// +optional
  optional IngressBackend backend = 1;

  // tls represents the TLS configuration. Currently the Ingress only supports a
  // single TLS port, 443. If multiple members of this list specify different hosts,
  // they will be multiplexed on the same port according to the hostname specified
  // through the SNI TLS extension, if the ingress controller fulfilling the
  // ingress supports SNI.
  // +optional

  // +optional
  optional IngressBackend defaultBackend = 1;

  // tls represents the TLS configuration. Currently the Ingress only supports a
  // single TLS port, 443. If multiple members of this list specify different hosts,
  // they will be multiplexed on the same port according to the hostname specified
  // through the SNI TLS extension, if the ingress controller fulfilling the
  // ingress supports SNI.

### Inbound

Traffic entering a pod over HBONE will be handled by the "inbound" code path, on port 15008.

Incoming requests have multiple "layers": TLS wrapping HTTP CONNECT that is wrapping the user's connection.

To unwrap the first layer, we terminate TLS.
As part of this, we need to pick the correct certificate to serve on behalf of the destination workload.
As discussed in [HBONE](#hbone), this is based on the destination IP.

  optional int32 expirationSeconds = 8;

  // usages specifies a set of key usages requested in the issued certificate.
  //
  // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
  //
  // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
  //
  // Valid values are:

	@bin/check_samples.sh
	@testlinter
	@envvarlinter istioctl pilot security

# Allow-list:
# (k8s) Machinery, utils, klog
# (proto) Istio API non-CRDs, MeshConfig and ProxyConfig
# (proto) Envoy TLS proto for SDS
# (proto) Envoy Wasm filters for wasm xDS proxy
# (proto) xDS discovery service for xDS proxy
.PHONY: check-agent-deps
check-agent-deps:
	@go list -f '{{ join .Deps "\n" }}' -tags=agent \

  // List of ValidatingWebhookConfiguration.
  repeated ValidatingWebhookConfiguration items = 2;
}

// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.

  // TLS configuration. Currently the Ingress only supports a single TLS
  // port, 443. If multiple members of this list specify different hosts, they
  // will be multiplexed on the same port according to the hostname specified
  // through the SNI TLS extension, if the ingress controller fulfilling the
  // ingress supports SNI.
  // +optional
  repeated IngressTLS tls = 2;

  // List of ValidatingWebhookConfiguration.
  repeated ValidatingWebhookConfiguration items = 2;
}

// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.

  // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real
  // kubelet.  If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the
  // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept
  // the actual log data coming from the real kubelet).
  // +optional