Don’t thank me, thank dmai. I just edited it.
In the case of GraphQL for k8s, I suggest you wait until GraphQL is released for real or for the next stable RCs with it (some features like “custom resolvers” are coming). Or we provide some YML. A contribution to this is welcome too.
Dgraph by default is meant to be used behind an API. There is no security by default; you will only have it if you use ACL. Thus, you need to create an API and isolate Dgraph instances from users, or use another approach to secure it.
I’m sorry for your experience, but GraphQL is a feature under development and any security approach (except for ACL) is the user’s responsibility.
This is true even in GraphQL context. They don’t offer any security solutions or tips for doing it. They make it clear that security approaches are optional for each user. There are several approaches in this regard. Using JWT tokens, using Firebase, using password/hashes and so on. There are several approaches and GraphQL does not determine any of them. But we do, and it is “Create an API and isolate the instances”.
Notoriously, all YMLs that exist in Dgraph docs provide no means of isolating instances, precisely to make it easier for people to learn to use Dgraph. You can simply modify them to get the isolation you need.
Creating APIs and other approaches can be part of “tips” we can give in blog posts and so on. But I believe every IT business has its own way of handling it. We have some examples of APIs in the Dgraph repositories. But more examples will come.
Cheers.
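
One way to apply the “create an API and isolate the instances” advice on Kubernetes, as an added example that is not part of the original post or of the Dgraph docs YMLs. The namespace `dgraph`, the pod labels `app: dgraph-alpha` / `app: dgraph-zero` and the API label `app: my-api` are assumptions to adapt to your manifests; 8080 and 9080 are Alpha's default HTTP and gRPC client ports.

```yaml
# Added example (not from the Dgraph docs). Assumed: namespace "dgraph",
# pod labels app=dgraph-alpha / app=dgraph-zero, hypothetical API label app=my-api.
# NetworkPolicy is only enforced if the cluster's CNI plugin supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dgraph-internal-only
  namespace: dgraph
spec:
  # Selects every Dgraph pod; ingress not matched by some policy is then denied.
  podSelector:
    matchExpressions:
      - {key: app, operator: In, values: [dgraph-alpha, dgraph-zero]}
  policyTypes: [Ingress]
  ingress:
    # Alpha and Zero may talk to each other on any port.
    - from:
        - podSelector:
            matchExpressions:
              - {key: app, operator: In, values: [dgraph-alpha, dgraph-zero]}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dgraph-alpha-from-api
  namespace: dgraph
spec:
  podSelector:
    matchLabels:
      app: dgraph-alpha
  policyTypes: [Ingress]
  ingress:
    # Only the API tier reaches Alpha's client ports (HTTP 8080, gRPC 9080).
    - from:
        - podSelector:
            matchLabels:
              app: my-api
      ports:
        - {protocol: TCP, port: 8080}
        - {protocol: TCP, port: 9080}
```

With both policies applied, only the API tier's Service should be exposed outside the cluster; authentication and authorization then live in that API, as the post recommends.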