return &security.StringMatch{MatchType: &security.StringMatch_Exact{
										Exact: strings.TrimPrefix(spiffe.MustGenSpiffeURI(meshCfg.MeshConfig, waypoint.Namespace, sa), spiffe.URIPrefix),
									}}
								}),
							},
						},
					},
				},
			}},
		},
	}

	CAEndpointSAN string

	// The CA provider name.
	CAProviderName string

	// TrustDomain corresponds to the trust root of a system.
	// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
	TrustDomain string

	// WorkloadRSAKeySize is the size of a private key for a workload certificate.
	WorkloadRSAKeySize int

	// Whether to generate PKCS#8 private keys.

  string network = 4;

  // Protocol that should be used to connect to this workload.
  TunnelProtocol tunnel_protocol = 5;

  // The SPIFFE identity of the workload. The identity is joined to form spiffe://<trust_domain>/ns/<namespace>/sa/<service_account>.
  // TrustDomain of the workload. May be elided if this is the mesh wide default (typically cluster.local)
  string trust_domain = 6;

	log.Infof("Discover server subject alt names: %v", dnsNames)
	return dnsNames
}

// createPeerCertVerifier creates a SPIFFE certificate verifier with the current istiod configuration.
func (s *Server) createPeerCertVerifier(tlsOptions TLSOptions, trustDomain string) (*spiffe.PeerCertVerifier, error) {
	customTLSCertsExists, _, _, caCertPath := hasCustomTLSCerts(tlsOptions)

		"istio-workload-dashboard.json",
		[]string{
			"istio_tcp_",
			// there is no non-mtls traffic generated so the test flakes for the split query on
			// "Outgoing Requests By Destination And Response Code"
			"spiffe.*",
		},
		false,
	},
	{
		"istio-grafana-dashboards",
		"istio-performance-dashboard.json",
		[]string{
			// cAdvisor does not expose this metrics, and we don't have kubelet in kind

		"destination_principal":          "spiffe://" + dst.Config().ServiceAccountName(),
		"destination_version":            dst.Config().Version,
		"destination_workload":           deployName(dst),
		"destination_workload_namespace": destns,
		"source_canonical_service":       src.ServiceName(),
		"source_canonical_revision":      src.Config().Version,
		"source_principal":               "spiffe://" + src.Config().ServiceAccountName(),

		sim.t.Fatal(err)
	}

	if len(t.GetCommonTlsContext().GetTlsCertificateSdsSecretConfigs()) == 0 {
		return false
	}
	// This is a lazy heuristic, we could check for explicit default resource or spiffe if it becomes necessary
	if t.GetCommonTlsContext().GetTlsCertificateSdsSecretConfigs()[0].Name != mTLSSecretConfigName {
		return false
	}
	if !t.RequireClientCertificate.Value {
		return false
	}
	return true

	"istio.io/istio/security/pkg/server/ca/authenticate"
	"istio.io/istio/security/pkg/util"
)

type caOptions struct {
	ExternalCAType   ra.CaExternalType
	ExternalCASigner string
	// domain to use in SPIFFE identity URLs
	TrustDomain      string
	Namespace        string
	Authenticators   []security.Authenticator
	CertSignerDomain string
}

	TunnelProtocol TunnelProtocol `protobuf:"varint,5,opt,name=tunnel_protocol,json=tunnelProtocol,proto3,enum=istio.workload.TunnelProtocol" json:"tunnel_protocol,omitempty"`
	// The SPIFFE identity of the workload. The identity is joined to form spiffe://<trust_domain>/ns/<namespace>/sa/<service_account>.
	// TrustDomain of the workload. May be elided if this is the mesh wide default (typically cluster.local)

    source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\",
    reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service,