apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
spec:
  mtls:

// BuildInboundTLS returns the TLS context corresponding to the mTLS mode.
func BuildInboundTLS(mTLSMode model.MutualTLSMode, node *model.Proxy,
	protocol networking.ListenerProtocol, trustDomainAliases []string, minTLSVersion tls.TlsParameters_TlsProtocol,
	mc *meshconfig.MeshConfig,
) *tls.DownstreamTlsContext {
	if mTLSMode == model.MTLSDisable || mTLSMode == model.MTLSUnknown {
		return nil
	}
	ctx := &tls.DownstreamTlsContext{

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:
    mode: {{ .MTLSMode }}
  portLevelMtls:
    {{ (.To.PortForName `http`).WorkloadPort }}:
      mode: {{ .MTLSModeOverride }}
    {{ (.To.PortForName `http2`).WorkloadPort }}:
      mode: {{ .MTLSModeOverride }}
    {{ (.To.PortForName `https`).WorkloadPort }}:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:

  - name: "vistio"
    labels:
      version: "vistio"
{{- if ne .TLSMode "" }}
    trafficPolicy:
      tls:
        mode: {{ .TLSMode }}
{{- end }}
  - name: "vlegacy"
    labels:
      version: "vlegacy"
{{- if ne .TLSMode "" }}
    trafficPolicy:
      tls:
        mode: {{ .TLSMode }}
  trafficPolicy:
    tls:
      mode: {{ .TLSMode }}

	}

	return &model.IstioEndpoint{
		Labels:                b.labels,
		ServiceAccount:        b.serviceAccount,
		Locality:              b.locality,
		TLSMode:               b.tlsMode,
		Address:               endpointAddress,
		EndpointPort:          uint32(endpointPort),
		ServicePortName:       svcPortName,
		Network:               networkID,
		WorkloadName:          b.workloadName,

spec:
  hosts:
  - example.com
  ports:
  - number: 7070
    name: tcp
    protocol: TCP
  resolution: STATIC
  location: MESH_INTERNAL
  endpoints:
  - address: 1.1.1.1
    labels:
      security.istio.io/tlsMode: istio
---
# Set up .Services number of services.
{{- range $i := until .Services }}
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-{{$i}}
spec:
  addresses:

    name: https
    protocol: HTTPS
  - number: 9090
    name: auto
    protocol: ""
  resolution: STATIC
  location: MESH_INTERNAL
  endpoints:
  - address: 1.1.1.1
    labels:
      security.istio.io/tlsMode: istio
---
# Set up .Services number of services. Each will have 4 ports (one for each protocol)
{{- range $i := until .Services }}
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:

// on the DR, original endpoint TLSMode (based on injection of sidecar), and PeerAuthentication settings.
func (c *mtlsChecker) checkMtlsEnabled(ep *model.IstioEndpoint, isWaypoint bool) bool {
	if drMode := c.destinationRule; drMode != nil {
		return *drMode == networkingapi.ClientTLSSettings_ISTIO_MUTUAL
	}

	// if endpoint has no sidecar or explicitly tls disabled by "security.istio.io/tlsMode" label.

spec:
  hosts:
  - example.com
  ports:
  - number: 7070
    name: auto
    protocol: ""
  resolution: STATIC
  location: MESH_INTERNAL
  endpoints:
  - address: 1.1.1.1
    labels:
      security.istio.io/tlsMode: istio
---
# Set up .Services number of services.
{{- range $i := until .Services }}
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-{{$i}}
spec:
  addresses: