Can we separate nodes for CMS and LMS?
Kubernetes does provide a way to constrain pod scheduling in such a way (Assigning Pods to Nodes | Kubernetes). You would need to leverage the tools provided by kustomize to set pod affinities accordingly. I mentioned a little bit about kustomize in this answer: How to customise mongodb in the deployment.yaml config? - #2 by MoisesGonzalezS. But for the most part, running lms and cms on different nodes doesn’t accomplish too much.
Should we use an ingress or an NLB and expose the caddy service as an internet-facing LoadBalancer?
A lot of people do use an ingress controller and forward the traffic to the caddy service. Setting ENABLE_WEB_PROXY: false in the tutor config would set the caddy service as a ClusterIP instead of LoadBalancer and you can set your ingress rule accordingly.
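An added example of the ingress setup described in that answer (not the thread's own manifest, and not shipped by Tutor): with ENABLE_WEB_PROXY set to false, caddy becomes a ClusterIP service, and this Ingress forwards the public LMS and Studio hostnames to it. Assumed values: namespace openedx, service name caddy on port 80, hosts lms.example.com and studio.example.com, ingress class nginx, and a TLS secret openedx-tls provisioned separately; only the hostnames caddy actually routes get rules, while databases keep no ingress at all.

```yaml
# Added example (not from the original thread): an Ingress that fronts the
# caddy ClusterIP service Tutor creates when ENABLE_WEB_PROXY is false.
# Assumed names: namespace "openedx", service "caddy" on port 80,
# hosts lms.example.com / studio.example.com, ingress class "nginx",
# and a TLS secret "openedx-tls" provisioned separately (e.g. by cert-manager).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openedx
  namespace: openedx
  annotations:
    # TLS is terminated here, not in caddy, so force HTTPS at the edge
    # (annotation is specific to ingress-nginx; adjust for other controllers).
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - lms.example.com
        - studio.example.com
      secretName: openedx-tls
  rules:
    # Each public hostname that appears in the Caddyfile gets a rule;
    # everything else (MySQL, MongoDB, Redis, ...) stays cluster-internal.
    - host: lms.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: caddy
                port:
                  number: 80
    - host: studio.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: caddy
                port:
                  number: 80
```

Verify afterwards with kubectl get svc caddy -n openedx that the service type is ClusterIP and no external IP is attached.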
Which services should be kept external, e.g. RDS, MongoDB?
A rule of thumb is to look at the services that caddy exposes. You can inspect the Caddyfile in $TUTOR_ROOT/env/apps/caddy/Caddyfile and see which ones need to be exposed to the internet. DB connections should remain private.