Addresses: []string{"1.2.3.4"},
					Hosts:     []string{"a.example.com", "b.example.com"},
					Ports: []*networking.ServicePort{{
						Number: 80,
						Name:   "http",
					}},
					SubjectAltNames: []string{"san1"},
					Resolution:      networking.ServiceEntry_DNS,
				},
			},
			result: []*workloadapi.Service{
				{
					Name:      "name",
					Namespace: "ns",
					Hostname:  "a.example.com",

			Name:            svc.Name,
			Namespace:       svc.Namespace,
			Hostname:        h,
			Addresses:       addresses,
			Ports:           ports,
			Waypoint:        waypointAddress,
			SubjectAltNames: svc.Spec.SubjectAltNames,
		})
	}
	return res
}

func (a *index) constructService(svc *v1.Service, w *Waypoint) *workloadapi.Service {
	ports := make([]*workloadapi.Port, 0, len(svc.Spec.Ports))

					Tls: &networking.ClientTLSSettings{
						Mode:            networking.ClientTLSSettings_SIMPLE,
						CaCertificates:  constants.RootCertFilename,
						Sni:             "foo.default.svc.cluster.local",
						SubjectAltNames: []string{"foo.default.svc.cluster.local"},
					},
				},
			},
			enableAutoSni:            false,
			enableVerifyCertAtClient: false,
			expectTLSContext: &tls.UpstreamTlsContext{

                                      during TLS handshake.
                                    type: string
                                  subjectAltNames:
                                    description: A list of alternate names to verify
                                      the subject identity in the certificate.
                                    items:

                                      during TLS handshake.
                                    type: string
                                  subjectAltNames:
                                    description: A list of alternate names to verify
                                      the subject identity in the certificate.
                                    items:

	// Optional; if set, the SAN to verify for TLS connections.
	// Typically, this is not set and per-workload identity is used to verify
	// TODO: support this field
	SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
	// Waypoint is the waypoint proxy for this service. When set, all incoming requests must go
	// through the waypoint.

					} else {
						errs = AppendValidation(errs, agent.ValidatePort(port))
					}
				}
			}

			if i.Tls != nil {
				if len(i.Tls.SubjectAltNames) > 0 {
					errs = AppendValidation(errs, fmt.Errorf("sidecar: subjectAltNames is not supported in ingress tls"))
				}
				if i.Tls.HttpsRedirect {
					errs = AppendValidation(errs, fmt.Errorf("sidecar: httpsRedirect is not supported"))
				}

signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed...

signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed...