CredentialName:    "some credential",
				ClientCertificate: "",
				PrivateKey:        "",
				CaCertificates:    "",
			},
			valid: true,
		},
		{
			name: "SIMPLE CredentialName set with ClientCertificate specified",
			tls: &networking.ClientTLSSettings{
				Mode:              networking.ClientTLSSettings_SIMPLE,
				CredentialName:    "credential",

	// credentialName SDS which may refer to secrets which do not exist. We do not want to block the
	// entire listener/cluster in these cases.
	ResourceApiVersion: core.ApiVersion_V3,
}

// ConstructSdsSecretConfigForCredential constructs SDS secret configuration used
// from certificates referenced by credentialName in DestinationRule or Gateway.

}

func newTLSGatewayDestinationRule(t framework.TestContext, to echo.Instances, destinationRuleMode string, credentialName string) {
	args := map[string]any{
		"to":             to,
		"Mode":           destinationRuleMode,
		"CredentialName": credentialName,
	}

	// Get namespace for gateway pod.
	istioCfg := istio.DefaultConfigOrFail(t, t)

}

type TestConfig struct {
	Mode           string
	CredentialName string
	Host           string
	ServiceName    string
	GatewayLabel   string
}

const vsTemplate = `
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{.CredentialName}}
spec:
  hosts:
  - "{{.Host}}"
  gateways:
  - {{.CredentialName}}
  http:
  - match:
    - uri:

func newTLSSidecarDestinationRule(t framework.TestContext, to echo.Instances, destinationRuleMode string,
	workloadSelector string, credentialName string, clientNamespace namespace.Instance,
) {
	args := map[string]any{
		"to":               to,
		"Mode":             destinationRuleMode,
		"CredentialName":   credentialName,
		"WorkloadSelector": workloadSelector,
	}
	se := `
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry

	if tls == nil {
		return nil, nil
	}
	// Hack to avoid egress sds cluster config generation for sidecar when
	// CredentialName is set in DestinationRule without a workloadSelector.
	// We do not want to support CredentialName setting in non workloadSelector based DestinationRules, because
	// that would result in the CredentialName being supplied to all the sidecars which the DestinationRule is scoped to,

		if settings.Mode == networking.ClientTLSSettings_SIMPLE {
			// In tls simple mode, we can specify ca cert by CaCertificates or CredentialName.
			if settings.CaCertificates != "" || settings.CredentialName != "" || settings.SubjectAltNames != nil {
				errs = AppendErrors(errs, fmt.Errorf("cannot specify CaCertificates or CredentialName or SubjectAltNames when InsecureSkipVerify is set true"))
			}
		}

				},
				Tls: &v1alpha3.ServerTLSSettings{CredentialName: "cert", Mode: v1alpha3.ServerTLSSettings_MUTUAL},
			},
			expected: false,
		},
		{
			name: "tls and HTTP",
			server: &v1alpha3.Server{
				Port: &v1alpha3.Port{
					Number:   80,
					Protocol: string(protocol.HTTP),
					Name:     "https",
				},
				Tls: &v1alpha3.ServerTLSSettings{CredentialName: "cert", Mode: v1alpha3.ServerTLSSettings_MUTUAL},

				echotest.New(t, instances).
					SetupForDestination(func(t framework.TestContext, to echo.Target) error {
						ingressutil.SetupConfig(t, echo1NS, ingressutil.TestConfig{
							Mode:           "SIMPLE",
							CredentialName: credName,
							Host:           host,
							ServiceName:    to.Config().Service,
							GatewayLabel:   inst.Settings().IngressGatewayIstioLabel,
						})
						return nil
					}).

		},
	},
	{
		name: "destinationrule with credentialname, simple at destinationlevel, workloadSelector",
		inputFiles: []string{
			"testdata/destinationrule-simple-destination-credentialname-selector.yaml",
		},
		analyzer: &destinationrule.CaCertificateAnalyzer{},
		expected: []message{},
	},
	{
		name: "destinationrule with credentialname, simple at portlevel, no workloadSelector",
		inputFiles: []string{