local queries = (import './queries.libsonnet').queries({
  container: "istio-proxy",
  pod: "ztunnel-.*",
  component: "ztunnel",
  app: "ztunnel",
});

dashboard.new('Istio Ztunnel Dashboard')
+ g.dashboard.withPanels(
  grid.makeGrid([
    row.new('Process')
    + row.withPanels([
      panels.timeSeries.base('Ztunnel Versions', queries.istioBuild, 'Version number of each running instance'),

1. Immediately upon starting a drain, `ztunnel-old` will close its listeners. Now only `ztunnel-new` is listening. Critically, at all times there was at least one ztunnel listening.
1. While `ztunnel-old` will not accept *new* connections, it will continue processing existing connections.
1. After `drain period` seconds, `ztunnel-old` will forcefully terminate any outstanding connections.

> [!NOTE]

```mermaid
graph TD;
src[src pod]-->|plaintext port|ztunnel{"ztunnel (L4 policy applied here)"}
ztunnel{ztunnel}-->|TLS|wp{waypoint}
wp-->|mTLS|ztunnel
ztunnel-->|plaintext|dst[dst pod]
```

And here's an example of an authenticated request to a captured destination:

```mermaid
graph TD;
src[src pod]-->|15008|ztunnel{ztunnel}
ztunnel-->|HBONE|dwp{"destination waypoint (all policy applied here)"}

  echo "Copying $(pwd)/${ZTUNNEL_BIN_PATH} to ${TARGET_OUT_LINUX}/ztunnel"
  mkdir -p "${TARGET_OUT_LINUX}"
  cp "${ZTUNNEL_BIN_PATH}" "${TARGET_OUT_LINUX}/ztunnel"
  popd
}

# ztunnel binary vars (TODO handle debug builds, arm, darwin etc.)
ISTIO_ZTUNNEL_BASE_URL="${ISTIO_ZTUNNEL_BASE_URL:-https://storage.googleapis.com/istio-build/ztunnel}"

			execClientConfig: loggingConfig,
			args:             strings.Split("log ztunnel-9v7nw --level ztunnel::pool:debug", " "),
			expectedString:   "",
			wantException:    false,
		},
		{ // set ztunnel logging level
			execClientConfig: loggingConfig,
			args:             strings.Split("log ztunnel-9v7nw --level debug", " "),
			expectedString:   "current log level is debug",
			wantException:    false,
		},

- **Purpose**: Tests related to the Ambient mode, including components like `ztunnel`.
- **Focus**:
  1. Configuration and communication of Ambient components.
  1. Interaction between `ztunnel` and Ambient components.
  1. Validation of zero-trust security policies.
  1. Testing of ambient traffic management.
  1. Specific `istioctl ztunnel-config` commands being tested: `all`, `services`, `workloads`, `policies`, `certificates`.

//
// 1. Constructs a ztunnel state message to initialize ztunnel
// 2. Syncs the host ipset
func (s *NetServer) ConstructInitialSnapshot(ambientPods []*corev1.Pod) error {
	var consErr []error

	podsByUID := slices.GroupUnique(ambientPods, (*corev1.Pod).GetUID)
	if err := s.buildZtunnelSnapshot(podsByUID); err != nil {
		log.Warnf("failed to construct initial ztunnel snapshot: %v", err)
		consErr = append(consErr, err)

istio-system       ztunnel-n5bg2                                        10.244.0.8  ambient-control-plane None                                TCP
istio-system       ztunnel-qk2pp                                        10.244.2.60 ambient-worker2       None                                TCP

# This shows an example local config for ztunnel that adds a workload for localhost.
# This allows local testing by sending requests through the local ztunnel to other servers running on localhost.
workloads:
- uid: cluster1//v1/Pod/default/local
  name: local
  namespace: default
  serviceAccount: default
  workloadIps: ["127.0.0.1"]
  protocol: HBONE
  node: local
  network: ""
  services:
    "default/example.com":
      80: 8080

	isZtunnel := strings.HasPrefix(podName, "ztunnel")
	if client == nil {
		return isZtunnel
	}
	pod, err := client.Kube().CoreV1().Pods(podNamespace).Get(context.Background(), podName, metav1.GetOptions{})
	if err != nil {
		return isZtunnel
	}
	if v, ok := pod.Labels["app"]; ok {
		return v == "ztunnel"
	}
	return isZtunnel
}