In profile::service_proxy::envoy the uses_ingress option adds the TLS SNI setting to the TLS connections to the backend services. In T339890 the ML team used the option to force the TLS SNI to connect a service to Thanos Swift (via local envoy proxy), but the naming is not ideal since there is no (Istio) ingress involved.
My proposal is to rename uses_ingress to sets_sni. This is not an easy work since we'll need to support both for some time, to allow all charts to migrate away from it.
- Puppet change to allow the new setting: https://gerrit.wikimedia.org/r/c/operations/puppet/+/956379
- Deployment-charts change to modify the mesh module: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/956441
- Fix to the mesh module: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/968248
- Rollout of the mesh module change (mesh.configuration >= 1.5.0) to all charts
- Removal of the old option
- Clean up the related TODOs from https://gerrit.wikimedia.org/r/c/operations/puppet/+/974947