Hello, I've been running a ziti overlay for my home network for a while, and it works really nicely; kudos for the amazing work.
As it is right now, I have a ziti router and a ziti controller running on Azure, a couple of ziti desktop edge clients and a ziti-host container running on a Raspberry Pi.
I am trying to set up an HA k8s cluster on 3 Raspberry Pis, and I want to integrate it into the ziti overlay (I'm new to both k8s and ziti).
From what I understand I would just need to add a router to the cluster, and I should be good (easier said than done).
I would like to set up the cluster in such a way that all "public" access goes through the overlay, and the access granularity is at the k8s service level (so ideally I would like ziti identities A and B to have access to k8s service 1, and ziti identity C to have access to k8s service 2). The cluster is set up on a different vnet compared to the rest of the devices on my LAN, and traffic is blocked by firewall between the vnets.
Looking at the documentation here, it sounds like this is exactly what I want.
I have a couple of questions:
1. Is there more documentation/examples on how to set up the k8s router in proxy mode? I get the following error on my first try to set this up: error: identity is not valid for provided host: [router-edge.openziti.svc]. is valid for: [, 127.0.0.1, localhost]]","time":"2025-04-24T21:30:19.520Z"
2. If I use the proxy mode, this implies that it will route all the traffic through DNS (CoreDNS). Do I need to add an ingress to the cluster? (From my understanding, as all the k8s services will be of ClusterIP type and they will be "exposed" through the ziti proxy router, there is no need for an ingress.)
3. As the ziti router will be private, and the cluster blocked by firewall from the rest of the LAN, this implies that all the traffic is going to be routed through my public ziti router on Azure; is this assumption correct? I was thinking of adding one more router on the LAN that has access to both the home and k8s vnets so the devices can be routed on the LAN. I don't care much about discovery, but if I have heavy traffic between devices on the LAN I don't want that to go through Azure.
4. If I get the documentation right, when I configure the router in proxy mode it will create the ziti services. Based on this assumption I was thinking of doing the RBAC outside of k8s (creating the 2 configs and 2 service policies per service and associating the identities/attributes). Is this a good idea for managing the overlay?
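As an added example (not part of the original post, and not OpenZiti's own tooling), the per-service layout from question 4 written out as `ziti edge create` commands: one host.v1 config, one intercept.v1 config, the service, and a Bind plus a Dial policy. The k8s service names, ports, the `.ziti` intercept suffix and the `#k8s-hosts` attribute on the hosting identity are assumptions.

```shell
#!/bin/sh
# Added example: prints the four `ziti edge` objects the post proposes per
# Kubernetes service. Pipe the output to sh to apply it against a logged-in
# `ziti` CLI; printing first lets you review the policies before they exist.
set -eu

# ziti_service_objects <k8s-service> <namespace> <port> <dial-attribute>
ziti_service_objects() {
  svc="$1"; ns="$2"; port="$3"; dial_attr="$4"
  fqdn="${svc}.${ns}.svc.cluster.local"   # ClusterIP service as seen in-cluster
  host_attr="k8s-hosts"                   # assumed attribute on the router's identity

  # host.v1: where the in-cluster side forwards accepted connections
  printf "ziti edge create config %s-host host.v1 '%s'\n" "$svc" \
    "{\"protocol\":\"tcp\",\"address\":\"${fqdn}\",\"port\":${port}}"

  # intercept.v1: the name and port clients see on their side of the overlay
  printf "ziti edge create config %s-intercept intercept.v1 '%s'\n" "$svc" \
    "{\"protocols\":[\"tcp\"],\"addresses\":[\"${svc}.ziti\"],\"portRanges\":[{\"low\":${port},\"high\":${port}}]}"

  # The service ties both configs together; its role attribute lets policies select it
  printf "ziti edge create service %s --configs %s-host,%s-intercept --role-attributes %s\n" \
    "$svc" "$svc" "$svc" "$svc"

  # Bind: only identities tagged #k8s-hosts may host (serve) it
  printf "ziti edge create service-policy %s-bind Bind --service-roles '#%s' --identity-roles '#%s'\n" \
    "$svc" "$svc" "$host_attr"
  # Dial: only identities tagged with this service's dial attribute may connect,
  # which is the identity-A/B vs identity-C split the post asks for
  printf "ziti edge create service-policy %s-dial Dial --service-roles '#%s' --identity-roles '#%s'\n" \
    "$svc" "$svc" "$dial_attr"
}

# Constructed sample: service1 for identities tagged #svc1-users, service2 for #svc2-users
ziti_service_objects service1 default 8080 svc1-users
ziti_service_objects service2 default 9090 svc2-users
```

Identities A and B then get the role attribute `svc1-users` and identity C gets `svc2-users`; no k8s-side RBAC object is involved in who may dial.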