That is my standard approach when I deploy something. My application shouldn't deal with TLS unless it needs to.
Usually fronting a service with Traefik or NGINX fits all the business needs.
I do recall a setup in Kubernetes where nearly all traffic had to be encrypted, even within the cluster. The boundary was the pod. Within a pod you are guaranteed that all containers run on the same node, and since a node is a physical boundary (it's either a physical machine or a VM on a physical machine), you're guaranteed that that traffic never goes over a network cable.
The solution then is to deploy something like LinkerD, which ensures that traffic between pods is encrypted transparently. We could've eased the policy so that traffic between pods on the same node needn't be encrypted, but that would have introduced more variables into the process, and it wasn't worth it.
By contrast, shoving HTTPS proxy services in front of insecure backends is often easy.