Edge Load Balancing for Consul Connect

Thanks for this, that’s great detail.

The cluster’s UUID should never change and can be seen if you hit the /v1/connect/ca/roots endpoint (TrustDomain field). So that might help when generating a custom template.

Overall what you’ve done here is very similar to what we plan to build as a “basic ingress” just without having to figure all this out for yourself.

The other downside of the approach taken here is that it will bypass any L7 routing in Consul 1.6.0 (Presumably you worked on this prior to that even being available so it’s understandable). If you want the Routing and splitting rules configured in Consul to be respected by the edge proxy then I’m not sure it’s possible at all right now since those are all injected dynamically so adding a static listener at bootstrap time like this won’t work.

It might be possible still to hook into the named routes from a custom listener like this and have domain/SNI based routing choose which upstream and route set to use, but that would be pretty involved Envoy config! I’ve not tried it so not 100% sure if it’s possible currently.

At any rate we plan to make this all easier so this is great context to see what you did here.
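
The TrustDomain lookup mentioned in the reply above, as an added example that is not part of the original post: it reads a `/v1/connect/ca/roots` response, checks the trust domain, and builds the SPIFFE ID a custom template would match for a service. The sample response, the service name `web`, datacenter `dc1`, namespace `default` and the `<uuid>.consul` pattern check are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like a GET /v1/connect/ca/roots response (not real data).
SAMPLE_ROOTS = json.dumps({
    "ActiveRootID": "aa:bb:cc",
    "TrustDomain": "11111111-2222-3333-4444-555555555555.consul",
    "Roots": [
        {"ID": "00:11:22", "Name": "Old CA", "Active": False},
        {"ID": "aa:bb:cc", "Name": "Consul CA Root Cert", "Active": True},
    ],
})

# Assumption: the trust domain is the cluster UUID followed by ".consul".
_TRUST_DOMAIN_RE = re.compile(
    r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.consul$"
)
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def trust_domain(roots_json: str) -> str:
    """Return the TrustDomain field, rejecting anything not shaped like <uuid>.consul."""
    td = json.loads(roots_json).get("TrustDomain", "")
    if not _TRUST_DOMAIN_RE.match(td):
        raise ValueError(f"unexpected TrustDomain value: {td!r}")
    return td


def active_root(roots_json: str) -> dict:
    """Return the root entry whose ID matches ActiveRootID."""
    doc = json.loads(roots_json)
    for root in doc.get("Roots", []):
        if root.get("ID") == doc.get("ActiveRootID"):
            return root
    raise ValueError("ActiveRootID does not match any entry in Roots")


def spiffe_id(td: str, service: str, datacenter: str = "dc1",
              namespace: str = "default") -> str:
    """Build the service identity URI to place in a generated template."""
    for part in (service, datacenter, namespace):
        # Refuse values that could inject extra path segments into the URI.
        if not _LABEL_RE.match(part):
            raise ValueError(f"invalid identity component: {part!r}")
    return f"spiffe://{td}/ns/{namespace}/dc/{datacenter}/svc/{service}"


if __name__ == "__main__":
    print(spiffe_id(trust_domain(SAMPLE_ROOTS), "web"))
```
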