# server
h
Hey I have a general question about device to server security. Our server is in a k8s cluster with istio and SSL termination. We have many small devices in the wild, most communication runs over MQTT with individual certificates, but from time to time we need HTTP requests as well. How would the security scenario look in this case? So the device sends an HTTPS request that is encrypted with our own self-signed certificate and not the usual(?) one? The reverse proxy wants to terminate SSL so we need to give the reverse proxy the public keys of these certs. But then the requests don't differ from the server's point of view and I guess we need to tell the reverse proxy that on the specific paths it should only use our certificates and not the generic ones? I tried googling about this but I am not sure I fully comprehend it.
c
Not a Kotlin question, but: your reverse proxy/ingress controller should have its own proper SSL certificates. External devices connect to it through HTTPS like any other website. Within the cluster, istio or whatever else you want to use encrypts all traffic.
h
Hey, yes that is how it is currently set up. But the API endpoints shouldn't be accessible to everyone and we are barred from basic auth (ofc) or OAuth Device Auth, or rather, we should use the individual certificates already present on the devices to access the server API.
And that made us/me wonder: is securing an HTTP(S) call with a self-signed certificate and then having the ingress only allow requests with these certs on these specific URLs even how you do it?
So I'd like some kind of certificate-based authentication, but how do you do that for a GET request, for example? Encrypt a custom header field? For POST and PUT you can just encrypt the body, I guess.