add enterprise xds tests (#16738)

2023-03-22 14:56:18 -04:00 · 2023-03-22 14:56:18 -04:00 · 672c1eea41
parent d7c81a3b1d
commit 672c1eea41
24 changed files with 810 additions and 697 deletions
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@ -186,7 +186,7 @@ func TestAgent_Services_ExternalConnectProxy(t *testing.T) {
 		Port:    5000,
 		Proxy: structs.ConnectProxyConfig{
 			DestinationServiceName: "db",
-			Upstreams:              structs.TestUpstreams(t),
+			Upstreams:              structs.TestUpstreams(t, false),
 		},
 	}
 	a.State.AddServiceWithChecks(srv1, nil, "", false)
@ -226,7 +226,7 @@ func TestAgent_Services_Sidecar(t *testing.T) {
 		LocallyRegisteredAsSidecar: true,
 		Proxy: structs.ConnectProxyConfig{
 			DestinationServiceName: "db",
-			Upstreams:              structs.TestUpstreams(t),
+			Upstreams:              structs.TestUpstreams(t, false),
 			Mode:                   structs.ProxyModeTransparent,
 			TransparentProxy: structs.TransparentProxyConfig{
 				OutboundListenerPort: 10101,
--- a/agent/proxycfg/manager_test.go
+++ b/agent/proxycfg/manager_test.go
@ -95,7 +95,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
 		})
 	}

-	upstreams := structs.TestUpstreams(t)
+	upstreams := structs.TestUpstreams(t, false)
 	for i := range upstreams {
 		upstreams[i].DestinationNamespace = structs.IntentionDefaultNamespace
 		upstreams[i].DestinationPartition = api.PartitionDefaultName
--- a/agent/proxycfg/testing.go
+++ b/agent/proxycfg/testing.go
@ -552,7 +552,7 @@ func TestGatewayServiceGroupBarDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "bar",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -573,7 +573,7 @@ func TestGatewayServiceGroupBarDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "bar",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -594,7 +594,7 @@ func TestGatewayServiceGroupBarDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "bar",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -620,7 +620,7 @@ func TestGatewayServiceGroupFooDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "foo",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -641,7 +641,7 @@ func TestGatewayServiceGroupFooDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "foo",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -662,7 +662,7 @@ func TestGatewayServiceGroupFooDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "foo",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 		},
@ -683,7 +683,7 @@ func TestGatewayServiceGroupFooDC1(t testing.T) structs.CheckServiceNodes {
 				},
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "foo",
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 				},
 			},
 			Checks: structs.HealthChecks{
--- a/agent/proxycfg/testing_api_gateway.go
+++ b/agent/proxycfg/testing_api_gateway.go
@ -105,7 +105,7 @@ func TestConfigSnapshotAPIGateway(
 		})
 	}

-	upstreams := structs.TestUpstreams(t)
+	upstreams := structs.TestUpstreams(t, false)

 	baseEvents = testSpliceEvents(baseEvents, setupTestVariationConfigEntriesAndSnapshot(
 		t, variation, upstreams, additionalEntries...,
--- a/agent/proxycfg/testing_connect_proxy.go
+++ b/agent/proxycfg/testing_connect_proxy.go
@ -7,6 +7,7 @@ import (
 	"github.com/mitchellh/go-testing-interface"
 	"github.com/stretchr/testify/assert"

+	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/discoverychain"
 	"github.com/hashicorp/consul/agent/structs"
@ -23,7 +24,7 @@ func TestConfigSnapshot(t testing.T, nsFn func(ns *structs.NodeService), extraUp
 	assert.True(t, dbChain.Default)

 	var (
-		upstreams   = structs.TestUpstreams(t)
+		upstreams   = structs.TestUpstreams(t, false)
 		dbUpstream  = upstreams[0]
 		geoUpstream = upstreams[1]

@ -93,19 +94,25 @@ func TestConfigSnapshot(t testing.T, nsFn func(ns *structs.NodeService), extraUp
 func TestConfigSnapshotDiscoveryChain(
 	t testing.T,
 	variation string,
+	enterprise bool,
 	nsFn func(ns *structs.NodeService),
 	extraUpdates []UpdateEvent,
 	additionalEntries ...structs.ConfigEntry,
 ) *ConfigSnapshot {
 	roots, leaf := TestCerts(t)

+	var entMeta acl.EnterpriseMeta
+	if enterprise {
+		entMeta = acl.NewEnterpriseMetaWithPartition("ap1", "ns1")
+	}
+
 	var (
-		upstreams   = structs.TestUpstreams(t)
+		upstreams   = structs.TestUpstreams(t, enterprise)
 		geoUpstream = upstreams[1]

 		geoUID = NewUpstreamID(&geoUpstream)

-		webSN = structs.ServiceIDString("web", nil)
+		webSN = structs.ServiceIDString("web", &entMeta)
 	)

 	baseEvents := testSpliceEvents([]UpdateEvent{
@ -157,6 +164,7 @@ func TestConfigSnapshotDiscoveryChain(
 		},
 		Meta:            nil,
 		TaggedAddresses: nil,
+		EnterpriseMeta:  entMeta,
 	}, nsFn, nil, testSpliceEvents(baseEvents, extraUpdates))
 }

--- a/agent/proxycfg/testing_ingress_gateway.go
+++ b/agent/proxycfg/testing_ingress_gateway.go
@ -84,7 +84,7 @@ func TestConfigSnapshotIngressGateway(
 			},
 		}})

-		upstreams := structs.TestUpstreams(t)
+		upstreams := structs.TestUpstreams(t, false)
 		upstreams = structs.Upstreams{upstreams[0]} // just keep 'db'

 		baseEvents = testSpliceEvents(baseEvents, setupTestVariationConfigEntriesAndSnapshot(
--- a/agent/proxycfg/testing_upstreams.go
+++ b/agent/proxycfg/testing_upstreams.go
@ -5,6 +5,7 @@ import (

 	"github.com/mitchellh/go-testing-interface"

+	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/discoverychain"
 	"github.com/hashicorp/consul/agent/structs"
@ -23,7 +24,7 @@ func setupTestVariationConfigEntriesAndSnapshot(
 		dbUID = NewUpstreamID(&dbUpstream)
 	)

-	dbChain := setupTestVariationDiscoveryChain(t, variation, additionalEntries...)
+	dbChain := setupTestVariationDiscoveryChain(t, variation, dbUID.EnterpriseMeta, additionalEntries...)

 	nodes := TestUpstreamNodes(t, "db")
 	if variation == "register-to-terminating-gateway" {
@ -46,29 +47,42 @@ func setupTestVariationConfigEntriesAndSnapshot(
 		},
 	}

+	dbOpts := structs.DiscoveryTargetOpts{
+		Service:    dbUID.Name,
+		Namespace:  dbUID.NamespaceOrDefault(),
+		Partition:  dbUID.PartitionOrDefault(),
+		Datacenter: "dc1",
+	}
+	dbChainID := structs.ChainID(dbOpts)
+	makeChainID := func(opts structs.DiscoveryTargetOpts) string {
+		return structs.ChainID(structs.MergeDiscoveryTargetOpts(dbOpts, opts))
+	}
+
 	switch variation {
 	case "default":
 	case "simple-with-overrides":
 	case "simple":
 	case "external-sni":
 	case "failover":
+		chainID := makeChainID(structs.DiscoveryTargetOpts{Service: "fail"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:fail.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + chainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesAlternate(t),
 			},
 		})
 	case "failover-through-remote-gateway-triggered":
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + dbChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesInStatus(t, "critical"),
 			},
 		})
 		fallthrough
 	case "failover-through-remote-gateway":
+		chainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc2"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc2:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + chainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesDC2(t),
 			},
@ -91,8 +105,13 @@ func setupTestVariationConfigEntriesAndSnapshot(
 				},
 			},
 		})
+		uid := UpstreamID{
+			Name:           "db",
+			Peer:           "cluster-01",
+			EnterpriseMeta: acl.NewEnterpriseMetaWithPartition(dbUID.PartitionOrDefault(), ""),
+		}
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-peer:db?peer=cluster-01",
+			CorrelationID: "upstream-peer:" + uid.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: structs.CheckServiceNodes{structs.TestCheckNodeServiceWithNameInPeer(t, "db", "dc1", "cluster-01", "10.40.1.1", false)},
 			},
@ -109,83 +128,93 @@ func setupTestVariationConfigEntriesAndSnapshot(
 				},
 			},
 		})
+		uid := UpstreamID{
+			Name:           "db",
+			Peer:           "cluster-01",
+			EnterpriseMeta: acl.NewEnterpriseMetaWithPartition(dbUID.PartitionOrDefault(), ""),
+		}
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-peer:db?peer=cluster-01",
+			CorrelationID: "upstream-peer:" + uid.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: structs.CheckServiceNodes{structs.TestCheckNodeServiceWithNameInPeer(t, "db", "dc2", "cluster-01", "10.40.1.1", false)},
 			},
 		})
 	case "failover-through-double-remote-gateway-triggered":
+		chainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc2"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + dbChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesInStatus(t, "critical"),
 			},
-		})
-		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc2:" + dbUID.String(),
-			Result: &structs.IndexedCheckServiceNodes{
-				Nodes: TestUpstreamNodesInStatusDC2(t, "critical"),
-			},
-		})
+		},
+			UpdateEvent{
+				CorrelationID: "upstream-target:" + chainID + ":" + dbUID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodesInStatusDC2(t, "critical"),
+				},
+			})
 		fallthrough
 	case "failover-through-double-remote-gateway":
+		chainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc3"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc3:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + chainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesDC2(t),
 			},
-		})
-		events = append(events, UpdateEvent{
-			CorrelationID: "mesh-gateway:dc2:" + dbUID.String(),
-			Result: &structs.IndexedCheckServiceNodes{
-				Nodes: TestGatewayNodesDC2(t),
+		},
+			UpdateEvent{
+				CorrelationID: "mesh-gateway:dc2:" + dbUID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestGatewayNodesDC2(t),
+				},
 			},
-		})
-		events = append(events, UpdateEvent{
-			CorrelationID: "mesh-gateway:dc3:" + dbUID.String(),
-			Result: &structs.IndexedCheckServiceNodes{
-				Nodes: TestGatewayNodesDC3(t),
-			},
-		})
+			UpdateEvent{
+				CorrelationID: "mesh-gateway:dc3:" + dbUID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestGatewayNodesDC3(t),
+				},
+			})
 	case "failover-through-local-gateway-triggered":
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + dbChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesInStatus(t, "critical"),
 			},
 		})
 		fallthrough
 	case "failover-through-local-gateway":
+		chainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc2"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc2:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + chainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesDC2(t),
 			},
-		})
-		events = append(events, UpdateEvent{
-			CorrelationID: "mesh-gateway:dc1:" + dbUID.String(),
-			Result: &structs.IndexedCheckServiceNodes{
-				Nodes: TestGatewayNodesDC1(t),
-			},
-		})
+		},
+			UpdateEvent{
+				CorrelationID: "mesh-gateway:dc1:" + dbUID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestGatewayNodesDC1(t),
+				},
+			})
 	case "failover-through-double-local-gateway-triggered":
+		db2ChainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc2"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + dbChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesInStatus(t, "critical"),
 			},
-		})
-		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc2:" + dbUID.String(),
-			Result: &structs.IndexedCheckServiceNodes{
-				Nodes: TestUpstreamNodesInStatusDC2(t, "critical"),
-			},
-		})
+		},
+			UpdateEvent{
+				CorrelationID: "upstream-target:" + db2ChainID + ":" + dbUID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodesInStatusDC2(t, "critical"),
+				},
+			})
 		fallthrough
 	case "failover-through-double-local-gateway":
+		db3ChainID := makeChainID(structs.DiscoveryTargetOpts{Datacenter: "dc3"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:db.default.default.dc3:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + db3ChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesDC2(t),
 			},
@ -197,14 +226,16 @@ func setupTestVariationConfigEntriesAndSnapshot(
 			},
 		})
 	case "splitter-with-resolver-redirect-multidc":
+		v1ChainID := makeChainID(structs.DiscoveryTargetOpts{ServiceSubset: "v1"})
+		v2ChainID := makeChainID(structs.DiscoveryTargetOpts{ServiceSubset: "v2", Datacenter: "dc2"})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:v1.db.default.default.dc1:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + v1ChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodes(t, "db"),
 			},
 		})
 		events = append(events, UpdateEvent{
-			CorrelationID: "upstream-target:v2.db.default.default.dc2:" + dbUID.String(),
+			CorrelationID: "upstream-target:" + v2ChainID + ":" + dbUID.String(),
 			Result: &structs.IndexedCheckServiceNodes{
 				Nodes: TestUpstreamNodesDC2(t),
 			},
@ -225,6 +256,7 @@ func setupTestVariationConfigEntriesAndSnapshot(
 func setupTestVariationDiscoveryChain(
 	t testing.T,
 	variation string,
+	entMeta acl.EnterpriseMeta,
 	additionalEntries ...structs.ConfigEntry,
 ) *structs.CompiledDiscoveryChain {
 	// Compile a chain.
@ -249,6 +281,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 			},
@ -256,13 +289,15 @@ func setupTestVariationDiscoveryChain(
 	case "external-sni":
 		entries = append(entries,
 			&structs.ServiceConfigEntry{
-				Kind:        structs.ServiceDefaults,
-				Name:        "db",
-				ExternalSNI: "db.some.other.service.mesh",
+				Kind:           structs.ServiceDefaults,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
+				ExternalSNI:    "db.some.other.service.mesh",
 			},
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 			},
@ -272,6 +307,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -286,8 +322,9 @@ func setupTestVariationDiscoveryChain(
 	case "failover-through-remote-gateway":
 		entries = append(entries,
 			&structs.ServiceConfigEntry{
-				Kind: structs.ServiceDefaults,
-				Name: "db",
+				Kind:           structs.ServiceDefaults,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				MeshGateway: structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				},
@ -295,6 +332,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -309,6 +347,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -325,6 +364,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Redirect: &structs.ServiceResolverRedirect{
@ -337,8 +377,9 @@ func setupTestVariationDiscoveryChain(
 	case "failover-through-double-remote-gateway":
 		entries = append(entries,
 			&structs.ServiceConfigEntry{
-				Kind: structs.ServiceDefaults,
-				Name: "db",
+				Kind:           structs.ServiceDefaults,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				MeshGateway: structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				},
@ -346,6 +387,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -360,8 +402,9 @@ func setupTestVariationDiscoveryChain(
 	case "failover-through-local-gateway":
 		entries = append(entries,
 			&structs.ServiceConfigEntry{
-				Kind: structs.ServiceDefaults,
-				Name: "db",
+				Kind:           structs.ServiceDefaults,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				MeshGateway: structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeLocal,
 				},
@ -369,6 +412,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -383,8 +427,9 @@ func setupTestVariationDiscoveryChain(
 	case "failover-through-double-local-gateway":
 		entries = append(entries,
 			&structs.ServiceConfigEntry{
-				Kind: structs.ServiceDefaults,
-				Name: "db",
+				Kind:           structs.ServiceDefaults,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				MeshGateway: structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeLocal,
 				},
@ -392,6 +437,7 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 				Failover: map[string]structs.ServiceResolverFailover{
@ -402,25 +448,29 @@ func setupTestVariationDiscoveryChain(
 			},
 		)
 	case "splitter-with-resolver-redirect-multidc":
+		em := acl.NewEnterpriseMetaWithPartition(entMeta.PartitionOrDefault(), acl.NamespaceOrDefault(""))
 		entries = append(entries,
 			&structs.ProxyConfigEntry{
-				Kind: structs.ProxyDefaults,
-				Name: structs.ProxyConfigGlobal,
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: em,
 				Config: map[string]interface{}{
 					"protocol": "http",
 				},
 			},
 			&structs.ServiceSplitterConfigEntry{
-				Kind: structs.ServiceResolver,
-				Name: "db",
+				Kind:           structs.ServiceResolver,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Splits: []structs.ServiceSplit{
 					{Weight: 50, Service: "db-dc1"},
 					{Weight: 50, Service: "db-dc2"},
 				},
 			},
 			&structs.ServiceResolverConfigEntry{
-				Kind: structs.ServiceResolver,
-				Name: "db-dc1",
+				Kind:           structs.ServiceResolver,
+				Name:           "db-dc1",
+				EnterpriseMeta: entMeta,
 				Redirect: &structs.ServiceResolverRedirect{
 					Service:       "db",
 					ServiceSubset: "v1",
@ -428,8 +478,9 @@ func setupTestVariationDiscoveryChain(
 				},
 			},
 			&structs.ServiceResolverConfigEntry{
-				Kind: structs.ServiceResolver,
-				Name: "db-dc2",
+				Kind:           structs.ServiceResolver,
+				Name:           "db-dc2",
+				EnterpriseMeta: entMeta,
 				Redirect: &structs.ServiceResolverRedirect{
 					Service:       "db",
 					ServiceSubset: "v2",
@ -437,8 +488,9 @@ func setupTestVariationDiscoveryChain(
 				},
 			},
 			&structs.ServiceResolverConfigEntry{
-				Kind: structs.ServiceResolver,
-				Name: "db",
+				Kind:           structs.ServiceResolver,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Subsets: map[string]structs.ServiceResolverSubset{
 					"v1": {
 						Filter: "Service.Meta.version == v1",
@ -454,19 +506,22 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 			},
 			&structs.ProxyConfigEntry{
-				Kind: structs.ProxyDefaults,
-				Name: structs.ProxyConfigGlobal,
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
 				Config: map[string]interface{}{
 					"protocol": "http",
 				},
 			},
 			&structs.ServiceSplitterConfigEntry{
-				Kind: structs.ServiceSplitter,
-				Name: "db",
+				Kind:           structs.ServiceSplitter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Splits: []structs.ServiceSplit{
 					{
 						Weight:  95.5,
@ -506,19 +561,22 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 			},
 			&structs.ProxyConfigEntry{
-				Kind: structs.ProxyDefaults,
-				Name: structs.ProxyConfigGlobal,
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
 				Config: map[string]interface{}{
 					"protocol": "grpc",
 				},
 			},
 			&structs.ServiceRouterConfigEntry{
-				Kind: structs.ServiceRouter,
-				Name: "db",
+				Kind:           structs.ServiceRouter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Routes: []structs.ServiceRoute{
 					{
 						Match: &structs.ServiceRouteMatch{
@ -538,19 +596,22 @@ func setupTestVariationDiscoveryChain(
 			&structs.ServiceResolverConfigEntry{
 				Kind:           structs.ServiceResolver,
 				Name:           "db",
+				EnterpriseMeta: entMeta,
 				ConnectTimeout: 33 * time.Second,
 				RequestTimeout: 33 * time.Second,
 			},
 			&structs.ProxyConfigEntry{
-				Kind: structs.ProxyDefaults,
-				Name: structs.ProxyConfigGlobal,
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
 				Config: map[string]interface{}{
 					"protocol": "http",
 				},
 			},
 			&structs.ServiceSplitterConfigEntry{
-				Kind: structs.ServiceSplitter,
-				Name: "split-3-ways",
+				Kind:           structs.ServiceSplitter,
+				Name:           "split-3-ways",
+				EnterpriseMeta: entMeta,
 				Splits: []structs.ServiceSplit{
 					{Weight: 95.5, Service: "big-side"},
 					{Weight: 4, Service: "goldilocks-side"},
@ -558,8 +619,9 @@ func setupTestVariationDiscoveryChain(
 				},
 			},
 			&structs.ServiceRouterConfigEntry{
-				Kind: structs.ServiceRouter,
-				Name: "db",
+				Kind:           structs.ServiceRouter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Routes: []structs.ServiceRoute{
 					{
 						Match: httpMatch(&structs.ServiceRouteHTTPMatch{
@ -790,23 +852,26 @@ func setupTestVariationDiscoveryChain(
 	case "lb-resolver":
 		entries = append(entries,
 			&structs.ProxyConfigEntry{
-				Kind: structs.ProxyDefaults,
-				Name: structs.ProxyConfigGlobal,
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
 				Config: map[string]interface{}{
 					"protocol": "http",
 				},
 			},
 			&structs.ServiceSplitterConfigEntry{
-				Kind: structs.ServiceSplitter,
-				Name: "db",
+				Kind:           structs.ServiceSplitter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				Splits: []structs.ServiceSplit{
 					{Weight: 95.5, Service: "something-else"},
 					{Weight: 4.5, Service: "db"},
 				},
 			},
 			&structs.ServiceResolverConfigEntry{
-				Kind: structs.ServiceResolver,
-				Name: "db",
+				Kind:           structs.ServiceResolver,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
 				LoadBalancer: &structs.LoadBalancer{
 					Policy: "ring_hash",
 					RingHashConfig: &structs.RingHashConfig{
@ -845,7 +910,7 @@ func setupTestVariationDiscoveryChain(
 		entries = append(entries, additionalEntries...)
 	}

-	return discoverychain.TestCompileConfigEntries(t, "db", "default", "default", "dc1", connect.TestClusterID+".consul", compileSetup, entries...)
+	return discoverychain.TestCompileConfigEntries(t, "db", entMeta.NamespaceOrDefault(), entMeta.PartitionOrDefault(), "dc1", connect.TestClusterID+".consul", compileSetup, entries...)
 }

 func httpMatch(http *structs.ServiceRouteHTTPMatch) *structs.ServiceRouteMatch {
--- a/agent/proxycfg_test.go
+++ b/agent/proxycfg_test.go
@ -41,7 +41,7 @@ func TestAgent_local_proxycfg(t *testing.T) {
 		LocallyRegisteredAsSidecar: true,
 		Proxy: structs.ConnectProxyConfig{
 			DestinationServiceName: "db",
-			Upstreams:              structs.TestUpstreams(t),
+			Upstreams:              structs.TestUpstreams(t, false),
 		},
 		EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
 	}
--- a/agent/sidecar_service_test.go
+++ b/agent/sidecar_service_test.go
@ -93,7 +93,7 @@ func TestAgent_sidecarServiceFromNodeService(t *testing.T) {
 							LocalServiceAddress:    "127.0.127.0",
 							LocalServicePort:       9999,
 							Config:                 map[string]interface{}{"baz": "qux"},
-							Upstreams:              structs.TestUpstreams(t),
+							Upstreams:              structs.TestUpstreams(t, false),
 						},
 					},
 				},
@ -118,7 +118,7 @@ func TestAgent_sidecarServiceFromNodeService(t *testing.T) {
 					LocalServiceAddress:    "127.0.127.0",
 					LocalServicePort:       9999,
 					Config:                 map[string]interface{}{"baz": "qux"},
-					Upstreams: structs.TestAddDefaultsToUpstreams(t, structs.TestUpstreams(t),
+					Upstreams: structs.TestAddDefaultsToUpstreams(t, structs.TestUpstreams(t, false),
 						*structs.DefaultEnterpriseMetaInDefaultPartition()),
 				},
 			},
--- a/agent/structs/discovery_chain.go
+++ b/agent/structs/discovery_chain.go
@ -59,7 +59,7 @@ type CompiledDiscoveryChain struct {
 // ID returns an ID that encodes the service, namespace, partition, and datacenter.
 // This ID allows us to compare a discovery chain target to the chain upstream itself.
 func (c *CompiledDiscoveryChain) ID() string {
-	return chainID(DiscoveryTargetOpts{
+	return ChainID(DiscoveryTargetOpts{
 		Service:    c.ServiceName,
 		Namespace:  c.Namespace,
 		Partition:  c.Partition,
@ -314,7 +314,7 @@ func (t *DiscoveryTarget) ToDiscoveryTargetOpts() DiscoveryTargetOpts {
 	}
 }

-func chainID(opts DiscoveryTargetOpts) string {
+func ChainID(opts DiscoveryTargetOpts) string {
 	// NOTE: this format is similar to the SNI syntax for simplicity
 	if opts.Peer != "" {
 		return fmt.Sprintf("%s.%s.default.external.%s", opts.Service, opts.Namespace, opts.Peer)
@ -326,7 +326,7 @@ func chainID(opts DiscoveryTargetOpts) string {
 }

 func (t *DiscoveryTarget) setID() {
-	t.ID = chainID(t.ToDiscoveryTargetOpts())
+	t.ID = ChainID(t.ToDiscoveryTargetOpts())
 }

 func (t *DiscoveryTarget) String() string {
--- a/agent/structs/testing_connect_proxy_config.go
+++ b/agent/structs/testing_connect_proxy_config.go
@ -11,37 +11,46 @@ import (
 func TestConnectProxyConfig(t testing.T) ConnectProxyConfig {
 	return ConnectProxyConfig{
 		DestinationServiceName: "web",
-		Upstreams:              TestUpstreams(t),
+		Upstreams:              TestUpstreams(t, false),
 	}
 }

 // TestUpstreams returns a set of upstreams to be used in tests exercising most
 // important configuration patterns.
-func TestUpstreams(t testing.T) Upstreams {
-	return Upstreams{
-		{
-			// We rely on this one having default type in a few tests...
-			DestinationName: "db",
-			LocalBindPort:   9191,
-			Config: map[string]interface{}{
-				// Float because this is how it is decoded by JSON decoder so this
-				// enables the value returned to be compared directly to a decoded JSON
-				// response without spurious type loss.
-				"connect_timeout_ms": float64(1000),
-			},
-		},
-		{
-			DestinationType:  UpstreamDestTypePreparedQuery,
-			DestinationName:  "geo-cache",
-			LocalBindPort:    8181,
-			LocalBindAddress: "127.10.10.10",
-		},
-		{
-			DestinationName:     "upstream_socket",
-			LocalBindSocketPath: "/tmp/upstream.sock",
-			LocalBindSocketMode: "0700",
+func TestUpstreams(t testing.T, enterprise bool) Upstreams {
+	db := Upstream{
+		// We rely on this one having default type in a few tests...
+		DestinationName: "db",
+		LocalBindPort:   9191,
+		Config: map[string]interface{}{
+			// Float because this is how it is decoded by JSON decoder so this
+			// enables the value returned to be compared directly to a decoded JSON
+			// response without spurious type loss.
+			"connect_timeout_ms": float64(1000),
 		},
 	}
+
+	geoCache := Upstream{
+		DestinationType:  UpstreamDestTypePreparedQuery,
+		DestinationName:  "geo-cache",
+		LocalBindPort:    8181,
+		LocalBindAddress: "127.10.10.10",
+	}
+
+	if enterprise {
+		db.DestinationNamespace = "foo"
+		db.DestinationPartition = "bar"
+
+		geoCache.DestinationNamespace = "baz"
+		geoCache.DestinationPartition = "qux"
+	}
+
+	return Upstreams{db, geoCache, {
+		DestinationName:     "upstream_socket",
+		LocalBindSocketPath: "/tmp/upstream.sock",
+		LocalBindSocketMode: "0700",
+	},
+	}
 }

 // TestAddDefaultsToUpstreams takes an array of upstreams (such as that from
--- a/agent/xds/clusters_test.go
+++ b/agent/xds/clusters_test.go
@ -21,6 +21,112 @@ import (
 	"github.com/hashicorp/consul/types"
 )

+type clusterTestCase struct {
+	name               string
+	create             func(t testinf.T) *proxycfg.ConfigSnapshot
+	overrideGoldenName string
+}
+
+func makeClusterDiscoChainTests(enterprise bool) []clusterTestCase {
+	return []clusterTestCase{
+		{
+			name: "custom-upstream-default-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", enterprise, func(ns *structs.NodeService) {
+					ns.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
+						customAppClusterJSON(t, customClusterJSONOptions{
+							Name: "myservice",
+						})
+				}, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-external-sni",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-overrides",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-failover",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "splitter-with-resolver-redirect",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-lb-in-resolver",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "lb-resolver", enterprise, nil, nil)
+			},
+		},
+	}
+}
+
 func TestClustersFromSnapshot(t *testing.T) {
 	// TODO: we should move all of these to TestAllResourcesFromSnapshot
 	// eventually to test all of the xDS types at once with the same input,
@ -29,11 +135,7 @@ func TestClustersFromSnapshot(t *testing.T) {
 		t.Skip("too slow for testing.Short")
 	}

-	tests := []struct {
-		name               string
-		create             func(t testinf.T) *proxycfg.ConfigSnapshot
-		overrideGoldenName string
-	}{
+	tests := []clusterTestCase{
 		{
 			name: "connect-proxy-with-tls-outgoing-min-version-auto",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -135,17 +237,6 @@ func TestClustersFromSnapshot(t *testing.T) {
 				}, nil)
 			},
 		},
-		{
-			name: "custom-upstream-default-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", func(ns *structs.NodeService) {
-					ns.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
-						customAppClusterJSON(t, customClusterJSONOptions{
-							Name: "myservice",
-						})
-				}, nil)
-			},
-		},
 		{
 			name:               "custom-upstream-ignores-tls",
 			overrideGoldenName: "custom-upstream", // should be the same
@ -245,90 +336,6 @@ func TestClustersFromSnapshot(t *testing.T) {
 				}, nil)
 			},
 		},
-		{
-			name: "connect-proxy-with-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-external-sni",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-overrides",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-failover",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "splitter-with-resolver-redirect",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-lb-in-resolver",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "lb-resolver", nil, nil)
-			},
-		},
 		{
 			name: "expose-paths-local-app-paths",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -767,6 +774,8 @@ func TestClustersFromSnapshot(t *testing.T) {
 		},
 	}

+	tests = append(tests, makeClusterDiscoChainTests(false)...)
+
 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]
 	for _, envoyVersion := range xdscommon.EnvoyVersions {
 		sf, err := xdscommon.DetermineSupportedProxyFeaturesFromString(envoyVersion)
--- a/agent/xds/delta_envoy_extender_oss_test.go
+++ b/agent/xds/delta_envoy_extender_oss_test.go
@ -92,7 +92,7 @@ end`,
 		{
 			name: "lambda-connect-proxy",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, makeLambdaServiceDefaults(false))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, makeLambdaServiceDefaults(false))
 			},
 		},
 		{
@ -107,13 +107,13 @@ end`,
 		{
 			name: "lambda-connect-proxy-with-terminating-gateway-upstream",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", nil, nil, makeLambdaServiceDefaults(false))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", false, nil, nil, makeLambdaServiceDefaults(false))
 			},
 		},
 		{
 			name: "lambda-connect-proxy-opposite-meta",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, makeLambdaServiceDefaults(true))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, makeLambdaServiceDefaults(true))
 			},
 		},
 		{
@ -129,13 +129,13 @@ end`,
 		{
 			name: "lua-outbound-applies-to-upstreams",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, makeLuaServiceDefaults(false))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, makeLuaServiceDefaults(false))
 			},
 		},
 		{
 			name: "lua-inbound-doesnt-applies-to-upstreams",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, makeLuaServiceDefaults(true))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, makeLuaServiceDefaults(true))
 			},
 		},
 		{
@ -183,7 +183,7 @@ end`,
 		{
 			name: "lua-connect-proxy-with-terminating-gateway-upstream",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", nil, nil, makeLambdaServiceDefaults(false))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", false, nil, nil, makeLambdaServiceDefaults(false))
 			},
 		},
 		{
@ -205,7 +205,7 @@ end`,
 						},
 					}
 				}
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nsFunc, nil, makeLambdaServiceDefaults(true))
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nsFunc, nil, makeLambdaServiceDefaults(true))
 			},
 		},
 		{
--- a/agent/xds/endpoints_test.go
+++ b/agent/xds/endpoints_test.go
@ -217,6 +217,106 @@ func Test_makeLoadAssignment(t *testing.T) {
 	}
 }

+type endpointTestCase struct {
+	name               string
+	create             func(t testinf.T) *proxycfg.ConfigSnapshot
+	overrideGoldenName string
+}
+
+func makeEndpointDiscoChainTests(enterprise bool) []endpointTestCase {
+	return []endpointTestCase{
+		{
+			name: "connect-proxy-with-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-external-sni",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-overrides",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-failover",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway-triggered", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-default-chain-and-custom-cluster",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", enterprise, func(ns *structs.NodeService) {
+					ns.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
+						customAppClusterJSON(t, customClusterJSONOptions{
+							Name: "myservice",
+						})
+				}, nil)
+			},
+		},
+		{
+			name: "splitter-with-resolver-redirect",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", enterprise, nil, nil)
+			},
+		},
+	}
+}
+
 func TestEndpointsFromSnapshot(t *testing.T) {
 	// TODO: we should move all of these to TestAllResourcesFromSnapshot
 	// eventually to test all of the xDS types at once with the same input,
@ -225,11 +325,7 @@ func TestEndpointsFromSnapshot(t *testing.T) {
 		t.Skip("too slow for testing.Short")
 	}

-	tests := []struct {
-		name               string
-		create             func(t testinf.T) *proxycfg.ConfigSnapshot
-		overrideGoldenName string
-	}{
+	tests := []endpointTestCase{
 		{
 			name: "mesh-gateway",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -260,95 +356,6 @@ func TestEndpointsFromSnapshot(t *testing.T) {
 				return proxycfg.TestConfigSnapshotMeshGateway(t, "no-services", nil, nil)
 			},
 		},
-		{
-			name: "connect-proxy-with-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-external-sni",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-overrides",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-failover",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-remote-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-double-local-gateway-triggered", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-default-chain-and-custom-cluster",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", func(ns *structs.NodeService) {
-					ns.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
-						customAppClusterJSON(t, customClusterJSONOptions{
-							Name: "myservice",
-						})
-				}, nil)
-			},
-		},
-		{
-			name: "splitter-with-resolver-redirect",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", nil, nil)
-			},
-		},
 		{
 			name: "mesh-gateway-service-subsets",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -498,6 +505,8 @@ func TestEndpointsFromSnapshot(t *testing.T) {
 		},
 	}

+	tests = append(tests, makeEndpointDiscoChainTests(false)...)
+
 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]
 	for _, envoyVersion := range xdscommon.EnvoyVersions {
 		sf, err := xdscommon.DetermineSupportedProxyFeaturesFromString(envoyVersion)
--- a/agent/xds/extensionruntime/runtime_config_oss_test.go
+++ b/agent/xds/extensionruntime/runtime_config_oss_test.go
@ -130,11 +130,11 @@ func TestGetRuntimeConfigurations_ConnectProxy(t *testing.T) {
 	}

 	// Setup a snapshot where the db upstream is on a connect proxy.
-	snapConnect := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, serviceDefaults)
+	snapConnect := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, serviceDefaults)
 	// Setup a snapshot where the db upstream is on a terminating gateway.
-	snapTermGw := proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", nil, nil, serviceDefaults)
+	snapTermGw := proxycfg.TestConfigSnapshotDiscoveryChain(t, "register-to-terminating-gateway", false, nil, nil, serviceDefaults)
 	// Setup a snapshot with the local service web has extensions.
-	snapWebConnect := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", func(ns *structs.NodeService) {
+	snapWebConnect := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, func(ns *structs.NodeService) {
 		ns.Proxy.EnvoyExtensions = envoyExtensions
 	}, nil)

--- a/agent/xds/listeners_test.go
+++ b/agent/xds/listeners_test.go
@ -21,6 +21,121 @@ import (
 	"github.com/hashicorp/consul/types"
 )

+type listenerTestCase struct {
+	name   string
+	create func(t testinf.T) *proxycfg.ConfigSnapshot
+	// Setup is called before the test starts. It is passed the snapshot from
+	// TestConfigSnapshot and is allowed to modify it in any way to setup the
+	// test input.
+	overrideGoldenName string
+	generatorSetup     func(*ResourceGenerator)
+}
+
+func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
+	return []listenerTestCase{
+		{
+			name: "custom-upstream-ignored-with-disco-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", enterprise, func(ns *structs.NodeService) {
+					for i := range ns.Proxy.Upstreams {
+						if ns.Proxy.Upstreams[i].DestinationName != "db" {
+							continue // only tweak the db upstream
+						}
+						if ns.Proxy.Upstreams[i].Config == nil {
+							ns.Proxy.Upstreams[i].Config = map[string]interface{}{}
+						}
+
+						uid := proxycfg.NewUpstreamID(&ns.Proxy.Upstreams[i])
+
+						ns.Proxy.Upstreams[i].Config["envoy_listener_json"] =
+							customListenerJSON(t, customListenerJSONOptions{
+								Name: uid.EnvoyID() + ":custom-upstream",
+							})
+					}
+				}, nil)
+			},
+		},
+		{
+			name: "splitter-with-resolver-redirect",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-http-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil,
+					&structs.ProxyConfigEntry{
+						Kind: structs.ProxyDefaults,
+						Name: structs.ProxyConfigGlobal,
+						Config: map[string]interface{}{
+							"protocol": "http",
+						},
+					},
+				)
+			},
+		},
+		{
+			name: "connect-proxy-with-http2-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil,
+					&structs.ProxyConfigEntry{
+						Kind: structs.ProxyDefaults,
+						Name: structs.ProxyConfigGlobal,
+						Config: map[string]interface{}{
+							"protocol": "http2",
+						},
+					},
+				)
+			},
+		},
+		{
+			name: "connect-proxy-with-grpc-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil,
+					&structs.ProxyConfigEntry{
+						Kind: structs.ProxyDefaults,
+						Name: structs.ProxyConfigGlobal,
+						Config: map[string]interface{}{
+							"protocol": "grpc",
+						},
+					},
+				)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-external-sni",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-overrides",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", enterprise, nil, nil)
+			},
+		},
+	}
+}
+
 func TestListenersFromSnapshot(t *testing.T) {
 	// TODO: we should move all of these to TestAllResourcesFromSnapshot
 	// eventually to test all of the xDS types at once with the same input,
@ -29,16 +144,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 		t.Skip("too slow for testing.Short")
 	}

-	tests := []struct {
-		name   string
-		create func(t testinf.T) *proxycfg.ConfigSnapshot
-		// Setup is called before the test starts. It is passed the snapshot from
-		// TestConfigSnapshot and is allowed to modify it in any way to setup the
-		// test input.
-		setup              func(snap *proxycfg.ConfigSnapshot)
-		overrideGoldenName string
-		generatorSetup     func(*ResourceGenerator)
-	}{
+	tests := []listenerTestCase{
 		{
 			name: "connect-proxy-with-tls-outgoing-min-version-auto",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -326,106 +432,6 @@ func TestListenersFromSnapshot(t *testing.T) {
 				}, nil)
 			},
 		},
-		{
-			name: "custom-upstream-ignored-with-disco-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", func(ns *structs.NodeService) {
-					for i := range ns.Proxy.Upstreams {
-						if ns.Proxy.Upstreams[i].DestinationName != "db" {
-							continue // only tweak the db upstream
-						}
-						if ns.Proxy.Upstreams[i].Config == nil {
-							ns.Proxy.Upstreams[i].Config = map[string]interface{}{}
-						}
-
-						uid := proxycfg.NewUpstreamID(&ns.Proxy.Upstreams[i])
-
-						ns.Proxy.Upstreams[i].Config["envoy_listener_json"] =
-							customListenerJSON(t, customListenerJSONOptions{
-								Name: uid.EnvoyID() + ":custom-upstream",
-							})
-					}
-				}, nil)
-			},
-		},
-		{
-			name: "splitter-with-resolver-redirect",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-http-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil,
-					&structs.ProxyConfigEntry{
-						Kind: structs.ProxyDefaults,
-						Name: structs.ProxyConfigGlobal,
-						Config: map[string]interface{}{
-							"protocol": "http",
-						},
-					},
-				)
-			},
-		},
-		{
-			name: "connect-proxy-with-http2-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil,
-					&structs.ProxyConfigEntry{
-						Kind: structs.ProxyDefaults,
-						Name: structs.ProxyConfigGlobal,
-						Config: map[string]interface{}{
-							"protocol": "http2",
-						},
-					},
-				)
-			},
-		},
-		{
-			name: "connect-proxy-with-grpc-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil,
-					&structs.ProxyConfigEntry{
-						Kind: structs.ProxyDefaults,
-						Name: structs.ProxyConfigGlobal,
-						Config: map[string]interface{}{
-							"protocol": "grpc",
-						},
-					},
-				)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-external-sni",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-overrides",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-remote-gateway", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-tcp-chain-failover-through-local-gateway",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-through-local-gateway", nil, nil)
-			},
-		},
 		{
 			name: "connect-proxy-upstream-defaults",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@ -1092,6 +1098,8 @@ func TestListenersFromSnapshot(t *testing.T) {
 		},
 	}

+	tests = append(tests, makeListenerDiscoChainTests(false)...)
+
 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]
 	for _, envoyVersion := range xdscommon.EnvoyVersions {
 		sf, err := xdscommon.DetermineSupportedProxyFeaturesFromString(envoyVersion)
@ -1110,10 +1118,6 @@ func TestListenersFromSnapshot(t *testing.T) {
 					// golder files for every test case and so not be any use!
 					testcommon.SetupTLSRootsAndLeaf(t, snap)

-					if tt.setup != nil {
-						tt.setup(snap)
-					}
-
 					// Need server just for logger dependency
 					g := NewResourceGenerator(testutil.Logger(t), nil, false)
 					g.ProxyFeatures = sf
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@ -175,7 +175,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 	}
 	tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
 	tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
-	tests = append(tests, getTrafficControlPeeringGoldenTestCases()...)
+	tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
 	tests = append(tests, getEnterpriseGoldenTestCases()...)
 	tests = append(tests, getAPIGatewayGoldenTestCases(t)...)

@ -253,21 +253,29 @@ func getMeshGatewayPeeringGoldenTestCases() []goldenTestCase {
 	}
 }

-func getTrafficControlPeeringGoldenTestCases() []goldenTestCase {
-	return []goldenTestCase{
+func getTrafficControlPeeringGoldenTestCases(enterprise bool) []goldenTestCase {
+	cases := []goldenTestCase{
 		{
 			name: "connect-proxy-with-chain-and-failover-to-cluster-peer",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-to-cluster-peer", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-to-cluster-peer", enterprise, nil, nil)
 			},
 		},
 		{
 			name: "connect-proxy-with-chain-and-redirect-to-cluster-peer",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "redirect-to-cluster-peer", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "redirect-to-cluster-peer", enterprise, nil, nil)
 			},
 		},
 	}
+
+	if enterprise {
+		for i := range cases {
+			cases[i].name = "enterprise-" + cases[i].name
+		}
+	}
+
+	return cases
 }

 const (
--- a/agent/xds/routes_test.go
+++ b/agent/xds/routes_test.go
@ -19,6 +19,65 @@ import (
 	"github.com/hashicorp/consul/sdk/testutil"
 )

+type routeTestCase struct {
+	name               string
+	create             func(t testinf.T) *proxycfg.ConfigSnapshot
+	overrideGoldenName string
+}
+
+func makeRouteDiscoChainTests(enterprise bool) []routeTestCase {
+	return []routeTestCase{
+		{
+			name: "connect-proxy-with-chain",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-external-sni",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-overrides",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "splitter-with-resolver-redirect",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-splitter",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "chain-and-splitter", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-grpc-router",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "grpc-router", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-with-chain-and-router",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "chain-and-router", enterprise, nil, nil)
+			},
+		},
+		{
+			name: "connect-proxy-lb-in-resolver",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "lb-resolver", enterprise, nil, nil)
+			},
+		},
+	}
+}
+
 func TestRoutesFromSnapshot(t *testing.T) {
 	// TODO: we should move all of these to TestAllResourcesFromSnapshot
 	// eventually to test all of the xDS types at once with the same input,
@ -27,59 +86,7 @@ func TestRoutesFromSnapshot(t *testing.T) {
 		t.Skip("too slow for testing.Short")
 	}

-	tests := []struct {
-		name               string
-		create             func(t testinf.T) *proxycfg.ConfigSnapshot
-		overrideGoldenName string
-	}{
-		{
-			name: "connect-proxy-with-chain",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-external-sni",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "external-sni", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-overrides",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", nil, nil)
-			},
-		},
-		{
-			name: "splitter-with-resolver-redirect",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-splitter",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "chain-and-splitter", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-grpc-router",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "grpc-router", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-with-chain-and-router",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "chain-and-router", nil, nil)
-			},
-		},
-		{
-			name: "connect-proxy-lb-in-resolver",
-			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "lb-resolver", nil, nil)
-			},
-		},
+	tests := []routeTestCase{
 		// TODO(rb): test match stanza skipped for grpc
 		// Start ingress gateway test cases
 		{
@ -188,6 +195,8 @@ func TestRoutesFromSnapshot(t *testing.T) {
 		},
 	}

+	tests = append(tests, makeRouteDiscoChainTests(false)...)
+
 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]
 	for _, envoyVersion := range xdscommon.EnvoyVersions {
 		sf, err := xdscommon.DetermineSupportedProxyFeaturesFromString(envoyVersion)
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden
@ -1,63 +1,63 @@
 {
-  "versionInfo": "00000001",
-  "resources": [
+  "versionInfo":  "00000001",
+  "resources":  [
    {
-      "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
-      "clusterName": "db.default.cluster-01.external.peer1.domain",
-      "endpoints": [
+      "@type":  "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+      "clusterName":  "db.default.cluster-01.external.peer1.domain",
+      "endpoints":  [
        {
-          "lbEndpoints": [
+          "lbEndpoints":  [
            {
-              "endpoint": {
-                "address": {
-                  "socketAddress": {
-                    "address": "10.40.1.1",
-                    "portValue": 8080
+              "endpoint":  {
+                "address":  {
+                  "socketAddress":  {
+                    "address":  "10.40.1.1",
+                    "portValue":  8080
                  }
                }
              },
-              "healthStatus": "HEALTHY",
-              "loadBalancingWeight": 1
+              "healthStatus":  "HEALTHY",
+              "loadBalancingWeight":  1
            }
          ]
        }
      ]
    },
    {
-      "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
-      "clusterName": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
-      "endpoints": [
+      "@type":  "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+      "clusterName":  "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+      "endpoints":  [
        {
-          "lbEndpoints": [
+          "lbEndpoints":  [
            {
-              "endpoint": {
-                "address": {
-                  "socketAddress": {
-                    "address": "10.10.1.1",
-                    "portValue": 8080
+              "endpoint":  {
+                "address":  {
+                  "socketAddress":  {
+                    "address":  "10.10.1.1",
+                    "portValue":  8080
                  }
                }
              },
-              "healthStatus": "HEALTHY",
-              "loadBalancingWeight": 1
+              "healthStatus":  "HEALTHY",
+              "loadBalancingWeight":  1
            },
            {
-              "endpoint": {
-                "address": {
-                  "socketAddress": {
-                    "address": "10.20.1.2",
-                    "portValue": 8080
+              "endpoint":  {
+                "address":  {
+                  "socketAddress":  {
+                    "address":  "10.20.1.2",
+                    "portValue":  8080
                  }
                }
              },
-              "healthStatus": "HEALTHY",
-              "loadBalancingWeight": 1
+              "healthStatus":  "HEALTHY",
+              "loadBalancingWeight":  1
            }
          ]
        }
      ]
    }
  ],
-  "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
-  "nonce": "00000001"
+  "typeUrl":  "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+  "nonce":  "00000001"
 }
--- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden
+++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden
@ -1,119 +1,115 @@
 {
-  "versionInfo": "00000001",
-  "resources": [
+  "versionInfo":  "00000001",
+  "resources":  [
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "db:127.0.0.1:9191",
-      "address": {
-        "socketAddress": {
-          "address": "127.0.0.1",
-          "portValue": 9191
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "db:127.0.0.1:9191",
+      "address":  {
+        "socketAddress":  {
+          "address":  "127.0.0.1",
+          "portValue":  9191
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "upstream.db.default.default.dc1",
-                "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "upstream.db.default.default.dc1",
+                "cluster":  "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
              }
            }
          ]
        }
      ],
-      "trafficDirection": "OUTBOUND"
+      "trafficDirection":  "OUTBOUND"
    },
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "prepared_query:geo-cache:127.10.10.10:8181",
-      "address": {
-        "socketAddress": {
-          "address": "127.10.10.10",
-          "portValue": 8181
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "prepared_query:geo-cache:127.10.10.10:8181",
+      "address":  {
+        "socketAddress":  {
+          "address":  "127.10.10.10",
+          "portValue":  8181
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "upstream.prepared_query_geo-cache",
-                "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "upstream.prepared_query_geo-cache",
+                "cluster":  "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
              }
            }
          ]
        }
      ],
-      "trafficDirection": "OUTBOUND"
+      "trafficDirection":  "OUTBOUND"
    },
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "public_listener:0.0.0.0:9999",
-      "address": {
-        "socketAddress": {
-          "address": "0.0.0.0",
-          "portValue": 9999
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "public_listener:0.0.0.0:9999",
+      "address":  {
+        "socketAddress":  {
+          "address":  "0.0.0.0",
+          "portValue":  9999
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.rbac",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
-                "rules": {
-
-                },
-                "statPrefix": "connect_authz"
+              "name":  "envoy.filters.network.rbac",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+                "rules":  {},
+                "statPrefix":  "connect_authz"
              }
            },
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "public_listener",
-                "cluster": "local_app"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "public_listener",
+                "cluster":  "local_app"
              }
            }
          ],
-          "transportSocket": {
-            "name": "tls",
-            "typedConfig": {
-              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
-              "commonTlsContext": {
-                "tlsParams": {
-
-                },
-                "tlsCertificates": [
+          "transportSocket":  {
+            "name":  "tls",
+            "typedConfig":  {
+              "@type":  "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext":  {
+                "tlsParams":  {},
+                "tlsCertificates":  [
                  {
-                    "certificateChain": {
-                      "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                    "certificateChain":  {
+                      "inlineString":  "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
                    },
-                    "privateKey": {
-                      "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                    "privateKey":  {
+                      "inlineString":  "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
                    }
                  }
                ],
-                "validationContext": {
-                  "trustedCa": {
-                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                "validationContext":  {
+                  "trustedCa":  {
+                    "inlineString":  "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
                  }
                }
              },
-              "requireClientCertificate": true
+              "requireClientCertificate":  true
            }
          }
        }
      ],
-      "trafficDirection": "INBOUND"
+      "trafficDirection":  "INBOUND"
    }
  ],
-  "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
-  "nonce": "00000001"
+  "typeUrl":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+  "nonce":  "00000001"
 }
--- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden
+++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden
@ -1,119 +1,115 @@
 {
-  "versionInfo": "00000001",
-  "resources": [
+  "versionInfo":  "00000001",
+  "resources":  [
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "db:127.0.0.1:9191",
-      "address": {
-        "socketAddress": {
-          "address": "127.0.0.1",
-          "portValue": 9191
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "db:127.0.0.1:9191",
+      "address":  {
+        "socketAddress":  {
+          "address":  "127.0.0.1",
+          "portValue":  9191
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "upstream.db.default.default.dc1",
-                "cluster": "db.default.cluster-01.external.peer1.domain"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "upstream.db.default.default.dc1",
+                "cluster":  "db.default.cluster-01.external.peer1.domain"
              }
            }
          ]
        }
      ],
-      "trafficDirection": "OUTBOUND"
+      "trafficDirection":  "OUTBOUND"
    },
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "prepared_query:geo-cache:127.10.10.10:8181",
-      "address": {
-        "socketAddress": {
-          "address": "127.10.10.10",
-          "portValue": 8181
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "prepared_query:geo-cache:127.10.10.10:8181",
+      "address":  {
+        "socketAddress":  {
+          "address":  "127.10.10.10",
+          "portValue":  8181
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "upstream.prepared_query_geo-cache",
-                "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "upstream.prepared_query_geo-cache",
+                "cluster":  "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
              }
            }
          ]
        }
      ],
-      "trafficDirection": "OUTBOUND"
+      "trafficDirection":  "OUTBOUND"
    },
    {
-      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
-      "name": "public_listener:0.0.0.0:9999",
-      "address": {
-        "socketAddress": {
-          "address": "0.0.0.0",
-          "portValue": 9999
+      "@type":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+      "name":  "public_listener:0.0.0.0:9999",
+      "address":  {
+        "socketAddress":  {
+          "address":  "0.0.0.0",
+          "portValue":  9999
        }
      },
-      "filterChains": [
+      "filterChains":  [
        {
-          "filters": [
+          "filters":  [
            {
-              "name": "envoy.filters.network.rbac",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
-                "rules": {
-
-                },
-                "statPrefix": "connect_authz"
+              "name":  "envoy.filters.network.rbac",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+                "rules":  {},
+                "statPrefix":  "connect_authz"
              }
            },
            {
-              "name": "envoy.filters.network.tcp_proxy",
-              "typedConfig": {
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
-                "statPrefix": "public_listener",
-                "cluster": "local_app"
+              "name":  "envoy.filters.network.tcp_proxy",
+              "typedConfig":  {
+                "@type":  "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+                "statPrefix":  "public_listener",
+                "cluster":  "local_app"
              }
            }
          ],
-          "transportSocket": {
-            "name": "tls",
-            "typedConfig": {
-              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
-              "commonTlsContext": {
-                "tlsParams": {
-
-                },
-                "tlsCertificates": [
+          "transportSocket":  {
+            "name":  "tls",
+            "typedConfig":  {
+              "@type":  "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext":  {
+                "tlsParams":  {},
+                "tlsCertificates":  [
                  {
-                    "certificateChain": {
-                      "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                    "certificateChain":  {
+                      "inlineString":  "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
                    },
-                    "privateKey": {
-                      "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                    "privateKey":  {
+                      "inlineString":  "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
                    }
                  }
                ],
-                "validationContext": {
-                  "trustedCa": {
-                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                "validationContext":  {
+                  "trustedCa":  {
+                    "inlineString":  "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
                  }
                }
              },
-              "requireClientCertificate": true
+              "requireClientCertificate":  true
            }
          }
        }
      ],
-      "trafficDirection": "INBOUND"
+      "trafficDirection":  "INBOUND"
    }
  ],
-  "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
-  "nonce": "00000001"
+  "typeUrl":  "type.googleapis.com/envoy.config.listener.v3.Listener",
+  "nonce":  "00000001"
 }
--- a/agent/xds/validateupstream-test/validateupstream_test.go
+++ b/agent/xds/validateupstream-test/validateupstream_test.go
@ -43,13 +43,13 @@ func TestValidateUpstreams(t *testing.T) {
 		{
 			name: "tcp-success",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil)
 			},
 		},
 		{
 			name: "tcp-missing-listener",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil)
 			},
 			patcher: func(ir *xdscommon.IndexedResources) *xdscommon.IndexedResources {
 				delete(ir.Index[xdscommon.ListenerType], listenerName)
@ -60,7 +60,7 @@ func TestValidateUpstreams(t *testing.T) {
 		{
 			name: "tcp-missing-cluster",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil)
 			},
 			patcher: func(ir *xdscommon.IndexedResources) *xdscommon.IndexedResources {
 				delete(ir.Index[xdscommon.ClusterType], sni)
@ -71,7 +71,7 @@ func TestValidateUpstreams(t *testing.T) {
 		{
 			name: "http-success",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, httpServiceDefaults)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, httpServiceDefaults)
 			},
 		},
 		{
@ -79,7 +79,7 @@ func TestValidateUpstreams(t *testing.T) {
 			// RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain, so we
 			// need to use the test snapshot and add L7 config entries.
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, []proxycfg.UpdateEvent{
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, []proxycfg.UpdateEvent{
 					// The events ensure there are endpoints for the v1 and v2 subsets.
 					{
 						CorrelationID: "upstream-target:v1.db.default.default.dc1:" + dbUID.String(),
@ -104,7 +104,7 @@ func TestValidateUpstreams(t *testing.T) {
 			// RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain, so we
 			// need to use the test snapshot and add L7 config entries.
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, []proxycfg.UpdateEvent{
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, []proxycfg.UpdateEvent{
 					// The events ensure there are endpoints for the v1 and v2 subsets.
 					{
 						CorrelationID: "upstream-target:v1.db.default.default.dc1:" + dbUID.String(),
@ -129,19 +129,19 @@ func TestValidateUpstreams(t *testing.T) {
 		{
 			name: "redirect",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "redirect-to-cluster-peer", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "redirect-to-cluster-peer", false, nil, nil)
 			},
 		},
 		{
 			name: "failover",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover", false, nil, nil)
 			},
 		},
 		{
 			name: "failover-to-cluster-peer",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
-				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-to-cluster-peer", nil, nil)
+				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "failover-to-cluster-peer", false, nil, nil)
 			},
 		},
 		{
--- a/agent/xds/xds_protocol_helpers_test.go
+++ b/agent/xds/xds_protocol_helpers_test.go
@ -47,7 +47,7 @@ func newTestSnapshot(
 	dbServiceProtocol string,
 	additionalEntries ...structs.ConfigEntry,
 ) *proxycfg.ConfigSnapshot {
-	snap := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", nil, nil, additionalEntries...)
+	snap := proxycfg.TestConfigSnapshotDiscoveryChain(t, "default", false, nil, nil, additionalEntries...)
 	snap.ConnectProxy.PreparedQueryEndpoints = map[proxycfg.UpstreamID]structs.CheckServiceNodes{
 		UID("prepared_query:geo-cache"): proxycfg.TestPreparedQueryNodes(t, "geo-cache"),
 	}
--- a/command/services/config_test.go
+++ b/command/services/config_test.go
@ -137,7 +137,7 @@ func TestStructsToAgentService(t *testing.T) {
 					DestinationServiceName: "web",
 					LocalServiceAddress:    "127.0.0.1",
 					LocalServicePort:       8181,
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 					Mode:                   structs.ProxyModeTransparent,
 					Config: map[string]interface{}{
 						"foo": "bar",
@ -154,7 +154,7 @@ func TestStructsToAgentService(t *testing.T) {
 					DestinationServiceName: "web",
 					LocalServiceAddress:    "127.0.0.1",
 					LocalServicePort:       8181,
-					Upstreams:              structs.TestUpstreams(t).ToAPI(),
+					Upstreams:              structs.TestUpstreams(t, false).ToAPI(),
 					Mode:                   api.ProxyModeTransparent,
 					Config: map[string]interface{}{
 						"foo": "bar",
@ -174,7 +174,7 @@ func TestStructsToAgentService(t *testing.T) {
 					DestinationServiceName: "web",
 					LocalServiceAddress:    "127.0.0.1",
 					LocalServicePort:       8181,
-					Upstreams:              structs.TestUpstreams(t),
+					Upstreams:              structs.TestUpstreams(t, false),
 					Mode:                   structs.ProxyModeTransparent,
 					TransparentProxy: structs.TransparentProxyConfig{
 						OutboundListenerPort: 808,
@ -201,7 +201,7 @@ func TestStructsToAgentService(t *testing.T) {
 					DestinationServiceName: "web",
 					LocalServiceAddress:    "127.0.0.1",
 					LocalServicePort:       8181,
-					Upstreams:              structs.TestUpstreams(t).ToAPI(),
+					Upstreams:              structs.TestUpstreams(t, false).ToAPI(),
 					Mode:                   api.ProxyModeTransparent,
 					TransparentProxy: &api.TransparentProxyConfig{
 						OutboundListenerPort: 808,