Black-/Whitelisting IPs to my HTTP/S services

Hello there!

I have been doing an enormous roundtrip with Kubernetes; learning it because my job told me to, and attempting to implement it at home because I have a few too many SBCs here... Well, I am finally on a good path and now I want to prepare a few of the last steps to make this work!

I am in the process of migrating my 20+ old docker-compose setups into Kubernetes deployments and I decided on using k3s; it has great support and I even managed to build it for my RISC-V board to use as an agent in the future. So, Traefik is my ingress controller by default now.

The way my cluster will be structured, however, is a little bit weird perhaps, so I should explain that first: It has two endpoints.

internet <-> VPS( <-> vpn <-> )node1,2,3 <-> home network

My home network lives on 192.168.1.0/24 while my VPN (Headscale) is on 100.64.0.0/24 and there are some services I only want to have exposed to my home network and VPN - but NOT to the public internet.

I saw that there is an IPAllowList middleware for that - but is there perhaps a more broad way to set this up, by perhaps using one of the entrypoints defined in the ChartConfig's ports? i.e.: Having a public and a private entrypoint, where the former allows traffic from everywhere, while the latter limits it - or do I have to create an IPAllowList for every single service?

And, perhaps by chance, is there something similar I can do for regular TCP/UDP traffic? Like, I am thinking of deploying soft-serve as a local git server to handle storing a few smaller things before I send them somewhere else like Gitlab or Github - and I would like that to stay private for the time being and not be exposed.

Thanks a lot and kind regards,
Ingwie
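Added example (not part of the original post, and not from the Traefik or k3s projects): one way to get the "public vs. private entrypoint" split the question asks about. Traefik lets you attach middlewares to an entrypoint itself (static configuration key `entrypoints.<name>.http.middlewares`), so a single IPAllowList bound to a `private` entrypoint covers every router that uses that entrypoint, with no per-service middleware. The subnets are the ones from the post; the entrypoint name `private`, the port 8443, the middleware names and the `whoami` service are assumed placeholders.

```yaml
# --- 1. k3s HelmChartConfig for the bundled Traefik chart (assumed file: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml)
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      # 'web'/'websecure' stay as shipped: the public entrypoints.
      private:                      # assumed name: second HTTPS entrypoint for LAN/VPN-only services
        port: 8443                  # assumed container port
        exposedPort: 8443           # assumed port on the LoadBalancer Service
        protocol: TCP
        expose:
          default: true             # chart >= v26 uses a map here; older charts use a plain boolean
    additionalArguments:
      # Bind the allow-list to the whole entrypoint; CRD middlewares are referenced as <namespace>-<name>@kubernetescrd
      - "--entrypoints.private.http.middlewares=kube-system-private-allowlist@kubernetescrd"
    service:
      spec:
        # Keep the real client IP: with 'Cluster' k3s' ServiceLB can SNAT to a node address,
        # and a node on 192.168.1.0/24 would then pass the allow-list for everyone.
        externalTrafficPolicy: Local
---
# --- 2. The allow-list, applied once at the entrypoint (Traefik v3 name; v2 called it ipWhiteList)
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: private-allowlist          # assumed name, must match the reference above
  namespace: kube-system
spec:
  ipAllowList:
    sourceRange:
      - 192.168.1.0/24              # home network (from the post)
      - 100.64.0.0/24               # Headscale VPN (from the post)
---
# --- 3. A service that should only be reachable privately: just pick the entrypoint
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-private             # assumed
  namespace: default
spec:
  entryPoints:
    - private                      # never listed on 'web'/'websecure', so the public side never routes it
  routes:
    - match: Host(`whoami.home.example`)   # assumed hostname
      kind: Rule
      services:
        - name: whoami             # assumed Service
          port: 80
  tls: {}
---
# --- 4. Same idea for plain TCP (e.g. the soft-serve SSH port): MiddlewareTCP + IngressRouteTCP
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
  name: private-allowlist-tcp     # assumed
  namespace: default
spec:
  ipAllowList:
    sourceRange:
      - 192.168.1.0/24
      - 100.64.0.0/24
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: soft-serve-ssh             # assumed
  namespace: default
spec:
  entryPoints:
    - gitssh                       # assumed extra TCP entrypoint, declared under 'ports' like 'private' above
  routes:
    - match: HostSNI(`*`)          # raw TCP without TLS: no SNI to match on
      middlewares:
        - name: private-allowlist-tcp
      services:
        - name: soft-serve         # assumed Service
          port: 23231              # assumed port
```

Two checks worth doing before trusting this: first, the middleware only sees the client IP that reaches Traefik, so if the VPS terminates HTTP and forwards requests over the VPN, Traefik sees the VPS's 100.64.x address and the allow-list passes everything; in that case keep public traffic on `web`/`websecure` only, or configure `forwardedHeaders.trustedIPs` for the entrypoint together with `ipStrategy` on the middleware so the decision uses the forwarded address. Second, TCP entrypoint middlewares are attached per IngressRouteTCP as shown (there is no entrypoint-level `tcp.middlewares`), and Traefik has no UDP middlewares at all, so for UDP the restriction has to come from a Kubernetes NetworkPolicy or the host firewall rather than from Traefik.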