Currently we cannot do TLS for service-to-service communication in the k8s staging environment, because all the certificates are signed for production hostnames. E.g., to call eventgate-analytics in staging I need to issue a request to staging.svc.eqiad.wmnet with the right port, but the certificate is issued for eventgate-analytics.discovery.wmnet.
It is not critical to have encrypted connections in staging, but it would be convenient to be able to test TLS in staging. Plus, supporting it will make staging more homogeneous with production.