}),
				},
			},
		},
		{
			name: "beta-mtls",
			peerIn: []*config.Config{
				{
					Spec: &v1beta1.PeerAuthentication{
						Mtls: &v1beta1.PeerAuthentication_MutualTLS{
							Mode: v1beta1.PeerAuthentication_MutualTLS_STRICT,
						},
					},
				},
			},
			expected: nil,
		},
		{
			name: "beta-mtls-disable",
			peerIn: []*config.Config{
				{

			},
			Strict: simulation.Result{
				// TLS, but not mTLS
				Error: simulation.ErrMTLSError,
			},
		},
		{
			Name: "mtls to http",
			Call: simulation.Call{
				Port:     80,
				Protocol: simulation.HTTP,
				TLS:      simulation.MTLS,
				CallMode: simulation.CallModeInbound,
			},
			Disabled: simulation.Result{
				// TLS is not terminated, so we will attempt to decode as HTTP and fail

		makeInstance(httpStatic, "2.2.2.2", 18080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),
		makeInstance(httpStatic, "3.3.3.3", 1080, httpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),
		makeInstance(httpStatic, "3.3.3.3", 8080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),

		pol := c.(*clientsecurityv1beta1.PeerAuthentication)
		pol.Spec.Mtls = &auth.PeerAuthentication_MutualTLS{
			Mode: auth.PeerAuthentication_MutualTLS_PERMISSIVE,
		}
	})
	s.assertEvent(t, xdsConvertedStaticStrict)

	s.addPolicy(t, "namespace", testNS, nil, gvk.PeerAuthentication, func(c controllers.Object) {
		pol := c.(*clientsecurityv1beta1.PeerAuthentication)
		pol.Spec.Mtls = &auth.PeerAuthentication_MutualTLS{

kind: PeerAuthentication
metadata:
  name: global-strict
spec:
  mtls:
    mode: STRICT
				`).ApplyOrFail(t)
				opt = opt.DeepCopy()
				if !src.Config().HasProxyCapabilities() && dst.Config().HasProxyCapabilities() {
					// Expect deny if the dest is in the mesh (enforcing mTLS) but src is not (not sending mTLS)
					opt.Check = CheckDeny
				}
				src.CallOrFail(t, opt)
			})

			toMatch := match.Not(fromMatch)
			to := toMatch.GetServiceMatches(apps.Ns1.All)
			fromAndTo := to.Instances().Append(from)

			config.New(t).
				Source(config.File("testdata/authz/mtls.yaml.tmpl")).
				Source(config.File("testdata/authz/allow-principal.yaml.tmpl").WithParams(
					param.Params{
						"Allowed": allowed,
					})).
				BuildAll(nil, to).
				Apply()

sasl             (on|off)    set to 'on' to enable SASL authentication
tls              (on|off)    set to 'on' to enable TLS
tls_skip_verify  (on|off)    trust server TLS without verification, defaults to "on" (verify)
client_tls_cert  (path)      path to client certificate for mTLS auth
client_tls_key   (path)      path to client key for mTLS auth

          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        {{- if .Values.global.mountMtlsCerts }}
        # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        {{- end }}
        - name: istio-podinfo
          mountPath: /etc/istio/pod

          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        {{- if .Values.global.mountMtlsCerts }}
        # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        {{- end }}
        - name: istio-podinfo
          mountPath: /etc/istio/pod

          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        {{- if .Values.global.mountMtlsCerts }}
        # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        {{- end }}
        - name: istio-podinfo
          mountPath: /etc/istio/pod