enable upgrades, remove dedicated filter chain

config/envoyconfig/clusters.go

@@ -120,7 +120,7 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 		}
 
 		// XXX
-		clusters = append(clusters, b.forwardProxyCluster())
+		clusters = append(clusters, b.forwardProxyCluster(cfg))
 	}
 
 	if err = validateClusters(clusters); err != nil {
@@ -547,10 +547,12 @@ func getClusterDiscoveryType(lbEndpoints []*envoy_config_endpoint_v3.LbEndpoint)
 	return &envoy_config_cluster_v3.Cluster_Type{Type: envoy_config_cluster_v3.Cluster_STRICT_DNS}
 }
 
-func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
+func (b *Builder) forwardProxyCluster(
+	cfg *config.Config,
+) *envoy_config_cluster_v3.Cluster {
 	clusterConfig := protoutil.NewAny(&envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig{
 		ClusterImplementationSpecifier: &envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig_DnsCacheConfig{
-			DnsCacheConfig: b.forwardProxyDNSCacheConfig(),
+			DnsCacheConfig: b.forwardProxyDNSCacheConfig(cfg),
 		},
 	})
 	return &envoy_config_cluster_v3.Cluster{
@@ -565,7 +567,9 @@ func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
 	}
 }
 
-func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
+func (b *Builder) forwardProxyDNSCacheConfig(
+	cfg *config.Config,
+) *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
 	resolverConfig := protoutil.NewAny(&envoy_extensions_network_dns_resolver_cares_v3.CaresDnsResolverConfig{
 		Resolvers: []*envoy_config_core_v3.Address{{
 			Address: &envoy_config_core_v3.Address_SocketAddress{
@@ -584,7 +588,8 @@ func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_
 	})
 	return &envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig{
 		Name: "dynamic_forward_proxy_cache_config",
-		DnsLookupFamily: envoy_config_cluster_v3.Cluster_AUTO,
+		// XXX: this should probably pull from the main config option
+		DnsLookupFamily: config.GetEnvoyDNSLookupFamily(cfg.Options.DNSLookupFamily),
 		TypedDnsResolverConfig: &envoy_config_core_v3.TypedExtensionConfig{
 			Name:        "envoy.network.dns_resolver.cares",
 			TypedConfig: resolverConfig,

config/envoyconfig/listeners_main.go

@@ -126,9 +126,9 @@ func (b *Builder) buildMainTLSListener(
 	}
 	li.FilterChains = append(li.FilterChains, filterChain)
 
-	fp := b.buildForwardProxyFilterChain(ctx, cfg)
+	/*fp := b.buildForwardProxyFilterChain(ctx, cfg)
 	fp.TransportSocket = transportSocket
-	li.FilterChains = append(li.FilterChains, fp)
+	li.FilterChains = append(li.FilterChains, fp)*/
 
 	return li, nil
 }
@@ -175,7 +175,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 	if !useQUIC && cfg.Options.CodecType == config.CodecTypeHTTP3 {
 		filters = append(filters, newQUICAltSvcHeaderFilter(cfg))
 	}
-	filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig()))
+	filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig(cfg)))
 	filters = append(filters, HTTPRouterFilter())
 
 	var maxStreamDuration *durationpb.Duration
@@ -309,7 +309,7 @@ func (b *Builder) buildForwardProxyFilterChain(
 	})
 	return &envoy_config_listener_v3.FilterChain{
 		FilterChainMatch: &envoy_config_listener_v3.FilterChainMatch{
-			ServerNames: []string{"relay.ken.sandbox.pomerium.io"}, // XXX
+			ServerNames: []string{"relay.ken.sandbox.pomerium.io", "relay.localhost.pomerium.io"}, // XXX
 		},
 		Filters: []*envoy_config_listener_v3.Filter{filter},
 	}

config/envoyconfig/route_configurations.go

@@ -100,7 +100,7 @@ func (b *Builder) buildMainRouteConfiguration(
 		vh.Routes = append(vh.Routes, rs...)
 
 		// XXX
-		vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoute(cfg))
+		vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoutes(cfg)...)
 	}
 
 	virtualHosts = append(virtualHosts, vh)

config/envoyconfig/routes.go

@@ -355,9 +355,10 @@ func (b *Builder) buildRouteForPolicyAndMatch(
 	return route, nil
 }
 
-func (b *Builder) buildDynamicForwardProxyRoute(cfg *config.Config) *envoy_config_route_v3.Route {
+func (b *Builder) buildDynamicForwardProxyRoutes(cfg *config.Config) []*envoy_config_route_v3.Route {
-	return &envoy_config_route_v3.Route{
+	return []*envoy_config_route_v3.Route{
-		Name: "dynamic",
+		{
+			Name: "dynamic-upstream",
 			Match: &envoy_config_route_v3.RouteMatch{
 				PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
 					Prefix: "/",
@@ -370,8 +371,40 @@ func (b *Builder) buildDynamicForwardProxyRoute(cfg *config.Config) *envoy_confi
 					},
 				},
 			},
-		// XXX: does this need any RequestHeadersToRemove?
+			TypedPerFilterConfig: map[string]*anypb.Any{
-		// XXX: does this need a Decorator?
+				PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+			},
+		},
+		{
+			Name: "dynamic-proxy",
+			Match: &envoy_config_route_v3.RouteMatch{
+				PathSpecifier: &envoy_config_route_v3.RouteMatch_ConnectMatcher_{
+					ConnectMatcher: &envoy_config_route_v3.RouteMatch_ConnectMatcher{},
+				},
+			},
+			Action: &envoy_config_route_v3.Route_Route{
+				Route: &envoy_config_route_v3.RouteAction{
+					ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
+						Cluster: "dynamic-forward-proxy-cluster",
+					},
+					UpgradeConfigs: []*envoy_config_route_v3.RouteAction_UpgradeConfig{
+						{
+							UpgradeType:   "CONNECT",
+							ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+						},
+						{
+							UpgradeType:   "CONNECT-UDP",
+							ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+						},
+					},
+				},
+			},
+			TypedPerFilterConfig: map[string]*anypb.Any{
+				PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+			},
+		},
+		// XXX: do these need any RequestHeadersToRemove?
+		// XXX: do these need a Decorator?
 	}
 }