Envoy sidecar bootstrap config - add one line

In case it helps anyone: I configured a custom envoy_public_listener_json and applied it through a ProxyDefaults entry.

Steps:

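# Build the Envoy public-listener definition and emit it as a single
# JSON-encoded string, ready to paste into the ProxyDefaults
# envoy_public_listener_json field.
#
# The heredoc delimiter is quoted so the shell passes the JSON through
# untouched (no expansion of $VAR or backticks if any are added later), and
# jq reads it directly from stdin instead of via `cat`.
#
# NOTE(review): forward_client_cert_details=APPEND_FORWARD keeps whatever
# x-forwarded-client-cert value the peer already sent and appends Envoy's own
# entry; the upstream must therefore trust only the last (Envoy-added)
# element, or the listener should use SANITIZE_SET so the inbound header is
# dropped before the verified details are set.
#
# Envoy's proto-JSON mapping accepts both camelCase and snake_case keys, which
# is why the mixed "filterChains" / "socket_address" spelling below works;
# picking one style is easier on future readers.
jq '. | @json' <<'EOF'
{
  "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
  "name": "public_listener:0.0.0.0:20000",
  "address": {
    "socket_address": {
      "address": "0.0.0.0",
      "port_value": 20000
    }
  },
  "filterChains": [
    {
      "filters": [
        {
          "name": "envoy.filters.network.http_connection_manager",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
            "stat_prefix": "public_listener",
            "forward_client_cert_details": "APPEND_FORWARD",
            "set_current_client_cert_details": {
              "subject": true,
              "dns": true,
              "uri": true
            },
            "route_config": {
              "name": "public_listener",
              "virtual_hosts": [
                {
                  "name": "public_listener",
                  "domains": [
                    "*"
                  ],
                  "routes": [
                    {
                      "match": {
                        "prefix": "/"
                      },
                      "route": {
                        "cluster": "local_app"
                      }
                    }
                  ]
                }
              ]
            },
            "http_filters": [
              {
                "name": "envoy.filters.http.router"
              }
            ]
          }
        }
      ]
    }
  ]
}
EOF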

Then I took the output from above and used it as follows:

# Consul ProxyDefaults is mesh-wide proxy configuration: the custom listener
# below replaces the default public listener for every sidecar this entry
# applies to, not just one service.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global
spec:
  config:
    # Compacted listener JSON produced by the jq command above. It sets
    # forward_client_cert_details=APPEND_FORWARD with subject/dns/uri cert
    # details, so the sidecar appends the peer's client-cert information to the
    # x-forwarded-client-cert header. APPEND_FORWARD preserves any value the
    # peer already sent, so the upstream should read only the last element, or
    # the listener should use SANITIZE_SET to drop the inbound value first.
    envoy_public_listener_json: "{\"@type\":\"type.googleapis.com/envoy.config.listener.v3.Listener\",\"name\":\"public_listener:0.0.0.0:20000\",\"address\":{\"socket_address\":{\"address\":\"0.0.0.0\",\"port_value\":20000}},\"filterChains\":[{\"filters\":[{\"name\":\"envoy.filters.network.http_connection_manager\",\"typed_config\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\",\"stat_prefix\":\"public_listener\",\"forward_client_cert_details\":\"APPEND_FORWARD\",\"set_current_client_cert_details\":{\"subject\":true,\"dns\":true,\"uri\":true},\"route_config\":{\"name\":\"public_listener\",\"virtual_hosts\":[{\"name\":\"public_listener\",\"domains\":[\"*\"],\"routes\":[{\"match\":{\"prefix\":\"/\"},\"route\":{\"cluster\":\"local_app\"}}]}]},\"http_filters\":[{\"name\":\"envoy.filters.http.router\"}]}}]}]}"

I am still testing this, but I can confirm that the client certificate details (including the SPIFFE ID) are now being passed to the upstream service.