This can be done by adding annotations to the nginx ingress configuration. Specifically, add the following annotation to the ingress yaml file:
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
This annotation forwards the client's certificate from the SSL handshake to the upstream. At the same time, add the following annotation to the upstream's yaml file:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
This annotation turns on verification of the client certificate. The final ingress yaml file should look something like this:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  tls:
  - secretName: test-secret
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-service
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-service
spec:
  selector:
    app: test
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: test-image
        ports:
        - containerPort: 80
        env:
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-upstream-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
spec:
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /upstream
        backend:
          serviceName: test-upstream-service
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-upstream-service
spec:
  selector:
    app: test
  ports:
  - name: http
    port: 80
    targetPort: 80
Note: this approach requires nginx ingress version >= 0.22.0.
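The annotations above only get the certificate as far as the proxied request; the upstream still has to decide what to do with it. The following is an added example (not part of the answer above, and not code from the ingress-nginx project) of the upstream side: a small authorization check that reads the two headers the ingress-nginx controller sets on the proxied request, `ssl-client-cert` (the URL-encoded PEM certificate, from auth-tls-pass-certificate-to-upstream) and `ssl-client-verify` (nginx's verification result, from auth-tls-verify-client), rejects requests the ingress did not verify, and pins the caller to an allowlist of certificate fingerprints. The certificate bytes, the header value and the allowlist are constructed for the demo and are not a real certificate.

```python
import hashlib
import ssl
from typing import Dict, Tuple
from urllib.parse import quote, unquote

# Header names ingress-nginx sets on the proxied request (from the controller's
# nginx template): the escaped PEM certificate when
# auth-tls-pass-certificate-to-upstream is "true", and nginx's verification
# result ("SUCCESS", "FAILED:<reason>" or "NONE") when auth-tls-verify-client is on.
CERT_HEADER = "ssl-client-cert"
VERIFY_HEADER = "ssl-client-verify"

# Constructed stand-in for a client certificate: NOT a real X.509 DER blob, just
# bytes so the PEM/URL encoding round trip and fingerprinting can be exercised.
SAMPLE_DER = b"constructed-client-cert-bytes-not-a-real-certificate"
# What nginx's $ssl_client_escaped_cert would carry for it: URL-encoded PEM.
SAMPLE_HEADER = quote(ssl.DER_cert_to_PEM_cert(SAMPLE_DER))

# Hypothetical allowlist: SHA-256 over the DER form of each permitted client cert.
# In a real service this is a deployment-time setting, not derived at runtime.
ALLOWED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def fingerprint_from_header(value: str) -> str:
    """Decode the forwarded header back to DER and return its SHA-256 fingerprint.

    Raises ValueError for anything that is not a PEM certificate block.
    """
    pem = unquote(value)
    der = ssl.PEM_cert_to_DER_cert(pem)   # ValueError on bad header/footer/base64
    return hashlib.sha256(der).hexdigest()


def authorize(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request proxied by the ingress may proceed.

    Returns (allowed, reason_or_fingerprint). Header names are compared
    case-insensitively because proxies and frameworks normalise them differently.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. The ingress must have verified the chain against its configured CA;
    #    a missing header means the request did not come through an ingress
    #    with auth-tls-verify-client enabled.
    if h.get(VERIFY_HEADER) != "SUCCESS":
        return False, "client certificate not verified by ingress"

    # 2. The certificate itself must be present to identify the caller.
    raw = h.get(CERT_HEADER)
    if not raw:
        return False, "no client certificate forwarded"

    try:
        fp = fingerprint_from_header(raw)
    except ValueError:
        return False, "malformed ssl-client-cert header"

    # 3. Pin to known certificates rather than trusting every cert the CA issued.
    if fp not in ALLOWED_FINGERPRINTS:
        return False, "certificate %s... not in allowlist" % fp[:16]
    return True, fp


if __name__ == "__main__":
    print(authorize({"ssl-client-verify": "SUCCESS", "ssl-client-cert": SAMPLE_HEADER}))
    print(authorize({"ssl-client-cert": SAMPLE_HEADER}))
```

These headers are only meaningful when the pod accepts traffic solely from the ingress controller: any client that can reach the Service or pod directly can set `ssl-client-verify: SUCCESS` itself, so restrict the pod's ingress (for example with a NetworkPolicy) to the controller's namespace.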