We would like to have TLS termination (and initiation) right from the start for all services running in our Kubernetes clusters. That being said, expecting services to reliably implement TLS (both inbound and outbound) is not the best path forward, since it duplicates a lot of effort, exposes a lot of the rather complicated internals of TLS to the application, and encourages diversion of configurations and codebases. Instead, we could use a forward+reverse proxy scheme where a well-tested and trusted piece of software with a single configuration completes these tasks. The forward part is about outbound traffic from applications to other applications, and the reverse proxy is the usual tlsproxy-like implementation we have. This is a field still being worked on, with ideas like istio [1] or envoy [2] or linkerd [3].
We should experiment with those ideas.
[1] https://istio.io/
[2] https://envoyproxy.github.io/
[3] https://linkerd.io/