From 69c129c73fd923d252ec9a7a94950759c9320065 Mon Sep 17 00:00:00 2001
From: Mark Anderson
Date: Tue, 3 May 2022 13:57:57 -0700
Subject: [PATCH] Change to use APPEND_FORWARD for terminating gateway
Signed-off-by: Mark Anderson
---
 agent/xds/listeners.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index c04a47487..672d667ad 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -1153,9 +1153,8 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(
 if meshConfig := cfgSnap.MeshConfig(); meshConfig == nil || meshConfig.HTTP == nil || !meshConfig.HTTP.SanitizeXForwardedClientCert {
 opts.forwardClientDetails = true
-// Note: filter Connection may not be mTLS, so then ALWAYS_FORWARD_ONLY. For mTLS connections we might want APPEND_FORWARD.
-// Open question; how do I determine if this is mTLS or not?
-opts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_ALWAYS_FORWARD_ONLY
+// This assumes that we have a client cert (mTLS) (implied by the context of this function)
+opts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_APPEND_FORWARD
 }
 }
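Review bot: The new comment asserts that mTLS is "implied by the context of this function", but nothing in the hunk establishes that, and the policy chosen depends on it: APPEND_FORWARD appends this connection's certificate details to x-forwarded-client-cert only when the downstream connection is mTLS, while any XFCC header already present from the client is kept and forwarded in both cases. If a filter chain produced here is ever reachable without client-cert verification, the upstream would receive an unverified, client-supplied XFCC value, which is the same concern the removed note raised and this change does not resolve. Since this is also the branch taken when SanitizeXForwardedClientCert is false, the comment should say which part of makeFilterChainTerminatingGateway guarantees the mTLS requirement rather than leaving it implied; the rest of the function is outside the hunk, so I cannot confirm it from here. I would replace the added comment with `// APPEND_FORWARD adds this connection's cert to XFCC only on mTLS downstreams and keeps any client-supplied XFCC either way,` / `// so it relies on this filter chain requiring client certs (set up earlier in this function; confirm when changing the TLS context).`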