Original Title: Chihiro and Ian want a way for out-of-cluster load balancers to be able to usefully participate in a GAMMA-compliant mesh
Historically, API gateways and ingress controllers have often been implemented as a Service of type LoadBalancer fronting a pod running a proxy. This is simple to reason about, easy to manage for sidecar meshes, and will presumably be an important implementation mechanism for the foreseeable future.
However, some cloud providers really, really want to move the proxy outside of the cluster, for various reasons which are out of scope for this discussion but should be considered Valid™.
On the one hand, this isn't really a problem: as long as this external-to-the-cluster proxy (which I'll start calling an "external ingress proxy") can make TCP connections to the IP addresses of Services and/or Endpoints inside the cluster, everything will work at least at a basic level. On the other hand, the first hop of traffic from the external ingress proxy to the application pods in the cluster will always be cleartext, which is hardly desirable.
Chihiro and Ian would, therefore, really like a way to configure the external ingress proxy to actually participate in the mesh.
This feature has been accepted for the v1.4.0 release. Please see this announcement for more details, and for the timing expectations for transitions. Note that if the timeline can not be met, there is a risk that this feature may unfortunately need to be dropped from the release. If you have any questions, concerns, or are in need of support please reach out to the maintainers so we can assist you!
shaneutt changed the title from "Chihiro and Ian want a way for out-of-cluster load balancers to be able to usefully participate in a GAMMA-compliant mesh" to "GEP: External Gateway Controllers" on May 30, 2025