xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)

.changelog/8569.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+xds: use envoy's rbac filter to handle intentions entirely within envoy
+```

agent/agent.go

@@ -548,6 +548,16 @@ func (a *Agent) Start(ctx context.Context) error {
 		return err
 	}
 
+	var intentionDefaultAllow bool
+	switch a.config.ACLDefaultPolicy {
+	case "allow":
+		intentionDefaultAllow = true
+	case "deny":
+		intentionDefaultAllow = false
+	default:
+		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
+	}
+
 	// Start the proxy config manager.
 	a.proxyConfig, err = proxycfg.NewManager(proxycfg.ManagerConfig{
 		Cache:  a.cache,
@@ -562,7 +572,8 @@ func (a *Agent) Start(ctx context.Context) error {
 			Domain:    a.config.DNSDomain,
 			AltDomain: a.config.DNSAltDomain,
 		},
-		TLSConfigurator: a.tlsConfigurator,
+		TLSConfigurator:       a.tlsConfigurator,
+		IntentionDefaultAllow: intentionDefaultAllow,
 	})
 	if err != nil {
 		return err
@@ -655,7 +666,6 @@ func (a *Agent) listenAndServeGRPC() error {
 	xdsServer := &xds.Server{
 		Logger:       a.logger,
 		CfgMgr:       a.proxyConfig,
-		Authz:        a,
 		ResolveToken: a.resolveToken,
 		CheckFetcher: a,
 		CfgFetcher:   a,

agent/consul/discoverychain/compile.go

@@ -1009,10 +1009,5 @@ func defaultIfEmpty(val, defaultVal string) string {
 }
 
 func enableAdvancedRoutingForProtocol(protocol string) bool {
-	switch protocol {
+	return structs.IsProtocolHTTPLike(protocol)
-	case "http", "http2", "grpc":
-		return true
-	default:
-		return false
-	}
 }

agent/proxycfg/manager.go

@@ -70,6 +70,11 @@ type ManagerConfig struct {
 	// logger is the agent's logger to be used for logging logs.
 	Logger          hclog.Logger
 	TLSConfigurator *tlsutil.Configurator
+
+	// IntentionDefaultAllow is set by the agent so that we can pass this
+	// information to proxies that need to make intention decisions on their
+	// own.
+	IntentionDefaultAllow bool
 }
 
 // NewManager constructs a manager from the provided agent cache.
@@ -192,6 +197,7 @@ func (m *Manager) ensureProxyServiceLocked(ns *structs.NodeService, token string
 	state.cache = m.Cache
 	state.source = m.Source
 	state.dnsConfig = m.DNSConfig
+	state.intentionDefaultAllow = m.IntentionDefaultAllow
 	if m.TLSConfigurator != nil {
 		state.serverSNIFn = m.TLSConfigurator.ServerSNI
 	}

agent/proxycfg/manager_test.go

@@ -221,6 +221,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
 					},
 					PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
 					WatchedServiceChecks:   map[structs.ServiceID][]structs.CheckType{},
+					Intentions:             TestIntentions().Matches[0],
+					IntentionsSet:          true,
 				},
 				Datacenter: "dc1",
 			},
@@ -269,6 +271,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
 					},
 					PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
 					WatchedServiceChecks:   map[structs.ServiceID][]structs.CheckType{},
+					Intentions:             TestIntentions().Matches[0],
+					IntentionsSet:          true,
 				},
 				Datacenter: "dc1",
 			},
@@ -286,7 +290,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
 			// Setup initial values
 			types.roots.Set(rootsCacheKey, roots)
 			types.leaf.Set(leafCacheKey, leaf)
-			types.intentions.Set(intentionCacheKey, TestIntentions(t))
+			types.intentions.Set(intentionCacheKey, TestIntentions())
 			tt.setup(t, types)
 
 			expectSnapCopy, err := copystructure.Copy(tt.expectSnap)
@@ -334,7 +338,7 @@ func testManager_BasicLifecycle(
 	state.TriggerSyncChanges = func() {}
 
 	// Create manager
-	m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil})
+	m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil, false})
 	require.NoError(err)
 
 	// And run it

agent/proxycfg/snapshot.go

@@ -42,6 +42,12 @@ type configSnapshotConnectProxy struct {
 
 	WatchedServiceChecks   map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
 	PreparedQueryEndpoints map[string]structs.CheckServiceNodes      // DEPRECATED:see:WatchedUpstreamEndpoints
+
+	// NOTE: Intentions stores a list of lists as returned by the Intentions
+	// Match RPC. So far we only use the first list as the list of matching
+	// intentions.
+	Intentions    structs.Intentions
+	IntentionsSet bool
 }
 
 func (c *configSnapshotConnectProxy) IsEmpty() bool {
@@ -49,6 +55,7 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool {
 		return true
 	}
 	return c.Leaf == nil &&
+		!c.IntentionsSet &&
 		len(c.DiscoveryChain) == 0 &&
 		len(c.WatchedUpstreams) == 0 &&
 		len(c.WatchedUpstreamEndpoints) == 0 &&
@@ -71,6 +78,14 @@ type configSnapshotTerminatingGateway struct {
 	// are no longer linked to the gateway.
 	WatchedIntentions map[structs.ServiceName]context.CancelFunc
 
+	// NOTE: Intentions stores a map of list of lists as returned by the Intentions
+	// Match RPC. So far we only use the first list as the list of matching
+	// intentions.
+	//
+	// A key being present implies that we have gotten at least one watch reply for the
+	// service. This is logically the same as ConnectProxy.IntentionsSet==true
+	Intentions map[structs.ServiceName]structs.Intentions
+
 	// WatchedLeaves is a map of ServiceName to a cancel function.
 	// This cancel function is tied to the watch of leaf certs for linked services.
 	// As with WatchedServices, leaf watches will be cancelled when services
@@ -82,6 +97,16 @@ type configSnapshotTerminatingGateway struct {
 	// on the service that the caller is trying to reach.
 	ServiceLeaves map[structs.ServiceName]*structs.IssuedCert
 
+	// WatchedConfigs is a map of ServiceName to a cancel function. This cancel
+	// function is tied to the watch of service configs for linked services. As
+	// with WatchedServices, service config watches will be cancelled when
+	// services are no longer linked to the gateway.
+	WatchedConfigs map[structs.ServiceName]context.CancelFunc
+
+	// ServiceConfigs is a map of service name to the resolved service config
+	// for that service.
+	ServiceConfigs map[structs.ServiceName]*structs.ServiceConfigResponse
+
 	// WatchedResolvers is a map of ServiceName to a cancel function.
 	// This cancel function is tied to the watch of resolvers for linked services.
 	// As with WatchedServices, resolver watches will be cancelled when services
@@ -90,7 +115,8 @@ type configSnapshotTerminatingGateway struct {
 
 	// ServiceResolvers is a map of service name to an associated
 	// service-resolver config entry for that service.
-	ServiceResolvers map[structs.ServiceName]*structs.ServiceResolverConfigEntry
+	ServiceResolvers    map[structs.ServiceName]*structs.ServiceResolverConfigEntry
+	ServiceResolversSet map[structs.ServiceName]bool
 
 	// ServiceGroups is a map of service name to the service instances of that
 	// service in the local datacenter.
@@ -106,6 +132,38 @@ type configSnapshotTerminatingGateway struct {
 	HostnameServices map[structs.ServiceName]structs.CheckServiceNodes
 }
 
+// ValidServices returns the list of service keys that have enough data to be emitted.
+func (c *configSnapshotTerminatingGateway) ValidServices() []structs.ServiceName {
+	out := make([]structs.ServiceName, 0, len(c.ServiceGroups))
+	for svc := range c.ServiceGroups {
+		// It only counts if ALL of our watches have come back (with data or not).
+
+		// Skip the service if we don't know if there is a resolver or not.
+		if _, ok := c.ServiceResolversSet[svc]; !ok {
+			continue
+		}
+
+		// Skip the service if we don't have a cert to present for mTLS.
+		if cert, ok := c.ServiceLeaves[svc]; !ok || cert == nil {
+			continue
+		}
+
+		// Skip the service if we haven't gotten our intentions yet.
+		if _, intentionsSet := c.Intentions[svc]; !intentionsSet {
+			continue
+		}
+
+		// Skip the service if we haven't gotten our service config yet to know
+		// the protocol.
+		if _, ok := c.ServiceConfigs[svc]; !ok {
+			continue
+		}
+
+		out = append(out, svc)
+	}
+	return out
+}
+
 func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
 	if c == nil {
 		return true
@@ -113,10 +171,14 @@ func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
 	return len(c.ServiceLeaves) == 0 &&
 		len(c.WatchedLeaves) == 0 &&
 		len(c.WatchedIntentions) == 0 &&
+		len(c.Intentions) == 0 &&
 		len(c.ServiceGroups) == 0 &&
 		len(c.WatchedServices) == 0 &&
 		len(c.ServiceResolvers) == 0 &&
+		len(c.ServiceResolversSet) == 0 &&
 		len(c.WatchedResolvers) == 0 &&
+		len(c.ServiceConfigs) == 0 &&
+		len(c.WatchedConfigs) == 0 &&
 		len(c.GatewayServices) == 0 &&
 		len(c.HostnameServices) == 0
 }
@@ -252,15 +314,16 @@ func (k *IngressListenerKey) RouteName() string {
 // It is meant to be point-in-time coherent and is used to deliver the current
 // config state to observers who need it to be pushed in (e.g. XDS server).
 type ConfigSnapshot struct {
-	Kind            structs.ServiceKind
+	Kind                  structs.ServiceKind
-	Service         string
+	Service               string
-	ProxyID         structs.ServiceID
+	ProxyID               structs.ServiceID
-	Address         string
+	Address               string
-	Port            int
+	Port                  int
-	ServiceMeta     map[string]string
+	ServiceMeta           map[string]string
-	TaggedAddresses map[string]structs.ServiceAddress
+	TaggedAddresses       map[string]structs.ServiceAddress
-	Proxy           structs.ConnectProxyConfig
+	Proxy                 structs.ConnectProxyConfig
-	Datacenter      string
+	Datacenter            string
+	IntentionDefaultAllow bool
 
 	ServerSNIFn ServerSNIFunc
 	Roots       *structs.IndexedCARoots
@@ -276,24 +339,28 @@ type ConfigSnapshot struct {
 
 	// ingress-gateway specific
 	IngressGateway configSnapshotIngressGateway
-
-	// Skip intentions for now as we don't push those down yet, just pre-warm them.
 }
 
 // Valid returns whether or not the snapshot has all required fields filled yet.
 func (s *ConfigSnapshot) Valid() bool {
 	switch s.Kind {
 	case structs.ServiceKindConnectProxy:
-		return s.Roots != nil && s.ConnectProxy.Leaf != nil
+		return s.Roots != nil &&
+			s.ConnectProxy.Leaf != nil &&
+			s.ConnectProxy.IntentionsSet
+
 	case structs.ServiceKindTerminatingGateway:
 		return s.Roots != nil
+
 	case structs.ServiceKindMeshGateway:
 		if s.ServiceMeta[structs.MetaWANFederationKey] == "1" {
 			if len(s.MeshGateway.ConsulServers) == 0 {
 				return false
 			}
 		}
-		return s.Roots != nil && (s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0)
+		return s.Roots != nil &&
+			(s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0)
+
 	case structs.ServiceKindIngressGateway:
 		return s.Roots != nil &&
 			s.IngressGateway.Leaf != nil &&
@@ -323,6 +390,8 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
 		snap.TerminatingGateway.WatchedServices = nil
 		snap.TerminatingGateway.WatchedIntentions = nil
 		snap.TerminatingGateway.WatchedLeaves = nil
+		snap.TerminatingGateway.WatchedConfigs = nil
+		snap.TerminatingGateway.WatchedResolvers = nil
 	case structs.ServiceKindMeshGateway:
 		snap.MeshGateway.WatchedDatacenters = nil
 		snap.MeshGateway.WatchedServices = nil

agent/proxycfg/state.go

@@ -37,6 +37,7 @@ const (
 	gatewayConfigWatchID               = "gateway-config"
 	externalServiceIDPrefix            = "external-service:"
 	serviceLeafIDPrefix                = "service-leaf:"
+	serviceConfigIDPrefix              = "service-config:"
 	serviceResolverIDPrefix            = "service-resolver:"
 	serviceIntentionsIDPrefix          = "service-intentions:"
 	svcChecksWatchIDPrefix             = cachetype.ServiceHTTPChecksName + ":"
@@ -50,11 +51,12 @@ const (
 // is discarded and a new one created.
 type state struct {
 	// logger, source and cache are required to be set before calling Watch.
-	logger      hclog.Logger
+	logger                hclog.Logger
-	source      *structs.QuerySource
+	source                *structs.QuerySource
-	cache       CacheNotifier
+	cache                 CacheNotifier
-	dnsConfig   DNSConfig
+	dnsConfig             DNSConfig
-	serverSNIFn ServerSNIFunc
+	serverSNIFn           ServerSNIFunc
+	intentionDefaultAllow bool
 
 	// ctx and cancel store the context created during initWatches call
 	ctx    context.Context
@@ -523,16 +525,17 @@ func (s *state) initWatchesIngressGateway() error {
 
 func (s *state) initialConfigSnapshot() ConfigSnapshot {
 	snap := ConfigSnapshot{
-		Kind:            s.kind,
+		Kind:                  s.kind,
-		Service:         s.service,
+		Service:               s.service,
-		ProxyID:         s.proxyID,
+		ProxyID:               s.proxyID,
-		Address:         s.address,
+		Address:               s.address,
-		Port:            s.port,
+		Port:                  s.port,
-		ServiceMeta:     s.meta,
+		ServiceMeta:           s.meta,
-		TaggedAddresses: s.taggedAddresses,
+		TaggedAddresses:       s.taggedAddresses,
-		Proxy:           s.proxyCfg,
+		Proxy:                 s.proxyCfg,
-		Datacenter:      s.source.Datacenter,
+		Datacenter:            s.source.Datacenter,
-		ServerSNIFn:     s.serverSNIFn,
+		ServerSNIFn:           s.serverSNIFn,
+		IntentionDefaultAllow: s.intentionDefaultAllow,
 	}
 
 	switch s.kind {
@@ -546,12 +549,16 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot {
 		snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes)
 	case structs.ServiceKindTerminatingGateway:
 		snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc)
-		snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc)
 		snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc)
-		snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc)
+		snap.TerminatingGateway.Intentions = make(map[structs.ServiceName]structs.Intentions)
+		snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc)
 		snap.TerminatingGateway.ServiceLeaves = make(map[structs.ServiceName]*structs.IssuedCert)
-		snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes)
+		snap.TerminatingGateway.WatchedConfigs = make(map[structs.ServiceName]context.CancelFunc)
+		snap.TerminatingGateway.ServiceConfigs = make(map[structs.ServiceName]*structs.ServiceConfigResponse)
+		snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc)
 		snap.TerminatingGateway.ServiceResolvers = make(map[structs.ServiceName]*structs.ServiceResolverConfigEntry)
+		snap.TerminatingGateway.ServiceResolversSet = make(map[structs.ServiceName]bool)
+		snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes)
 		snap.TerminatingGateway.GatewayServices = make(map[structs.ServiceName]structs.GatewayService)
 		snap.TerminatingGateway.HostnameServices = make(map[structs.ServiceName]structs.CheckServiceNodes)
 	case structs.ServiceKindMeshGateway:
@@ -691,7 +698,17 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh
 		}
 		snap.Roots = roots
 	case u.CorrelationID == intentionsWatchID:
-		// no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache
+		resp, ok := u.Result.(*structs.IndexedIntentionMatches)
+		if !ok {
+			return fmt.Errorf("invalid type for response: %T", u.Result)
+		}
+		if len(resp.Matches) > 0 {
+			// RPC supports matching multiple services at once but we only ever
+			// query with the one service we represent currently so just pick
+			// the one result set up.
+			snap.ConnectProxy.Intentions = resp.Matches[0]
+		}
+		snap.ConnectProxy.IntentionsSet = true
 
 	case strings.HasPrefix(u.CorrelationID, "upstream:"+preparedQueryIDPrefix):
 		resp, ok := u.Result.(*structs.PreparedQueryExecuteResponse)
@@ -1000,6 +1017,28 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
 				snap.TerminatingGateway.WatchedLeaves[svc.Service] = cancel
 			}
 
+			// Watch service configs for the service.
+			// These are used to determine the protocol for the target service.
+			if _, ok := snap.TerminatingGateway.WatchedConfigs[svc.Service]; !ok {
+				ctx, cancel := context.WithCancel(s.ctx)
+				err := s.cache.Notify(ctx, cachetype.ResolvedServiceConfigName, &structs.ServiceConfigRequest{
+					Datacenter:     s.source.Datacenter,
+					QueryOptions:   structs.QueryOptions{Token: s.token},
+					Name:           svc.Service.Name,
+					EnterpriseMeta: svc.Service.EnterpriseMeta,
+				}, serviceConfigIDPrefix+svc.Service.String(), s.ch)
+
+				if err != nil {
+					logger.Error("failed to register watch for a resolved service config",
+						"service", svc.Service.String(),
+						"error", err,
+					)
+					cancel()
+					return err
+				}
+				snap.TerminatingGateway.WatchedConfigs[svc.Service] = cancel
+			}
+
 			// Watch service resolvers for the service
 			// These are used to create clusters and endpoints for the service subsets
 			if _, ok := snap.TerminatingGateway.WatchedResolvers[svc.Service]; !ok {
@@ -1058,12 +1097,23 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
 			}
 		}
 
+		// Cancel service config watches for services that were not in the update
+		for sn, cancelFn := range snap.TerminatingGateway.WatchedConfigs {
+			if _, ok := svcMap[sn]; !ok {
+				logger.Debug("canceling watch for resolved service config", "service", sn.String())
+				delete(snap.TerminatingGateway.WatchedConfigs, sn)
+				delete(snap.TerminatingGateway.ServiceConfigs, sn)
+				cancelFn()
+			}
+		}
+
 		// Cancel service-resolver watches for services that were not in the update
 		for sn, cancelFn := range snap.TerminatingGateway.WatchedResolvers {
 			if _, ok := svcMap[sn]; !ok {
 				logger.Debug("canceling watch for service-resolver", "service", sn.String())
 				delete(snap.TerminatingGateway.WatchedResolvers, sn)
 				delete(snap.TerminatingGateway.ServiceResolvers, sn)
+				delete(snap.TerminatingGateway.ServiceResolversSet, sn)
 				cancelFn()
 			}
 		}
@@ -1073,9 +1123,7 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
 			if _, ok := svcMap[sn]; !ok {
 				logger.Debug("canceling watch for intention", "service", sn.String())
 				delete(snap.TerminatingGateway.WatchedIntentions, sn)
-
+				delete(snap.TerminatingGateway.Intentions, sn)
-				// No additional deletions needed, since intentions aren't stored in snapshot
-
 				cancelFn()
 			}
 		}
@@ -1105,21 +1153,43 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
 		sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceLeafIDPrefix))
 		snap.TerminatingGateway.ServiceLeaves[sn] = leaf
 
-	case strings.HasPrefix(u.CorrelationID, "service-resolver:"):
+	case strings.HasPrefix(u.CorrelationID, serviceConfigIDPrefix):
+		serviceConfig, ok := u.Result.(*structs.ServiceConfigResponse)
+		if !ok {
+			return fmt.Errorf("invalid type for response: %T", u.Result)
+		}
+
+		sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceConfigIDPrefix))
+		snap.TerminatingGateway.ServiceConfigs[sn] = serviceConfig
+
+	case strings.HasPrefix(u.CorrelationID, serviceResolverIDPrefix):
 		configEntries, ok := u.Result.(*structs.IndexedConfigEntries)
 		if !ok {
 			return fmt.Errorf("invalid type for response: %T", u.Result)
 		}
+		sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceResolverIDPrefix))
 		// There should only ever be one entry for a service resolver within a namespace
 		if len(configEntries.Entries) == 1 {
 			if resolver, ok := configEntries.Entries[0].(*structs.ServiceResolverConfigEntry); ok {
-				snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName(resolver.Name, &resolver.EnterpriseMeta)] = resolver
+				snap.TerminatingGateway.ServiceResolvers[sn] = resolver
 			}
 		}
+		snap.TerminatingGateway.ServiceResolversSet[sn] = true
 
-	// nolint: staticcheck // github.com/dominikh/go-tools/issues/580
 	case strings.HasPrefix(u.CorrelationID, serviceIntentionsIDPrefix):
-		// no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache
+		resp, ok := u.Result.(*structs.IndexedIntentionMatches)
+		if !ok {
+			return fmt.Errorf("invalid type for response: %T", u.Result)
+		}
+
+		sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceIntentionsIDPrefix))
+
+		if len(resp.Matches) > 0 {
+			// RPC supports matching multiple services at once but we only ever
+			// query with the one service we represent currently so just pick
+			// the one result set up.
+			snap.TerminatingGateway.Intentions[sn] = resp.Matches[0]
+		}
 
 	default:
 		// do nothing

agent/proxycfg/state_test.go

@@ -223,6 +223,17 @@ func genVerifyResolverWatch(expectedService, expectedDatacenter, expectedKind st
 	}
 }
 
+func genVerifyResolvedConfigWatch(expectedService string, expectedDatacenter string) verifyWatchRequest {
+	return func(t testing.TB, cacheType string, request cache.Request) {
+		require.Equal(t, cachetype.ResolvedServiceConfigName, cacheType)
+
+		reqReal, ok := request.(*structs.ServiceConfigRequest)
+		require.True(t, ok)
+		require.Equal(t, expectedDatacenter, reqReal.Datacenter)
+		require.Equal(t, expectedService, reqReal.Name)
+	}
+}
+
 func genVerifyIntentionWatch(expectedService string, expectedDatacenter string) verifyWatchRequest {
 	return func(t testing.TB, cacheType string, request cache.Request) {
 		require.Equal(t, cachetype.IntentionMatchName, cacheType)
@@ -422,6 +433,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 			ns.Proxy.MeshGateway.Mode = meshGatewayProxyConfigValue
 		}
 
+		ixnMatch := TestIntentions()
+
 		stage0 := verificationStage{
 			requiredWatches: map[string]verifyWatchRequest{
 				rootsWatchID:                    genVerifyRootsWatch("dc1"),
@@ -481,6 +494,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					Result:        issuedCert,
 					Err:           nil,
 				},
+				{
+					CorrelationID: intentionsWatchID,
+					Result:        ixnMatch,
+					Err:           nil,
+				},
 				{
 					CorrelationID: "discovery-chain:api",
 					Result: &structs.DiscoveryChainResponse{
@@ -555,6 +573,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 
 				require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
 				require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
+
+				require.True(t, snap.ConnectProxy.IntentionsSet)
+				require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions)
 			},
 		}
 
@@ -581,6 +602,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 
 				require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
 				require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
+
+				require.True(t, snap.ConnectProxy.IntentionsSet)
+				require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions)
 			},
 		}
 
@@ -599,9 +623,46 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 	db := structs.NewServiceName("db", nil)
 	dbStr := db.String()
 
+	billing := structs.NewServiceName("billing", nil)
+
 	api := structs.NewServiceName("api", nil)
 	apiStr := api.String()
 
+	dbIxnMatch := &structs.IndexedIntentionMatches{
+		Matches: []structs.Intentions{
+			[]*structs.Intention{
+				{
+					ID:              "abc-123",
+					SourceNS:        "default",
+					SourceName:      "api",
+					DestinationNS:   "default",
+					DestinationName: "db",
+					Action:          structs.IntentionActionAllow,
+				},
+			},
+		},
+	}
+
+	dbConfig := &structs.ServiceConfigResponse{
+		ProxyConfig: map[string]interface{}{
+			"protocol": "grpc",
+		},
+	}
+
+	dbResolver := &structs.IndexedConfigEntries{
+		Kind: structs.ServiceResolver,
+		Entries: []structs.ConfigEntry{
+			&structs.ServiceResolverConfigEntry{
+				Name: "db",
+				Kind: structs.ServiceResolver,
+				Redirect: &structs.ServiceResolverRedirect{
+					Service:    "db",
+					Datacenter: "dc2",
+				},
+			},
+		},
+	}
+
 	cases := map[string]testCase{
 		"initial-gateway": {
 			ns: structs.NodeService{
@@ -1105,7 +1166,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 							Result: &structs.IndexedGatewayServices{
 								Services: structs.GatewayServices{
 									{
-										Service: structs.NewServiceName("db", nil),
+										Service: db,
 										Gateway: structs.NewServiceName("terminating-gateway", nil),
 									},
 								},
@@ -1115,7 +1176,10 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
 						require.Len(t, snap.TerminatingGateway.WatchedServices, 1)
+						require.Contains(t, snap.TerminatingGateway.WatchedServices, db)
 					},
 				},
 				{
@@ -1125,15 +1189,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 							Result: &structs.IndexedGatewayServices{
 								Services: structs.GatewayServices{
 									{
-										Service: structs.NewServiceName("db", nil),
+										Service: db,
 										Gateway: structs.NewServiceName("terminating-gateway", nil),
 									},
 									{
-										Service: structs.NewServiceName("billing", nil),
+										Service: billing,
 										Gateway: structs.NewServiceName("terminating-gateway", nil),
 									},
 									{
-										Service: structs.NewServiceName("api", nil),
+										Service: api,
 										Gateway: structs.NewServiceName("terminating-gateway", nil),
 									},
 								},
@@ -1142,11 +1206,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
-						db := structs.NewServiceName("db", nil)
-						billing := structs.NewServiceName("billing", nil)
-						api := structs.NewServiceName("api", nil)
-
 						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
 						require.Len(t, snap.TerminatingGateway.WatchedServices, 3)
 						require.Contains(t, snap.TerminatingGateway.WatchedServices, db)
 						require.Contains(t, snap.TerminatingGateway.WatchedServices, billing)
@@ -1162,6 +1224,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						require.Contains(t, snap.TerminatingGateway.WatchedLeaves, billing)
 						require.Contains(t, snap.TerminatingGateway.WatchedLeaves, api)
 
+						require.Len(t, snap.TerminatingGateway.WatchedConfigs, 3)
+						require.Contains(t, snap.TerminatingGateway.WatchedConfigs, db)
+						require.Contains(t, snap.TerminatingGateway.WatchedConfigs, billing)
+						require.Contains(t, snap.TerminatingGateway.WatchedConfigs, api)
+
 						require.Len(t, snap.TerminatingGateway.WatchedResolvers, 3)
 						require.Contains(t, snap.TerminatingGateway.WatchedResolvers, db)
 						require.Contains(t, snap.TerminatingGateway.WatchedResolvers, billing)
@@ -1198,8 +1265,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
+						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
 						require.Len(t, snap.TerminatingGateway.ServiceGroups, 1)
-						require.Equal(t, snap.TerminatingGateway.ServiceGroups[structs.NewServiceName("db", nil)],
+						require.Equal(t, snap.TerminatingGateway.ServiceGroups[db],
 							structs.CheckServiceNodes{
 								{
 									Node: &structs.Node{
@@ -1263,6 +1333,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
+						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
 						require.Len(t, snap.TerminatingGateway.ServiceGroups, 2)
 						expect := structs.CheckServiceNodes{
 							{
@@ -1299,11 +1372,10 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 								},
 							},
 						}
-						sn := structs.NewServiceName("api", nil)
+						require.Equal(t, snap.TerminatingGateway.ServiceGroups[api], expect)
-						require.Equal(t, snap.TerminatingGateway.ServiceGroups[sn], expect)
 
 						// The instance in node3 should not be present in HostnameDatacenters because it has a valid IP
-						require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[sn], expect[:2])
+						require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[api], expect[:2])
 					},
 				},
 				{
@@ -1318,7 +1390,50 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
-						require.Equal(t, snap.TerminatingGateway.ServiceLeaves[structs.NewServiceName("db", nil)], issuedCert)
+						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
+						require.Equal(t, snap.TerminatingGateway.ServiceLeaves[db], issuedCert)
+					},
+				},
+				{
+					requiredWatches: map[string]verifyWatchRequest{
+						serviceIntentionsIDPrefix + dbStr: genVerifyIntentionWatch("db", "dc1"),
+					},
+					events: []cache.UpdateEvent{
+						{
+							CorrelationID: serviceIntentionsIDPrefix + dbStr,
+							Result:        dbIxnMatch,
+							Err:           nil,
+						},
+					},
+					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
+						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
+						require.Len(t, snap.TerminatingGateway.Intentions, 1)
+						dbIxn, ok := snap.TerminatingGateway.Intentions[db]
+						require.True(t, ok)
+						require.Equal(t, dbIxnMatch.Matches[0], dbIxn)
+					},
+				},
+				{
+					requiredWatches: map[string]verifyWatchRequest{
+						serviceConfigIDPrefix + dbStr: genVerifyResolvedConfigWatch("db", "dc1"),
+					},
+					events: []cache.UpdateEvent{
+						{
+							CorrelationID: serviceConfigIDPrefix + dbStr,
+							Result:        dbConfig,
+							Err:           nil,
+						},
+					},
+					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
+						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
+
+						require.Len(t, snap.TerminatingGateway.ServiceConfigs, 1)
+						require.Equal(t, snap.TerminatingGateway.ServiceConfigs[db], dbConfig)
 					},
 				},
 				{
@@ -1328,32 +1443,20 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					events: []cache.UpdateEvent{
 						{
 							CorrelationID: "service-resolver:" + dbStr,
-							Result: &structs.IndexedConfigEntries{
+							Result:        dbResolver,
-								Kind: structs.ServiceResolver,
+							Err:           nil,
-								Entries: []structs.ConfigEntry{
-									&structs.ServiceResolverConfigEntry{
-										Name: "db",
-										Kind: structs.ServiceResolver,
-										Redirect: &structs.ServiceResolverRedirect{
-											Service:    "db",
-											Datacenter: "dc2",
-										},
-									},
-								},
-							},
-							Err: nil,
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
-						want := &structs.ServiceResolverConfigEntry{
+						require.True(t, snap.Valid(), "gateway with service list is valid")
-							Kind: structs.ServiceResolver,
+						// Finally we have everything we need
-							Name: "db",
+						require.Equal(t, []structs.ServiceName{db}, snap.TerminatingGateway.ValidServices())
-							Redirect: &structs.ServiceResolverRedirect{
+
-								Service:    "db",
+						require.Len(t, snap.TerminatingGateway.ServiceResolversSet, 1)
-								Datacenter: "dc2",
+						require.True(t, snap.TerminatingGateway.ServiceResolversSet[db])
-							},
+
-						}
+						require.Len(t, snap.TerminatingGateway.ServiceResolvers, 1)
-						require.Equal(t, want, snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName("db", nil)])
+						require.Equal(t, dbResolver.Entries[0], snap.TerminatingGateway.ServiceResolvers[db])
 					},
 				},
 				{
@@ -1363,7 +1466,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 							Result: &structs.IndexedGatewayServices{
 								Services: structs.GatewayServices{
 									{
-										Service: structs.NewServiceName("billing", nil),
+										Service: billing,
 										Gateway: structs.NewServiceName("terminating-gateway", nil),
 									},
 								},
@@ -1372,9 +1475,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
-						billing := structs.NewServiceName("billing", nil)
-
 						require.True(t, snap.Valid(), "gateway with service list is valid")
+						require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
 
 						// All the watches should have been cancelled for db
 						require.Len(t, snap.TerminatingGateway.WatchedServices, 1)

agent/proxycfg/testing.go

@@ -99,7 +99,7 @@ func TestLeafForCA(t testing.T, ca *structs.CARoot) *structs.IssuedCert {
 
 // TestIntentions returns a sample intentions match result useful to
 // mocking service discovery cache results.
-func TestIntentions(t testing.T) *structs.IndexedIntentionMatches {
+func TestIntentions() *structs.IndexedIntentionMatches {
 	return &structs.IndexedIntentionMatches{
 		Matches: []structs.Intentions{
 			[]*structs.Intention{
@@ -685,6 +685,8 @@ func TestConfigSnapshot(t testing.T) *ConfigSnapshot {
 			PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{
 				"prepared_query:geo-cache": TestUpstreamNodes(t),
 			},
+			Intentions:    nil, // no intentions defined
+			IntentionsSet: true,
 		},
 		Datacenter: "dc1",
 	}
@@ -1793,6 +1795,12 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C
 				db:    dbNodes,
 				cache: cacheNodes,
 			},
+			ServiceResolversSet: map[structs.ServiceName]bool{
+				web:   true,
+				api:   true,
+				db:    true,
+				cache: true,
+			},
 			GatewayServices: map[structs.ServiceName]structs.GatewayService{
 				web: {
 					Service: web,
@@ -1817,20 +1825,43 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C
 				cache: {cacheNodes[0], cacheNodes[1]},
 			},
 		}
+
+		snap.TerminatingGateway.ServiceConfigs = map[structs.ServiceName]*structs.ServiceConfigResponse{
+			web: {
+				ProxyConfig: map[string]interface{}{"protocol": "tcp"},
+			},
+			api: {
+				ProxyConfig: map[string]interface{}{"protocol": "tcp"},
+			},
+			db: {
+				ProxyConfig: map[string]interface{}{"protocol": "tcp"},
+			},
+			cache: {
+				ProxyConfig: map[string]interface{}{"protocol": "tcp"},
+			},
+		}
+		snap.TerminatingGateway.Intentions = map[structs.ServiceName]structs.Intentions{
+			// no intentions defined for thse services
+			web:   nil,
+			api:   nil,
+			db:    nil,
+			cache: nil,
+		}
+
 		snap.TerminatingGateway.ServiceLeaves = map[structs.ServiceName]*structs.IssuedCert{
-			structs.NewServiceName("web", nil): {
+			web: {
 				CertPEM:       golden(t, "test-leaf-cert"),
 				PrivateKeyPEM: golden(t, "test-leaf-key"),
 			},
-			structs.NewServiceName("api", nil): {
+			api: {
 				CertPEM:       golden(t, "alt-test-leaf-cert"),
 				PrivateKeyPEM: golden(t, "alt-test-leaf-key"),
 			},
-			structs.NewServiceName("db", nil): {
+			db: {
 				CertPEM:       golden(t, "db-test-leaf-cert"),
 				PrivateKeyPEM: golden(t, "db-test-leaf-key"),
 			},
-			structs.NewServiceName("cache", nil): {
+			cache: {
 				CertPEM:       golden(t, "cache-test-leaf-cert"),
 				PrivateKeyPEM: golden(t, "cache-test-leaf-key"),
 			},

agent/structs/config_entry_discoverychain.go

@@ -1212,3 +1212,12 @@ func defaultIfEmpty(val, defaultVal string) string {
 	}
 	return defaultVal
 }
+
+func IsProtocolHTTPLike(protocol string) bool {
+	switch protocol {
+	case "http", "http2", "grpc":
+		return true
+	default:
+		return false
+	}
+}

agent/structs/config_entry_discoverychain_test.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/consul/acl"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -1162,3 +1163,12 @@ func TestValidateServiceSubset(t *testing.T) {
 		})
 	}
 }
+
+func TestIsProtocolHTTPLike(t *testing.T) {
+	assert.False(t, IsProtocolHTTPLike(""))
+	assert.False(t, IsProtocolHTTPLike("tcp"))
+
+	assert.True(t, IsProtocolHTTPLike("http"))
+	assert.True(t, IsProtocolHTTPLike("http2"))
+	assert.True(t, IsProtocolHTTPLike("grpc"))
+}

agent/structs/intention.go

@@ -359,6 +359,14 @@ func (x *Intention) EstimateSize() int {
 	return size
 }
 
+func (x *Intention) SourceServiceName() ServiceName {
+	return NewServiceName(x.SourceName, x.SourceEnterpriseMeta())
+}
+
+func (x *Intention) DestinationServiceName() ServiceName {
+	return NewServiceName(x.DestinationName, x.DestinationEnterpriseMeta())
+}
+
 // IntentionAction is the action that the intention represents. This
 // can be "allow" or "deny".
 type IntentionAction string

agent/structs/intention_oss.go

@@ -6,6 +6,14 @@ import (
 	"github.com/hashicorp/consul/acl"
 )
 
+func (ixn *Intention) SourceEnterpriseMeta() *EnterpriseMeta {
+	return DefaultEnterpriseMeta()
+}
+
+func (ixn *Intention) DestinationEnterpriseMeta() *EnterpriseMeta {
+	return DefaultEnterpriseMeta()
+}
+
 // FillAuthzContext can fill in an acl.AuthorizerContext object to setup
 // extra parameters for ACL enforcement. In OSS there is currently nothing
 // extra to be done.

agent/xds/golden_test.go

@@ -9,6 +9,7 @@ import (
 
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	"github.com/golang/protobuf/jsonpb"
+	"github.com/golang/protobuf/proto"
 	"github.com/hashicorp/go-version"
 	"github.com/stretchr/testify/require"
 )
@@ -55,11 +56,15 @@ func golden(t *testing.T, name, subname, got string) string {
 }
 
 func responseToJSON(t *testing.T, r *envoy.DiscoveryResponse) string {
+	return protoToJSON(t, r)
+}
+
+func protoToJSON(t *testing.T, pb proto.Message) string {
 	t.Helper()
 	m := jsonpb.Marshaler{
 		Indent: "  ",
 	}
-	gotJSON, err := m.MarshalToString(r)
+	gotJSON, err := m.MarshalToString(pb)
 	require.NoError(t, err)
 	return gotJSON
 }

agent/xds/listeners.go

@@ -15,7 +15,6 @@ import (
 	envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
 	envoyroute "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
-	extauthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2"
 	envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
 	envoytcp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2"
 	envoytype "github.com/envoyproxy/go-control-plane/envoy/type"
@@ -23,6 +22,7 @@ import (
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
 	"github.com/golang/protobuf/jsonpb"
 	"github.com/golang/protobuf/proto"
+	pbtypes "github.com/golang/protobuf/ptypes"
 	"github.com/golang/protobuf/ptypes/any"
 	pbstruct "github.com/golang/protobuf/ptypes/struct"
 	"github.com/golang/protobuf/ptypes/wrappers"
@@ -313,8 +313,17 @@ func (s *Server) makeIngressGatewayListeners(address string, cfgSnap *proxycfg.C
 		} else {
 			// If multiple upstreams share this port, make a special listener for the protocol.
 			listener := makeListener(listenerKey.Protocol, address, listenerKey.Port)
-			filter, err := makeListenerFilter(
+			opts := listenerFilterOpts{
-				true, listenerKey.Protocol, listenerKey.RouteName(), "", "ingress_upstream_", "", false)
+				useRDS:          true,
+				protocol:        listenerKey.Protocol,
+				filterName:      listenerKey.RouteName(),
+				cluster:         "",
+				statPrefix:      "ingress_upstream_",
+				routePath:       "",
+				ingress:         false,
+				httpAuthzFilter: nil,
+			}
+			filter, err := makeListenerFilter(opts)
 			if err != nil {
 				return nil, err
 			}
@@ -395,23 +404,104 @@ func makeListenerFromUserConfig(configJSON string) (*envoy.Listener, error) {
 	return &l, err
 }
 
-// Ensure that the first filter in each filter chain of a public listener is the
+// Ensure that the first filter in each filter chain of a public listener is
-// authz filter to prevent unauthorized access and that every filter chain uses
+// the authz filter to prevent unauthorized access.
-// our TLS certs. We might allow users to work around this later if there is a
+func (s *Server) injectConnectFilters(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
-// good use case but this is actually a feature for now as it allows them to
+	authzFilter, err := makeRBACNetworkFilter(
-// specify custom listener params in config but still get our certs delivered
+		cfgSnap.ConnectProxy.Intentions,
-// dynamically and intentions enforced without coming up with some complicated
+		cfgSnap.IntentionDefaultAllow,
-// templating/merging solution.
+	)
-func injectConnectFilters(cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
-	authFilter, err := makeExtAuthFilter(cInfo.Token)
 	if err != nil {
 		return err
 	}
+
 	for idx := range listener.FilterChains {
 		// Insert our authz filter before any others
 		listener.FilterChains[idx].Filters =
-			append([]*envoylistener.Filter{authFilter}, listener.FilterChains[idx].Filters...)
+			append([]*envoylistener.Filter{
+				authzFilter,
+			}, listener.FilterChains[idx].Filters...)
+	}
+	return nil
+}
 
+const httpConnectionManagerNewName = "envoy.filters.network.http_connection_manager"
+
+// Locate the existing http connect manager L4 filter and inject our RBAC filter at the top.
+func (s *Server) injectHTTPFilterOnFilterChains(
+	listener *envoy.Listener,
+	authzFilter *envoyhttp.HttpFilter,
+) error {
+	for chainIdx, chain := range listener.FilterChains {
+		var (
+			hcmFilter    *envoylistener.Filter
+			hcmFilterIdx int
+		)
+
+		for filterIdx, filter := range chain.Filters {
+			if filter.Name == wellknown.HTTPConnectionManager ||
+				filter.Name == httpConnectionManagerNewName {
+				hcmFilter = filter
+				hcmFilterIdx = filterIdx
+				break
+			}
+		}
+		if hcmFilter == nil {
+			return fmt.Errorf(
+				"filter chain %d lacks either a %q or %q filter",
+				chainIdx,
+				wellknown.HTTPConnectionManager,
+				httpConnectionManagerNewName,
+			)
+		}
+
+		var (
+			hcm     envoyhttp.HttpConnectionManager
+			isTyped bool
+		)
+		switch x := hcmFilter.ConfigType.(type) {
+		case *envoylistener.Filter_Config:
+			if err := conversion.StructToMessage(x.Config, &hcm); err != nil {
+				return err
+			}
+			isTyped = false
+		case *envoylistener.Filter_TypedConfig:
+			if err := pbtypes.UnmarshalAny(x.TypedConfig, &hcm); err != nil {
+				return err
+			}
+			isTyped = true
+		default:
+			return fmt.Errorf(
+				"filter chain %d has a %q filter with an unsupported config type: %T",
+				chainIdx,
+				hcmFilter.Name,
+				x,
+			)
+		}
+
+		// Insert our authz filter before any others
+		hcm.HttpFilters = append([]*envoyhttp.HttpFilter{
+			authzFilter,
+		}, hcm.HttpFilters...)
+
+		// And persist the modified filter.
+		newFilter, err := makeFilter(hcmFilter.Name, &hcm, isTyped)
+		if err != nil {
+			return err
+		}
+		chain.Filters[hcmFilterIdx] = newFilter
+	}
+
+	return nil
+}
+
+// Ensure every filter chain uses our TLS certs. We might allow users to work
+// around this later if there is a good use case but this is actually a feature
+// for now as it allows them to specify custom listener params in config but
+// still get our certs delivered dynamically and intentions enforced without
+// coming up with some complicated templating/merging solution.
+func (s *Server) injectConnectTLSOnFilterChains(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
+	for idx := range listener.FilterChains {
 		listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{
 			CommonTlsContext:         makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
 			RequireClientCertificate: &wrappers.BoolValue{Value: true},
@@ -436,9 +526,12 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
 		if err != nil {
 			return l, err
 		}
-		// In the happy path don't return yet as we need to inject TLS config still.
+		// In the happy path don't return yet as we need to inject TLS and authz config still.
 	}
 
+	// This controls if we do L4 or L7 intention checks.
+	useHTTPFilter := structs.IsProtocolHTTPLike(cfg.Protocol)
+
 	if l == nil {
 		// No user config, use default listener
 		addr := cfgSnap.Address
@@ -460,8 +553,27 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
 
 		l = makeListener(PublicListenerName, addr, port)
 
-		filter, err := makeListenerFilter(
+		opts := listenerFilterOpts{
-			false, cfg.Protocol, "public_listener", LocalAppClusterName, "", "", true)
+			useRDS:     false,
+			protocol:   cfg.Protocol,
+			filterName: "public_listener",
+			cluster:    LocalAppClusterName,
+			statPrefix: "",
+			routePath:  "",
+			ingress:    true,
+		}
+
+		if useHTTPFilter {
+			opts.httpAuthzFilter, err = makeRBACHTTPFilter(
+				cfgSnap.ConnectProxy.Intentions,
+				cfgSnap.IntentionDefaultAllow,
+			)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		filter, err := makeListenerFilter(opts)
 		if err != nil {
 			return nil, err
 		}
@@ -472,9 +584,39 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
 				},
 			},
 		}
+
+	} else if useHTTPFilter {
+		httpAuthzFilter, err := makeRBACHTTPFilter(
+			cfgSnap.ConnectProxy.Intentions,
+			cfgSnap.IntentionDefaultAllow,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		// We're using the listener escape hatch, so try our best to inject the
+		// HTTP RBAC filter, but if we can't then just inject the RBAC Network
+		// filter instead.
+		if err := s.injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
+			s.Logger.Warn(
+				"could not inject the HTTP RBAC filter to enforce intentions on user-provided 'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
+				"proxy", cfgSnap.ProxyID,
+				"error", err,
+			)
+			useHTTPFilter = false
+		}
+	}
+
+	if !useHTTPFilter {
+		if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := s.injectConnectTLSOnFilterChains(cInfo, cfgSnap, l); err != nil {
+		return nil, err
 	}
 
-	err = injectConnectFilters(cInfo, cfgSnap, l)
 	return l, err
 }
 
@@ -505,7 +647,17 @@ func (s *Server) makeExposedCheckListener(cfgSnap *proxycfg.ConfigSnapshot, clus
 
 	filterName := fmt.Sprintf("exposed_path_filter_%s_%d", strippedPath, path.ListenerPort)
 
-	f, err := makeListenerFilter(false, path.Protocol, filterName, cluster, "", path.Path, true)
+	opts := listenerFilterOpts{
+		useRDS:          false,
+		protocol:        path.Protocol,
+		filterName:      filterName,
+		cluster:         cluster,
+		statPrefix:      "",
+		routePath:       path.Path,
+		ingress:         true,
+		httpAuthzFilter: nil,
+	}
+	f, err := makeListenerFilter(opts)
 	if err != nil {
 		return nil, err
 	}
@@ -557,20 +709,35 @@ func (s *Server) makeTerminatingGatewayListener(
 
 	// Make a FilterChain for each linked service
 	// Match on the cluster name,
-	for svc := range cfgSnap.TerminatingGateway.ServiceGroups {
+	for _, svc := range cfgSnap.TerminatingGateway.ValidServices() {
 		clusterName := connect.ServiceSNI(svc.Name, "", svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
+
+		// Resolvers are optional.
 		resolver, hasResolver := cfgSnap.TerminatingGateway.ServiceResolvers[svc]
 
-		// Skip the service if we don't have a cert to present for mTLS
+		intentions := cfgSnap.TerminatingGateway.Intentions[svc]
-		if cert, ok := cfgSnap.TerminatingGateway.ServiceLeaves[svc]; !ok || cert == nil {
+		svcConfig := cfgSnap.TerminatingGateway.ServiceConfigs[svc]
-			// TODO (gateways) (freddy) Should the error suggest that the issue may be ACLs? (need service:write on service)
+
-			s.Logger.Named(logging.TerminatingGateway).
+		cfg, err := ParseProxyConfig(svcConfig.ProxyConfig)
-				Error("no client certificate available for linked service, skipping filter chain creation",
+		if err != nil {
-					"service", svc.String(), "error", err)
+			// Don't hard fail on a config typo, just warn. The parse func returns
-			continue
+			// default config if there is an error so it's safe to continue.
+			s.Logger.Named(logging.TerminatingGateway).Warn(
+				"failed to parse Connect.Proxy.Config for linked service",
+				"service", svc.String(),
+				"error", err,
+			)
 		}
 
-		clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc)
+		clusterChain, err := s.makeFilterChainTerminatingGateway(
+			cInfo,
+			cfgSnap,
+			name,
+			clusterName,
+			svc,
+			intentions,
+			cfg.Protocol,
+		)
 		if err != nil {
 			return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
 		}
@@ -580,13 +747,21 @@ func (s *Server) makeTerminatingGatewayListener(
 		if hasResolver {
 			// generate 1 filter chain for each service subset
 			for subsetName := range resolver.Subsets {
-				clusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
+				subsetClusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
 
-				clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc)
+				subsetClusterChain, err := s.makeFilterChainTerminatingGateway(
+					cInfo,
+					cfgSnap,
+					name,
+					subsetClusterName,
+					svc,
+					intentions,
+					cfg.Protocol,
+				)
 				if err != nil {
-					return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
+					return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", subsetClusterName, err)
 				}
-				l.FilterChains = append(l.FilterChains, clusterChain)
+				l.FilterChains = append(l.FilterChains, subsetClusterChain)
 			}
 		}
 	}
@@ -608,41 +783,70 @@ func (s *Server) makeTerminatingGatewayListener(
 	return l, nil
 }
 
-func (s *Server) sniFilterChainTerminatingGateway(
+func (s *Server) makeFilterChainTerminatingGateway(
-	cInfo connectionInfo,
+	_ connectionInfo,
 	cfgSnap *proxycfg.ConfigSnapshot,
 	listener, cluster string,
 	service structs.ServiceName,
+	intentions structs.Intentions,
+	protocol string,
 ) (*envoylistener.FilterChain, error) {
-
+	filterChain := &envoylistener.FilterChain{
-	authFilter, err := makeExtAuthFilter(cInfo.Token)
-	if err != nil {
-		return nil, err
-	}
-	sniCluster, err := makeSNIClusterFilter()
-	if err != nil {
-		return nil, err
-	}
-
-	// The cluster name here doesn't matter as the sni_cluster filter will fill it in for us.
-	statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name)
-	tcpProxy, err := makeTCPProxyFilter(listener, "", statPrefix)
-	if err != nil {
-		return nil, err
-	}
-
-	return &envoylistener.FilterChain{
 		FilterChainMatch: makeSNIFilterChainMatch(cluster),
-		Filters: []*envoylistener.Filter{
+		Filters:          make([]*envoylistener.Filter, 0, 3),
-			authFilter,
-			sniCluster,
-			tcpProxy,
-		},
 		TlsContext: &envoyauth.DownstreamTlsContext{
 			CommonTlsContext:         makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.TerminatingGateway.ServiceLeaves[service]),
 			RequireClientCertificate: &wrappers.BoolValue{Value: true},
 		},
-	}, err
+	}
+
+	// This controls if we do L4 or L7 intention checks.
+	useHTTPFilter := structs.IsProtocolHTTPLike(protocol)
+
+	// If this is L4, the first filter we setup is to do intention checks.
+	if !useHTTPFilter {
+		authFilter, err := makeRBACNetworkFilter(
+			intentions,
+			cfgSnap.IntentionDefaultAllow,
+		)
+		if err != nil {
+			return nil, err
+		}
+		filterChain.Filters = append(filterChain.Filters, authFilter)
+	}
+
+	// Lastly we setup the actual proxying component. For L4 this is a straight
+	// tcp proxy. For L7 this is a very hands-off HTTP proxy just to inject an
+	// HTTP filter to do intention checks here instead.
+	statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name)
+	opts := listenerFilterOpts{
+		useRDS:     false,
+		protocol:   protocol,
+		filterName: listener,
+		cluster:    cluster,
+		statPrefix: statPrefix,
+		routePath:  "",
+		ingress:    false,
+	}
+
+	if useHTTPFilter {
+		var err error
+		opts.httpAuthzFilter, err = makeRBACHTTPFilter(
+			intentions,
+			cfgSnap.IntentionDefaultAllow,
+		)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	filter, err := makeListenerFilter(opts)
+	if err != nil {
+		return nil, err
+	}
+	filterChain.Filters = append(filterChain.Filters, filter)
+
+	return filterChain, nil
 }
 
 func (s *Server) makeMeshGatewayListener(name, addr string, port int, cfgSnap *proxycfg.ConfigSnapshot) (*envoy.Listener, error) {
@@ -791,8 +995,17 @@ func (s *Server) makeUpstreamListenerForDiscoveryChain(
 		clusterName = CustomizeClusterName(target.Name, chain)
 	}
 
-	filter, err := makeListenerFilter(
+	opts := listenerFilterOpts{
-		useRDS, cfg.Protocol, upstreamID, clusterName, "upstream_", "", false)
+		useRDS:          useRDS,
+		protocol:        cfg.Protocol,
+		filterName:      upstreamID,
+		cluster:         clusterName,
+		statPrefix:      "upstream_",
+		routePath:       "",
+		ingress:         false,
+		httpAuthzFilter: nil,
+	}
+	filter, err := makeListenerFilter(opts)
 	if err != nil {
 		return nil, err
 	}
@@ -855,26 +1068,34 @@ func getAndModifyUpstreamConfigForListener(logger hclog.Logger, u *structs.Upstr
 	return cfg
 }
 
-func makeListenerFilter(
+type listenerFilterOpts struct {
-	useRDS bool,
+	useRDS          bool
-	protocol, filterName, cluster, statPrefix, routePath string, ingress bool) (*envoylistener.Filter, error) {
+	protocol        string
+	filterName      string
+	cluster         string
+	statPrefix      string
+	routePath       string
+	ingress         bool
+	httpAuthzFilter *envoyhttp.HttpFilter
+}
 
-	switch protocol {
+func makeListenerFilter(opts listenerFilterOpts) (*envoylistener.Filter, error) {
+	switch opts.protocol {
 	case "grpc":
-		return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, true, true)
+		return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, true, true, opts.httpAuthzFilter)
 	case "http2":
-		return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, true)
+		return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, true, opts.httpAuthzFilter)
 	case "http":
-		return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, false)
+		return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, false, opts.httpAuthzFilter)
 	case "tcp":
 		fallthrough
 	default:
-		if useRDS {
+		if opts.useRDS {
 			return nil, fmt.Errorf("RDS is not compatible with the tcp proxy filter")
-		} else if cluster == "" {
+		} else if opts.cluster == "" {
 			return nil, fmt.Errorf("cluster name is required for a tcp proxy filter")
 		}
-		return makeTCPProxyFilter(filterName, cluster, statPrefix)
+		return makeTCPProxyFilter(opts.filterName, opts.cluster, opts.statPrefix)
 	}
 }
 
@@ -898,7 +1119,7 @@ func makeTCPProxyFilter(filterName, cluster, statPrefix string) (*envoylistener.
 		StatPrefix:       makeStatPrefix("tcp", statPrefix, filterName),
 		ClusterSpecifier: &envoytcp.TcpProxy_Cluster{Cluster: cluster},
 	}
-	return makeFilter("envoy.tcp_proxy", cfg)
+	return makeFilter("envoy.tcp_proxy", cfg, false)
 }
 
 func makeStatPrefix(protocol, prefix, filterName string) string {
@@ -912,6 +1133,7 @@ func makeHTTPFilter(
 	useRDS bool,
 	filterName, cluster, statPrefix, routePath string,
 	ingress, grpc, http2 bool,
+	authzFilter *envoyhttp.HttpFilter,
 ) (*envoylistener.Filter, error) {
 	op := envoyhttp.HttpConnectionManager_Tracing_INGRESS
 	if !ingress {
@@ -1001,43 +1223,51 @@ func makeHTTPFilter(
 		cfg.Http2ProtocolOptions = &envoycore.Http2ProtocolOptions{}
 	}
 
+	// Like injectConnectFilters for L4, here we ensure that the first filter
+	// (other than the "envoy.grpc_http1_bridge" filter) in the http filter
+	// chain of a public listener is the authz filter to prevent unauthorized
+	// access and that every filter chain uses our TLS certs.
+	if authzFilter != nil {
+		cfg.HttpFilters = append([]*envoyhttp.HttpFilter{authzFilter}, cfg.HttpFilters...)
+	}
+
 	if grpc {
-		// Add grpc bridge before router
+		// Add grpc bridge before router and authz
 		cfg.HttpFilters = append([]*envoyhttp.HttpFilter{{
 			Name:       "envoy.grpc_http1_bridge",
 			ConfigType: &envoyhttp.HttpFilter_Config{Config: &pbstruct.Struct{}},
 		}}, cfg.HttpFilters...)
 	}
 
-	return makeFilter("envoy.http_connection_manager", cfg)
+	return makeFilter("envoy.http_connection_manager", cfg, false)
 }
 
-func makeExtAuthFilter(token string) (*envoylistener.Filter, error) {
+func makeFilter(name string, cfg proto.Message, typed bool) (*envoylistener.Filter, error) {
-	cfg := &extauthz.ExtAuthz{
+	filter := &envoylistener.Filter{
-		StatPrefix: "connect_authz",
+		Name: name,
-		GrpcService: &envoycore.GrpcService{
-			// Attach token header so we can authorize the callbacks. Technically
-			// authorize is not really protected data but we locked down the HTTP
-			// implementation to need service:write and since we have the token that
-			// has that it's pretty reasonable to set it up here.
-			InitialMetadata: []*envoycore.HeaderValue{
-				{
-					Key:   "x-consul-token",
-					Value: token,
-				},
-			},
-			TargetSpecifier: &envoycore.GrpcService_EnvoyGrpc_{
-				EnvoyGrpc: &envoycore.GrpcService_EnvoyGrpc{
-					ClusterName: LocalAgentClusterName,
-				},
-			},
-		},
-		FailureModeAllow: false,
 	}
-	return makeFilter("envoy.ext_authz", cfg)
+	if typed {
+		any, err := pbtypes.MarshalAny(cfg)
+		if err != nil {
+			return nil, err
+		}
+
+		filter.ConfigType = &envoylistener.Filter_TypedConfig{TypedConfig: any}
+	} else {
+		// Ridiculous dance to make that struct into pbstruct.Struct by... encoding it
+		// as JSON and decoding again!!
+		cfgStruct, err := conversion.MessageToStruct(cfg)
+		if err != nil {
+			return nil, err
+		}
+
+		filter.ConfigType = &envoylistener.Filter_Config{Config: cfgStruct}
+	}
+
+	return filter, nil
 }
 
-func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) {
+func makeEnvoyHTTPFilter(name string, cfg proto.Message) (*envoyhttp.HttpFilter, error) {
 	// Ridiculous dance to make that struct into pbstruct.Struct by... encoding it
 	// as JSON and decoding again!!
 	cfgStruct, err := conversion.MessageToStruct(cfg)
@@ -1045,9 +1275,9 @@ func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) {
 		return nil, err
 	}
 
-	return &envoylistener.Filter{
+	return &envoyhttp.HttpFilter{
 		Name:       name,
-		ConfigType: &envoylistener.Filter_Config{Config: cfgStruct},
+		ConfigType: &envoyhttp.HttpFilter_Config{Config: cfgStruct},
 	}, nil
 }
 

agent/xds/listeners_test.go

@@ -2,13 +2,13 @@ package xds
 
 import (
 	"bytes"
-	"fmt"
 	"path/filepath"
 	"sort"
 	"testing"
 	"text/template"
 
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
 	"github.com/hashicorp/consul/agent/proxycfg"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/agent/xds/proxysupport"
@@ -80,6 +80,66 @@ func TestListenersFromSnapshot(t *testing.T) {
 					})
 			},
 		},
+		{
+			name:   "custom-public-listener-http",
+			create: proxycfg.TestConfigSnapshot,
+			setup: func(snap *proxycfg.ConfigSnapshot) {
+				snap.Proxy.Config["protocol"] = "http"
+				snap.Proxy.Config["envoy_public_listener_json"] =
+					customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
+						Name: "custom-public-listen",
+					})
+			},
+		},
+		{
+			name:   "custom-public-listener-http-typed",
+			create: proxycfg.TestConfigSnapshot,
+			setup: func(snap *proxycfg.ConfigSnapshot) {
+				snap.Proxy.Config["protocol"] = "http"
+				snap.Proxy.Config["envoy_public_listener_json"] =
+					customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
+						Name:        "custom-public-listen",
+						TypedConfig: true,
+					})
+			},
+		},
+		{
+			name:   "custom-public-listener-http-2",
+			create: proxycfg.TestConfigSnapshot,
+			setup: func(snap *proxycfg.ConfigSnapshot) {
+				snap.Proxy.Config["protocol"] = "http"
+				snap.Proxy.Config["envoy_public_listener_json"] =
+					customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
+						Name:                      "custom-public-listen",
+						HTTPConnectionManagerName: httpConnectionManagerNewName,
+					})
+			},
+		},
+		{
+			name:   "custom-public-listener-http-2-typed",
+			create: proxycfg.TestConfigSnapshot,
+			setup: func(snap *proxycfg.ConfigSnapshot) {
+				snap.Proxy.Config["protocol"] = "http"
+				snap.Proxy.Config["envoy_public_listener_json"] =
+					customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
+						Name:                      "custom-public-listen",
+						HTTPConnectionManagerName: httpConnectionManagerNewName,
+						TypedConfig:               true,
+					})
+			},
+		},
+		{
+			name:   "custom-public-listener-http-missing",
+			create: proxycfg.TestConfigSnapshot,
+			setup: func(snap *proxycfg.ConfigSnapshot) {
+				snap.Proxy.Config["protocol"] = "http"
+				snap.Proxy.Config["envoy_public_listener_json"] =
+					customListenerJSON(t, customListenerJSONOptions{
+						Name:        "custom-public-listen",
+						IncludeType: false,
+					})
+			},
+		},
 		{
 			name:               "custom-public-listener-typed",
 			create:             proxycfg.TestConfigSnapshot,
@@ -500,11 +560,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 	}
 }
 
-func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, token string) map[string]string {
+func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot) map[string]string {
-	tokenVal := ""
-	if token != "" {
-		tokenVal = fmt.Sprintf(",\n"+`"value": "%s"`, token)
-	}
 	return map[string]string{
 		"public_listener": `{
 				"@type": "type.googleapis.com/envoy.api.v2.Listener",
@@ -520,18 +576,9 @@ func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, to
 						"tlsContext": ` + expectedPublicTLSContextJSON(t, snap) + `,
 						"filters": [
 							{
-								"name": "envoy.ext_authz",
+								"name": "envoy.filters.network.rbac",
 								"config": {
-										"grpc_service": {
+										"rules": {
-												"envoy_grpc": {
-													"cluster_name": "local_agent"
-												},
-												"initial_metadata": [
-													{
-														"key": "x-consul-token"
-														` + tokenVal + `
-													}
-												]
 											},
 										"stat_prefix": "connect_authz"
 									}
@@ -622,15 +669,14 @@ func expectListenerJSONFromResources(snap *proxycfg.ConfigSnapshot, v, n uint64,
 		}`
 }
 
-func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, token string, v, n uint64) string {
+func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, v, n uint64) string {
-	return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap, token))
+	return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap))
 }
 
 type customListenerJSONOptions struct {
-	Name          string
+	Name        string
-	IncludeType   bool
+	IncludeType bool
-	OverrideAuthz bool
+	TLSContext  string
-	TLSContext    string
 }
 
 const customListenerJSONTpl = `{
@@ -650,25 +696,6 @@ const customListenerJSONTpl = `{
 			"tlsContext": {{ .TLSContext }},
 			{{- end }}
 			"filters": [
-				{{ if .OverrideAuthz -}}
-				{
-					"name": "envoy.ext_authz",
-					"config": {
-							"grpc_service": {
-										"envoy_grpc": {
-													"cluster_name": "local_agent"
-												},
-										"initial_metadata": [
-													{
-																"key": "x-consul-token",
-																"value": "my-token"
-															}
-												]
-									},
-							"stat_prefix": "connect_authz"
-						}
-				},
-				{{- end }}
 				{
 					"name": "envoy.tcp_proxy",
 					"config": {
@@ -681,12 +708,82 @@ const customListenerJSONTpl = `{
 	]
 }`
 
-var customListenerJSONTemplate = template.Must(template.New("").Parse(customListenerJSONTpl))
+type customHTTPListenerJSONOptions struct {
+	Name                      string
+	HTTPConnectionManagerName string
+	TypedConfig               bool
+}
+
+const customHTTPListenerJSONTpl = `{
+	"name": "{{ .Name }}",
+	"address": {
+		"socketAddress": {
+			"address": "11.11.11.11",
+			"portValue": 11111
+		}
+	},
+	"filterChains": [
+		{
+			"filters": [
+				{
+					"name": "{{ .HTTPConnectionManagerName }}",
+					{{ if .TypedConfig -}}
+					"typedConfig": {
+					"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+					{{ else -}}
+					"config": {
+					{{- end }}
+						"http_filters": [
+							{
+								"name": "envoy.router"
+							}
+						],
+						"route_config": {
+							"name": "public_listener",
+							"virtual_hosts": [
+								{
+									"domains": [
+										"*"
+									],
+									"name": "public_listener",
+									"routes": [
+										{
+											"match": {
+												"prefix": "/"
+											},
+											"route": {
+												"cluster": "random-cluster"
+											}
+										}
+									]
+								}
+							]
+						}
+					}
+				}
+			]
+		}
+	]
+}`
+
+var (
+	customListenerJSONTemplate     = template.Must(template.New("").Parse(customListenerJSONTpl))
+	customHTTPListenerJSONTemplate = template.Must(template.New("").Parse(customHTTPListenerJSONTpl))
+)
 
 func customListenerJSON(t *testing.T, opts customListenerJSONOptions) string {
 	t.Helper()
 	var buf bytes.Buffer
-	err := customListenerJSONTemplate.Execute(&buf, opts)
+	require.NoError(t, customListenerJSONTemplate.Execute(&buf, opts))
-	require.NoError(t, err)
+	return buf.String()
+}
+
+func customHTTPListenerJSON(t *testing.T, opts customHTTPListenerJSONOptions) string {
+	t.Helper()
+	if opts.HTTPConnectionManagerName == "" {
+		opts.HTTPConnectionManagerName = wellknown.HTTPConnectionManager
+	}
+	var buf bytes.Buffer
+	require.NoError(t, customHTTPListenerJSONTemplate.Execute(&buf, opts))
 	return buf.String()
 }

agent/xds/rbac.go

@@ -0,0 +1,374 @@
+package xds
+
+import (
+	"fmt"
+	"sort"
+
+	envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
+	envoyhttprbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2"
+	envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
+	envoynetrbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2"
+	envoyrbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2"
+	envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher"
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+func makeRBACNetworkFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoylistener.Filter, error) {
+	rules, err := makeRBACRules(intentions, intentionDefaultAllow)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &envoynetrbac.RBAC{
+		StatPrefix: "connect_authz",
+		Rules:      rules,
+	}
+	return makeFilter("envoy.filters.network.rbac", cfg, false)
+}
+
+func makeRBACHTTPFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyhttp.HttpFilter, error) {
+	rules, err := makeRBACRules(intentions, intentionDefaultAllow)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &envoyhttprbac.RBAC{
+		Rules: rules,
+	}
+	return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
+}
+
+type rbacIntention struct {
+	Source     structs.ServiceName
+	NotSources []structs.ServiceName
+	Allow      bool
+	Precedence int
+	Skip       bool
+}
+
+func (r *rbacIntention) Simplify() {
+	r.NotSources = simplifyNotSourceSlice(r.NotSources)
+}
+
+func simplifyNotSourceSlice(notSources []structs.ServiceName) []structs.ServiceName {
+	if len(notSources) <= 1 {
+		return notSources
+	}
+
+	// Collapse NotSources elements together if any element is a subset of
+	// another.
+
+	// Sort, keeping the least wildcarded elements first.
+	sort.SliceStable(notSources, func(i, j int) bool {
+		return countWild(notSources[i]) < countWild(notSources[j])
+	})
+
+	keep := make([]structs.ServiceName, 0, len(notSources))
+	for i := 0; i < len(notSources); i++ {
+		si := notSources[i]
+		remove := false
+		for j := i + 1; j < len(notSources); j++ {
+			sj := notSources[j]
+
+			if ixnSourceMatches(si, sj) {
+				remove = true
+				break
+			}
+		}
+		if !remove {
+			keep = append(keep, si)
+		}
+	}
+
+	return keep
+}
+
+// makeRBACRules translates Consul intentions into RBAC Policies for Envoy.
+//
+// Consul lets you define up to 9 different kinds of intentions that apply at
+// different levels of precedence (this is limited to 4 if not using Consul
+// Enterprise). Each intention in this flat list (sorted by precedence) can either
+// be an allow rule or a deny rule. Here’s a concrete example of this at work:
+//
+//     intern/trusted-app => billing/payment-svc : ALLOW (prec=9)
+//     intern/*           => billing/payment-svc : DENY  (prec=8)
+//     */*                => billing/payment-svc : ALLOW (prec=7)
+//     ::: ACL default policy :::                : DENY  (prec=N/A)
+//
+// In contrast, Envoy lets you either configure a filter to be based on an
+// allow-list or a deny-list based on the action attribute of the RBAC rules
+// struct.
+//
+// On the surface it would seem that the configuration model of Consul
+// intentions is incompatible with that of Envoy’s RBAC engine. For any given
+// destination service Consul’s model requires evaluating a list of rules and
+// short circuiting later rules once an earlier rule matches. After a rule is
+// found to match then we decide if it is allow/deny. Envoy on the other hand
+// requires the rules to express all conditions to allow access or all conditions
+// to deny access.
+//
+// Despite the surface incompatibility it is possible to marry these two
+// models. For clarity I’ll rewrite the earlier example intentions in an
+// abbreviated form:
+//
+//     A         : ALLOW
+//     B         : DENY
+//     C         : ALLOW
+//     <default> : DENY
+//
+// 1. Given that the overall intention default is set to deny, we start by
+//    choosing to build an allow-list in Envoy (this is also the variant that I find
+//    easier to think about).
+// 2. Next we traverse the list in precedence order (top down) and any DENY
+//    intentions are combined with later intentions using logical operations.
+// 3. Now that all of the intentions result in the same action (allow) we have
+//    successfully removed precedence and we can express this in as a set of Envoy
+//    RBAC policies.
+//
+// After this the earlier A/B/C/default list becomes:
+//
+//     A            : ALLOW
+//     C AND NOT(B) : ALLOW
+//     <default>    : DENY
+//
+// Which really is just an allow-list of [A, C AND NOT(B)]
+func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyrbac.RBAC, error) {
+	// Note that we DON'T explicitly validate the trust-domain matches ours.
+	//
+	// For now we don't validate the trust domain of the _destination_ at all.
+	// The RBAC policies below ignore the trust domain and it's implicit that
+	// the request is for the correct cluster. We might want to reconsider this
+	// later but plumbing in additional machinery to check the clusterID here
+	// is not really necessary for now unless the Envoys are badly configured.
+	// Our threat model _requires_ correctly configured and well behaved
+	// proxies given that they have ACLs to fetch certs and so can do whatever
+	// they want including not authorizing traffic at all or routing it do a
+	// different service than they auth'd against.
+
+	// TODO(banks,rb): Implement revocation list checking?
+
+	// Omit any lower-precedence intentions that share the same source.
+	intentions = removeSameSourceIntentions(intentions)
+
+	// First build up just the basic principal matches.
+	rbacIxns := make([]*rbacIntention, 0, len(intentions))
+	for _, ixn := range intentions {
+		rbacIxns = append(rbacIxns, &rbacIntention{
+			Source:     ixn.SourceServiceName(),
+			Allow:      (ixn.Action == structs.IntentionActionAllow),
+			Precedence: ixn.Precedence,
+		})
+	}
+
+	// Normalize: if we are in default-deny then all intentions must be allows and vice versa
+
+	var rbacAction envoyrbac.RBAC_Action
+	if intentionDefaultAllow {
+		// The RBAC policies deny access to principals. The rest is allowed.
+		// This is block-list style access control.
+		rbacAction = envoyrbac.RBAC_DENY
+	} else {
+		// The RBAC policies grant access to principals. The rest is denied.
+		// This is safe-list style access control. This is the default type.
+		rbacAction = envoyrbac.RBAC_ALLOW
+	}
+
+	// First walk backwards and if we encounter an intention with an action
+	// that is the same as the default intention action, add it to all
+	// subsequent statements (via AND NOT $x) and mark the rule itself for
+	// erasure.
+	//
+	// i.e. for a default-deny setup we look for denies.
+	if len(rbacIxns) > 0 {
+		for i := len(rbacIxns) - 1; i >= 0; i-- {
+			if rbacIxns[i].Allow == intentionDefaultAllow {
+				for j := i + 1; j < len(rbacIxns); j++ {
+					if rbacIxns[j].Skip {
+						continue
+					}
+					// [i] is the intention candidate that we are distributing
+					// [j] is the thing to maybe NOT [i] from
+					if ixnSourceMatches(rbacIxns[i].Source, rbacIxns[j].Source) {
+						rbacIxns[j].NotSources = append(rbacIxns[j].NotSources, rbacIxns[i].Source)
+					}
+				}
+				// since this is default-FOO, any trailing FOO intentions will just evaporate
+				rbacIxns[i].Skip = true // mark for deletion
+			}
+		}
+	}
+	// At this point precedence doesn't matter since all roads lead to the same action.
+
+	var principals []*envoyrbac.Principal
+	for _, rbacIxn := range rbacIxns {
+		if rbacIxn.Skip {
+			continue
+		}
+
+		// NOTE: at this point "rbacIxn.Allow != intentionDefaultAllow"
+
+		rbacIxn.Simplify()
+
+		if len(rbacIxn.NotSources) > 0 {
+			andIDs := make([]*envoyrbac.Principal, 0, len(rbacIxn.NotSources)+1)
+			andIDs = append(andIDs, idPrincipal(rbacIxn.Source))
+			for _, src := range rbacIxn.NotSources {
+				andIDs = append(andIDs, notPrincipal(
+					idPrincipal(src),
+				))
+			}
+			principals = append(principals, andPrincipals(andIDs))
+		} else {
+			principals = append(principals, idPrincipal(rbacIxn.Source))
+		}
+	}
+
+	rbac := &envoyrbac.RBAC{
+		Action: rbacAction,
+	}
+	if len(principals) > 0 {
+		policy := &envoyrbac.Policy{
+			Principals:  principals,
+			Permissions: []*envoyrbac.Permission{anyPermission()},
+		}
+		rbac.Policies = map[string]*envoyrbac.Policy{
+			"consul-intentions": policy,
+		}
+	}
+
+	return rbac, nil
+}
+
+func removeSameSourceIntentions(intentions structs.Intentions) structs.Intentions {
+	if len(intentions) < 2 {
+		return intentions
+	}
+
+	var (
+		out        = make(structs.Intentions, 0, len(intentions))
+		changed    = false
+		seenSource = make(map[structs.ServiceName]struct{})
+	)
+	for _, ixn := range intentions {
+		sn := ixn.SourceServiceName()
+		if _, ok := seenSource[sn]; ok {
+			// A higher precedence intention already used this exact source
+			// definition with a different destination.
+			changed = true
+			continue
+		}
+		seenSource[sn] = struct{}{}
+		out = append(out, ixn)
+	}
+
+	if !changed {
+		return intentions
+	}
+	return out
+}
+
+type sourceMatch int
+
+const (
+	sourceMatchIgnore   sourceMatch = 0
+	sourceMatchSuperset sourceMatch = 1
+	matchSameSubset     sourceMatch = 2
+)
+
+// ixnSourceMatches deterines if the 'tester' service name is matched by the
+// 'against' service name via wildcard rules.
+//
+// For instance:
+// - (web, api)               => false, because these have no wildcards
+// - (web, *)                 => true,  because "all services" includes "web"
+// - (default/web, default/*) => true,  because "all services in the default NS" includes "default/web"
+// - (default/*, */*)         => true,  "any service in any NS" includes "all services in the default NS"
+func ixnSourceMatches(tester, against structs.ServiceName) bool {
+	// We assume that we can't have the same intention twice before arriving
+	// here.
+	numWildTester := countWild(tester)
+	numWildAgainst := countWild(against)
+
+	if numWildTester == numWildAgainst {
+		return false
+	} else if numWildTester > numWildAgainst {
+		return false
+	}
+
+	matchesNS := tester.NamespaceOrDefault() == against.NamespaceOrDefault() || against.NamespaceOrDefault() == structs.WildcardSpecifier
+	matchesName := tester.Name == against.Name || against.Name == structs.WildcardSpecifier
+	return matchesNS && matchesName
+}
+
+// countWild counts the number of wildcard values in the given namespace and name.
+func countWild(src structs.ServiceName) int {
+	// If NS is wildcard, it must be 2 since wildcards only follow exact
+	if src.NamespaceOrDefault() == structs.WildcardSpecifier {
+		return 2
+	}
+
+	// Same reasoning as above, a wildcard can only follow an exact value
+	// and an exact value cannot follow a wildcard, so if name is a wildcard
+	// we must have exactly one.
+	if src.Name == structs.WildcardSpecifier {
+		return 1
+	}
+
+	return 0
+}
+
+func andPrincipals(ids []*envoyrbac.Principal) *envoyrbac.Principal {
+	return &envoyrbac.Principal{
+		Identifier: &envoyrbac.Principal_AndIds{
+			AndIds: &envoyrbac.Principal_Set{
+				Ids: ids,
+			},
+		},
+	}
+}
+
+func notPrincipal(id *envoyrbac.Principal) *envoyrbac.Principal {
+	return &envoyrbac.Principal{
+		Identifier: &envoyrbac.Principal_NotId{
+			NotId: id,
+		},
+	}
+}
+
+func idPrincipal(src structs.ServiceName) *envoyrbac.Principal {
+	pattern := makeSpiffePattern(src.NamespaceOrDefault(), src.Name)
+
+	return &envoyrbac.Principal{
+		Identifier: &envoyrbac.Principal_Authenticated_{
+			Authenticated: &envoyrbac.Principal_Authenticated{
+				PrincipalName: &envoymatcher.StringMatcher{
+					MatchPattern: &envoymatcher.StringMatcher_SafeRegex{
+						SafeRegex: makeEnvoyRegexMatch(pattern),
+					},
+				},
+			},
+		},
+	}
+}
+func makeSpiffePattern(sourceNS, sourceName string) string {
+	const (
+		anyPath        = `[^/]+`
+		spiffeTemplate = `^spiffe://%s/ns/%s/dc/%s/svc/%s$`
+	)
+	switch {
+	case sourceNS != structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier:
+		return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, sourceName)
+	case sourceNS != structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
+		return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, anyPath)
+	case sourceNS == structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
+		return fmt.Sprintf(spiffeTemplate, anyPath, anyPath, anyPath, anyPath)
+	default:
+		panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName))
+	}
+}
+
+func anyPermission() *envoyrbac.Permission {
+	return &envoyrbac.Permission{
+		Rule: &envoyrbac.Permission_Any{Any: true},
+	}
+}

agent/xds/rbac_test.go

@@ -0,0 +1,259 @@
+package xds
+
+import (
+	"fmt"
+	"path/filepath"
+	"sort"
+	"testing"
+
+	"github.com/hashicorp/consul/agent/structs"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMakeRBACNetworkFilter(t *testing.T) {
+	testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
+		t.Helper()
+		ixn := structs.TestIntention(t)
+		ixn.SourceName = src
+		ixn.DestinationName = dst
+		ixn.Action = action
+		ixn.UpdatePrecedence()
+		return ixn
+	}
+	testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention {
+		return testIntention(t, src, "api", action)
+	}
+	sorted := func(ixns ...*structs.Intention) structs.Intentions {
+		sort.SliceStable(ixns, func(i, j int) bool {
+			return ixns[j].Precedence < ixns[i].Precedence
+		})
+		return structs.Intentions(ixns)
+	}
+
+	tests := map[string]struct {
+		intentionDefaultAllow bool
+		intentions            structs.Intentions
+	}{
+		"default-deny-mixed-precedence": {
+			intentionDefaultAllow: false,
+			intentions: sorted(
+				testIntention(t, "web", "api", structs.IntentionActionAllow),
+				testIntention(t, "*", "api", structs.IntentionActionDeny),
+				testIntention(t, "web", "*", structs.IntentionActionDeny),
+			),
+		},
+		"default-deny-service-wildcard-allow": {
+			intentionDefaultAllow: false,
+			intentions: sorted(
+				testSourceIntention("*", structs.IntentionActionAllow),
+			),
+		},
+		"default-allow-service-wildcard-deny": {
+			intentionDefaultAllow: true,
+			intentions: sorted(
+				testSourceIntention("*", structs.IntentionActionDeny),
+			),
+		},
+		"default-deny-one-allow": {
+			intentionDefaultAllow: false,
+			intentions: sorted(
+				testSourceIntention("web", structs.IntentionActionAllow),
+			),
+		},
+		"default-allow-one-deny": {
+			intentionDefaultAllow: true,
+			intentions: sorted(
+				testSourceIntention("web", structs.IntentionActionDeny),
+			),
+		},
+		"default-deny-allow-deny": {
+			intentionDefaultAllow: false,
+			intentions: sorted(
+				testSourceIntention("web", structs.IntentionActionDeny),
+				testSourceIntention("*", structs.IntentionActionAllow),
+			),
+		},
+		"default-deny-kitchen-sink": {
+			intentionDefaultAllow: false,
+			intentions: sorted(
+				// (double exact)
+				testSourceIntention("web", structs.IntentionActionAllow),
+				testSourceIntention("unsafe", structs.IntentionActionDeny),
+				testSourceIntention("cron", structs.IntentionActionAllow),
+				// and we invert the default-ness of the whole thing
+				testSourceIntention("*", structs.IntentionActionAllow),
+			),
+		},
+		"default-allow-kitchen-sink": {
+			intentionDefaultAllow: true,
+			intentions: sorted(
+				// (double exact)
+				testSourceIntention("web", structs.IntentionActionDeny),
+				testSourceIntention("unsafe", structs.IntentionActionAllow),
+				testSourceIntention("cron", structs.IntentionActionDeny),
+				// and we invert the default-ness of the whole thing
+				testSourceIntention("*", structs.IntentionActionDeny),
+			),
+		},
+	}
+
+	for name, tt := range tests {
+		tt := tt
+		t.Run(name, func(t *testing.T) {
+			filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow)
+			require.NoError(t, err)
+
+			gotJSON := protoToJSON(t, filter)
+
+			require.JSONEq(t, golden(t, filepath.Join("rbac", name), "", gotJSON), gotJSON)
+		})
+	}
+}
+
+func TestRemoveSameSourceIntentions(t *testing.T) {
+	testIntention := func(t *testing.T, src, dst string) *structs.Intention {
+		t.Helper()
+		ixn := structs.TestIntention(t)
+		ixn.SourceName = src
+		ixn.DestinationName = dst
+		ixn.UpdatePrecedence()
+		return ixn
+	}
+	sorted := func(ixns ...*structs.Intention) structs.Intentions {
+		sort.SliceStable(ixns, func(i, j int) bool {
+			return ixns[j].Precedence < ixns[i].Precedence
+		})
+		return structs.Intentions(ixns)
+	}
+	tests := map[string]struct {
+		in     structs.Intentions
+		expect structs.Intentions
+	}{
+		"empty": {},
+		"one": {
+			in: sorted(
+				testIntention(t, "*", "*"),
+			),
+			expect: sorted(
+				testIntention(t, "*", "*"),
+			),
+		},
+		"two with no match": {
+			in: sorted(
+				testIntention(t, "*", "foo"),
+				testIntention(t, "bar", "*"),
+			),
+			expect: sorted(
+				testIntention(t, "*", "foo"),
+				testIntention(t, "bar", "*"),
+			),
+		},
+		"two with match, exact": {
+			in: sorted(
+				testIntention(t, "bar", "foo"),
+				testIntention(t, "bar", "*"),
+			),
+			expect: sorted(
+				testIntention(t, "bar", "foo"),
+			),
+		},
+		"two with match, wildcard": {
+			in: sorted(
+				testIntention(t, "*", "foo"),
+				testIntention(t, "*", "*"),
+			),
+			expect: sorted(
+				testIntention(t, "*", "foo"),
+			),
+		},
+	}
+
+	for name, tc := range tests {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			got := removeSameSourceIntentions(tc.in)
+			require.Equal(t, tc.expect, got)
+		})
+	}
+}
+
+func TestSimplifyNotSourceSlice(t *testing.T) {
+	tests := map[string]struct {
+		in     []string
+		expect []string
+	}{
+		"empty": {},
+		"one": {
+			[]string{"bar"},
+			[]string{"bar"},
+		},
+		"two with no match": {
+			[]string{"foo", "bar"},
+			[]string{"foo", "bar"},
+		},
+		"two with match": {
+			[]string{"*", "bar"},
+			[]string{"*"},
+		},
+		"three with two matches down to one": {
+			[]string{"*", "foo", "bar"},
+			[]string{"*"},
+		},
+	}
+
+	for name, tc := range tests {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			got := simplifyNotSourceSlice(makeServiceNameSlice(tc.in))
+			require.Equal(t, makeServiceNameSlice(tc.expect), got)
+		})
+	}
+}
+
+func TestIxnSourceMatches(t *testing.T) {
+	tests := []struct {
+		tester, against string
+		matches         bool
+	}{
+		// identical precedence
+		{"web", "api", false},
+		{"*", "*", false},
+		// backwards precedence
+		{"*", "web", false},
+		// name wildcards
+		{"web", "*", true},
+	}
+
+	for _, tc := range tests {
+		t.Run(fmt.Sprintf("%s cmp %s", tc.tester, tc.against), func(t *testing.T) {
+			matches := ixnSourceMatches(
+				structs.ServiceNameFromString(tc.tester),
+				structs.ServiceNameFromString(tc.against),
+			)
+			assert.Equal(t, tc.matches, matches)
+		})
+	}
+}
+
+func makeServiceNameSlice(slice []string) []structs.ServiceName {
+	if len(slice) == 0 {
+		return nil
+	}
+	var out []structs.ServiceName
+	for _, src := range slice {
+		out = append(out, structs.ServiceNameFromString(src))
+	}
+	return out
+}
+
+func unmakeServiceNameSlice(slice []structs.ServiceName) []string {
+	if len(slice) == 0 {
+		return nil
+	}
+	var out []string
+	for _, src := range slice {
+		out = append(out, src.String())
+	}
+	return out
+}

agent/xds/response.go

@@ -3,6 +3,7 @@ package xds
 import (
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+	envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher"
 	"github.com/golang/protobuf/proto"
 	"github.com/golang/protobuf/ptypes/any"
 	"github.com/golang/protobuf/ptypes/wrappers"
@@ -56,3 +57,12 @@ func makeUint32Value(n int) *wrappers.UInt32Value {
 func makeBoolValue(n bool) *wrappers.BoolValue {
 	return &wrappers.BoolValue{Value: n}
 }
+
+func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher {
+	return &envoymatcher.RegexMatcher{
+		EngineType: &envoymatcher.RegexMatcher_GoogleRe2{
+			GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{},
+		},
+		Regex: patt,
+	}
+}

agent/xds/routes.go

@@ -458,12 +458,3 @@ func makeRouteActionForSplitter(splits []*structs.DiscoverySplit, chain *structs
 		},
 	}, nil
 }
-
-func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher {
-	return &envoymatcher.RegexMatcher{
-		EngineType: &envoymatcher.RegexMatcher_GoogleRe2{
-			GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{},
-		},
-		Regex: patt,
-	}
-}

agent/xds/server.go

@@ -9,19 +9,14 @@ import (
 
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
-	envoyauthz "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
-	envoyauthzalpha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha"
 	envoydisco "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"
 	"github.com/golang/protobuf/proto"
 	"github.com/hashicorp/consul/acl"
-	"github.com/hashicorp/consul/agent/cache"
-	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/proxycfg"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/logging"
 	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/go-hclog"
-	rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -92,13 +87,6 @@ const (
 // coupling this to the agent.
 type ACLResolverFunc func(id string) (acl.Authorizer, error)
 
-// ConnectAuthz is the interface the agent needs to expose to be able to re-use
-// the authorization logic between both APIs.
-type ConnectAuthz interface {
-	// ConnectAuthorize is implemented by Agent.ConnectAuthorize
-	ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, m *cache.ResultMeta, err error)
-}
-
 // ServiceChecks is the interface the agent needs to expose
 // for the xDS server to fetch a service's HTTP check definitions
 type HTTPCheckFetcher interface {
@@ -119,16 +107,14 @@ type ConfigManager interface {
 	Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc)
 }
 
-// Server represents a gRPC server that can handle both XDS and ext_authz
+// Server represents a gRPC server that can handle xDS requests from Envoy. All
-// requests from Envoy. All of it's public members must be set before the gRPC
+// of it's public members must be set before the gRPC server is started.
-// server is started.
 //
 // A full description of the XDS protocol can be found at
 // https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
 type Server struct {
 	Logger       hclog.Logger
 	CfgMgr       ConfigManager
-	Authz        ConnectAuthz
 	ResolveToken ACLResolverFunc
 	// AuthCheckFrequency is how often we should re-check the credentials used
 	// during a long-lived gRPC Stream after it has been initially established.
@@ -490,90 +476,7 @@ func (s *Server) DeltaAggregatedResources(_ envoydisco.AggregatedDiscoveryServic
 	return errors.New("not implemented")
 }
 
-func deniedResponse(reason string) (*envoyauthz.CheckResponse, error) {
+// GRPCServer returns a server instance that can handle xDS requests.
-	return &envoyauthz.CheckResponse{
-		Status: &rpcstatus.Status{
-			Code:    int32(codes.PermissionDenied),
-			Message: "Denied: " + reason,
-		},
-	}, nil
-}
-
-// Check implements envoyauthz.AuthorizationServer.
-func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error) {
-	// Sanity checks
-	if r.Attributes == nil || r.Attributes.Source == nil || r.Attributes.Destination == nil {
-		return nil, status.Error(codes.InvalidArgument, "source and destination attributes are required")
-	}
-	if r.Attributes.Source.Principal == "" || r.Attributes.Destination.Principal == "" {
-		return nil, status.Error(codes.InvalidArgument, "source and destination Principal are required")
-	}
-
-	// Parse destination to know the target service
-	dest, err := connect.ParseCertURIFromString(r.Attributes.Destination.Principal)
-	if err != nil {
-		s.Logger.Debug("Connect AuthZ DENIED: bad destination URI", "source", r.Attributes.Source.Principal, "destination",
-			r.Attributes.Destination.Principal)
-		// Treat this as an auth error since Envoy has sent something it considers
-		// valid, it's just not an identity we trust.
-		return deniedResponse("Destination Principal is not a valid Connect identity")
-	}
-
-	destID, ok := dest.(*connect.SpiffeIDService)
-	if !ok {
-		s.Logger.Debug("Connect AuthZ DENIED: bad destination service ID", "source", r.Attributes.Source.Principal, "destination",
-			r.Attributes.Destination.Principal)
-		return deniedResponse("Destination Principal is not a valid Service identity")
-	}
-
-	// For now we don't validate the trust domain of the _destination_ at all -
-	// the HTTP Authorize endpoint just accepts a target _service_ and it's
-	// implicit that the request is for the correct cluster. We might want to
-	// reconsider this later but plumbing in additional machinery to check the
-	// clusterID here is not really necessary for now unless Envoys are badly
-	// configured. Our threat model _requires_ correctly configured and well
-	// behaved proxies given that they have ACLs to fetch certs and so can do
-	// whatever they want including not authorizing traffic at all or routing it
-	// do a different service than they auth'd against.
-
-	// Create an authz request
-	req := &structs.ConnectAuthorizeRequest{
-		Target:         destID.Service,
-		EnterpriseMeta: *destID.GetEnterpriseMeta(),
-		ClientCertURI:  r.Attributes.Source.Principal,
-		// TODO(banks): need Envoy to support sending cert serial/hash to enforce
-		// revocation later.
-	}
-	token := tokenFromContext(ctx)
-	authed, reason, _, err := s.Authz.ConnectAuthorize(token, req)
-	if err != nil {
-		if err == acl.ErrPermissionDenied {
-			s.Logger.Debug("Connect AuthZ failed ACL check", "error", err, "source", r.Attributes.Source.Principal,
-				"dest", r.Attributes.Destination.Principal)
-			return nil, status.Error(codes.PermissionDenied, err.Error())
-		}
-		s.Logger.Debug("Connect AuthZ failed", "error", err, "source", r.Attributes.Source.Principal,
-			"destination", r.Attributes.Destination.Principal)
-		return nil, status.Error(codes.Internal, err.Error())
-	}
-	if !authed {
-		s.Logger.Debug("Connect AuthZ DENIED", "source", r.Attributes.Source.Principal,
-			"destination", r.Attributes.Destination.Principal, "reason", reason)
-		return deniedResponse(reason)
-	}
-
-	s.Logger.Debug("Connect AuthZ ALLOWED", "source", r.Attributes.Source.Principal,
-		"destination", r.Attributes.Destination.Principal, "reason", reason)
-	return &envoyauthz.CheckResponse{
-		Status: &rpcstatus.Status{
-			Code:    int32(codes.OK),
-			Message: "ALLOWED: " + reason,
-		},
-	}, nil
-}
-
-// GRPCServer returns a server instance that can handle XDS and ext_authz
-// requests.
 func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) {
 	opts := []grpc.ServerOption{
 		grpc.MaxConcurrentStreams(2048),
@@ -587,15 +490,5 @@ func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server
 	srv := grpc.NewServer(opts...)
 	envoydisco.RegisterAggregatedDiscoveryServiceServer(srv, s)
 
-	// Envoy 1.10 changed the package for ext_authz from v2alpha to v2. We still
-	// need to be compatible with 1.9.1 and earlier which only uses v2alpha. While
-	// there is a deprecated compatibility shim option in 1.10, we want to support
-	// first class. Fortunately they are wire-compatible so we can just register a
-	// single service implementation (using the new v2 package definitions) but
-	// using the old v2alpha regiatration function which just exports it on the
-	// old path as well.
-	envoyauthz.RegisterAuthorizationServer(srv, s)
-	envoyauthzalpha.RegisterAuthorizationServer(srv, s)
-
 	return srv, nil
 }

agent/xds/server_test.go

@@ -1,8 +1,6 @@
 package xds
 
 import (
-	"context"
-	"errors"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -12,7 +10,6 @@ import (
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 
 	"github.com/hashicorp/consul/acl"
@@ -91,22 +88,6 @@ func (m *testManager) AssertWatchCancelled(t *testing.T, proxyID structs.Service
 	}
 }
 
-// ConnectAuthorize implements ConnectAuthz
-func (m *testManager) ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, meta *cache.ResultMeta, err error) {
-	m.Lock()
-	defer m.Unlock()
-	if res, ok := m.authz[token]; ok {
-		if res.validate != nil {
-			if err := res.validate(req); err != nil {
-				return false, "", nil, err
-			}
-		}
-		return res.authz, res.reason, res.m, res.err
-	}
-	// Default allow but with reason that won't match by accident in a test case
-	return true, "OK: allowed by default test implementation", nil, nil
-}
-
 func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
 	logger := testutil.Logger(t)
 	mgr := newTestManager(t)
@@ -120,7 +101,6 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
 	s := Server{
 		Logger:       logger,
 		CfgMgr:       mgr,
-		Authz:        mgr,
 		ResolveToken: aclResolve,
 	}
 	s.Initialize()
@@ -170,7 +150,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
 	envoy.SendReq(t, EndpointType, 1, 2)
 
 	// And should get a response immediately.
-	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 1, 3))
+	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 3))
 
 	// Now send Route request along with next listener one
 	envoy.SendReq(t, RouteType, 0, 0)
@@ -197,7 +177,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
 	// which is reasonable anyway to ensure consistency of the config Envoy sees.
 	assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 2, 4))
 	assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(2, 5))
-	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 2, 6))
+	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 2, 6))
 
 	// Let's pretend that Envoy doesn't like that new listener config. It will ACK
 	// all the others (same version) but NACK the listener. This is the most
@@ -234,7 +214,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
 
 	assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 3, 7))
 	assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(3, 8))
-	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 3, 9))
+	assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 3, 9))
 }
 
 func expectEndpointsJSON(v, n uint64) string {
@@ -474,7 +454,6 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) {
 			s := Server{
 				Logger:       logger,
 				CfgMgr:       mgr,
-				Authz:        mgr,
 				ResolveToken: aclResolve,
 			}
 			s.Initialize()
@@ -501,7 +480,7 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) {
 			envoy.SendReq(t, ListenerType, 0, 0)
 
 			if !tt.wantDenied {
-				assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, tt.token, 1, 1))
+				assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 1))
 				// Close the client stream since all is well. We _don't_ do this in the
 				// expected error case because we want to verify the error closes the
 				// stream from server side.
@@ -549,7 +528,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedDuring
 	s := Server{
 		Logger:             logger,
 		CfgMgr:             mgr,
-		Authz:              mgr,
 		ResolveToken:       aclResolve,
 		AuthCheckFrequency: 1 * time.Hour, // make sure this doesn't kick in
 	}
@@ -641,7 +619,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack
 	s := Server{
 		Logger:             logger,
 		CfgMgr:             mgr,
-		Authz:              mgr,
 		ResolveToken:       aclResolve,
 		AuthCheckFrequency: 100 * time.Millisecond, // Make this short.
 	}
@@ -716,144 +693,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack
 	}
 }
 
-// This tests the ext_authz service method that implements connect authz.
-func TestServer_Check(t *testing.T) {
-
-	tests := []struct {
-		name            string
-		source          string
-		dest            string
-		sourcePrincipal string
-		destPrincipal   string
-		authzResult     connectAuthzResult
-		wantErr         bool
-		wantErrCode     codes.Code
-		wantDenied      bool
-		wantReason      string
-	}{
-		{
-			name:        "auth allowed",
-			source:      "web",
-			dest:        "db",
-			authzResult: connectAuthzResult{true, "default allow", nil, nil, nil},
-			wantDenied:  false,
-			wantReason:  "default allow",
-		},
-		{
-			name:        "auth denied",
-			source:      "web",
-			dest:        "db",
-			authzResult: connectAuthzResult{false, "default deny", nil, nil, nil},
-			wantDenied:  true,
-			wantReason:  "default deny",
-		},
-		{
-			name:            "no source",
-			sourcePrincipal: "",
-			dest:            "db",
-			// Should never make it to authz call.
-			wantErr:     true,
-			wantErrCode: codes.InvalidArgument,
-		},
-		{
-			name:   "no dest",
-			source: "web",
-			dest:   "",
-			// Should never make it to authz call.
-			wantErr:     true,
-			wantErrCode: codes.InvalidArgument,
-		},
-		{
-			name:          "dest invalid format",
-			source:        "web",
-			destPrincipal: "not-a-spiffe-id",
-			// Should never make it to authz call.
-			wantDenied: true,
-			wantReason: "Destination Principal is not a valid Connect identity",
-		},
-		{
-			name:          "dest not a service URI",
-			source:        "web",
-			destPrincipal: "spiffe://trust-domain.consul",
-			// Should never make it to authz call.
-			wantDenied: true,
-			wantReason: "Destination Principal is not a valid Service identity",
-		},
-		{
-			name:        "ACL not got permission for authz call",
-			source:      "web",
-			dest:        "db",
-			authzResult: connectAuthzResult{false, "", nil, acl.ErrPermissionDenied, nil},
-			wantErr:     true,
-			wantErrCode: codes.PermissionDenied,
-		},
-		{
-			name:        "Random error running authz",
-			source:      "web",
-			dest:        "db",
-			authzResult: connectAuthzResult{false, "", nil, errors.New("gremlin attack"), nil},
-			wantErr:     true,
-			wantErrCode: codes.Internal,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			token := "my-real-acl-token"
-			logger := testutil.Logger(t)
-			mgr := newTestManager(t)
-
-			// Setup expected auth result against that token no lock as no other
-			// goroutine is touching this yet.
-			mgr.authz[token] = tt.authzResult
-
-			aclResolve := func(id string) (acl.Authorizer, error) {
-				return nil, nil
-			}
-			envoy := NewTestEnvoy(t, "web-sidecar-proxy", token)
-			defer envoy.Close()
-
-			s := Server{
-				Logger:       logger,
-				CfgMgr:       mgr,
-				Authz:        mgr,
-				ResolveToken: aclResolve,
-			}
-			s.Initialize()
-
-			// Create a context with the correct token
-			ctx := metadata.NewIncomingContext(context.Background(),
-				metadata.Pairs("x-consul-token", token))
-
-			r := TestCheckRequest(t, tt.source, tt.dest)
-			// If sourcePrincipal is set override, or if source is also not set
-			// explicitly override to empty.
-			if tt.sourcePrincipal != "" || tt.source == "" {
-				r.Attributes.Source.Principal = tt.sourcePrincipal
-			}
-			if tt.destPrincipal != "" || tt.dest == "" {
-				r.Attributes.Destination.Principal = tt.destPrincipal
-			}
-			resp, err := s.Check(ctx, r)
-			// Denied is not an error
-			if tt.wantErr {
-				require.Error(t, err)
-				grpcStatus := status.Convert(err)
-				require.Equal(t, tt.wantErrCode, grpcStatus.Code())
-				require.Nil(t, resp)
-				return
-			}
-			require.NoError(t, err)
-			if tt.wantDenied {
-				require.Equal(t, int32(codes.PermissionDenied), resp.Status.Code)
-			} else {
-				require.Equal(t, int32(codes.OK), resp.Status.Code)
-			}
-			require.Contains(t, resp.Status.Message, tt.wantReason)
-		})
-	}
-}
-
 func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) {
 	logger := testutil.Logger(t)
 	mgr := newTestManager(t)
@@ -867,7 +706,6 @@ func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) {
 	s := Server{
 		Logger:       logger,
 		CfgMgr:       mgr,
-		Authz:        mgr,
 		ResolveToken: aclResolve,
 	}
 	s.Initialize()

agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-12-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-13-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-14-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-15-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-12-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-13-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-14-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-15-x.golden

@@ -106,18 +106,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-12-x.golden

@@ -99,18 +99,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-13-x.golden

@@ -99,18 +99,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-14-x.golden

@@ -99,18 +99,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-15-x.golden

@@ -99,18 +99,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-12-x.golden

@@ -101,18 +101,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-13-x.golden

@@ -101,18 +101,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-14-x.golden

@@ -101,18 +101,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-15-x.golden

@@ -101,18 +101,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden

@@ -0,0 +1,107 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.rbac",
+              "config": {
+                  "rules": {
+                      },
+                  "stat_prefix": "connect_authz"
+                }
+            },
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "random-cluster",
+                  "stat_prefix": "foo-stats"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden

@@ -0,0 +1,107 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.rbac",
+              "config": {
+                  "rules": {
+                      },
+                  "stat_prefix": "connect_authz"
+                }
+            },
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "random-cluster",
+                  "stat_prefix": "foo-stats"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden

@@ -0,0 +1,107 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.rbac",
+              "config": {
+                  "rules": {
+                      },
+                  "stat_prefix": "connect_authz"
+                }
+            },
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "random-cluster",
+                  "stat_prefix": "foo-stats"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden

@@ -0,0 +1,107 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.filters.network.rbac",
+              "config": {
+                  "rules": {
+                      },
+                  "stat_prefix": "connect_authz"
+                }
+            },
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "random-cluster",
+                  "stat_prefix": "foo-stats"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden

@@ -0,0 +1,131 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "typedConfig": {
+                "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+                "routeConfig": {
+                  "name": "public_listener",
+                  "virtualHosts": [
+                    {
+                      "name": "public_listener",
+                      "domains": [
+                        "*"
+                      ],
+                      "routes": [
+                        {
+                          "match": {
+                            "prefix": "/"
+                          },
+                          "route": {
+                            "cluster": "random-cluster"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                "httpFilters": [
+                  {
+                    "name": "envoy.filters.http.rbac",
+                    "config": {
+                        "rules": {
+                            }
+                      }
+                  },
+                  {
+                    "name": "envoy.router"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden

@@ -0,0 +1,130 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "custom-public-listen",
+      "address": {
+        "socketAddress": {
+          "address": "11.11.11.11",
+          "portValue": 11111
+        }
+      },
+      "filterChains": [
+        {
+          "tlsContext": {
+            "commonTlsContext": {
+              "tlsParams": {
+
+              },
+              "tlsCertificates": [
+                {
+                  "certificateChain": {
+                    "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+                  },
+                  "privateKey": {
+                    "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+                  }
+                }
+              ],
+              "validationContext": {
+                "trustedCa": {
+                  "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+                }
+              }
+            },
+            "requireClientCertificate": true
+          },
+          "filters": [
+            {
+              "name": "envoy.http_connection_manager",
+              "config": {
+                  "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
+                        {
+                              "name": "envoy.router"
+                            }
+                      ],
+                  "route_config": {
+                        "name": "public_listener",
+                        "virtual_hosts": [
+                              {
+                                    "domains": [
+                                          "*"
+                                        ],
+                                    "name": "public_listener",
+                                    "routes": [
+                                          {
+                                                "match": {
+                                                      "prefix": "/"
+                                                    },
+                                                "route": {
+                                                      "cluster": "random-cluster"
+                                                    }
+                                              }
+                                        ]
+                                  }
+                            ]
+                      }
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "db:127.0.0.1:9191",
+      "address": {
+        "socketAddress": {
+          "address": "127.0.0.1",
+          "portValue": 9191
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_db_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.api.v2.Listener",
+      "name": "prepared_query:geo-cache:127.10.10.10:8181",
+      "address": {
+        "socketAddress": {
+          "address": "127.10.10.10",
+          "portValue": 8181
+        }
+      },
+      "filterChains": [
+        {
+          "filters": [
+            {
+              "name": "envoy.tcp_proxy",
+              "config": {
+                  "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+                  "stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+                }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+  "nonce": "00000001"
+}

agent/xds/testdata/listeners/custom-public-listener.envoy-1-12-x.golden

@@ -37,18 +37,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-public-listener.envoy-1-13-x.golden

@@ -37,18 +37,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-public-listener.envoy-1-14-x.golden

@@ -37,18 +37,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-public-listener.envoy-1-15-x.golden

@@ -37,18 +37,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/custom-upstream.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/defaults.envoy-1-12-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/defaults.envoy-1-13-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/defaults.envoy-1-14-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/defaults.envoy-1-15-x.golden

@@ -83,18 +83,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-12-x.golden

@@ -121,18 +121,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-13-x.golden

@@ -121,18 +121,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-14-x.golden

@@ -121,18 +121,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-15-x.golden

@@ -121,18 +121,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-12-x.golden

@@ -123,18 +123,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-13-x.golden

@@ -123,18 +123,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-14-x.golden

@@ -123,18 +123,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-15-x.golden

@@ -123,18 +123,9 @@
           },
           "filters": [
             {
-              "name": "envoy.ext_authz",
+              "name": "envoy.filters.network.rbac",
               "config": {
-                  "grpc_service": {
+                  "rules": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
                       },
                   "stat_prefix": "connect_authz"
                 }

agent/xds/testdata/listeners/http-public-listener.envoy-1-12-x.golden

@@ -82,27 +82,17 @@
             "requireClientCertificate": true
           },
           "filters": [
-            {
-              "name": "envoy.ext_authz",
-              "config": {
-                  "grpc_service": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
-                      },
-                  "stat_prefix": "connect_authz"
-                }
-            },
             {
               "name": "envoy.http_connection_manager",
               "config": {
                   "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
                         {
                               "name": "envoy.router"
                             }

agent/xds/testdata/listeners/http-public-listener.envoy-1-13-x.golden

@@ -82,27 +82,17 @@
             "requireClientCertificate": true
           },
           "filters": [
-            {
-              "name": "envoy.ext_authz",
-              "config": {
-                  "grpc_service": {
-                        "envoy_grpc": {
-                              "cluster_name": "local_agent"
-                            },
-                        "initial_metadata": [
-                              {
-                                    "key": "x-consul-token",
-                                    "value": "my-token"
-                                  }
-                            ]
-                      },
-                  "stat_prefix": "connect_authz"
-                }
-            },
             {
               "name": "envoy.http_connection_manager",
               "config": {
                   "http_filters": [
+                        {
+                              "config": {
+                                    "rules": {
+                                        }
+                                  },
+                              "name": "envoy.filters.http.rbac"
+                            },
                         {
                               "name": "envoy.router"
                             }