It's worth noting that VPN / SSL proxies provide box to box (or process to box) encryption, whereas native SSL support provides process to process encryption. The difference being that if an attacker manages to get access to the box then it becomes easier to capture traffic due to it going unencrypted between the app and the VPN/SSL proxies. Fundamentally, native SSL support provides strictly better protection than just VPNs or SSL proxies.
Now, given the context this may or may not be a distinction that you care about, but there certainly are times where you really do care.
(Besides, if I'm running a tcpdump on a box to try and figure out why the network is going wibbly I'm a lot happier knowing all traffic is encrypted and I'm not going to accidentally capture some PII. I've had to tcpdump within docker containers before too, so putting everything in containers doesn't necessarily solve this.)
I think this could be workable, but it probably depends a lot on context.
One reason off the top of my head would be regulatory/compliance issues around how things are encrypted. wireguard is relatively new, and some certifications required to do business in specific industries (finance, healthcare, etc) mandate protocols with a minimum level of maturity. wireguard may be good, but many regulators would probably not find it acceptable without a longer track record.
On a more concrete note, I'd consider any system that handles authentication to be inherently broken if it had no way to keep those credentials safe out of the box. TLS has long been a cheap-ish way to do this, as it's widely available and well understood by both implements and regulators.
I'd feel more safe as an admin by knowing I only have 1 port and 1 app (ie wireguard) being public than 10 with their own ports and security (ie redis and others).
This isn't about making things public, just resistant to tampering and sniffing. Yes if you want to connect networks together then wireguard is a good choice.
If your devices are already on the same network and instead you close down the firewall and you move everything into wireguard you've just moved your problem.
It's much easier to configure once wireguard than configure on each application the ssl mecanism. Redis for example is very easy to use normally, but adding ssl makes it quite harder to setup/use.
This is the "vpn" option. It's a valid option. I don't think tightly coupling ssl is always a good idea - I just don't think it's a bad idea as an option/feature.
I don't use haproxy to secure my telnet sessions - I use ssh.
