by epilogue 1118 days ago
We’ve been using Linkerd as our service mesh which does this without really much effort at all required on our part. They bind the certs to the ServiceAccount identity of each pod, which is apparently more secure than doing it via IP.

https://linkerd.io/2.13/features/automatic-mtls/


Unfortunately this would probably not work for my purposes - the issue on my side is that I want to enable MinIO to use server-side encryption; however, MinIO doesn't support SSE unless TLS is enabled inside MinIO itself - so it's ultimately MinIO that needs these certificates. It doesn't help that the Linkerd proxy is actually encrypting the traffic if MinIO doesn't know about it.

There may be a way to tell MinIO to use the proxy certificates though, since those may be somewhere in the pod FS if I understand the docs correctly. I can try to investigate that, thanks for the link!