You can use Cloudflare for your TLS certificate and the access control of anya.
It is strongly recommended to protect your cluster against requests that bypass the Cloudflare proxy. Whether your origin can still be reached directly can be checked with curl, resolving the hostname to the origin's own IP address (if the origin answers, it is reachable without going through Cloudflare):

```bash
curl --silent --verbose https://anya.example.com --resolve anya.example.com:443:<your-ip-address> --insecure
```
You can secure your setup with these options:
Configure the firewall to first deny all access on all ports for all IP ranges (0.0.0.0/0). Then add a rule with higher priority that allows only Cloudflare's IP ranges on port 443 (tcp:443).
Watch out: check your firewall carefully with the curl command from above. It is very likely that a firewall rule already exists which allows all tcp:80/443 traffic. Simply deactivate that one.
`nginx-values.yaml` file to configure the whitelisting:

```yaml
controller:
  service:
    annotations:
      nginx.ingress.kubernetes.io/whitelist-source-range: >-
        103.21.244.0/22,
        103.22.200.0/22,
        103.31.4.0/22,
        104.16.0.0/12,
        [...]
```
`anya-values.yaml` file to configure the whitelisting:

```yaml
ingress:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: >-
      103.21.244.0/22,
      103.22.200.0/22,
      103.31.4.0/22,
      104.16.0.0/12,
      [...]
```
Cloudflare also offers validation of a provided JWT with a key: every request carries a JWT, and the receiving application must verify its validity. This requires building a gateway in front of anya. Alternatively, NGINX Plus annotations can perform this validation.
Cloudflare also provides the option to tunnel all requests to the cluster. To make this work, you need to install a specific Cloudflare ingress controller.