Support PROXY Protocol listener filter (1.7)

[sam-heilbron]

Backport of: solo-io#5117

Description

Support PROXY Protocol listener filter and ensure it is executed before the TLS inspector listener filter.

Context

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol.html

We previously relied on a now deprecated Envoy flag, use_proxy_proto defined on the Listener FilterChain: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain.

SNI Context

Using the deprecated flag, the PROXY protocol listener filter is appended to the filter chain. However, we need the PROXY protocol listener filter to be executed before the TLS inspector filter. Since the PROXY protocol adds bytes to the beginning of the connection, the SNI will not be parsed correctly if the PROXY protocol listener filter is not executed first. Without SNI matching, you would get the wrong certificate, and traffic would drop.

Checklist:

• I included a concise, user-facing changelog (for details, see https://github.com/solo-io/go-utils/tree/master/changelogutils) which references the issue that is resolved.
• If I updated APIs (our protos) or helm values, I ran make -B install-go-tools generated-code to ensure there will be no code diff
• I followed guidelines laid out in the Gloo Edge contribution guide
• I opened a draft PR or added the work in progress label if my PR is not ready for review
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[solo-changelog-bot]

Issues linked to changelog:
solo-io#5116