There are quite a few different options described in the paper. And I guess it was a long journey to find a solution which you are happy with.
Which configuration you ended up with?
We have a mix of static and dynamic configuration.
We started with almost everything defined in the configuration and implemented our control plane only for endpoint discovery service. Over the time we implemented more and more features there (certificates, tls tickets, route and vhost configuration, etc).
We decided to write own implementation on control plane - actually the core part is pretty simple and easily expandable.
We do have some local patches as well (mostly for integration with out own infrastructure - stats collection, some RPC specific stuff). As SaveTheRbtz mentioned we encountered some issues with non-RFC clients, corner cases which were not exposed when envoy is used in "trusted" environment, etc., but all our fixes are now in upstream, so next migrations will be way easier both for us and for other envoy users.