trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/default"
`
	correctIdentityDR = `apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "service-b-dr"
spec:
  host: "b.NS.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/b"

				Version: networking.TrafficPolicy_ProxyProtocol_V2,
			},
			expectTransportSocket:      false,
			expectTransportSocketMatch: false,
		},
		{
			name:          "user specified with istio_mutual tls",
			mtlsCtx:       userSupplied,
			discoveryType: cluster.Cluster_EDS,
			tls:           istioMutualTLSSettings,
			proxyProtocolSettings: &networking.TrafficPolicy_ProxyProtocol{

spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "server-naked"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`
)

// TestTrustDomainAliasSecureNaming scope:
// The client side mTLS connection should validate the trust domain alias during secure naming validation.
//
// Setup:

		},
		{
			name:    "Kubernetes service and EDS ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},
			configs: []config.Config{drIstioMTLS, seEDS},
			// The Service has precedence, so its cluster will be used
			sans: []string{"spiffe://cluster.local/ns/default/sa/pod"},
		},
		{
			name:    "Kubernetes service and NONE ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},

    port: 34000
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      options:
        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-system
  rules:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
  namespace: {{.AppNamespace}}
spec:
  host: "server.{{.AppNamespace}}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`

	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: {{.AppNamespace}}
spec:
  mtls:
    mode: STRICT
`
)

  namespace: istio-system
spec:
  servers:
  - hosts:
    - '*/egress.example'
    port:
      name: default
      number: 34000
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
    internal.istio.io/parents: HTTPRoute/http.default
    internal.istio.io/route-semantics: gateway

      mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
spec:
  host: server.%s.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 8090
      tls:
        mode: DISABLE
    - port:
        number: 8092
      tls:
        mode: DISABLE
`
)

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: echo-dr
  namespace: default
spec:
  host: echo-app.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
`,
	}, echoCfg{version: "v1", tls: true})