diff --git a/test/integration/connect/envoy/Dockerfile-test-sds-server b/test/integration/connect/envoy/Dockerfile-test-sds-server
new file mode 100644
index 0000000000..4ace04b394
--- /dev/null
+++ b/test/integration/connect/envoy/Dockerfile-test-sds-server
@@ -0,0 +1,8 @@
+FROM golang:latest
+
+WORKDIR /go/src
+COPY ./test-sds-server .
+
+RUN go build -v -o test-sds-server sds.go
+
+CMD ["/go/src/test-sds-server"]
\ No newline at end of file
diff --git a/test/integration/connect/envoy/case-ingress-gateway-sds/capture.sh b/test/integration/connect/envoy/case-ingress-gateway-sds/capture.sh
new file mode 100644
index 0000000000..41ea5cb24f
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-sds/capture.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:20000 ingress-gateway primary || true
\ No newline at end of file
diff --git a/test/integration/connect/envoy/case-ingress-gateway-sds/config_entries.hcl b/test/integration/connect/envoy/case-ingress-gateway-sds/config_entries.hcl
new file mode 100644
index 0000000000..6a9d6a65ec
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-sds/config_entries.hcl
@@ -0,0 +1,49 @@
+config_entries {
+ bootstrap = [
+ {
+ kind = "proxy-defaults"
+ name = "global"
+ config {
+ protocol = "http"
+ }
+ },
+ {
+ kind = "ingress-gateway"
+ name = "ingress-gateway"
+
+ listeners = [
+ {
+ port = 9999
+ protocol = "http"
+ services = [
+ {
+ name = "*"
+ }
+ ]
+ tls {
+ sds {
+ cluster_name = "sds-cluster"
+ cert_resource = "wildcard.ingress.consul"
+ }
+ }
+ },
+ {
+ port = 9998
+ protocol = "http"
+ services = [
+ {
+ name = "s1"
+ hosts = ["foo.example.com"]
+ tls {
+ sds {
+ cluster_name = "sds-cluster"
+ cert_resource = "foo.example.com"
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
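Review bot: `FROM golang:latest` in Dockerfile-test-sds-server is a floating tag, so the toolchain that builds the SDS test server changes whenever the image is re-pulled, while the module added in this commit declares `go 1.16`. Pinning the base, e.g. `FROM golang:1.16` (ideally by digest), keeps the integration suite reproducible and limits exposure to an unexpected upstream image. Separately, `COPY ./test-sds-server .` copies the whole directory into the image, including `certs/` with `ca-root.key` and the leaf keys. Since run-tests.sh bind-mounts the certs at runtime, copying only `go.mod`, `go.sum` and `sds.go` would keep key material out of the image layers.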
diff --git a/test/integration/connect/envoy/case-ingress-gateway-sds/service_gateway.hcl b/test/integration/connect/envoy/case-ingress-gateway-sds/service_gateway.hcl new file mode 100644 index 0000000000..1e3073a8d6 --- /dev/null +++ b/test/integration/connect/envoy/case-ingress-gateway-sds/service_gateway.hcl @@ -0,0 +1,42 @@ +services { + name = "ingress-gateway" + kind = "ingress-gateway" + + proxy { + config { + envoy_extra_static_clusters_json = <&2 - return 1 - fi + echo "GOT: $output" + + [ "$status" == 0 ] + [ "$output" == "FORTIO_NAME=${EXPECT_NAME}" ] } function assert_expected_fortio_name_pattern { @@ -889,4 +930,4 @@ function assert_expected_fortio_host_header { echo "expected Host header: $EXPECT_HOST, actual Host header: $GOT" 1>&2 return 1 fi -} +} \ No newline at end of file diff --git a/test/integration/connect/envoy/run-tests.sh b/test/integration/connect/envoy/run-tests.sh index 2015c373f9..b50b578697 100755 --- a/test/integration/connect/envoy/run-tests.sh +++ b/test/integration/connect/envoy/run-tests.sh @@ -89,6 +89,10 @@ function init_workdir { # move all of the registration files OUT of the consul config dir now find workdir/${DC}/consul -type f -name 'service_*.hcl' -exec mv -f {} workdir/${DC}/register \; + # copy the ca-certs for SDS so we can verify the right ones are served + mkdir -p workdir/test-sds-server/certs + cp test-sds-server/certs/ca-root.crt workdir/test-sds-server/certs/ca-root.crt + if test -d "${CASE_DIR}/data" then cp -r ${CASE_DIR}/data/* workdir/${DC}/data @@ -366,6 +370,10 @@ function suite_setup { docker build -t consul-dev-envoy:${ENVOY_VERSION} \ --build-arg ENVOY_VERSION=${ENVOY_VERSION} \ -f Dockerfile-consul-envoy . + + # pre-build the test-sds-server container + echo "Rebuilding 'test-sds-server' image..." + docker build -t test-sds-server -f Dockerfile-test-sds-server . } function suite_teardown { 
@@ -576,6 +584,15 @@ function run_container_jaeger { --collector.zipkin.http-port=9411 } +function run_container_test-sds-server { + docker run -d --name $(container_name) \ + $WORKDIR_SNIPPET \ + -v "$PWD/test-sds-server/certs:/usr/sds/certs" \ + -w /usr/sds \ + $(network_snippet primary) \ + "test-sds-server" +} + function container_name { echo "envoy_${FUNCNAME[1]/#run_container_/}_1" } diff --git a/test/integration/connect/envoy/test-sds-server/certs/ca-root.crt b/test/integration/connect/envoy/test-sds-server/certs/ca-root.crt new file mode 100644 index 0000000000..97805246ec --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/ca-root.crt 
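Review bot: The `-v "$PWD/test-sds-server/certs:/usr/sds/certs"` mount in run_container_test-sds-server is read-write and exposes the whole certs directory, including `ca-root.key`, to the container. The SDS server presumably only needs the leaf certificates and keys it serves (sds.go is outside this view, so confirm). A read-only mount, `-v "$PWD/test-sds-server/certs:/usr/sds/certs:ro"`, would stop a misbehaving container from rewriting the checked-in fixtures. Keeping the CA private key out of the mounted directory would narrow this further.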
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE5jCCAs4CCQCSUow3YnwtFTANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExGTAXBgNVBAMMEFNEUyBUZXN0IENBIENlcnQwHhcNMjEw +ODI0MTIzMjM4WhcNMzEwODIyMTIzMjM4WjA1MQswCQYDVQQGEwJVUzELMAkGA1UE +CAwCQ0ExGTAXBgNVBAMMEFNEUyBUZXN0IENBIENlcnQwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDFGKACcPEVX4qMV6+ycjsTC5BAeGvB/9k1g6vULdEM +atyZMJ74i/vMuI6NSNKbB+XKyZVfbLDkoU2vlnDIWljX13WiFOHA7yueuIFyYTWl +7OG3SIoABqefh14dd86DyBrBYsNIp//QyzFNX9D98Ss3dnBnINTvFfFZKQ/hR90r +wtOtgh51vUTHU8dhHP2i7t/YoHn5yIUrtkLYKOe76loveqRE9G34QHPo00EHEg/X +0cCSOwzos+wK9ebLzgXdquvuIf8e8xkwJEpo/1MZ/0Tq9zsGWkNSM6G0jQ0qrHoa +X+LMGY5JnyZTMjuwLI5UtU9b4aSxbUbVoHftVxnkfVPSOD1770QLLpYIUBEvbonh +Y3r4zejQY2ES1sbMIOX+9lYaZKGGwd8/777bjeYTI+oIHlWgDMqiLhwzCOuQQ2Jo +c7ilfWItyhAmucJdpHY80aFGGUhbqUWftrFnuSRJlxUy2+sEqIQiv1D1/q3pLcOP +rPB/GozfeCW346LO5NpJmBdWItO37EARmH1cZW3PbX6FeXHWgm2MjWNR0E3K4Biv +r0QeYagzjIjTiXqfZAMPscjHZI3YpMDtXuHUD2ppoCpAu0Qw5CKmvw834P2xezM9 +Y28CfciGxknYtkf3hd1Vgr0aRnBd5PRJq3iNdfO/a/YpDpdhFhDi29MPPnAJxBpj +CwIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQAIFjEsrFR2AwhPuBCY9rB8NXiuWU6A +O9hXxF36VUolJpD5F/E3J5LGSRlI4H5fAX09aoPNfwqTN4jBWOg0pAZP2oZ1BBQ8 +VQZwzGki9uJTKDnr09mnnMFbdVceYN+nh2HlknEyVj6oSGpD/D1WvhOpeAct30f4 +Z/kKnfM7awUJ/0VsbtVwcBMJTuoFflig9NXyqU1QRA2wEvnFSPG7bqprWE4FtODL +71Fj9gB4M/PFs8+dB9UeSeI20834hRw8zI/QwpMyAs/5EU6wxjaVQtEba396oVQU +BC+UxxQOmK/m31OKJYBLrzeeRD/im4H9fsbWiw4C0xi72OFDWjsRay5mxZlF9N2G +LPIwS9f34JU5HBa/jutShfHE8xnUOeLiXz7AZJ4cNbN+OMPBF40gr67mGCTLpidd +Kldl57UBQacrkecficpmL2KuCAZ80m1QxTJzTIzwSgqPfElsilNFNzeKaM+Qct/S +XSOEsd7St7PxzceiyNkOOV6W+b4GVmxgiClQsWqxMmH7P9X6B+M0SSHFwIxaf126 +VpMOKRXH838s8aFl38PfnEY3v6mS5irvSk9iUsYRpcBHETVzltHzF5Qyn7lp9ncf +iNlIeFEPABODkkU8KQ5MxAwHn5XoXIfJBRrmBfKvxEMCxdUrmUl3ZcsQMvj0c6xJ +MUv9D4WRXMb3XA== +-----END CERTIFICATE----- 
diff --git a/test/integration/connect/envoy/test-sds-server/certs/ca-root.key b/test/integration/connect/envoy/test-sds-server/certs/ca-root.key
new file mode 100644
index 0000000000..ac37bebcc2
--- /dev/null
+++ b/test/integration/connect/envoy/test-sds-server/certs/ca-root.key
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAxRigAnDxFV+KjFevsnI7EwuQQHhrwf/ZNYOr1C3RDGrcmTCe ++Iv7zLiOjUjSmwflysmVX2yw5KFNr5ZwyFpY19d1ohThwO8rnriBcmE1pezht0iK +AAann4deHXfOg8gawWLDSKf/0MsxTV/Q/fErN3ZwZyDU7xXxWSkP4UfdK8LTrYIe +db1Ex1PHYRz9ou7f2KB5+ciFK7ZC2Cjnu+paL3qkRPRt+EBz6NNBBxIP19HAkjsM +6LPsCvXmy84F3arr7iH/HvMZMCRKaP9TGf9E6vc7BlpDUjOhtI0NKqx6Gl/izBmO +SZ8mUzI7sCyOVLVPW+GksW1G1aB37VcZ5H1T0jg9e+9ECy6WCFARL26J4WN6+M3o +0GNhEtbGzCDl/vZWGmShhsHfP+++243mEyPqCB5VoAzKoi4cMwjrkENiaHO4pX1i +LcoQJrnCXaR2PNGhRhlIW6lFn7axZ7kkSZcVMtvrBKiEIr9Q9f6t6S3Dj6zwfxqM +33glt+OizuTaSZgXViLTt+xAEZh9XGVtz21+hXlx1oJtjI1jUdBNyuAYr69EHmGo +M4yI04l6n2QDD7HIx2SN2KTA7V7h1A9qaaAqQLtEMOQipr8PN+D9sXszPWNvAn3I +hsZJ2LZH94XdVYK9GkZwXeT0Sat4jXXzv2v2KQ6XYRYQ4tvTDz5wCcQaYwsCAwEA +AQKCAgBn+Zan0wcLfGxtnvB8FdDeOjJuIFjQbfUbSwwBke3/O/yF/+VNPyOlmxLw +q6MWz/LEqNVZEtC6u/FsmNOEjkziCLLwv01c548+Wx1GxstzbeShOO48F0akXNgk +eYiDcrPSoxRcJuxILHkk1VA+NtTSnHOto99RBWVd4NCUysF9jXj3xnXlLOS0tpiu +vYl8Q8Ho2LegMs02Ax9+Qw4Ezxumgm9YRQ4icXX0NEXQwhGDjA6n1ej4dbonChQo +HdZwWvO9m0en/xyhjfOHMnKXe1fTEHud3U44di5vPh3dDkIX2c+eVjj+06t3Jj/g +r5CiVUe5M+8a/ofouI+rsFBjfk4R4d7uC9FEvuv8SLzBBkCvZK3VLpX+8YCdlaVE +y+2iTp0C42FB4RvSj8aV3qu6mxbyA1fa/Q17GiexYYuBqnc+yQANs5uBra+Lidn7 +W66D0cMEJS3IZJ5atpasFBiXh7a/xXAQBq6H3daEGyvgDZt144qqqVZBrGq5ZIYm +4fbFMIbEC1xPovnPLlYPGeYwydXYGbKaPZ3S5Q30QAj+j7L1vvczvf0CmeYTc4dI +qrQiLe8ksZ/wD7X5xOUPRFGKmiUqDLPDxGKX4kRKNmEZ7zo9lp+/LAAty5ekFS3f +I5Vi0MjLCTCOt1xtgtArUuEK7QsV1p+CXfExhA/aALjnw/tWSQKCAQEA7fMmb8sp +JYrkoJZHLz/jsvYAkY4B+j3L9Fdbd5b8kh+hvw9J5Av6IETJfWCxI+gPuyX6/0KK +UzOv+bU/tT1Z/4Cb5S5TobTO83Yfs8XA1ML8ZMl8b9w7vpyUBoR93DCREpd1uF0Y +89o1eKOPpjCvJMqDN+A3SQ3rqmkeEiFA1iNhhexjoon3u+v6xKfmG6txKcsS+vtq +v8dKEvMsy25AkC6CnHpFR9WpuaCu48nRFif9ru5eZCKN3Vu+WFG/KuVCKtxZAFtE +GVPvZ7ZkRY5V2uEDjeLXIz8ygv4ZcoRI79k2+SkoIbs1mrSWQqFVUDtaiekgyt3K +vXG/jElg1NmTpwKCAQEA1Awe9vsADWCQo54cTToHe6+N/6DKddjvEFKly6QDPbxq +zBbJNgQ8CCxF19lZY8nOMZsRi8qwb/ytnK2lYBp8+x/5g6NsQ6QkuWUmSPBJR2O/ 
+370284V1fwj/L9LxO3FS2Ci6AVlsMxEHG1Uifq80F80kSt2Qfdh3qTGrIrH9xFhQ +RDGRaTURIWZEtpmJrmwLZFeWLJVOwAfRKuz+vEuOK2f1GwfK5avcGnRxXvp0SJU1 +uO+Aamj5i5aBz//gMhx/QAAOgVEhrED2bPKPj1erDa/yksB6t73fg3Gki7LdPf/E +g3nBMTXMkI6MNA1h9IeRTnJXJgJpr6Qqy18wybux/QKCAQEA2OJSu30rAPwrTbAM +LCYIzjrp48HTTZr8BreFOGjXx/yq+jHeQM0l7DmmifATJc5EYGnK8NVerV2kXW92 +JSVJndhEwE1Mj0z1gPW/CaYLECK12MvJ70+G6UNgrNwguA1QfeittSCuOL5BFLfI +nEstqNQpbEmjOqRElOwBK7dBmK1hG6eOXT1yH8iEprD+zWOj3tspbriw4SKuAr3B +q57PnFu4UxYjhclbTUYHgrqWKKLE2KiOQqk4M3aG9Yt1Oo0ClXyIZwnI9WkLArY9 +iSSmXr3P9oi3XXoh+UHQQhAPRwbu04ZO/QfdYSiO+SaCU4H2EVP7vs0QGULPu/e6 +GehDawKCAQBo35nM8zUCaLkAgyliNIoQ7TGgtUiM4n7SJt4jCnoj5XU4fSiE07FR +JXxhlfi09tFJDXWvGs8KhADllahOEKuxlA3WwlPAXIVhQBqgRl8ntLjoEnAEHwSO +kMeNQpnWmWSsze+4zR5LX2eRaBjIaSSthOMnN8/HvfDouEz4uulUW41PPOi7DOjt +COSBHwzOPFeiCAOZBztMlFEqFs6iGAg3hZHfDYqW7tnMJ70OiXZLk6hfT+zGNCb/ +l6+aTOX4QsnYwG5sHNE3nWWDWrAP5/8MpPGnDRVknL7YBrOn+A2eJUpu8B/Rk9cZ +w7ap49iHlSkTkE9z2AunN92GegzqKS+NAoIBABIyp3GOvAHfMKPDWoP9YvSeyxfd +nnnA+OqS5CrpXcifLaY1kDdpPvI8Kixi+6+gtU4N5yoi2nfiG7X7JsWA//OPBymp +OSqIlrC9adAM6UdoYuQHb4v2Wdk98Hdk5Su+xIERP09fC1PXWh6c2W5YzrBqsNKg +RIq/oz1arcgESAbhFNqYMHoMKcFVnkS8XO8JvL9mQbnGYCwUsbcWb6rfKQtrspMF +Owy2EOn0F9a1pj1VndHSRR6Tu5NgpcZtWlaOXTUuvtn594zRjotYeGu/nmyhTO2x +ZE3IsZpHujFlUPctmFeRle5AL0Ev6ikfsgafF44kqA2D8iM236BeKCLHpSg= +-----END RSA PRIVATE KEY----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/ca-root.srl b/test/integration/connect/envoy/test-sds-server/certs/ca-root.srl new file mode 100644 index 0000000000..c84e26e067 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/ca-root.srl @@ -0,0 +1 @@ +E3EC7A5D1F03189C diff --git a/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.crt b/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.crt new file mode 100644 index 0000000000..03fafb3861 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECjCCAfKgAwIBAgIJAOPsel0fAxibMA0GCSqGSIb3DQEBCwUAMDUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEZMBcGA1UEAwwQU0RTIFRlc3QgQ0EgQ2VydDAe +Fw0yMTA4MjQxMjMyMzhaFw0zMTA4MjIxMjMyMzhaMDQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEYMBYGA1UEAwwPZm9vLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoNqz7MhSbI3pn+vNfO/3FrEkC64jmxrSK9bQ +W4WXhbstaM1SbrIqlzacOhslyj5RjzNb1d1TAhdGzrrLiSkCGsstAnMOQIFzP1j9 +2Jiesm5ypiqiOACnwEmSOcfH91N3l/9rLB14uon3q3bLuKv2TjIKeQ21WlIIUSF4 +RwTZGb1sagj8qT9+k/byt94cURVK8DljAuY7v74XLoomRyr4hqaUnamE+K9/rPHi +3IlcTdECHX57SLmfJvSD5YU1O+6l8+u2F79E1/Po2ckNuTFopwnAO487US8qRVjs +3bn/iu9WcMNdTwwEdLEVPPAGNNEvl5gKzrIr+0aoE/XCJuDKFQIDAQABox4wHDAa +BgNVHREEEzARgg9mb28uZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggIBADYg +UcWXPZdH1QPgWNgbs3q9ldNi1bl7BmPxuZio3a/yP1+xHWFVKvHJEQZI2OgdESCV +zkLhpVOzpK9MO+pCSzE3ZOtM7+nKtHwmOGsjK7pOJblwXb3kXi6stEellKXOU4h3 +zYR5L0uZu7OBTnigvYSwT3cvTMQFRttVVJ5UYr+s84QUrKesiYlitUqiHmiBRitx +/3Pxft/V5KvIuovJD7YXJij+hst17Wmoe/lpN6vzGBFaNJE25TZe+momCfU1Cn/F +v0n63wwoR6LsSUuI5T7gFdUb/JXrJWV37P1fs/rk/8H2c6IYxVRjGSNGRIQ+QhdU +2hVXEWexdieRcGsL75E0p9Ok5OjICPkdlkhhMRkJv/oVA9YNaqLk8t0ZtJmWX7Jr +3rILNispG1UnfaBYFtXSSPUbQqyujeqMcXIg1JOAK1tjcMGPrd8BcaU8tT0Ycvg3 +kOcTayd9ZwuJhHTpNW090d3K55FJhEmR+1S4/JoHI1MLEUDRACdxnCKhJ+X9qPlk +DBqyudDRaoe54eoUXtxBujB3rgTrWpryBvxJ5cXEeN8W0Yv8dTEywlHF3X+sp3U/ +5hlMrzsAn7+O+ZnxnSPGrIP/UxSqEoSz1Jz7mNhIXYTV1V1L8mRyDAEIBLMmTyEj +hg2RBdjqu5KFPFogazXpe9mAK+hxb5TfsroWn/Zk +-----END CERTIFICATE----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.key b/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.key new file mode 100644 index 0000000000..50c0da94f4 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/foo.example.com.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAoNqz7MhSbI3pn+vNfO/3FrEkC64jmxrSK9bQW4WXhbstaM1S +brIqlzacOhslyj5RjzNb1d1TAhdGzrrLiSkCGsstAnMOQIFzP1j92Jiesm5ypiqi +OACnwEmSOcfH91N3l/9rLB14uon3q3bLuKv2TjIKeQ21WlIIUSF4RwTZGb1sagj8 +qT9+k/byt94cURVK8DljAuY7v74XLoomRyr4hqaUnamE+K9/rPHi3IlcTdECHX57 +SLmfJvSD5YU1O+6l8+u2F79E1/Po2ckNuTFopwnAO487US8qRVjs3bn/iu9WcMNd +TwwEdLEVPPAGNNEvl5gKzrIr+0aoE/XCJuDKFQIDAQABAoIBAHbCQcj19XTUKcK6 +k9JEUQdd7aD6BqvDV5yqUtbfgQlpMpOH0+6KeEuANEPqOzJgZFL3tjvl1h1bFhoX +a6JutnEVxLtkOweBC5efmntJ4xEV3mu0WmRCh5e+OcmTKJ3/7/I2z+eYMsR2jHb5 +lFtaCtWcuIK7jkOLATz1GxpECA2p0zQZOlg2KyO2oyypig52p+kzR79L8EWcK3gX +fJHdgycPkqbWb0mal3MPyHmMuYSvIeh40uTnTu0MAQh+N32247vuxXZu0zSeiOXe +vJdgPRi8FpNe97DVmcx/JUKjmfuBySL8w6Jg1hrXGZTpEgEZVYWITEP1SmnGYGGW +mzsyzMECgYEAzHw/ZqaEnXl+XmhuigFr5yOlfIy7NHrvCnXt08Ba791QGqEHPA+K +8MXb5Yw8Vwb9VOnNTRN3nzDwBL1et9+oanH3ngAu8tSC7DfZhkPDS7EhE4sLU3k0 +C616Qn/+q+QEQctMZQKuk4yy+BZf5yLNOASZxgY5HemGIuy1oOV/U20CgYEAyWCV +q6G8kLHUvXnwL86rJPdtQwwcUoGTkKEwRTqf94mW2IKHA/NNP9bIpAI799HtxIEw +C9yX/0grAKwzpztqos+pcb5Ly8dOwg0DNVsOdAVHE5EBeLeQD/gP1t+VkYRBGEhF ++VRJwbrgg9WMCDPj/zLskRiWm3nRT/BTsN6aAEkCgYEAp/H8GJD3JmcclOlssEgO +mV47kpn7P1UgcxT8agf4KD06h0RuLrQNR0caHeQZwthoxI7qIT2157dHynzGCHrX +VeWYm9pGtQY5KU2NiKqrAcXPBsASY1KOnnCyk1+QiRjTLj6M1gFn5KOQchXeWnXI +2xNcQLnnu1uK4bBMVINpGdkCgYA14uuKFuh/i6aS4Utdb58qcC9Drrzxcw0KuadS +DyL5OU8tNphsfTGhsJbWFGb5pKpMWAmEUw41WJlxP6M+z850LL952WMs73Nqx9Kg +93HBqBvh536OUAhzzXxnkkLSwqIsnkJjOqPV/GzRulYTZ9dN1dGp7ft3NTzGeFfc +z2RESQKBgG4RDl1uHt0t6+dPH+apexI+uwJ9cfM0z+e7BjRjkkuQiSBUDUQJzYdK +iIm0ftmO5esvgYWCJVndNGWbacOoq1/9W9WMjjpFMDgBTcZayt9yi9qc38AVhqGW +x/FiQOZ8Eg2LE2lMEQVrIyXnKopZgU+wHlJPWoLvccK+cLXZuevg +-----END RSA PRIVATE KEY----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/gen-certs.sh b/test/integration/connect/envoy/test-sds-server/certs/gen-certs.sh new file mode 100755 index 0000000000..0e7f7be395 --- /dev/null 
+++ b/test/integration/connect/envoy/test-sds-server/certs/gen-certs.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -eEuo pipefail
+
+rm -rf *.crt *.key
+
+openssl genrsa -out ca-root.key 4096
+openssl req -x509 -new -nodes -key ca-root.key -out ca-root.crt \
+ -subj "/C=US/ST=CA/O=/CN=SDS Test CA Cert" \
+ -sha256 -days 3650
+
+function gen_cert {
+ local FILE_NAME=$1
+ local DNS_NAME=$2
+
+ openssl genrsa -out "$FILE_NAME.key" 2048
+ openssl req -new -key "$FILE_NAME.key" -out "$FILE_NAME.csr" \
+ -reqexts SAN \
+ -config <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[SAN]\nsubjectAltName=DNS:$DNS_NAME")) \
+ -subj "/C=US/ST=CA/O=/CN=$DNS_NAME"
+
+ openssl x509 -req -in "$FILE_NAME.csr" \
+ -CA ca-root.crt -CAkey ca-root.key -CAcreateserial \
+ -out "$FILE_NAME.crt" -days 3650 -sha256 \
+ -extfile <(printf "subjectAltName=DNS:$DNS_NAME")
+
+ rm "$FILE_NAME.csr"
+}
+
+DOMAINS="www.example.com foo.example.com *.ingress.consul"
+
+for domain in $DOMAINS
+do
+ # * in file names is interpreted as a globa and all sorts of things go
+ # strange!
+ FILE_NAME="$domain"
+ if [ ${domain:0:2} == "*." ]; then
+ FILE_NAME="wildcard.${domain:2}"
+ fi
+ gen_cert $FILE_NAME $domain
+done
\ No newline at end of file
diff --git a/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.crt b/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.crt
new file mode 100644
index 0000000000..218999c897
--- /dev/null
+++ b/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.crt
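Review bot: `rm -rf *.crt *.key` at the top of gen-certs.sh runs in whatever directory the caller is in, so invoking the script from elsewhere deletes unrelated certificates and keys there; add `cd "$(dirname "${BASH_SOURCE[0]}")"` before it. The unquoted `$DOMAINS`, `${domain:0:2}` and `gen_cert $FILE_NAME $domain` are subject to pathname expansion for the `*.ingress.consul` entry, which the comment in the loop already hints at. Holding the domains in an array and quoting the expansions (`gen_cert "$FILE_NAME" "$domain"`) avoids that. The script also regenerates `ca-root.key` on every run, so a header comment stating that these are throwaway test-only credentials that must never be added to a real trust store would help readers.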
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDDCCAfSgAwIBAgIJAOPsel0fAxicMA0GCSqGSIb3DQEBCwUAMDUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEZMBcGA1UEAwwQU0RTIFRlc3QgQ0EgQ2VydDAe +Fw0yMTA4MjQxMjMyMzhaFw0zMTA4MjIxMjMyMzhaMDUxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEZMBcGA1UEAwwQKi5pbmdyZXNzLmNvbnN1bDCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALdsZUrmtIPO914Gcsgr7llxD6Dq/+c4zj5M +GYaFegfCK8mj27Lunxibz7ANkeb/TY7ujBSUjC12PzKNwZTtqs9ZuMlBvxcZeesB +FawiWZ1P1TUJ/J8E+j0Egx6nIa5zd8/tZRR6wnBr/bCSUpr6ZQtkPSPA8vh7/cea +al0SDsgq+ssbgpWf4EvnUDK6TH5x2iymJKkycppi2d4RkIha5uu9eznPkWKMNcFN +nLCPOdljpJ2bC96hurdQAIElJAg+iJr+Oten1GtxlzhHi2U0IBFJ+aRObsTQYR2f +AUGIEqS+E5vVPKsTZnitVL9DdEagl8NLMGTr3k2Ok4AOU+42uVkCAwEAAaMfMB0w +GwYDVR0RBBQwEoIQKi5pbmdyZXNzLmNvbnN1bDANBgkqhkiG9w0BAQsFAAOCAgEA +sNL1izKiFrY41+dK1RYtNAhtlexn+Jyizh8t6aDQfTEyYM8v7+FK5CmLECkGO+5Z +0+HsHB4KwG1OhiTPbFdxyI3na2hluoxPM3ykR1erC10XoKSuerK8vO4JFEJSFVp1 +iqW926YgDnM38565JofXTj4keRvPyFGVW5y1HckgviDeYEpAuunolz3w2w7yuvfc +EQydhl2WZHD1+6uRMKGmJz8f+7JwanfpW5XdwuVR6LH9uHcuDDR5xa+7jmDhQzto +V3hejsVrCV85dyIELseLb1R+T36HXrAWUM3IBYd9DclwwhKo48TXfh3br8XFLkUV +N7IobJthBVqtQqW7V/yI/zYZn+SPhX7BudUVf/dJwDq1hgxwmUo/vcx2HnlSoEDw +M/r1RwY1QY0omZNn3G87VGZjC2tqL8FrT7Yu94EOZ21hneoaH+5Igt4groQ4aZl2 +MGVNdC9Slv8K7n+RyQbbo+JdfKDSDoi8FD5XYlaRSgA+TAn9ginl4/516cwcIZrU +rxnx0QVjFzLeaFa51x6IC0FEE1Sp8dJQxJCMFndgCkIc8TC03SrCCSAvbIOj9CrD +dT3/uAP+xQGZVGwRVY9qMH+gxE+KbjEukY1RmxrDFtSVUEwFPVhpgJmoHDy/N+lh +BV6NlYN2M59mFI/rJh01yRCv0W0Qe0idJ76fVYOv1jk= +-----END CERTIFICATE----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.key b/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.key new file mode 100644 index 0000000000..69f7b874d8 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/wildcard.ingress.consul.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAt2xlSua0g873XgZyyCvuWXEPoOr/5zjOPkwZhoV6B8IryaPb +su6fGJvPsA2R5v9Nju6MFJSMLXY/Mo3BlO2qz1m4yUG/Fxl56wEVrCJZnU/VNQn8 +nwT6PQSDHqchrnN3z+1lFHrCcGv9sJJSmvplC2Q9I8Dy+Hv9x5pqXRIOyCr6yxuC +lZ/gS+dQMrpMfnHaLKYkqTJymmLZ3hGQiFrm6717Oc+RYow1wU2csI852WOknZsL +3qG6t1AAgSUkCD6Imv4616fUa3GXOEeLZTQgEUn5pE5uxNBhHZ8BQYgSpL4Tm9U8 +qxNmeK1Uv0N0RqCXw0swZOveTY6TgA5T7ja5WQIDAQABAoIBAQCIgTX9ASbUdUGp +Cvl/ORqAG+E6q8lYxfDPcgkJEOrZPUsjHDwTtPxX7xUoe2Da3aNVvPgpFMghyT+N +Guw3Lo0RFT+tH63bvgz6tOrxGPtCVLhiaZVErwqgQGxoco9hafN/nbe8/wMXcXby +YmLxjWmHicjqg90Oyg/67VM9AoRXuEo1vKaJQGOHz8kC1HUUzj7NJDDqZP9WAoqO +EKcc/Q20SKuvI+IEdkuJ3Z+mxDU8jj8JtKOHp7q+5GpTqPonVxUC5nvH0wGelrAl +uMws3IvqEgqzRuMWB6LY/1vMBxDjtMvR0c7N5HoK6UvWdefcvmAQgXy5LmUgEEWH +nb0cpAABAoGBANjoe5/76d57jAHV5XZkme5TM/Eo2W3E658p45saL2L1kBycy8uS +8KRdB4A7kwgllZQjUQSYpIOtSgiYP8c62OjXe7ysRZ6Da5fKD8bcSsC3kjoVA5Ei +cy8mz+iwQnhpVsr08T9GgGBs7RRtn44ThYrM1j+avA2ABV+Kh/4LSVlZAoGBANh7 +BjxFg+iLiwzYA14R48kgY5U8fds+BciuS2X4zPGw/vm+JxipW6Xh1xdI7BHene4A ++FBTIXoVidE3FJ+s+qbNbWj6efQu1AUg60GkUoSI9mYz0CxLE+7YI50CMK5gzt8Y +XykHG3t/E3I1x+oyIM3o0UgYTIO2FQs1O7xTTGABAoGBAJbRDyQuBG6teKvODb5E +NMOBFpyXypaIVUxV0+wESO6Fz64VV540jR27kXuX8KO5fkeCRtLrT3g/BTr0oWPl +huxe56pIHiAZQLZJyK58fX2CJio8cj53tZ8TXXxtEcqnc7GqnhNg8eIZ2r5ZepdO ++4uG4XFYJWk9mn7T07rQHjABAoGAM7U/Cgp4tYUPU6QNOd0AEbyAzNbEISgxbXvk +WpkRKvHiFXlMEWHymC7Xl6I9cQ9BneXxag5RQr3+S1DixjklLc6HwbmCg8bjsc3p +I6bCZxHn+QWLRekw+63447nwMtbA0x0ZLc2azObPmEosVE5g844W3yeerx9A64pt +mFA1QAECgYEAlFKaFgtaWWR0b4RtSvlpDJNuBaBKueG6otpyOOXbndegfugaI8jV +VWdnsRPForAuBUbg9fgO/Pfq5+x+V9u2GdchVPA16oolmDZF6CpNhxAa3hARdxD6 +MhYm0HJ2KySUhuAiChDM9UG6Fn02wz7KHRATuDzf3J9pdt1fA2XXj+I= +-----END RSA PRIVATE KEY----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/www.example.com.crt b/test/integration/connect/envoy/test-sds-server/certs/www.example.com.crt new file mode 100644 index 0000000000..3d0f178448 --- /dev/null 
+++ b/test/integration/connect/envoy/test-sds-server/certs/www.example.com.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECjCCAfKgAwIBAgIJAOPsel0fAxiaMA0GCSqGSIb3DQEBCwUAMDUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEZMBcGA1UEAwwQU0RTIFRlc3QgQ0EgQ2VydDAe +Fw0yMTA4MjQxMjMyMzhaFw0zMTA4MjIxMjMyMzhaMDQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtAihQ1cJlIQEx6r7nmATL8OVh0wsOlKRwBBp +0imcTfrhB4UAA8UnoPktozQe2PqAaeDEYvjmn6hxkhs+6Al5hpDPDLz+HO7FAXy+ +K29ywUtd+XQutzMS5ss5gPpGx4l1u6L+25avfG0AkUKF612RCrablLddTCGfMmiJ +pnKPP6P/7I7aM0WSUFSRC632q91bDAF75/3hVs05/catN2FhCv+xyHsgAnoI5wmI +bpbVik55aPkACI6oqWHiyYJpSCgUslLHAvgd9BdrTrerKrH7MNP/0nlMeC95DrpN +wklUKhT3Dj90LFAnUewFsppUJf1tY3yqFSvCQ3926RsN9zF5lQIDAQABox4wHDAa +BgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggIBALos +qLaJEInX1V7qp0U7B4x0U+FLZLvqif+K0o6dIoMyN+pdSbLvXnWPx5qKVdJxQ3V/ +DA7AVBbeOkdqSiVO0aDmH8/XSA+cVjMpd1fSm2tZcT0Ur1fLsTnv4ZP8Oaak6TY9 +SVLNE9EiNhRG8ykYO3zshDZAhgKxeTvP//gjMGrSyEgT7fvccE/gxZcXhzEonuMc +837E85anz23/Ygo31AOIMyTqOzyR2DFof9LVuh85PP1Cl86q4Co2+ApFzipzgr4t +yvrADAPcyiDAR9fLpemorTIH9UyJPsqri0tSLOkjjk3vO43O8DIijTYcERc3FZId +/Ju8ZKa+89wfL2OzmpogEBieaWiif4adcGRJngq9C6qSk4/p5/iqvMhbdFJNIknD +88OSet0eDFIL1jy/h+ibFTzat6BAflxwCu7tn9lmP7+c8rTvRd8hXsu7n8bUZ9V4 +LVHlGdKFfrcyJ5q/yr77GPDapkyQt/MP7Y+DVNtnO/ryupf8v4JjfK42cfHbbClJ +gLTJI4PgRYtXMzWLbbrzMbeydVYiV1NLxQeB4fVHkm9AXcfb+aNG/85X3TUuIrqs +AlalaWIcNsiN8ghHRzH4Zlg7JjBnqQyPnw7xzZVVcoE0t83paYVB6TvcpqWbfb41 +PnjvHQb39zDf7iU9cVC2hQpBmyA1ctq1hubxArXP +-----END CERTIFICATE----- diff --git a/test/integration/connect/envoy/test-sds-server/certs/www.example.com.key b/test/integration/connect/envoy/test-sds-server/certs/www.example.com.key new file mode 100644 index 0000000000..848203342d --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/certs/www.example.com.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtAihQ1cJlIQEx6r7nmATL8OVh0wsOlKRwBBp0imcTfrhB4UA +A8UnoPktozQe2PqAaeDEYvjmn6hxkhs+6Al5hpDPDLz+HO7FAXy+K29ywUtd+XQu +tzMS5ss5gPpGx4l1u6L+25avfG0AkUKF612RCrablLddTCGfMmiJpnKPP6P/7I7a +M0WSUFSRC632q91bDAF75/3hVs05/catN2FhCv+xyHsgAnoI5wmIbpbVik55aPkA +CI6oqWHiyYJpSCgUslLHAvgd9BdrTrerKrH7MNP/0nlMeC95DrpNwklUKhT3Dj90 +LFAnUewFsppUJf1tY3yqFSvCQ3926RsN9zF5lQIDAQABAoIBACWVG50EIWLYgGry +HZ69LaQt7xwUYbM3I2f1xTFzMEbzFWDNeehPkus+uTE1oy7mdEImArkqfnJb5oF6 +oJIt0CmwNxjQpzeA/K1HzichF9KUGiUGBO6Hge2eBP4QwQ/MeUBXUV6jwTR3SMQK +IAy3Np0G68mK0bYf2qzaN8oAZjkBeJerROyfQ02tuXKbcnK4C/ksVOT/efEb6WHK +H6CasvodiyUdzpeL9uM//cgsMoHkA/Bw56okDkrAYVacQKqHHzZR1A7kbMa/Fbk4 +Gj8xF6CR+Ui/csyNX6pbPEynbosyTAhwZsHCKNareKbj0gpAQWzG0Cg0Rbxvyz9c +kYQzgo0CgYEA4zYJL6kuBecU2iDWxI2TvfESUUyC5c3jRPemdPzXY/n1Tv0D4dER +O7HaNOYX+Q07IZ+eRigHKkRdFxEQEXZxGC3n8XawtG7XSwe+YV1xfmj3axA4hoEf +Uky/2Ci5M8mXHiTAM2vge9BX60XbZUEywlB1WIC6iLgaynG/+qR7U9cCgYEAythR +mRoPKrdooq7x+MM+d5CNfPP7Stzz3Yby902GknLWwSD2UnhkgiZK1Rx9Y5aSAhhq +dgHqtz7aKwCqCzKEMB3uNGLSmU7WnlqDMAebyXzjybgdtyBbgDmppfj/6KP9MoxD +7pV+WQbItzAXVJLm7fgsG50ncbR01ACAA/IxsHMCgYB639Qj9EgxZQC/3haHgVEu +3VpcoRYBFVEdERjyF3KcXKcvKmGZE6lQMSSiivTX+THLQzkjE66cSxBU0yNvbjBH +NTxENz3ktjS0HOH2YcRo6nczbThEdTvtFBiD27IcsZ6J7LIMnQBvtQJ29/ZoUdQT +hdOQIz29hmLmrJF4CM+xTQKBgH/xa55vImvmHZinUjZ/KBKQWb4bwkAZF7R93xh/ +jMcoqi5M1TF1gKfa8U50Vt6O5W9u6Q+f6+VDPqbrF1ZSubAD4PCn+H/8i0B8hMyx +r+Cp5p+ggxWz0iMRu+DVKs0ZSqYsdNiy8GvE7KsnKUAOHJyy8VdFi9CbaykhW52h +kRfjAoGBAJm+ZylqeopxFigMzqe+ibqQ03y08aHqSnvH99QXBQPTlSOmgqMOz52v +jYc4GlnB+G77oaXbJ+74qVS159k6b0fQSNzN+IILq7/QNKsmXpPmbwhiRgQJOdSB +9VbSPXeEKlr70QJ7iCfGvymVo/QPj0eQfrN9JdWoRDn49QoeptV0 +-----END RSA PRIVATE KEY----- diff --git a/test/integration/connect/envoy/test-sds-server/go.mod b/test/integration/connect/envoy/test-sds-server/go.mod new file mode 100644 index 0000000000..7aa65b5815 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/go.mod 
@@ -0,0 +1,9 @@
+module test-sds-server
+
+go 1.16
+
+require (
+ github.com/envoyproxy/go-control-plane v0.9.9
+ github.com/hashicorp/go-hclog v0.16.2
+ google.golang.org/grpc v1.40.0
+)
diff --git a/test/integration/connect/envoy/test-sds-server/go.sum b/test/integration/connect/envoy/test-sds-server/go.sum
new file mode 100644
index 0000000000..f4cb806dfc
--- /dev/null
+++ b/test/integration/connect/envoy/test-sds-server/go.sum
@@ -0,0 +1,134 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed h1:OZmjad4L3H8ncOIR8rnb5MREYqG8ixi5+WbeUsquF0c= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod 
h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.9 h1:vQLjymTobffN2R0F8eTqw6q7iozfRO5Z0m+/4Vw+/uA= +github.com/envoyproxy/go-control-plane v0.9.9/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod 
h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/spaolacci/murmur3 
v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA= +golang.org/x/net 
v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.40.0 h1:AGJ0Ih4mHjSeibYkFGh1dD9KJ/eOtZ93I6hoHhukQ5Q= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod 
h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3 h1:fvjTMHxHEw/mxHbtzPi3JCcKXQRAnQTBRo6YCJSVHKI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/test/integration/connect/envoy/test-sds-server/sds.go b/test/integration/connect/envoy/test-sds-server/sds.go new file mode 100644 index 0000000000..1715585475 --- /dev/null +++ b/test/integration/connect/envoy/test-sds-server/sds.go 
@@ -0,0 +1,149 @@ +package main + +import ( + "context" + "io/ioutil" + "net" + "os" + "os/signal" + "path" + "strings" + "syscall" + + core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" + discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" + secretservice "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" + "github.com/envoyproxy/go-control-plane/pkg/cache/types" + cache "github.com/envoyproxy/go-control-plane/pkg/cache/v3" + xds "github.com/envoyproxy/go-control-plane/pkg/server/v3" + "github.com/hashicorp/go-hclog" + "google.golang.org/grpc" + "google.golang.org/grpc/grpclog" +) + +const ( + sdsTypeURI = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" +) + +func main() { + log := hclog.Default() + log.SetLevel(hclog.Trace) + cache := cache.NewLinearCache(sdsTypeURI) + + addr := "0.0.0.0:1234" + if a := os.Getenv("SDS_BIND_ADDR"); a != "" { + addr = a + } + certPath := "certs" + if p := os.Getenv("SDS_CERT_PATH"); p != "" { + certPath = p + } + + if err := loadCertsFromPath(cache, log, certPath); err != nil { + panic(err) + } + + l, err := net.Listen("tcp", addr) + if err != nil { + panic(err) + } + defer l.Close() + log.Info("==> SDS listening", "addr", addr) + + callbacks := makeLoggerCallbacks(log) + ctx, cancel := context.WithCancel(context.Background()) + + xdsServer := xds.NewServer(ctx, cache, callbacks) + grpcServer := grpc.NewServer() + grpclog.SetLogger(log.StandardLogger(nil)) + + secretservice.RegisterSecretDiscoveryServiceServer(grpcServer, xdsServer) + + sigs := make(chan os.Signal, 1) + signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM) + + go func() { + <-sigs + grpcServer.Stop() + cancel() + }() + + if err := grpcServer.Serve(l); err != nil { + panic(err) + } +} + +func loadCertsFromPath(cache *cache.LinearCache, log hclog.Logger, dir string) error { + entries, err := 
os.ReadDir(dir) + if err != nil { + return err + } + + for _, entry := range entries { + if entry.IsDir() { + continue + } + if strings.HasSuffix(entry.Name(), ".crt") { + certName := strings.TrimSuffix(entry.Name(), ".crt") + cert, err := ioutil.ReadFile(path.Join(dir, entry.Name())) + if err != nil { + return err + } + keyFile := certName + ".key" + key, err := ioutil.ReadFile(path.Join(dir, keyFile)) + if err != nil { + return err + } + var res tls.Secret + res.Name = certName + res.Type = &tls.Secret_TlsCertificate{ + TlsCertificate: &tls.TlsCertificate{ + CertificateChain: &core.DataSource{ + Specifier: &core.DataSource_InlineBytes{ + InlineBytes: cert, + }, + }, + PrivateKey: &core.DataSource{ + Specifier: &core.DataSource_InlineBytes{ + InlineBytes: key, + }, + }, + }, + } + + if err := cache.UpdateResource(certName, types.Resource(&res)); err != nil { + return err + } + log.Info("Loaded cert from file", "name", certName) + } + } + return nil +} + +func makeLoggerCallbacks(log hclog.Logger) *xds.CallbackFuncs { + return &xds.CallbackFuncs{ + + StreamOpenFunc: func(_ context.Context, id int64, addr string) error { + log.Trace("gRPC stream opened", "id", id, "addr", addr) + return nil + }, + StreamClosedFunc: func(id int64) { + log.Trace("gRPC stream closed", "id", id) + }, + StreamRequestFunc: func(id int64, req *discovery.DiscoveryRequest) error { + log.Trace("gRPC stream request", "id", id, + "node.id", req.Node.Id, + "req.typeURL", req.TypeUrl, + "req.version", req.VersionInfo, + ) + return nil + }, + StreamResponseFunc: func(id int64, req *discovery.DiscoveryRequest, resp *discovery.DiscoveryResponse) { + log.Trace("gRPC stream request", "id", id, + "resp.typeURL", resp.TypeUrl, + "resp.version", resp.VersionInfo, + ) + }, + } +}
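Review bot: In `makeLoggerCallbacks`, `StreamRequestFunc` reads `req.Node.Id` directly, which panics if a request arrives without a node; the xDS protocol only guarantees the node on a stream's first request, so the generated nil-safe getters are the safer form: `"node.id", req.GetNode().GetId(),`. In the same function `StreamResponseFunc` logs `"gRPC stream request"` where `"gRPC stream response"` was presumably meant, which makes the trace output ambiguous when debugging a failed case. Separately, `main` defaults to `0.0.0.0:1234` with a bare `grpc.NewServer()`, so every private key read by `loadCertsFromPath` is served without transport security or client authentication. That is reasonable for this fixture, but a comment above `addr` such as `// Test fixture only: serves private keys over plaintext, unauthenticated gRPC; never run outside the integration harness.` would keep it from being copied as a reference SDS server.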