}

		ecds = append(ecds, c)
	}

	sort.Slice(ecds, func(i, j int) bool {
		if ecds[i].GetTypedConfig().GetTypeUrl() == ecds[j].GetTypedConfig().GetTypeUrl() {
			return ecds[i].GetName() < ecds[j].GetName()
		}

		return ecds[i].GetTypedConfig().GetTypeUrl() < ecds[j].GetTypedConfig().GetTypeUrl()
	})

	return ecds, nil

		} else if filter.Name == TCPListener {
			if !strings.Contains(string(filter.GetTypedConfig().GetValue()), util.BlackHoleCluster) {
				tcpProxy := &tcp.TcpProxy{}
				// Allow Unmarshal to work even if Envoy and istioctl are different
				filter.GetTypedConfig().TypeUrl = "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
				err := filter.GetTypedConfig().UnmarshalTo(tcpProxy)
				if err != nil {
					return err.Error()

	if customValidator := secret.GetValidationContext().GetCustomValidatorConfig(); customValidator != nil {
		if customValidator.GetTypedConfig().GetTypeUrl() == "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig" {
			spiffeConfig := &auth.SPIFFECertValidatorConfig{}
			if err := customValidator.GetTypedConfig().UnmarshalTo(spiffeConfig); err != nil {
				return nil, fmt.Errorf("error unmarshaling spiffe config: %v", err)
			}

	for _, httpFilter := range hcm.HttpFilters {
		if httpFilter.Name == wellknown.HTTPRoleBasedAccessControl {
			rbac := &rbachttp.RBAC{}
			if err := httpFilter.GetTypedConfig().UnmarshalTo(rbac); err == nil {
				policies := []string{}
				for polName := range rbac.Rules.Policies {
					policies = append(policies, polName)
				}
				return policies, nil
			}
		}
	}