backport of commit 18821f6

website/content/docs/connect/config-entries/service-defaults.mdx

@@ -57,6 +57,10 @@ The following outline shows how to format the service splitter configuration ent
 - [`TransparentProxy`](#transparentproxy): map | no default
   - [`OutboundListenerPort`](#transparentproxy): integer | `15001`
   - [`DialedDirectly`](#transparentproxy  ): boolean | `false`
+- [`EnvoyExtensions`](#envoyextensions): list | no default
+  - [`Name`](#envoyextensions): string | `""`
+  - [`Required`](#envoyextensions): string | `""`
+  - [`Arguments`](#envoyextensions): map | `nil`
 - [`Destination`](#destination): map | no default
   - [`Addresses`](#destination): list | no default
   - [`Port`](#destination): integer | `0`
@@ -120,6 +124,10 @@ The following outline shows how to format the service splitter configuration ent
   - [`transparentProxy`](#transparentproxy): map | no default
     - [`outboundListenerPort`](#transparentproxy): integer | `15001`
     - [`dialedDirectly`](#transparentproxy): boolean | `false`
+  - [`envoyExtensions`](#envoyextensions): list | no default
+    - [`name`](#envoyextensions): string | `""`
+    - [`required`](#envoyextensions): string | `""`
+    - [`arguments`](#envoyextensions): map | `nil`
   - [`destination`](#destination): map | no default
     - [`addresses`](#destination): list | no default
     - [`port`](#destination): integer | `0`
@@ -128,7 +136,7 @@ The following outline shows how to format the service splitter configuration ent
   - [`localRequestTiimeoutMs`](#localrequesttimeoutms): integer | `0`
   - [`meshGateway`](#meshgateway): map | no default
     - [`mode`](#meshgateway): string | no default
-  - [`externalSNI`](#externalsni): string | no defaiult
+  - [`externalSNI`](#externalsni): string | no default
   - [`expose`](#expose): map | no default
     - [`checks`](#expose-checks): boolean | `false`
     - [`paths`](#expose-paths): list | no default
@@ -666,7 +674,7 @@ Map that specifies a set of rules that enable Consul to remove hosts from the up
 
 ### `TransparentProxy`
 
-Controls configurations specific to proxies in transparent mode. Refer to [Transparent Proxy](/consul/docs/connect/transparent-proxy) for additional information.  
+Controls configurations specific to proxies in transparent mode. Refer to [Transparent Proxy](/consul/docs/connect/transparent-proxy) for additional information.
 
 You can configure the following parameters in the `TransparentProxy` block:
 
@@ -675,6 +683,18 @@ You can configure the following parameters in the `TransparentProxy` block:
 | `OutboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected. | integer | `15001` |
 | `DialedDirectly` | Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader. | boolean | `false` |
 
+### `EnvoyExtensions`
+
+List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information.  
+
+You can configure the following parameters in the `EnvoyExtensions` block:
+
+| Parameter | Description | Data type | Default |
+| ---   | ---         | ---       | ---     |
+| `Name` | Name of the extension. | string | `""` |
+| `Required` | When Required is true and the extension does not update any Envoy resources, an error is returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed. | string | `""` |
+| `Arguments` | Arguments to pass to the extension executable. | map | `nil` |
+
 ### `Destination[]`
 
 Configures the destination for service traffic through terminating gateways. Refer to [Terminating Gateway](/consul/docs/connect/terminating-gateway) for additional information. 
@@ -1046,6 +1066,20 @@ You can configure the following parameters in the `TransparentProxy` block:
 | `outboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected. | integer | `15001` |
 | `dialedDirectly` | Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader. | boolean | `false` |
 
+### `spec.envoyExtensions`
+
+List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information.
+
+#### Values
+
+You can configure the following parameters in the `EnvoyExtensions` block:
+
+| Parameter | Description | Data type | Default |
+| ---   | ---         | ---       | ---     |
+| `name` | Name of the extension. | string | `""` |
+| `required` | When Required is true and the extension does not update any Envoy resources, an error is returned. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed. | string | `""` |
+| `arguments` | Arguments to pass to the extension executable. | map | `nil` |
+
 ### `spec.destination`
 
 Map of configurations that specify one or more destinations for service traffic routed through terminating gateways. Refer to [Terminating Gateway](/consul/docs/connect/terminating-gateway) for additional information. 

website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx

@@ -164,22 +164,65 @@ In the following example, the `service-defaults` configure the Lua Envoy extensi
 ```hcl
 Kind = "service-defaults"
 Name = "myservice"
-EnvoyExtensions {
-  Name = "builtin/lua"
-  
-  Arguments = {
-    ProxyType = "connect-proxy"
-    Listener = "inbound"
-    Script = <<EOF
-function envoy_on_request(request_handle)
-  local service = request_handle:streamInfo():dynamicMetadata():get("consul")["service"]
-  request_handle:headers():add("x-consul-service", service)
-end
-EOF
+EnvoyExtensions = [
+  {
+    Name = "builtin/lua"
+    
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Listener = "inbound"
+      Script = <<EOF
+  function envoy_on_request(request_handle)
+    local service = request_handle:streamInfo():dynamicMetadata():get("consul")["service"]
+    request_handle:headers():add("x-consul-service", service)
+  end
+  EOF
+    }
   }
-}
+]
 ```
 
 </CodeBlockConfig>
 
 Alternatively, you can apply the same extension configuration to [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) configuration entries.
+
+You can also specify multiple Lua filters through the Envoy extensions. They will not override each other.
+
+<CodeBlockConfig filename="lua-envoy-extension.json">
+
+```hcl
+Kind = "service-defaults"
+Name = "myservice"
+EnvoyExtensions = [
+  {
+    Name = "builtin/lua",
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Listener = "inbound"
+      Script = <<-EOF
+function envoy_on_request(request_handle)
+  meta = request_handle:streamInfo():dynamicMetadata()
+  m = meta:get("consul")
+  request_handle:headers():add("x-consul-datacenter", m["datacenter1"])
+end
+      EOF
+    }
+  },
+  {
+    Name = "builtin/lua",
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Listener = "inbound"
+      Script = <<-EOF
+function envoy_on_request(request_handle)
+  meta = request_handle:streamInfo():dynamicMetadata()
+  m = meta:get("consul")
+  request_handle:headers():add("x-consul-datacenter", m["datacenter2"])
+end
+      EOF
+    }
+  }
+]
+```
+
+</CodeBlockConfig>