Some basic Argo Tunnel setup questions

After reading almost all of your documentation I did not really find any clear picture of the setup of an Argo Tunnel (you have to read several other pages, since the getting started guide is quite opaque).

Anyway, here is an overview of what keeps me busy lately:

On-premise has outbound internet access.
Inbound connections from the internet to on-premise services are blocked by a firewall.

The Goal

  • Cloud provider VMs or a k8s cluster shall be able to securely access some of our on-premise services (source code, artifacts, …).
  • In the case of a k8s cluster, one would like to configure the cluster to allow any created pods to access these services, without configuring additional sidecars per pod.

Important note:
Beware that by default some of the artifacts hosted on-premise are available anonymously (read-only); no login is required at all.
The same applies to the on-premise git server, which usually requires login/SSH, but some of the git repositories are made public, meaning visible to everybody without any authentication.

Open Question:

  1. As far as I could understand, the cloudflared client has to be installed on the same server where the service (git server) is currently running?
  2. Is there a possibility to restrict the traffic authorized from the internet to the Argo Tunnel, either by selecting a range of allowed IPs, or by having a specific key on the cloud VM / k8s cluster granting access to the specific service hostname URL?
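As an added illustration of the topology described in the post (example config written here, not taken from the post or from Cloudflare's own documentation): a cloudflared config.yml for a named tunnel running on a dedicated on-premise host, forwarding public hostnames to the git and artifact servers over the LAN. The tunnel UUID, hostnames, internal addresses and ports are all placeholders assumed for the example.

```yaml
# Added example config for cloudflared (named tunnel); not code from the post.
# Lives on a dedicated on-premise host, e.g. /etc/cloudflared/config.yml.
# Every value is a placeholder: tunnel UUID, hostnames, internal addresses, ports.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Public hostname -> git server HTTP endpoint on another LAN host.
  - hostname: git.example.com
    service: http://git.internal.example.com:3000
  # Git over SSH: clients connect through "cloudflared access ssh" as a ProxyCommand.
  - hostname: git-ssh.example.com
    service: ssh://git.internal.example.com:22
  # Artifact repository (anonymous read-only on the LAN).
  - hostname: artifacts.example.com
    service: http://artifacts.internal.example.com:8081
  # Required catch-all: anything not matched above gets a 404 from cloudflared.
  - service: http_status:404
```

The tunnel host only needs outbound access to Cloudflare and LAN reachability to the origins, so no inbound firewall rule is required; each public hostname additionally needs a DNS record pointing at the tunnel (`cloudflared tunnel route dns <tunnel> <hostname>`). Who is allowed to reach these hostnames (source IP ranges, or a service token presented by non-interactive clients such as pods) is not expressed in this file but in the Cloudflare Access policy attached to each hostname.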

