Design a security architecture for a containerized microservices application running on Kubernetes, adhering to Zero Trust principles. Assume services communicate via a service mesh. Describe how you would implement mutual TLS (mTLS) for all service-to-service communication. Define the authentication flow using OAuth2 and OpenID Connect for human users accessing the system. Explain how to enforce fine-grained authorization (e.g., specific users can only invoke specific endpoints on specific services) using policies, and how to rotate certificates and secrets automatically without downtime.