Certificate Strategy
Plan your TLS strategy before provisioning the environment.
Two approaches are available:
Service-level certificates. Each Arch microservice ships with a -cert.yml service definition variant.
Use these when microservices are exposed directly, or when you want end-to-end encryption within your Docker network.
The certificate must be accessible to the container via a bind mount.
Reverse proxy termination. Terminate TLS at a reverse proxy (eg. nginx, Traefik) and run standard yml variants behind it.
This is the simpler approach when all microservices sit behind a single ingress.