envoy: upgrade to 1.23.0 (#3560)

* envoy: upgrade to 1.23.0 * only set ipv4_compat if :: or an ipv4in6 address * fix tests
2025-08-03 16:59:22 +02:00 · 2022-08-22 15:03:29 -06:00 · 2022-08-22 15:03:29 -06:00 · 4d38da94dd
commit 4d38da94dd
parent b613cf757e
9 changed files with 164 additions and 156 deletions
--- a/config/envoyconfig/clusters_test.go
+++ b/config/envoyconfig/clusters_test.go
@ -475,7 +475,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "example.com",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -485,7 +484,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "1.2.3.4",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -631,7 +629,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "example.com",
-										"ipv4Compat": true,
 										"portValue": 443
 									}
 								}
@ -648,7 +645,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "example.com",
-										"ipv4Compat": true,
 										"portValue": 443
 									}
 								}
@ -702,7 +698,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "127.0.0.1",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -712,7 +707,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "127.0.0.2",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -759,7 +753,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "127.0.0.1",
-										"ipv4Compat": true,
 										"portValue": 8080
 									}
 								}
@ -770,7 +763,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "127.0.0.2",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -818,7 +810,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "127.0.0.1",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
@ -875,7 +866,6 @@ func Test_buildCluster(t *testing.T) {
 								"address": {
 									"socketAddress": {
 										"address": "example.com",
-										"ipv4Compat": true,
 										"portValue": 80
 									}
 								}
--- a/config/envoyconfig/envoyconfig.go
+++ b/config/envoyconfig/envoyconfig.go
@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"net/url"
 	"os"
 	"strconv"
@ -127,11 +128,17 @@ func buildAddress(hostport string, defaultPort int) *envoy_config_core_v3.Addres
 			host = "0.0.0.0"
 		}
 	}
+
+	is4in6 := false
+	if addr, err := netip.ParseAddr(host); err == nil {
+		is4in6 = addr.Is4In6()
+	}
+
 	return &envoy_config_core_v3.Address{
 		Address: &envoy_config_core_v3.Address_SocketAddress{SocketAddress: &envoy_config_core_v3.SocketAddress{
 			Address:       host,
 			PortSpecifier: &envoy_config_core_v3.SocketAddress_PortValue{PortValue: uint32(port)},
-			Ipv4Compat:    true,
+			Ipv4Compat:    host == "::" || is4in6,
 		}},
 	}
 }
--- a/config/envoyconfig/filters.go
+++ b/config/envoyconfig/filters.go
@ -0,0 +1,100 @@
+package envoyconfig
+
+import (
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
+	envoy_extensions_filters_http_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
+	envoy_extensions_filters_http_router_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
+	envoy_extensions_filters_listener_proxy_protocol_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
+	envoy_extensions_filters_listener_tls_inspector_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3"
+	envoy_extensions_filters_network_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/pomerium/pomerium/pkg/protoutil"
+)
+
+// ExtAuthzFilter creates an ext authz filter.
+func ExtAuthzFilter(grpcClientTimeout *durationpb.Duration) *envoy_extensions_filters_network_http_connection_manager.HttpFilter {
+	return &envoy_extensions_filters_network_http_connection_manager.HttpFilter{
+		Name: "envoy.filters.http.ext_authz",
+		ConfigType: &envoy_extensions_filters_network_http_connection_manager.HttpFilter_TypedConfig{
+			TypedConfig: protoutil.NewAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
+				StatusOnError: &envoy_type_v3.HttpStatus{
+					Code: envoy_type_v3.StatusCode_InternalServerError,
+				},
+				Services: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthz_GrpcService{
+					GrpcService: &envoy_config_core_v3.GrpcService{
+						Timeout: grpcClientTimeout,
+						TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{
+							EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{
+								ClusterName: "pomerium-authorize",
+							},
+						},
+					},
+				},
+				IncludePeerCertificate: true,
+				TransportApiVersion:    envoy_config_core_v3.ApiVersion_V3,
+			}),
+		},
+	}
+}
+
+// HTTPConnectionManagerFilter creates a new HTTP connection manager filter.
+func HTTPConnectionManagerFilter(
+	httpConnectionManager *envoy_extensions_filters_network_http_connection_manager.HttpConnectionManager,
+) *envoy_config_listener_v3.Filter {
+	return &envoy_config_listener_v3.Filter{
+		Name: "envoy.filters.network.http_connection_manager",
+		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
+			TypedConfig: protoutil.NewAny(httpConnectionManager),
+		},
+	}
+}
+
+// HTTPRouterFilter creates a new HTTP router filter.
+func HTTPRouterFilter() *envoy_extensions_filters_network_http_connection_manager.HttpFilter {
+	return &envoy_extensions_filters_network_http_connection_manager.HttpFilter{
+		Name: "envoy.filters.http.router",
+		ConfigType: &envoy_extensions_filters_network_http_connection_manager.HttpFilter_TypedConfig{
+			TypedConfig: protoutil.NewAny(&envoy_extensions_filters_http_router_v3.Router{}),
+		},
+	}
+}
+
+// LuaFilter creates a lua HTTP filter.
+func LuaFilter(defaultSourceCode string) *envoy_extensions_filters_network_http_connection_manager.HttpFilter {
+	return &envoy_extensions_filters_network_http_connection_manager.HttpFilter{
+		Name: "envoy.filters.http.lua",
+		ConfigType: &envoy_extensions_filters_network_http_connection_manager.HttpFilter_TypedConfig{
+			TypedConfig: protoutil.NewAny(&envoy_extensions_filters_http_lua_v3.Lua{
+				DefaultSourceCode: &envoy_config_core_v3.DataSource{
+					Specifier: &envoy_config_core_v3.DataSource_InlineString{
+						InlineString: defaultSourceCode,
+					},
+				},
+			}),
+		},
+	}
+}
+
+// ProxyProtocolFilter creates a new Proxy Protocol filter.
+func ProxyProtocolFilter() *envoy_config_listener_v3.ListenerFilter {
+	return &envoy_config_listener_v3.ListenerFilter{
+		Name: "envoy.filters.listener.proxy_protocol",
+		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
+			TypedConfig: protoutil.NewAny(&envoy_extensions_filters_listener_proxy_protocol_v3.ProxyProtocol{}),
+		},
+	}
+}
+
+// TLSInspectorFilter creates a new TLS inspector filter.
+func TLSInspectorFilter() *envoy_config_listener_v3.ListenerFilter {
+	return &envoy_config_listener_v3.ListenerFilter{
+		Name: "tls_inspector",
+		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
+			TypedConfig: protoutil.NewAny(&envoy_extensions_filters_listener_tls_inspector_v3.TlsInspector{}),
+		},
+	}
+}
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@ -12,15 +12,12 @@ import (
 	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
-	envoy_extensions_filters_http_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
-	envoy_extensions_filters_listener_proxy_protocol_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
 	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/golang/protobuf/ptypes/any"
 	"github.com/golang/protobuf/ptypes/wrappers"
 	"google.golang.org/protobuf/types/known/durationpb"
-	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
@ -95,13 +92,7 @@ func (b *Builder) BuildListeners(ctx context.Context, cfg *config.Config) ([]*en
 func (b *Builder) buildMainListener(ctx context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) {
 	listenerFilters := []*envoy_config_listener_v3.ListenerFilter{}
 	if cfg.Options.UseProxyProtocol {
-		proxyCfg := marshalAny(&envoy_extensions_filters_listener_proxy_protocol_v3.ProxyProtocol{})
-		listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
-			Name: "envoy.filters.listener.proxy_protocol",
-			ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
-				TypedConfig: proxyCfg,
-			},
-		})
+		listenerFilters = append(listenerFilters, ProxyProtocolFilter())
 	}

 	if cfg.Options.InsecureServer {
@ -125,14 +116,7 @@ func (b *Builder) buildMainListener(ctx context.Context, cfg *config.Config) (*e
 		}}
 		return li, nil
 	}
-
-	tlsInspectorCfg := marshalAny(new(emptypb.Empty))
-	listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
-		Name: "envoy.filters.listener.tls_inspector",
-		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
-			TypedConfig: tlsInspectorCfg,
-		},
-	})
+	listenerFilters = append(listenerFilters, TLSInspectorFilter())

 	chains, err := b.buildFilterChains(cfg.Options, cfg.Options.Addr,
 		func(tlsDomain string, httpDomains []string) (*envoy_config_listener_v3.FilterChain, error) {
@ -349,83 +333,17 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 		grpcClientTimeout = durationpb.New(30 * time.Second)
 	}

-	extAuthZ := marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
-		StatusOnError: &envoy_type_v3.HttpStatus{
-			Code: envoy_type_v3.StatusCode_InternalServerError,
-		},
-		Services: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthz_GrpcService{
-			GrpcService: &envoy_config_core_v3.GrpcService{
-				Timeout: grpcClientTimeout,
-				TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{
-					EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{
-						ClusterName: "pomerium-authorize",
-					},
-				},
-			},
-		},
-		IncludePeerCertificate: true,
-		TransportApiVersion:    envoy_config_core_v3.ApiVersion_V3,
-	})
-
-	extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
-		InlineCode: luascripts.ExtAuthzSetCookie,
-	})
-	cleanUpstreamLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
-		InlineCode: luascripts.CleanUpstream,
-	})
-	removeImpersonateHeadersLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
-		InlineCode: luascripts.RemoveImpersonateHeaders,
-	})
-	rewriteHeadersLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
-		InlineCode: luascripts.RewriteHeaders,
-	})
-
 	filters := []*envoy_http_connection_manager.HttpFilter{
-		{
-			Name: "envoy.filters.http.lua",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: removeImpersonateHeadersLua,
-			},
-		},
-		{
-			Name: "envoy.filters.http.ext_authz",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: extAuthZ,
-			},
-		},
-		{
-			Name: "envoy.filters.http.lua",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: extAuthzSetCookieLua,
-			},
-		},
-		{
-			Name: "envoy.filters.http.lua",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: cleanUpstreamLua,
-			},
-		},
-		{
-			Name: "envoy.filters.http.lua",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: rewriteHeadersLua,
-			},
-		},
+		LuaFilter(luascripts.RemoveImpersonateHeaders),
+		ExtAuthzFilter(grpcClientTimeout),
+		LuaFilter(luascripts.ExtAuthzSetCookie),
+		LuaFilter(luascripts.CleanUpstream),
+		LuaFilter(luascripts.RewriteHeaders),
 	}
 	if tlsDomain != "" && tlsDomain != "*" {
-		fixMisdirectedLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
-			InlineCode: fmt.Sprintf(luascripts.FixMisdirected, tlsDomain),
-		})
-		filters = append(filters, &envoy_http_connection_manager.HttpFilter{
-			Name: "envoy.filters.http.lua",
-			ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
-				TypedConfig: fixMisdirectedLua,
-			},
-		})
+		filters = append(filters, LuaFilter(fmt.Sprintf(luascripts.FixMisdirected, tlsDomain)))
 	}
-	filters = append(filters, &envoy_http_connection_manager.HttpFilter{
-		Name: "envoy.filters.http.router",
-	})
+	filters = append(filters, HTTPRouterFilter())

 	var maxStreamDuration *durationpb.Duration
 	if options.WriteTimeout > 0 {
@ -440,7 +358,8 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 	if err != nil {
 		return nil, err
 	}
-	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+
+	return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 		AlwaysSetRequestIdInResponse: true,

 		CodecType:  options.GetCodecType().ToEnvoy(),
@ -464,14 +383,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 		SkipXffAppend:     options.SkipXffAppend,
 		XffNumTrustedHops: options.XffNumTrustedHops,
 		LocalReplyConfig:  b.buildLocalReplyConfig(options),
-	})
-
-	return &envoy_config_listener_v3.Filter{
-		Name: "envoy.filters.network.http_connection_manager",
-		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-			TypedConfig: tc,
-		},
-	}, nil
+	}), nil
 }

 func (b *Builder) buildMetricsHTTPConnectionManagerFilter() (*envoy_config_listener_v3.Filter, error) {
@ -496,23 +408,16 @@ func (b *Builder) buildMetricsHTTPConnectionManagerFilter() (*envoy_config_liste
 		return nil, err
 	}

-	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+	return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 		CodecType:  envoy_http_connection_manager.HttpConnectionManager_AUTO,
 		StatPrefix: "metrics",
 		RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{
 			RouteConfig: rc,
 		},
-		HttpFilters: []*envoy_http_connection_manager.HttpFilter{{
-			Name: "envoy.filters.http.router",
-		}},
-	})
-
-	return &envoy_config_listener_v3.Filter{
-		Name: "envoy.filters.network.http_connection_manager",
-		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-			TypedConfig: tc,
+		HttpFilters: []*envoy_http_connection_manager.HttpFilter{
+			HTTPRouterFilter(),
 		},
-	}, nil
+	}), nil
 }

 func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) {
@ -558,15 +463,11 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e
 		return nil, err
 	}

-	tlsInspectorCfg := marshalAny(new(emptypb.Empty))
 	li := newEnvoyListener("grpc-ingress")
 	li.Address = buildAddress(cfg.Options.GetGRPCAddr(), 443)
-	li.ListenerFilters = []*envoy_config_listener_v3.ListenerFilter{{
-		Name: "envoy.filters.listener.tls_inspector",
-		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
-			TypedConfig: tlsInspectorCfg,
-		},
-	}}
+	li.ListenerFilters = []*envoy_config_listener_v3.ListenerFilter{
+		TLSInspectorFilter(),
+	}
 	li.FilterChains = chains
 	return li, nil
 }
@ -601,7 +502,7 @@ func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener
 		return nil, err
 	}

-	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+	return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 		CodecType:  envoy_http_connection_manager.HttpConnectionManager_AUTO,
 		StatPrefix: "grpc_ingress",
 		// limit request first byte to last byte time
@ -611,16 +512,10 @@ func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener
 		RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{
 			RouteConfig: rc,
 		},
-		HttpFilters: []*envoy_http_connection_manager.HttpFilter{{
-			Name: "envoy.filters.http.router",
-		}},
-	})
-	return &envoy_config_listener_v3.Filter{
-		Name: "envoy.filters.network.http_connection_manager",
-		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-			TypedConfig: tc,
+		HttpFilters: []*envoy_http_connection_manager.HttpFilter{
+			HTTPRouterFilter(),
 		},
-	}, nil
+	}), nil
 }

 func (b *Builder) buildRouteConfiguration(name string, virtualHosts []*envoy_config_route_v3.VirtualHost) (*envoy_config_route_v3.RouteConfiguration, error) {
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
@ -36,12 +36,11 @@ func Test_buildMetricsHTTPConnectionManagerFilter(t *testing.T) {
 	require.NoError(t, err)
 	testutil.AssertProtoJSONEqual(t, `
 {
-	"name": "metrics-ingress-1566242852377945326",
+	"name": "metrics-ingress-18010634919562279975",
 	"perConnectionBufferLimitBytes": 32768,
 	"address": {
 		"socketAddress": {
 			"address": "127.0.0.1",
-			"ipv4Compat": true,
 			"portValue": 9902
 		}
 	},
@ -51,7 +50,10 @@ func Test_buildMetricsHTTPConnectionManagerFilter(t *testing.T) {
 			"typedConfig": {
 				"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
 				"httpFilters": [{
-					"name": "envoy.filters.http.router"
+					"name": "envoy.filters.http.router",
+					"typedConfig": {
+						"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+					}
 				}],
 				"routeConfig": {
 					"name": "metrics",
@ -144,7 +146,9 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 					"name": "envoy.filters.http.lua",
 					"typedConfig": {
 						"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
-						"inlineCode": "local function starts_with(str, start)\n    return str:sub(1, #start) == start\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_impersonate_headers = metadata:get(\"remove_impersonate_headers\")\n    if remove_impersonate_headers then\n        local to_remove = {}\n        for k, v in pairs(headers) do\n            if starts_with(k, \"impersonate-extra-\") or k == \"impersonate-group\" or k == \"impersonate-user\" then\n                table.insert(to_remove, k)\n            end\n        end\n\n        for k, v in pairs(to_remove) do\n            headers:remove(v)\n        end\n    end\nend\n\nfunction envoy_on_response(response_handle)\nend\n"
+						"defaultSourceCode": {
+							"inlineString": "local function starts_with(str, start)\n    return str:sub(1, #start) == start\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_impersonate_headers = metadata:get(\"remove_impersonate_headers\")\n    if remove_impersonate_headers then\n        local to_remove = {}\n        for k, v in pairs(headers) do\n            if starts_with(k, \"impersonate-extra-\") or k == \"impersonate-group\" or k == \"impersonate-user\" then\n                table.insert(to_remove, k)\n            end\n        end\n\n        for k, v in pairs(to_remove) do\n            headers:remove(v)\n        end\n    end\nend\n\nfunction envoy_on_response(response_handle)\nend\n"
+						}
 					}
 				},
 				{
@ -168,25 +172,34 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 					"name": "envoy.filters.http.lua",
 					"typedConfig": {
 						"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
-						"inlineCode": "function envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local dynamic_meta = request_handle:streamInfo():dynamicMetadata()\n    if headers:get(\"x-pomerium-set-cookie\") ~= nil then\n        dynamic_meta:set(\"envoy.filters.http.lua\", \"pomerium_set_cookie\",\n                         headers:get(\"x-pomerium-set-cookie\"))\n        headers:remove(\"x-pomerium-set-cookie\")\n    end\nend\n\nfunction envoy_on_response(response_handle)\n    local headers = response_handle:headers()\n    local dynamic_meta = response_handle:streamInfo():dynamicMetadata()\n    local tbl = dynamic_meta:get(\"envoy.filters.http.lua\")\n    if tbl ~= nil and tbl[\"pomerium_set_cookie\"] ~= nil then\n        headers:add(\"set-cookie\", tbl[\"pomerium_set_cookie\"])\n    end\nend\n"
+						"defaultSourceCode": {
+							"inlineString": "function envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local dynamic_meta = request_handle:streamInfo():dynamicMetadata()\n    if headers:get(\"x-pomerium-set-cookie\") ~= nil then\n        dynamic_meta:set(\"envoy.filters.http.lua\", \"pomerium_set_cookie\",\n                         headers:get(\"x-pomerium-set-cookie\"))\n        headers:remove(\"x-pomerium-set-cookie\")\n    end\nend\n\nfunction envoy_on_response(response_handle)\n    local headers = response_handle:headers()\n    local dynamic_meta = response_handle:streamInfo():dynamicMetadata()\n    local tbl = dynamic_meta:get(\"envoy.filters.http.lua\")\n    if tbl ~= nil and tbl[\"pomerium_set_cookie\"] ~= nil then\n        headers:add(\"set-cookie\", tbl[\"pomerium_set_cookie\"])\n    end\nend\n"
+						}
 					}
 				},
 				{
 					"name": "envoy.filters.http.lua",
 					"typedConfig": {
 						"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
-						"inlineCode": "function remove_pomerium_cookie(cookie_name, cookie)\n    -- lua doesn't support optional capture groups\n    -- so we replace twice to handle pomerium=xyz at the end of the string\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+\", \"\")\n    return cookie\nend\n\nfunction has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
+						"defaultSourceCode": {
+							"inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n    -- lua doesn't support optional capture groups\n    -- so we replace twice to handle pomerium=xyz at the end of the string\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+\", \"\")\n    return cookie\nend\n\nfunction has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
+						}
 					}
 				},
 				{
 					"name": "envoy.filters.http.lua",
 					"typedConfig": {
 						"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
-						"inlineCode": "function replace_prefix(str, prefix, value)\n    return str:gsub(\"^\"..prefix, value)\nend\n\nfunction envoy_on_request(request_handle)\nend\n\nfunction envoy_on_response(response_handle)\n    local headers = response_handle:headers()\n    local metadata = response_handle:metadata()\n\n    -- should be in the form:\n    -- [{\n    --   \"header\":\"Location\",\n    --   \"prefix\":\"http://localhost:8000/two/\",\n    --   \"value\":\"http://frontend/one/\"\n    -- }]\n    local rewrite_response_headers = metadata:get(\"rewrite_response_headers\")\n    if rewrite_response_headers then\n        for _, obj in pairs(rewrite_response_headers) do\n            local hdr = headers:get(obj.header)\n            if hdr ~= nil then\n                local newhdr = replace_prefix(hdr, obj.prefix, obj.value)\n                headers:replace(obj.header, newhdr)\n            end\n        end\n    end\nend\n"
+						"defaultSourceCode": {
+							"inlineString": "function replace_prefix(str, prefix, value)\n    return str:gsub(\"^\"..prefix, value)\nend\n\nfunction envoy_on_request(request_handle)\nend\n\nfunction envoy_on_response(response_handle)\n    local headers = response_handle:headers()\n    local metadata = response_handle:metadata()\n\n    -- should be in the form:\n    -- [{\n    --   \"header\":\"Location\",\n    --   \"prefix\":\"http://localhost:8000/two/\",\n    --   \"value\":\"http://frontend/one/\"\n    -- }]\n    local rewrite_response_headers = metadata:get(\"rewrite_response_headers\")\n    if rewrite_response_headers then\n        for _, obj in pairs(rewrite_response_headers) do\n            local hdr = headers:get(obj.header)\n            if hdr ~= nil then\n                local newhdr = replace_prefix(hdr, obj.prefix, obj.value)\n                headers:replace(obj.header, newhdr)\n            end\n        end\n    end\nend\n"
+						}
 					}
 				},
 				{
-					"name": "envoy.filters.http.router"
+					"name": "envoy.filters.http.router",
+					"typedConfig": {
+						"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+					}
 				}
 			],
 			"requestTimeout": "30s",
--- a/config/envoyconfig/outbound.go
+++ b/config/envoyconfig/outbound.go
@ -60,9 +60,9 @@ func (b *Builder) buildOutboundHTTPConnectionManager() (*envoy_config_listener_v
 		RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{
 			RouteConfig: rc,
 		},
-		HttpFilters: []*envoy_http_connection_manager.HttpFilter{{
-			Name: "envoy.filters.http.router",
-		}},
+		HttpFilters: []*envoy_http_connection_manager.HttpFilter{
+			HTTPRouterFilter(),
+		},
 	})

 	return &envoy_config_listener_v3.Filter{
--- a/go.mod
+++ b/go.mod
@ -15,7 +15,7 @@ require (
 	github.com/client9/misspell v0.3.4
 	github.com/coreos/go-oidc/v3 v3.2.0
 	github.com/docker/docker v20.10.17+incompatible
-	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
+	github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575
 	github.com/envoyproxy/protoc-gen-validate v0.6.7
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-jose/go-jose/v3 v3.0.0
@ -109,7 +109,7 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/charithe/durationcheck v0.0.9 // indirect
 	github.com/chavacava/garif v0.0.0-20220316182200-5cad0b5181d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
+	github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/daixiang0/gci v0.6.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -287,8 +287,8 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 h1:KwaoQzs/WeUxxJqiJsZ4euOly1Az/IgZXXSxlD/UBNk=
-github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc h1:PYXxkRUBGUMa5xgMVMDl62vEklZvKpVaxQeN9ie7Hfk=
+github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
@ -503,8 +503,9 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 h1:xvqufLtNVwAhN8NMyWklVgxnWohi+wtMGQMhtxexlm0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
+github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 h1:yrCCU7Wf6E1dMmWDfMuD9cT+fABNmOaCI8KzS9shMrE=
+github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
 github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.6.7 h1:qcZcULcd/abmQg6dwigimCNEyi4gg31M/xaciQlDml8=
@ -1684,6 +1685,7 @@ go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKu
 go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48yyE4TNvoHqU=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
+go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
 go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@ -2325,6 +2327,7 @@ google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2
 google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
+google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
--- a/scripts/get-envoy.bash
+++ b/scripts/get-envoy.bash
@ -5,7 +5,7 @@ PATH="$PATH:$(go env GOPATH)/bin"
 export PATH

 _project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
-_envoy_version=1.21.3
+_envoy_version=1.23.0
 _dir="$_project_root/pkg/envoy/files"
 _target="${TARGET:-"$(go env GOOS)-$(go env GOARCH)"}"