How to enable inserting of Authentication headers for outgoing requests using Envoy

We’re currently in the process of trying to replace a homegrown authentication proxy sidecar with envoy for our services in kubernetes. The reason why we needed to create such a sidecar in the first place is that we use custom JWT tokens along with another header to authenticate. This authentication proxy has 2 main functionalities;

  1. Authenticating incoming requests
    - I’ve been able to replicate this functionality using the ext_authz filter in Envoy
  2. Inject authentication headers into outgoing requests

My question is for the 2nd use case, is there a way to use Envoy as an outgoing proxy and perhaps call another sidecar/service to obtain JWT tokens, then insert them as headers to the outgoing request?

The config I have right now:

static_resources:
  listeners:
    -
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 9000
      filter_chains:
        filters:
          -
            name: envoy.http_connection_manager
            config:
              stat_prefix: ingress_http
              http_filters:
                -
                  name: envoy.ext_authz
                  config:
                    http_service:
                      server_uri:
                        uri: http://0.0.0.0:9002
                        cluster: ext-authz
                        timeout: 1s
                        failure_mode_allow: false
                      authorization_request:
                        allowed_headers:
                          patterns:
                            prefix: "wd-"
                -
                  name: envoy.router
                  config: {}
              route_config:
                name: local_route
                virtual_hosts:
                  -
                    name: backend
                    domains: '*'
                    routes:
                      -
                        route:
                          cluster: some-service
                        match:
                          prefix: /
  clusters:
    -
      name: some-service
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 19000
    -
      name: ext-authz
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 9002