{
					Name:   "mtls on port 8000",
					Call:   mkCall(8000, simulation.MTLS),
					Result: simulation.Result{ClusterMatched: "inbound|8000||"},
				},
				{
					Name:   "plaintext port 9000",
					Call:   mkCall(9000, simulation.Plaintext),
					Result: simulation.Result{ClusterMatched: "InboundPassthroughCluster"},
				},
				{
					Name:   "mtls port 9000",
					Call:   mkCall(9000, simulation.MTLS),

				ClusterMatched: "inbound|70||",
			},
			Strict: simulation.Result{
				// TLS, but not mTLS
				Error: simulation.ErrMTLSError,
			},
		},
		{
			Name: "mtls tcp to tcp",
			Call: simulation.Call{
				Port:     70,
				Protocol: simulation.TCP,
				TLS:      simulation.MTLS,
				CallMode: simulation.CallModeInbound,
			},
			Disabled: simulation.Result{

			opts = getTLSFilterChainMatchOptions(lp)
			mtls.TCP = BuildListenerTLSContext(cc.tlsSettings, lb.node, lb.push.Mesh, istionetworking.TransportProtocolTCP, false)
			mtls.HTTP = mtls.TCP
		} else {
			lp := istionetworking.ModelProtocolToListenerProtocol(cc.port.Protocol)
			opts = getFilterChainMatchOptions(mtls, lp)
		}
		// Build the actual chain
		chains := lb.inboundChainForOpts(cc, mtls, opts)

		if cc.bindToPort {

	}

	mTLSSecretConfigName := "default"
	if input.MtlsSecretConfigName != "" {
		mTLSSecretConfigName = input.MtlsSecretConfigName
	}

	// mTLS listener will only accept mTLS traffic
	if fc.TransportSocket != nil && sim.requiresMTLS(fc, mTLSSecretConfigName) != (input.TLS == MTLS) {
		// If there is no tls inspector, then
		result.Error = ErrMTLSError
		return
	}

	if len(input.CustomListenerValidations) > 0 {

	DefaultPilotTLSCaCertAlternatePath = PilotWellKnownDNSCertPath + "ca.crt"

	// CertChainFilename is mTLS chain file
	CertChainFilename = "cert-chain.pem"
	// KeyFilename is mTLS private key
	KeyFilename = "key.pem"
	// RootCertFilename is mTLS root cert
	RootCertFilename = "root-cert.pem"

	// ConfigPathDir config directory for storing envoy json config files.

	"$service", ".*",
	"$srcns", ".*",
	"$srcwl", ".*",
	"$namespace", ".*",
	"$workload", ".*",
	"$dstsvc", ".*",
	"$adapter", ".*",
	"$qrep", "destination",
	// Just allow all mTLS settings rather than trying to send mtls and plaintext
	`connection_security_policy="unknown"`, `connection_security_policy=~".*"`,
	`connection_security_policy="mutual_tls"`, `connection_security_policy=~".*"`,

type FilterChainType string

const (
	PlainTCP    FilterChainType = "plaintext TCP"
	PlainHTTP   FilterChainType = "plaintext HTTP"
	StandardTLS FilterChainType = "TLS"
	MTLSTCP     FilterChainType = "mTLS TCP"
	MTLSHTTP    FilterChainType = "mTLS HTTP"
	Unknown     FilterChainType = "unknown"
)

func classifyFilterChain(have *listener.FilterChain) FilterChainType {
	fcm := have.GetFilterChainMatch()

kind: PeerAuthentication
metadata:
  name: global-strict
spec:
  mtls:
    mode: STRICT
				`).ApplyOrFail(t)
				opt = opt.DeepCopy()
				if !src.Config().HasProxyCapabilities() && dst.Config().HasProxyCapabilities() {
					// Expect deny if the dest is in the mesh (enforcing mTLS) but src is not (not sending mTLS)
					opt.Check = CheckDeny
				}
				src.CallOrFail(t, opt)
			})

		expected: []message{
			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"},
			{msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"},
		},
	},
	{
		name: "destinationrule with no cacert, simple at destinationlevel and mutual at port level",
		inputFiles: []string{
			"testdata/destinationrule-compound-mutual-simple.yaml",
		},

  else
      echo "ERROR: Some of ETCD_APISERVER_CA_KEY, ETCD_APISERVER_CA_CERT, ETCD_APISERVER_SERVER_KEY, ETCD_APISERVER_SERVER_CERT, ETCD_APISERVER_CLIENT_KEY and ETCD_APISERVER_CLIENT_CERT are missing, mTLS between etcd server and kube-apiserver cannot be enabled. Please provide all mTLS credential."
      exit 1
  fi