@tommo Hello Tom.
With K8S you can of course have the TLS terminated at the endpoint, rather than have dgraph itself do this, and also get the benefit of using a trusted cert. However, in particular, on Google Cloud, you cannot do this with the service type of LoadBalancer alone. The reason is that Google Cloud does not support Layer 7 HTTP/S with service type of LoadBalancer.
For this, you will need to use an ingress, such as the default ingress gce or install an alternative, such as ingress-nginx.
In the case of the default gce ingress, GKE will use an L7 load balancer, which can terminate TLS. Note that with the gce ingress, the service can only be of NodePort or LoadBalancer type. In the ingress-nginx case, this uses a service of LoadBalancer type (Layer 3/4 TCP) but then adds an nginx (openresty flavor) reverse proxy to implement the ingress controller. Either way works fine.
For certificates, you have some options: you can use the built-in Google Managed SSL certificate (SAN certs) with the gce ingress, or use the cert-manager Kubernetes add-on with something like ACME Let’s Encrypt for any ingress.
One nice thing about Google Managed SSL certificate is that there’s a CRD, ManagedCertificate, on GKE, which automates provisioning the cert at the time a gce ingress is created (or rather, creates the L7 load balancer outside of K8S) in the background. For the general usage around Google Managed SSL certificate, I recommend this blog (especially as I wrote it):
(Note: If medium puts up some paywall stuff, let me know, I can send you a friend link to bypass that)
Also, for deploying dgraph on Kubernetes, we have a helm chart that you can use that supports adding ingress resources for alpha and ratel that might be useful:
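As an added example, not taken from this post or from Dgraph's helm chart, the manifests the gce-ingress path described above boils down to: a ManagedCertificate for the hostname, a NodePort Service in front of dgraph alpha, and an Ingress that references both. The hostname alpha.example.com, the Service name dgraph-alpha and the pod label app=dgraph-alpha are assumptions; 8080 is dgraph alpha's default HTTP port.

```yaml
# Added example: GKE gce ingress + Google Managed SSL certificate in front of dgraph alpha.
# Assumed: hostname alpha.example.com, Service dgraph-alpha, pod label app=dgraph-alpha.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: dgraph-alpha-cert
spec:
  domains:
    - alpha.example.com   # DNS for this name must resolve to the ingress IP before the cert becomes Active
---
apiVersion: v1
kind: Service
metadata:
  name: dgraph-alpha
spec:
  type: NodePort          # gce ingress only accepts NodePort or LoadBalancer services
  selector:
    app: dgraph-alpha
  ports:
    - name: http
      port: 8080          # dgraph alpha default HTTP port
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dgraph-alpha
  annotations:
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/managed-certificates: "dgraph-alpha-cert"
    kubernetes.io/ingress.allow-http: "false"   # no plaintext listener on the L7 LB; HTTPS only
spec:
  rules:
    - host: alpha.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dgraph-alpha
                port:
                  number: 8080
```

After `kubectl apply -f`, `kubectl describe managedcertificate dgraph-alpha-cert` shows the certificate status moving from Provisioning to Active once Google has validated the domain; until then the load balancer serves no valid certificate. Two things to keep in mind: TLS is terminated at the Google L7 load balancer, so the hop from the load balancer to the alpha pods is plain HTTP inside the VPC, and the Ingress makes alpha's HTTP API reachable from the internet, so edge TLS is not a substitute for enabling authentication on dgraph itself.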