+
+- To create Cert
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: virtual-kubelet-cert
+spec:
+  secretName: virtual-kubelet-tls # secretName: virtual-kubelet-tls # The name of the Secret where the certificate is stored, which will be used later in the ModuleController
+  duration: 2160h # 90 days
+  renewBefore: 360h # renew 15 days before expiration
+  issuerRef:
+    name: virtual-kubelet-issuer # Reference to the above Issuer
+    kind: ClusterIssuer
+  commonName: koupleless-virtual-kubelet # Common Name
+  usages:
+  - server auth 
+  - digital signature
+  - key encipherment
+```
+
+After creation, you can use the following command to check whether the certificate secret was generated successfully:
+
+If the output is similar to the following, the certificate has been generated successfully:
+
+```bash
+kubectl get secret virtual-kubelet-tls
+```
+
+If the output is similar to the following, the certificate has been generated successfully:
+
+```
+NAME                   TYPE                DATA   AGE
+virtual-kubelet-tls    kubernetes.io/tls   3      1m
+```
+
+1. Add `pods/log` permission to the Role
+
+```yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: virtual-kubelet-role
+rules:
+  - apiGroups: [""] # "" indicates the core API group
+    resources: ["pods" , "pods/status", "pods/spec","nodes", "nodes/status", "events", "pods/log"]
+    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments", "deployments/status", "deployments/spec", "daemonSets", "daemonSets/status", "daemonSets/spec" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [""] # "" indicates the core API group
+    resources: ["configmaps", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["coordination.k8s.io"] # "" indicates the core API group
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
+```
+
+2. Create a Service for the ModuleController deployment
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+    name: module-controller
+    namespace: default
+    labels:
+        app: module-controller
+        virtual-kubelet.koupleless.io/kubelet-proxy-service: "true" # Necessary, indicates that this Service is used for Kubelet Proxy
+spec:
+    selector:
+        app: module-controller
+    ports:
+        - name: httptunnel # If HTTP tunneling is not enabled, please remove this port
+          port: 7777
+          targetPort: 7777
+        - name: kubelet-proxy # Kubelet Proxy port
+          port: 10250
+    type: ClusterIP
+```
+
+3. Modify the ENV configuration of ModuleController
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: module-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: module-controller
+  template:
+    metadata:
+      labels:
+        app: module-controller
+    spec:
+      serviceAccountName: virtual-kubelet
+      volumes:
+        - name: tls-certs
+          secret:
+            secretName: virtual-kubelet-tls # Necessary, mount the TLS certificate generated by cert-manager
+      containers:
+        - name: module-controller
+          image: serverless-registry.cn-shanghai.cr.aliyuncs.com/opensource/release/module-controller-v2:<VERSION> # Please replace <VERSION> with the actual version number, e.g., v2.1.4
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: "1000m"
+              memory: "400Mi"
+          ports:
+            - name: httptunnel # If HTTP tunneling is not enabled, please remove this port
+              containerPort: 7777
+            - name: kubelet-proxy # Kubelet Proxy port
+              containerPort: 10250
+          env:
+            - name: ENABLE_HTTP_TUNNEL
+              value: "true"
+            - name: NAMESPACE # Necessary, the namespace where ModuleController is deployed
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: KUBELET_PROXY_ENABLED # Necessary, enable Kubelet Proxy
+              value: "true"
+          volumeMounts: # Necessary, mount the TLS certificate generated by cert-manager
+            - name: tls-certs
+              mountPath: /etc/virtual-kubelet/tls
+              readOnly: true
+```
+
+## Verify Kubelet Proxy
+
+Assume that a module named `biz1-web-single-host` has been deployed and the Module Controller has enabled the Kubelet
+Proxy.
+
+```
+NAME                                    READY   STATUS    RESTARTS   AGE
+base-76d79d8599-f64jt                   1/1     Running   0          13d
+biz1-web-single-host-786dfc476f-qsp7q   1/1     Running   0          7m40s
+module-controller-59f7bb765-8w84l       1/1     Running   0          13d
+```
+
+At this point, you can directly access the module's logs using the kubectl command:
+
+```bash
+kubectl logs --tail=50 biz1-web-single-host-786dfc476f-qsp7q
+```
+
+It is expected to see normal log output. If an error occurs, it may indicate that the Kubelet Proxy is not properly
+configured or not enabled.

content/en/docs/tutorials/module-operation-v2/module-controller-deployment.md

@@ -73,6 +73,13 @@ Below are some configurable environment variables and their explanations:
 - **CLIENT_ID**
     - Meaning: Optional, Module Controller instance ID. need to be unique in one env, will generate a random UUID in default.
 
+- **KUBELET_PROXY_ENABLED**
+    - Meaning: Flag to enable Kubelet proxy. If `true`, the Kubelet proxy will be enabled. For prerequisites to enable,
+      please refer to documentation [here](/docs/tutorials/module-operation-v2/enable-virtual-kubelet-proxy/).
+
+- **KUBELET_PROXY_PORT**
+    - Meaning: Port for Kubelet proxy. Default is 10250.
+
 ### Documentation Reference
 
-For detailed structure and implementation, refer to the [documentation](/docs/contribution-guidelines/module-controller-v2/architecture/).  
+For detailed structure and implementation, refer to the [documentation](/docs/contribution-guidelines/module-controller-v2/architecture/).  

content/zh-cn/docs/contribution-guidelines/module-controller-v2/virtual-kubelet-proxy.md

@@ -0,0 +1,27 @@
+---
+title: 6.6.4 Kubelet 代理
+date: 2025-08-22T13:00:03+08:00
+description: Koupleless Module Controller V2 Kubelet 代理
+weight: 930
+---
+
+## Kubelet 代理
+
+Kubelet 代理是 Module Controller V2 在 K8s 侧的增强功能，它允许用户通过 ``kubectl`` 工具直接与 Module Controller V2
+交互，提供类似于 K8s 原生 Kubelet 的操作体验。
+
+<div style="text-align: center;">  
+    <img align="center" width="800px" src="/img/module-controller-v2/kubelet_proxy_sequence_diagram.png"/>
+    <p>logs 命令示意图</p>
+</div>
+
+## 迭代计划
+
+适配分两阶段进行：
+
+- [x] 使用 proxy 代理方案，为部署在 Pod 基座中的模块提供 logs 能力 -> **已完成**
+- [ ] 在保证语义的前提下，通过 tunnel 或 arklet 实现 logs 能力，完成平滑切换 -> **规划中**
+
+## 注意事项
+
+当前仅实现了 logs 能力，且基座必须部署在 K8s 集群中。