Since you asked, we have a commercial zero-trust product very similar to this. As a quick comparison: In our architecture, the worker node (extender) only needs outbound direct access to contact the master node. Unlike many of our competitors, we promote the usage of ephemeral certificates instead of secrets management or minting. We support a number of identity providers and dynamic host directories. Connections can be formed either with native clients or web browser (SSH, RDP, HTTPS) with session recording for auditing purposes. Check it out here https://www.ssh.com/products/privx/