Original Title: Chihiro and Ian want a way for out-of-cluster load balancers to be able to usefully participate in a GAMMA-compliant mesh

Historically, API gateways and ingress controllers have often been implemented as a Service of type LoadBalancer fronting a pod running a proxy. This is simple to reason about, easy to manage for sidecar meshes, and will presumably be an important implementation mechanism for the foreseeable future.

However, some cloud providers really, really want to move the proxy outside of the cluster, for various reasons which are out of scope for this discussion but should be considered Valid™.

On the one hand, this isn't really a problem: as long as this external-to-the-cluster proxy (which I'll start calling an "external ingress proxy") can make TCP connections to the IP addresses of Services and/or Endpoints inside the cluster, everything will work at least at a basic level. On the other hand, the first hop of traffic from the external ingress proxy to the application pods in the cluster will always be cleartext, which is hardly desirable.

Chihiro and Ian would, therefore, really like a way to configure the external ingress proxy to actually participate in the mesh.