static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: hello
            virtual_hosts:
            - name: hello
              domains:
              - "hello-mtls.default.svc.cluster.local"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: hello-mTLS
          http_filters:
          - name: envoy.router
            config: {}
      tls_context:
        common_tls_context:
          tls_params:
            tls_minimum_protocol_version: TLSv1_2
            tls_maximum_protocol_version: TLSv1_3
            cipher_suites: "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
          tls_certificates:
            - certificate_chain: 
                filename: "/var/run/autocert.step.sm/site.crt"
              private_key:
                filename: "/var/run/autocert.step.sm/site.key"
          validation_context:
            trusted_ca:
              filename: "/var/run/autocert.step.sm/root.crt"
        require_client_certificate: true
  clusters:
  - name: hello-mTLS
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 8080