Support for mutual authentication in Go has its limitations:
Mutual authentication is best described by the presence of two files, a keystore and a truststore. A keystore holds a private key and a certificate that identify the server to its clients. A truststore holds only certificates, the ones the clients present to validate themselves to the server. Together, the keystore lets the server be validated by its clients and the truststore lets the clients be validated by the server.
Go's support for these is rather limited. golang.org/x/crypto/pkcs12 provides the ability to make SafeBags and ShroudedBags. A keystore or truststore is essentially a collection of SafeBags or ShroudedBags: the former enclose certificates and the latter enclose the private key. However, pkcs12 does not support making truststores; that is left for the caller of the library to implement. Keystores are supported through the Encode method, which takes a private key and a certificate.
Without the private key, the Encode method could be tweaked to produce only a truststore; however, it then becomes the caller's task to add certificates to the truststore as they become available. Whether a certificate can be handed to the caller depends entirely on the clients as they come up. If the clients are known beforehand, their certificates are also known beforehand. That is not always the case, though: clients come up dynamically and need to register their certificates.
Most applications are unaware of their clients, except for their own internal ones such as a command-line interface. Moreover, these applications delegate transport layer security to the keystore and truststore files, assuming that automation involving tools like keychain will add the certificate to the relevant file.
Yet this is not really the case: clients need to add their certificates to the pre-existing truststore so that the Kubernetes operators can install and provision the application with transport layer security. Currently this is left as a do-it-yourself exercise, both in the standard golang pkcs12 library and in the upcoming go-pkcs12 library.
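As an added example (not code from the post or from either pkcs12 library), the following Go program shows what the keystore/truststore split and the dynamic-registration problem described above look like when the stores live in memory rather than in PKCS#12 files: the keystore is a tls.Certificate, the truststore is a guarded list of client certificates turned into an x509.CertPool per handshake, and GetConfigForClient makes the server pick up a client that registered after the listener started. The truststore here holds the clients' self-signed certificates directly, as the post describes; in a CA-based deployment the same pool would hold the issuing CA instead. The names selfSigned, TrustStore, ServerConfig and Handshake are this example's own, the certificates are short-lived test material minted on the fly, and the handshake runs over loopback TCP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync"
	"time"
)

// selfSigned mints short-lived test material for cn: the key pair the peer presents (its keystore) and the certificate others pin (their truststore).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, err
}

// TrustStore is the in-memory counterpart of a truststore file: the certificates of the clients
// the server accepts. A client that comes up later registers at run time; nothing on disk is rewritten.
type TrustStore struct {
	mu    sync.RWMutex
	certs []*x509.Certificate
}

func (ts *TrustStore) Register(c *x509.Certificate) {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	ts.certs = append(ts.certs, c)
}

// ServerConfig pairs the keystore (server key and certificate) with the truststore. GetConfigForClient
// runs once per connection and builds a fresh CertPool, so a late-registered client is accepted next time.
func ServerConfig(keystore tls.Certificate, ts *TrustStore) *tls.Config {
	base := &tls.Config{
		Certificates: []tls.Certificate{keystore},
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()                // same keystore and policy, current truststore
		cfg.ClientCAs = x509.NewCertPool() // non-nil: a nil ClientCAs would mean the system roots
		ts.mu.RLock()
		defer ts.mu.RUnlock()
		for _, c := range ts.certs {
			cfg.ClientCAs.AddCert(c)
		}
		return cfg, nil
	}
	return base
}

// Handshake runs one handshake over loopback TCP: the client pins serverCert (its truststore) and presents
// clientKS (its keystore). The result is the server's verdict; nil means the client was authenticated.
func Handshake(server *tls.Config, clientKS tls.Certificate, serverCert *x509.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	client := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", Certificates: []tls.Certificate{clientKS}}
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err // the client rejected the server, or was cut off before the verdict
	}
	defer conn.Close()
	return <-verdict
}
```

Run the scenario from the post against it: mint a server and a client, build ServerConfig over an empty TrustStore, and the client's handshake fails; call Register with the client's certificate and the same listener accepts it on the next handshake, while a certificate that was never registered is still refused. Two details matter for a real service: the pool handed to a handshake is built fresh under a read lock, so registration never mutates a pool a verifier is using, and ClientCAs is always set to a non-nil pool, because leaving it nil makes Go fall back to the system roots for client verification.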
An alternative to keystore and truststore files is to use the nginx ingress controller with a sidecar proxy.