Add x-forwarded-client-cert headers

Description Add x-fowarded-client-cert information on trusted incoming connections. Envoy provides support forwarding and annotating the x-forwarded-client-cert header via the forward_client_cert_details set_current_client_cert_details filter fields. It would be helpful for consul to support this directly in its config. The escape hatches are a bit cumbersome for this purpose. This has been implemented on incoming connections to envoy. Outgoing (from the local service through the sidecar) will not have a certificate, and so are left alone. A service on an incoming connection will now get headers something like this: ``` X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard] ``` Closes #12852
2022-04-26 13:46:29 -07:00 · 2022-04-26 13:46:29 -07:00 · d8f4cc5537
parent 1cd73d7a71
commit d8f4cc5537
10 changed files with 288 additions and 10 deletions
--- a/.changelog/12878.txt
+++ b/.changelog/12878.txt
@ -0,0 +1,3 @@
 ```release-note:improvement
 agent: Envoy now inserts x-forwarded-client-cert for incoming proxy connections
 ```
--- a/agent/structs/config_entry_mesh.go
+++ b/agent/structs/config_entry_mesh.go
@ -15,6 +15,8 @@ type MeshConfigEntry struct {
 	TLS *MeshTLSConfig `json:",omitempty"`
 	HTTP *MeshHTTPConfig `json:",omitempty"`
 	Meta               map[string]string `json:",omitempty"`
 	acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
 	RaftIndex
@ -33,6 +35,10 @@ type MeshTLSConfig struct {
 	Outgoing *MeshDirectionalTLSConfig `json:",omitempty"`
 }
 type MeshHTTPConfig struct {
 	SanitizeXForwardedClientCert bool `json:",omitempty"`
 }
 type MeshDirectionalTLSConfig struct {
 	TLSMinVersion types.TLSVersion `json:",omitempty" alias:"tls_min_version"`
 	TLSMaxVersion types.TLSVersion `json:",omitempty" alias:"tls_max_version"`
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@ -859,6 +859,10 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
 		if err != nil {
 			return nil, err
 		}
 		if meshConfig := cfgSnap.MeshConfig(); meshConfig == nil || meshConfig.HTTP == nil || !meshConfig.HTTP.SanitizeXForwardedClientCert {
 			filterOpts.forwardClientDetails = true
 			filterOpts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_APPEND_FORWARD
 		}
 	}
 	filter, err := makeListenerFilter(filterOpts)
 	if err != nil {
@ -1146,6 +1150,13 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(
 		opts.cluster = ""
 		opts.useRDS = true
 		if meshConfig := cfgSnap.MeshConfig(); meshConfig == nil || meshConfig.HTTP == nil || !meshConfig.HTTP.SanitizeXForwardedClientCert {
 			opts.forwardClientDetails = true
 			// Note: filter Connection may not be mTLS, so then ALWAYS_FORWARD_ONLY. For mTLS connections we might want APPEND_FORWARD.
 			// Open question; how do I determine if this is mTLS or not?
 			opts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_ALWAYS_FORWARD_ONLY
 		}
 	}
 	filter, err := makeListenerFilter(opts)
@ -1366,16 +1377,18 @@ func (s *ResourceGenerator) getAndModifyUpstreamConfigForListener(
 }
 type listenerFilterOpts struct {
-	useRDS           bool
+	useRDS               bool
-	protocol         string
+	protocol             string
-	filterName       string
+	filterName           string
-	routeName        string
+	routeName            string
-	cluster          string
+	cluster              string
-	statPrefix       string
+	statPrefix           string
-	routePath        string
+	routePath            string
-	requestTimeoutMs *int
+	requestTimeoutMs     *int
-	ingressGateway   bool
+	ingressGateway       bool
-	httpAuthzFilter  *envoy_http_v3.HttpFilter
+	httpAuthzFilter      *envoy_http_v3.HttpFilter
 	forwardClientDetails bool
 	forwardClientPolicy  envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
 }
 func makeListenerFilter(opts listenerFilterOpts) (*envoy_listener_v3.Filter, error) {
@ -1513,6 +1526,18 @@ func makeHTTPFilter(opts listenerFilterOpts) (*envoy_listener_v3.Filter, error)
 		cfg.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{}
 	}
 	// Note the default leads to setting HttpConnectionManager_SANITIZE
 	if opts.forwardClientDetails {
 		cfg.ForwardClientCertDetails = opts.forwardClientPolicy
 		cfg.SetCurrentClientCertDetails = &envoy_http_v3.HttpConnectionManager_SetCurrentClientCertDetails{
 			Subject: &wrappers.BoolValue{Value: true},
 			Cert:    true,
 			Chain:   true,
 			Dns:     true,
 			Uri:     true,
 		}
 	}
 	// Like injectConnectFilters for L4, here we ensure that the first filter
 	// (other than the "envoy.grpc_http1_bridge" filter) in the http filter
 	// chain of a public listener is the authz filter to prevent unauthorized
--- a/agent/xds/listeners_test.go
+++ b/agent/xds/listeners_test.go
@ -166,6 +166,27 @@ func TestListenersFromSnapshot(t *testing.T) {
 				}, nil)
 			},
 		},
 		{
 			name: "http-public-listener-no-xfcc",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
 				return proxycfg.TestConfigSnapshot(t,
 					func(ns *structs.NodeService) {
 						ns.Proxy.Config["protocol"] = "http"
 					},
 					[]cache.UpdateEvent{
 						{
 							CorrelationID: "mesh",
 							Result: &structs.ConfigEntryResponse{
 								Entry: &structs.MeshConfigEntry{
 									HTTP: &structs.MeshHTTPConfig{
 										SanitizeXForwardedClientCert: true,
 									},
 								},
 							},
 						},
 					})
 			},
 		},
 		{
 			name: "http-listener-with-timeouts",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
--- a/agent/xds/testdata/listeners/http-listener-with-timeouts.latest.golden
+++ b/agent/xds/testdata/listeners/http-listener-with-timeouts.latest.golden
@ -67,6 +67,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "APPEND_FORWARD",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "public_listener",
                "routeConfig": {
                  "name": "public_listener",
--- a/agent/xds/testdata/listeners/http-public-listener-no-xfcc.latest.golden
+++ b/agent/xds/testdata/listeners/http-public-listener-no-xfcc.latest.golden
@ -0,0 +1,151 @@
 {
  "versionInfo": "00000001",
  "resources": [
    {
      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
      "name": "db:127.0.0.1:9191",
      "address": {
        "socketAddress": {
          "address": "127.0.0.1",
          "portValue": 9191
        }
      },
      "filterChains": [
        {
          "filters": [
            {
              "name": "envoy.filters.network.tcp_proxy",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
                "statPrefix": "upstream.db.default.default.dc1",
                "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
              }
            }
          ]
        }
      ],
      "trafficDirection": "OUTBOUND"
    },
    {
      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
      "name": "prepared_query:geo-cache:127.10.10.10:8181",
      "address": {
        "socketAddress": {
          "address": "127.10.10.10",
          "portValue": 8181
        }
      },
      "filterChains": [
        {
          "filters": [
            {
              "name": "envoy.filters.network.tcp_proxy",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
                "statPrefix": "upstream.prepared_query_geo-cache",
                "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
              }
            }
          ]
        }
      ],
      "trafficDirection": "OUTBOUND"
    },
    {
      "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
      "name": "public_listener:0.0.0.0:9999",
      "address": {
        "socketAddress": {
          "address": "0.0.0.0",
          "portValue": 9999
        }
      },
      "filterChains": [
        {
          "filters": [
            {
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "statPrefix": "public_listener",
                "routeConfig": {
                  "name": "public_listener",
                  "virtualHosts": [
                    {
                      "name": "public_listener",
                      "domains": [
                        "*"
                      ],
                      "routes": [
                        {
                          "match": {
                            "prefix": "/"
                          },
                          "route": {
                            "cluster": "local_app"
                          }
                        }
                      ]
                    }
                  ]
                },
                "httpFilters": [
                  {
                    "name": "envoy.filters.http.rbac",
                    "typedConfig": {
                      "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
                      "rules": {
                      }
                    }
                  },
                  {
                    "name": "envoy.filters.http.router",
                    "typedConfig": {
                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
                    }
                  }
                ],
                "tracing": {
                  "randomSampling": {
                  }
                }
              }
            }
          ],
          "transportSocket": {
            "name": "tls",
            "typedConfig": {
              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
              "commonTlsContext": {
                "tlsParams": {
                },
                "tlsCertificates": [
                  {
                    "certificateChain": {
                      "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
                    },
                    "privateKey": {
                      "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
                    }
                  }
                ],
                "validationContext": {
                  "trustedCa": {
                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
                  }
                }
              },
              "requireClientCertificate": true
            }
          }
        }
      ],
      "trafficDirection": "INBOUND"
    }
  ],
  "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
  "nonce": "00000001"
 }
--- a/agent/xds/testdata/listeners/http-public-listener.latest.golden
+++ b/agent/xds/testdata/listeners/http-public-listener.latest.golden
@ -67,6 +67,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "APPEND_FORWARD",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "public_listener",
                "routeConfig": {
                  "name": "public_listener",
--- a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.latest.golden
+++ b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.latest.golden
@ -184,6 +184,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
@ -258,6 +266,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
@ -332,6 +348,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
--- a/agent/xds/testdata/serverless_plugin/listeners/lambda-terminating-gateway-with-service-resolvers.latest.golden
+++ b/agent/xds/testdata/serverless_plugin/listeners/lambda-terminating-gateway-with-service-resolvers.latest.golden
@ -130,6 +130,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
@ -212,6 +220,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
@ -348,6 +364,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {
--- a/agent/xds/testdata/serverless_plugin/listeners/lambda-terminating-gateway.latest.golden
+++ b/agent/xds/testdata/serverless_plugin/listeners/lambda-terminating-gateway.latest.golden
@ -184,6 +184,14 @@
              "name": "envoy.filters.network.http_connection_manager",
              "typedConfig": {
                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                "forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
                "setCurrentClientCertDetails": {
                  "cert": true,
                  "chain": true,
                  "dns": true,
                  "subject": true,
                  "uri": true
                },
                "statPrefix": "upstream.web.default.default.dc1",
                "rds": {
                  "configSource": {