case PeerAuthentication:
		return "PeerAuthentication"
	case Pod:
		return "Pod"
	case ProxyConfig:
		return "ProxyConfig"
	case ReferenceGrant:
		return "ReferenceGrant"
	case RequestAuthentication:
		return "RequestAuthentication"
	case Secret:
		return "Secret"
	case Service:
		return "Service"
	case ServiceAccount:
		return "ServiceAccount"
	case ServiceEntry:
		return "ServiceEntry"
	case Sidecar:

	case *sigsk8siogatewayapiapisv1beta1.ReferenceGrant:
		return gvk.ReferenceGrant, true
	case *istioioapisecurityv1beta1.RequestAuthentication:
		return gvk.RequestAuthentication, true
	case *apiistioioapisecurityv1beta1.RequestAuthentication:
		return gvk.RequestAuthentication, true
	case *k8sioapicorev1.Secret:
		return gvk.Secret, true
	case *k8sioapicorev1.Service:
		return gvk.Service, true

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "{{ .JWTServer.JwksURI }}?delay=500ms"
    outputPayloadToHeader: "x-test-payload"
    forwardOriginalToken: true

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default-{{ .To.ServiceName }}
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "******@****.***"

---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: request-authn
spec:
  selector:
    matchLabels:
      app: {{ .dst }}
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "http://example.com:8000/jwks?delay={{ .delay }}"
    outputPayloadToHeader: "x-test-payload"
    forwardOriginalToken: true
    timeout: {{ .timeout }}
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry

// Map of all configs that do not impact CDS
var skippedCdsConfigs = sets.New(
	kind.Gateway,
	kind.WorkloadEntry,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.Secret,
	kind.Telemetry,
	kind.WasmPlugin,
	kind.ProxyConfig,
	kind.DNSName,

	kind.KubernetesGateway,
)

// Map of all configs that do not impact RDS
var skippedRdsConfigs = sets.New[kind.Kind](
	kind.WorkloadEntry,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.PeerAuthentication,
	kind.Secret,
	kind.WasmPlugin,
	kind.Telemetry,
	kind.ProxyConfig,
	kind.DNSName,
)

func rdsNeedsPush(req *model.PushRequest) bool {
	if req == nil {
		return true

# Enforce access control based on JWT subject.

# The following policy enables JWT authentication on destination service.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
spec:
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "******@****.***"

	kind.Gateway,
	kind.VirtualService,
	kind.DestinationRule,
	kind.Secret,
	kind.Telemetry,
	kind.EnvoyFilter,
	kind.WorkloadEntry,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.PeerAuthentication,
	kind.WasmPlugin,
	kind.ProxyConfig,
	kind.MeshConfig,

	kind.KubernetesGateway,
	kind.HTTPRoute,
	kind.TCPRoute,
	kind.TLSRoute,
	kind.GRPCRoute,
)

		err = f.GenerateStruct(in)
		if err != nil {
			return 0
		}
		c.Spec = in
		_, _ = validation.ValidateAuthorizationPolicy(c)
	case 5:
		in := &security_beta.RequestAuthentication{}
		err = f.GenerateStruct(in)
		if err != nil {
			return 0
		}
		c.Spec = in
		_, _ = validation.ValidateRequestAuthentication(c)
	case 6:
		in := &security_beta.PeerAuthentication{}