// The request should be denied on port 8085 and 8071.
					name: "STRICT with DISABLE",
					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}-mtls
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:
    mode: STRICT
  portLevelMtls:

			namespace: "default",
			cert:      "tls-mtls-cert",
			key:       "tls-mtls-key",
			caCert:    "tls-mtls-ca",
		},
		{
			name:      "tls-mtls-crl",
			namespace: "default",
			cert:      "tls-mtls-cert",
			key:       "tls-mtls-key",
			caCert:    "tls-mtls-ca",
			crl:       "tls-mtls-crl",
			caCrl:     "tls-mtls-crl",
		},
		{
			name:            "tls-mtls-split",

				{
					Name:   "mtls on port 8000",
					Call:   mkCall(8000, simulation.MTLS),
					Result: simulation.Result{ClusterMatched: "inbound|8000||"},
				},
				{
					Name:   "plaintext port 9000",
					Call:   mkCall(9000, simulation.Plaintext),
					Result: simulation.Result{ClusterMatched: "InboundPassthroughCluster"},
				},
				{
					Name:   "mtls port 9000",
					Call:   mkCall(9000, simulation.MTLS),

		Cert   string
		CaCert string
		CaCrl  string
	}
	allResources := []string{
		"kubernetes://generic", "kubernetes://generic-mtls", "kubernetes://generic-mtls-cacert",
		"kubernetes://generic-mtls-split", "kubernetes://generic-mtls-split-cacert", "kubernetes://generic-mtls-crl",
		"kubernetes://generic-mtls-crl-cacert",
	}
	cases := []struct {
		name                 string
		proxy                *model.Proxy

}

// TestSingleMTLSGateway_ServerKeyCertRotation tests a single mTLS ingress gateway with SDS enabled.
// Verifies behavior in these scenarios.
// (1) create two kubernetes secrets to provision server key/cert and client CA cert, and
// verify that mTLS connection could establish to deliver HTTPS request.
// (2) replace kubernetes secret to rotate server key/cert, and verify that mTLS connection could

					Mtls: &security.PeerAuthentication_MutualTLS{Mode: security.PeerAuthentication_MutualTLS_STRICT},
				},
			},
			IsMtlsDisabled: false,
		},
		"mtls-off-global": {
			Config: config.Config{
				Meta: config.Meta{
					GroupVersionKind: gvk.PeerAuthentication,
					Name:             "mtls-off",
					Namespace:        "istio-system",
				},
				Spec: &security.PeerAuthentication{

		})
	}
	return res
}

func isMtlsModeUnset(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {
	return mtls == nil || mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_UNSET
}

func isMtlsModeStrict(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {
	return mtls != nil && mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_STRICT
}

func isMtlsModeDisable(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {

						GroupVersionKind:  gvk.PeerAuthentication,
						CreationTimestamp: baseTimestamp,
						Name:              "default",
						Namespace:         "foo",
					},
					Spec: &securityBeta.PeerAuthentication{
						Mtls: &securityBeta.PeerAuthentication_MutualTLS{
							Mode: securityBeta.PeerAuthentication_MutualTLS_STRICT,
						},
					},
				},
				{
					Meta: config.Meta{
						GroupVersionKind:  gvk.PeerAuthentication,

				credWithCRL      = "mtls-credential-generic-valid-crl"
				credWithDummyCRL = "mtls-credential-generic-dummy-crl"
			)

			// Create a valid kubernetes secret to provision key/cert for sidecar.
			ingressutil.CreateIngressKubeSecretInNamespace(t, credNameGeneric, ingressutil.Mtls, ingressutil.IngressCredential{
				Certificate: file.AsStringOrFail(t, path.Join(env.IstioSrc, "tests/testdata/certs/dns/cert-chain.pem")),

)

// MutualTLSMode is the mutual TLS mode specified by authentication policy.
type MutualTLSMode int

const (
	// MTLSUnknown is used to indicate the variable hasn't been initialized correctly (with the authentication policy).
	MTLSUnknown MutualTLSMode = iota

	// MTLSDisable if authentication policy disable mTLS.
	MTLSDisable

	// MTLSPermissive if authentication policy enable mTLS in permissive mode.
	MTLSPermissive