Clustered or paired (RPi) setups, sandboxed DMZ

Hi folks.

I’m in the process of rebuilding some of my stacks.

In particular, my current setup is as follows:

  • Trusted LAN/lab, in the process of standing up & experimenting with a Docker+Kubernetes cluster on ‘old’ NUCs
  • Dedicated DMZ on my gateway for IoT, so that I have better insight & control over what goes over the wire
    • Set up an OpenWRT dedicated to IoT devices in this DMZ, with nodes running in AP-isolation mode
    • said AP has a number of NICs for hardwired devices
  • IoT DMZ net has some internet access, but the devices can’t talk to one another unless ‘blessed’
  • LAN/lab has access to the IoT DMZ, but not the other way round (treating IoT devices as super-hostile until they’re flashed, and even then…)

What I’m thinking is something along the lines of:

  • HA on an RPi in my DMZ on the AP, able to discover/query/interrogate/manage IoT devices, but not the other way round
    • consider this HA to be in a “compromised zone”, so still no calls to my LAN/lab
  • another HA RPi in my LAN/lab, able to discover/query/interrogate/manage endpoints in my trusted zone, and to poll or otherwise make calls out to the HA ‘agent’ in my DMZ
  • eventually planning on standing up a management console on my Kubes/Docker cluster to oversee these HA RPis & provide a degree of fault-tolerance or ephemeral provisioning.

Question: Is there an option/functionality to have n HAs work together, each fulfilling a different function (each overseeing its respective ‘zone’)?

I’d like to put the minimal amount of functionality on my RPis so that I’m limiting my exposure and they don’t get overloaded & fall over again (a mistake I’ve made before), but in aggregate I’m looking at building a rich environment across my entire setup.
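The zone layout in the post (trusted LAN that may reach the IoT DMZ, IoT that may reach the internet but never the LAN, IoT devices kept apart unless ‘blessed’) maps directly onto OpenWrt firewall zones and forwardings. The following Python is an added example, not code from the post, from OpenWrt or from Home Assistant: it holds the policy as data, answers “may this new connection be opened?”, renders the equivalent `/etc/config/firewall` stanzas, and checks the invariant that the hostile zone never initiates into the trusted one. The interface names, the 192.0.2.x addresses and the single blessed pair are constructed placeholders.

```python
"""Zone policy model for a trusted LAN, a hostile IoT DMZ and the internet.

Added example: the policy is data, a flow is judged against it, and the same
data is rendered as OpenWrt /etc/config/firewall stanzas.  Interface names
and IP addresses are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection attempt crossing the gateway (reply traffic is not modelled)."""
    src_zone: str
    dst_zone: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class ZonePolicy:
    zones: Dict[str, List[str]]                 # zone name -> OpenWrt networks in it
    forwardings: Set[Tuple[str, str]]           # (src, dst) zones allowed to open connections
    open_intra_zone: Set[str] = field(default_factory=set)   # zones whose members may talk freely
    blessed: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)  # zone -> (src_ip, dst_ip)

    def permits(self, flow: Flow) -> bool:
        """Mirror what the rendered firewall does with a new connection."""
        if flow.src_zone not in self.zones or flow.dst_zone not in self.zones:
            return False
        if flow.src_zone != flow.dst_zone:
            return (flow.src_zone, flow.dst_zone) in self.forwardings
        if flow.src_zone in self.open_intra_zone:
            return True
        return (flow.src_ip, flow.dst_ip) in self.blessed.get(flow.src_zone, set())

    def render_uci(self) -> str:
        """Emit /etc/config/firewall stanzas equivalent to this policy."""
        out: List[str] = ["config defaults",
                          "\toption input 'REJECT'",
                          "\toption output 'ACCEPT'",
                          "\toption forward 'REJECT'",   # no forwarding entry -> rejected
                          "\toption syn_flood '1'", ""]
        for name, nets in self.zones.items():
            out += ["config zone", f"\toption name '{name}'"]
            out += [f"\tlist network '{net}'" for net in nets]
            out += [f"\toption input '{'ACCEPT' if name == 'lan' else 'REJECT'}'",
                    "\toption output 'ACCEPT'",
                    f"\toption forward '{'ACCEPT' if name in self.open_intra_zone else 'REJECT'}'"]
            if name == "wan":
                out += ["\toption masq '1'", "\toption mtu_fix '1'"]
            out.append("")
            if name not in ("wan", "lan"):
                # input is REJECT, so members must still be allowed DHCP and DNS from the gateway
                for rule, proto, port in (("dhcp", "udp", "67-68"), ("dns", "tcp udp", "53")):
                    out += ["config rule", f"\toption name 'allow-{rule}-{name}'",
                            f"\toption src '{name}'", f"\toption proto '{proto}'",
                            f"\toption dest_port '{port}'", "\toption target 'ACCEPT'", ""]
        for src, dst in sorted(self.forwardings):
            out += ["config forwarding", f"\toption src '{src}'", f"\toption dest '{dst}'", ""]
        for zone, pairs in self.blessed.items():
            for src_ip, dst_ip in sorted(pairs):
                # intra-zone exception: one blessed device may open connections to another
                out += ["config rule", f"\toption name 'blessed-{src_ip}-{dst_ip}'",
                        f"\toption src '{zone}'", f"\toption src_ip '{src_ip}'",
                        f"\toption dest '{zone}'", f"\toption dest_ip '{dst_ip}'",
                        "\toption proto 'all'", "\toption target 'ACCEPT'", ""]
        return "\n".join(out)


def hostile_zone_violations(policy: ZonePolicy, hostile: str, trusted: str) -> List[str]:
    """Check the invariant 'the hostile zone never initiates into the trusted zone'."""
    problems = []
    if (hostile, trusted) in policy.forwardings:
        problems.append(f"forwarding {hostile}->{trusted} is enabled")
    if hostile in policy.open_intra_zone:
        problems.append(f"zone {hostile} lets its members talk to each other freely")
    return problems


def post_policy() -> ZonePolicy:
    """The layout described in the post, with constructed names and addresses."""
    return ZonePolicy(
        zones={"lan": ["lan"], "iot": ["iot"], "wan": ["wan", "wan6"]},
        forwardings={("lan", "wan"), ("lan", "iot"), ("iot", "wan")},
        open_intra_zone={"lan"},
        blessed={"iot": {("192.0.2.10", "192.0.2.20")}},   # one blessed IoT pair, one direction
    )


if __name__ == "__main__":
    policy = post_policy()
    for f in (Flow("lan", "iot"), Flow("iot", "lan"), Flow("iot", "wan"),
              Flow("iot", "iot", "192.0.2.10", "192.0.2.20")):
        print(f"{f.src_zone}->{f.dst_zone} {f.src_ip or ''}->{f.dst_ip or ''}: "
              f"{'allow' if policy.permits(f) else 'deny'}")
    print(hostile_zone_violations(policy, "iot", "lan") or "invariant holds")
    print(policy.render_uci())
```

Two points the model makes visible. It only judges new connections: replies to LAN-initiated connections come back from the IoT side through connection tracking, which is exactly why the DMZ HA can answer polls from the LAN HA without any iot→lan forwarding. And the firewall only sees traffic that crosses interfaces: devices on one bridge or SSID switch at layer 2 without ever hitting these rules, so the AP isolation in the post (and separate ports or VLANs for the wired NICs) is what actually enforces the “no talking to one another” part; the blessed-pair rules only work once the devices are on separate interfaces. The DHCP/DNS rules are there because an input policy of REJECT on the IoT zone would otherwise stop devices getting leases from the gateway.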