// BuildInboundTLS returns the TLS context corresponding to the mTLS mode.
func BuildInboundTLS(mTLSMode model.MutualTLSMode, node *model.Proxy,
	protocol networking.ListenerProtocol, trustDomainAliases []string, minTLSVersion tls.TlsParameters_TlsProtocol,
	mc *meshconfig.MeshConfig,
) *tls.DownstreamTlsContext {
	if mTLSMode == model.MTLSDisable || mTLSMode == model.MTLSUnknown {
		return nil
	}
	ctx := &tls.DownstreamTlsContext{

							},
						},
					},
				},
			},
			mtlsMode:       model.MTLSPermissive,
			expectedResult: expectIstioMTLS,
		},
	}
	for _, tt := range cases {
		t.Run(tt.name, func(t *testing.T) {
			cg := NewConfigGenTest(t, TestOptions{
				Services:     services,
				Instances:    instances,
				ConfigString: mtlsMode(tt.mtlsMode.String()),
			})
			proxy := cg.SetupProxy(nil)

	svcPort *networking.ServicePort, svcLabels map[string]string, mtlsMode MTLSMode,
) *model.ServiceInstance {
	services := convertServices(*cfg)
	svc := services[0] // default
	for _, s := range services {
		if string(s.Hostname) == address {
			svc = s
			break
		}
	}
	tlsMode := model.DisabledTLSModeLabel
	if mtlsMode == MTLS || mtlsMode == MTLSUnlabelled {
		tlsMode = model.IstioMutualTLSModeLabel
	}

		inheritedMTLSMode = MTLSPermissive
	}
	for ns, mtlsMode := range foundNamespaceMTLS {
		if mtlsMode == v1beta1.PeerAuthentication_MutualTLS_UNSET {
			policy.namespaceMutualTLSMode[ns] = inheritedMTLSMode
		} else {
			policy.namespaceMutualTLSMode[ns] = ConvertToMutualTLSMode(mtlsMode)
		}
	}
}

	migrationVersionNonIstio = "vlegacy"
	migrationPathIstio       = "/" + migrationVersionIstio
	migrationPathNonIstio    = "/" + migrationVersionNonIstio
	mtlsModeParam            = "MTLSMode"
	mtlsModeOverrideParam    = "MTLSModeOverride"
	tlsModeParam             = "TLSMode"
	cMinIstioVersion         = "1.15.0"
	// cMinIstioVersionDS       = "1.16.0"
)

func TestReachability(t *testing.T) {
	framework.NewTest(t).

	if err := json.Unmarshal(s, &meta); err != nil {
		t.Fatal(err)
	}
	res := []string{}
	for _, m := range meta.Services {
		res = append(res, m.Host)
	}
	return res
}

func mtlsMode(m string) string {
	return fmt.Sprintf(`apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: %s
`, m)
}

	// * Use security.istio.io/tlsMode if its present
	// * If not, set TLS mode if ServiceAccount is specified
	tlsMode := model.DisabledTLSModeLabel
	if val, exists := wle.Labels[label.SecurityTlsMode.Name]; exists {
		tlsMode = val
	} else if wle.ServiceAccount != "" {
		tlsMode = model.IstioMutualTLSModeLabel
	}

	return tlsMode
}

	}

	return &model.IstioEndpoint{
		Labels:                b.labels,
		ServiceAccount:        b.serviceAccount,
		Locality:              b.locality,
		TLSMode:               b.tlsMode,
		Address:               endpointAddress,
		EndpointPort:          uint32(endpointPort),
		ServicePortName:       svcPortName,
		Network:               networkID,
		WorkloadName:          b.workloadName,

spec:
  hosts:
  - example.com
  ports:
  - number: 7070
    name: tcp
    protocol: TCP
  resolution: STATIC
  location: MESH_INTERNAL
  endpoints:
  - address: 1.1.1.1
    labels:
      security.istio.io/tlsMode: istio
---
# Set up .Services number of services.
{{- range $i := until .Services }}
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-{{$i}}
spec:
  addresses:

    name: https
    protocol: HTTPS
  - number: 9090
    name: auto
    protocol: ""
  resolution: STATIC
  location: MESH_INTERNAL
  endpoints:
  - address: 1.1.1.1
    labels:
      security.istio.io/tlsMode: istio
---
# Set up .Services number of services. Each will have 4 ports (one for each protocol)
{{- range $i := until .Services }}
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata: