Do you want to use mTLS with client auth, or just simply HTTPS?
For TLS w/o client auth (i.e. w/o the mutual part), you can use cert-manager where the ingress (such as ingress-nginx) would terminate the certificate.
If you use a cloud provider's solution:
- AWS allows you to create publicly trusted wildcard certs with ACM, as long as you can read/write DNS, such as Route53, for the verification process.
- Google Cloud has Google-Managed Certificates, which can be automated using their ManagedCertificate CRD. This one is not a wildcard cert, but rather a SAN cert.
For mTLS w/ client auth, I have only tried this out with dgraph cert. Even with this, we found that it did not work with Firefox browsers, but it seems to work with Chrome (linux/windows/mac) and Safari (mac). You have to install both the root CA cert and the client cert into the local store. We recently updated the docs in this area:
For mTLS w/ client auth outside of dgraph alpha, I would need to follow up on this, as I have not tried this scenario yet.
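As an added illustration of the two non-mutual options above (cert-manager with ingress-nginx terminating TLS, and a Google-managed SAN cert on GKE), here is an example manifest set. It is not from the original post or from the Dgraph project; the hostnames, namespace, issuer and secret names, the contact email, and the backend service name and port (8080, Dgraph alpha's HTTP port) are assumptions to be replaced for your cluster.

```yaml
# Added example, not from the original post. Placeholders: example.com
# hostnames, the "dgraph" namespace, issuer/secret names, ops@example.com.

# 1) cert-manager: ACME (Let's Encrypt) issuer using the HTTP-01 solver
#    served through ingress-nginx.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com            # assumption: your contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
# 2) Ingress that asks cert-manager for a cert and lets ingress-nginx
#    terminate TLS; the backend (Dgraph alpha) is reached over plain HTTP
#    inside the cluster, so this is server-auth HTTPS only, not mTLS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dgraph-alpha
  namespace: dgraph
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # refuse plaintext
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dgraph.example.com
      secretName: dgraph-alpha-tls   # cert-manager stores the issued cert here
  rules:
    - host: dgraph.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dgraph-alpha     # assumption: your alpha Service name
                port:
                  number: 8080         # Dgraph alpha HTTP port
---
# 3) GKE alternative: Google-managed certificate. Note it lists explicit
#    SANs rather than a wildcard, so every hostname must be enumerated.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: dgraph-alpha-cert
  namespace: dgraph
spec:
  domains:
    - dgraph.example.com
    - ratel.example.com
---
# GKE Ingress referencing the managed cert by annotation.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dgraph-alpha-gke
  namespace: dgraph
  annotations:
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/managed-certificates: dgraph-alpha-cert
spec:
  rules:
    - host: dgraph.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dgraph-alpha
                port:
                  number: 8080
```

Two checks worth running after applying this: `kubectl get certificate -n dgraph` should show the cert-manager Certificate as Ready before the Ingress serves the real cert (until then ingress-nginx falls back to its default self-signed cert, which browsers will reject), and `kubectl describe managedcertificate dgraph-alpha-cert -n dgraph` shows the per-domain provisioning status on GKE, which only completes once public DNS for each listed domain resolves to the load balancer.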