apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

	MTLSPermissive

	// MTLSStrict if authentication policy enable mTLS in strict mode.
	MTLSStrict
)

// In Ambient, we convert k8s PeerAuthentication resources to the same type as AuthorizationPolicies
// To prevent conflicts in xDS, we add this prefix to the converted PeerAuthentication resources.
const convertedPeerAuthenticationPrefix = "converted_peer_authentication_" // use '_' character since those are illegal in k8s names

				},
			},
			wantPeerAuthn: []*config.Config{
				{
					Meta: config.Meta{
						GroupVersionKind:  gvk.PeerAuthentication,
						CreationTimestamp: baseTimestamp,
						Name:              "default",
						Namespace:         "foo",
					},
					Spec: &securityBeta.PeerAuthentication{
						Mtls: &securityBeta.PeerAuthentication_MutualTLS{
							Mode: securityBeta.PeerAuthentication_MutualTLS_STRICT,
						},

				// the workload ports are working correctly.
				{
					name: "DISABLE",
					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls
spec:
  mtls:
    mode: DISABLE`,
					expected: []expect{
						{
							port:              ports.TCPWorkloadOnly,
							plaintextSucceeds: true,

		ValidateProto: validation.EmptyValidate,
	}.MustBuild()

	PeerAuthentication = resource.Builder{
		Identifier: "PeerAuthentication",
		Group:      "security.istio.io",
		Kind:       "PeerAuthentication",
		Plural:     "peerauthentications",
		Version:    "v1beta1",
		VersionAliases: []string{
			"v1",
		},
		Proto: "istio.security.v1beta1.PeerAuthentication", StatusProto: "istio.meta.v1alpha1.IstioStatus",

				{
					Spec: &v1beta1.PeerAuthentication{
						Mtls: &v1beta1.PeerAuthentication_MutualTLS{
							Mode: v1beta1.PeerAuthentication_MutualTLS_STRICT,
						},
					},
				},
			},
			expected: nil,
		},
		{
			name: "beta-mtls-disable",
			peerIn: []*config.Config{
				{
					Spec: &v1beta1.PeerAuthentication{
						Mtls: &v1beta1.PeerAuthentication_MutualTLS{

			Kind:      kind.PeerAuthentication,
			Name:      selectorPolicyName,
			Namespace: "ns1",
		}))})

	// Add global selector policy; nothing should happen since PeerAuthentication doesn't support global mesh wide selectors
	s.addPolicy(t, "global-selector", systemNS, map[string]string{"app": "a"}, gvk.PeerAuthentication, func(c controllers.Object) {

// [static STRICT policy, port-level STRICT policy] based on the effective PeerAuthentication policy
func convertedSelectorPeerAuthentications(rootNamespace string, configs []*securityclient.PeerAuthentication) []string {
	var meshCfg, namespaceCfg, workloadCfg *securityclient.PeerAuthentication
	for _, cfg := range configs {
		spec := &cfg.Spec
		if spec.Selector == nil || len(spec.Selector.MatchLabels) == 0 {

		return "MeshNetworks"
	case MutatingWebhookConfiguration:
		return "MutatingWebhookConfiguration"
	case Namespace:
		return "Namespace"
	case Node:
		return "Node"
	case PeerAuthentication:
		return "PeerAuthentication"
	case Pod:
		return "Pod"
	case ProxyConfig:
		return "ProxyConfig"
	case ReferenceGrant:
		return "ReferenceGrant"
	case RequestAuthentication:
		return "RequestAuthentication"