Restrict K8s API firewall to VPC + Tailscale only (#37)

Now that GitHub Actions uses self-hosted runners in VPC,
we no longer need the K8s API open to the internet.

- VPC (10.118.0.0/20): Allows kubelets, kube-proxy, and GitHub runner
- Tailscale (100.64.0.0/10): Allows admin kubectl access

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: cmyui

tf/digitalocean.tf

@@ -134,13 +134,13 @@ resource "digitalocean_firewall" "k8s-master-firewall" {
     source_addresses = [var.tailscale_ipv4_range]
   }
 
-  # Kubernetes API - open for now (GitHub Actions has 4000+ dynamic IPs)
-  # TODO: Consider self-hosted runners in VPC to restrict this
-  # Security: K8s API requires valid client certs, so exposure is low risk
+  # Kubernetes API - VPC + Tailscale only
+  # GitHub Actions uses self-hosted runners in VPC
+  # Admin access via Tailscale
   inbound_rule {
     protocol         = "tcp"
     port_range       = "6443"
-    source_addresses = ["0.0.0.0/0", "::/0"]
+    source_addresses = [digitalocean_vpc.akatsuki-production-vpc.ip_range, var.tailscale_ipv4_range]
   }
 
   # etcd - VPC only (cluster-internal)