k8s-kickstart

Homelab Kubernetes Platform
External Access
k8s Cluster — 3× Rocky Linux 10 / Hyper-V
Cluster Networking
Platform Services
Worker Nodes
Control Plane / GitOps
Internet Users
Public traffic
Cloudflare Tunnel
cloudflared connector pod
Tailscale
Admin VPN — WireGuard mesh
Cluster Gateway preferred
Cilium Gateway API · MetalLB VIP
*.ramsec.net TLS wildcard
CoreDNS
ramsec.net split-horizon
Cilium eBPF
CNI + Gateway API
MetalLB
L2 LoadBalancer VIPs
ingress-nginx legacy
Separate MetalLB VIP · kept for back-compat
local-path-provisioner
Default StorageClass · node-local PVs
AWX
awx.ramsec.net · automation UI
Harbor
harbor.ramsec.net · registry
Kyverno + Policy Reporter
kyverno.ramsec.net · admission
kube-prometheus-stack obs
grafana.ramsec.net · metrics + alerts
Falco + Sidekick UI sec
falco.ramsec.net · runtime security
Vaultwarden public
public-only · via Cloudflare Tunnel
cert-manager
ca-issuer · signs *.ramsec.net wildcard
cluster control plane
kubeadm · node01 control-plane + worker
Rocky Linux 10 · Hyper-V
node01 — control-plane + worker
node02 — worker
node03 — worker
Hyper-V VMs on single-public-IP VPS · behind WinNAT · LAN not externally routable (Tailscale overlays).
Git Repository
Ansible playbooks · Helm values · roles
Ansible
Provision · deploy · configure cluster
helm_chart Role
Reusable role — all chart deployments
cloudflared bypass (no Gateway)
DNS VIP
TLS cert
helm deploy
Public / Cloudflare
Admin / internal routing
GitOps / deploy
DNS / VIP
CF bypass