On first thought, service meshes sound like the dumbest thing possible, but then you realize that not every application can natively integrate with Consul for service discovery, and you can't use the DNS fallback because your datacenter doesn't have IPv6 support, so you can't give every container an IP address. You also cannot use DNS SRV, which contains ip:port information. You realize that a lot of software doesn't support TLS encryption natively. All of that has to be implemented outside of the legacy application. So instead of tackling each challenge individually, you can just run a sidecar process that does everything for you.