MeshPassthrough with http remote endpoint

[bcollard]

What happened?

Given:

• mesh passthrough turned off
• client-1 being a workload in the mesh, that connects to a remote service over HTTP (not in the mesh)
• and the following policy:

apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: allow-client1-cluster1-to-kgw-cluster2
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    proxyTypes:
    - Sidecar
    tags:
      kuma.io/service: client-1_client_svc
  default:
    passthroughMode: Matched
    appendMatch:
    - type: IP
      value: $PROXY_IP
      protocol: http
      port: 80

Then, the generated Envoy config for sidecar attached to client-1 is like:

                  "filters": [
                    {
                      "name": "envoy.filters.network.http_connection_manager",
                      "typed_config": {
                        "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                        "stat_prefix": "meshpassthrough_http_80",
                        "route_config": {
                          "name": "meshpassthrough_http_80",
                          "virtual_hosts": [
                            {
                              "name": "<public IP ADDRESS>",
                              "domains": [
                                "<public IP ADDRESS>"
                              ],
                              "routes": [
                                {
                                  "match": {
                                    "path": "/"
                                  },
                                  "route": {
                                    "cluster": "meshpassthrough_<public IP ADDRESS>_80"
                                  }
                                }
                              ]
                            },
                            {
                              "name": "no_match",
                              "domains": [
                                "*"
                              ],
                              "routes": [
                                {
                                  "match": {
                                    "prefix": "/"
                                  },
                                  "direct_response": {
                                    "status": 503,
                                    "body": {
                                      "inline_string": "This response comes from Kuma Sidecar. No routes matched this domain - check configuration of your MeshPassthrough policy.\n"
                                    }
                                  }
                                }
                              ]
                            }
                          ]
                        },

The route matcher should be "prefix": "/" and not "path": "/".