trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/default"
`
	correctIdentityDR = `apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "service-b-dr"
spec:
  host: "b.NS.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/b"

				Version: networking.TrafficPolicy_ProxyProtocol_V2,
			},
			expectTransportSocket:      false,
			expectTransportSocketMatch: false,
		},
		{
			name:          "user specified with istio_mutual tls",
			mtlsCtx:       userSupplied,
			discoveryType: cluster.Cluster_EDS,
			tls:           istioMutualTLSSettings,
			proxyProtocolSettings: &networking.TrafficPolicy_ProxyProtocol{

	}
}

// buildUpstreamTLSSettings fills key cert fields for all TLSSettings when the mode is `ISTIO_MUTUAL`.
// If the (input) TLS setting is nil (i.e not set), *and* the service mTLS mode is STRICT, it also
// creates and populates the config as if they are set as ISTIO_MUTUAL.
func (cb *ClusterBuilder) buildUpstreamTLSSettings(
	tls *networking.ClientTLSSettings,
	serviceAccounts []string,
	sni string,

						config.File("testdata/reachability/global-dr.yaml.tmpl"),
					}.WithParams(param.Params{
						mtlsModeParam:            model.MTLSStrict.String(),
						tlsModeParam:             "ISTIO_MUTUAL",
						param.Namespace.String(): systemNS,
					}),
					fromMatch:          notMigration,
					toMatch:            notMigration,
					expectMTLS:         notNaked,
					expectCrossCluster: notFromNaked,

spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "server-naked"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`
)

// TestTrustDomainAliasSecureNaming scope:
// The client side mTLS connection should validate the trust domain alias during secure naming validation.
//
// Setup:

		},
		{
			name:    "Kubernetes service and EDS ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},
			configs: []config.Config{drIstioMTLS, seEDS},
			// The Service has precedence, so its cluster will be used
			sans: []string{"spiffe://cluster.local/ns/default/sa/pod"},
		},
		{
			name:    "Kubernetes service and NONE ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
  namespace: {{.AppNamespace}}
spec:
  host: "server.{{.AppNamespace}}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`

	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: {{.AppNamespace}}
spec:
  mtls:
    mode: STRICT
`
)

								},
							},
						},
					},
					Sni: "some-sni.com",
				},
				err: nil,
			},
		},
		// ecdh curves from MeshConfig should be ignored for ISTIO_MUTUAL mode
		{
			name: "tls mode ISTIO_MUTUAL with EcdhCurves specified in Mesh Config",
			opts: &buildClusterOpts{
				mutable: newTestCluster(),
				mesh: &meshconfig.MeshConfig{
					TlsDefaults: &meshconfig.MeshConfig_TLSConfig{

      mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
spec:
  host: server.%s.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 8090
      tls:
        mode: DISABLE
    - port:
        number: 8092
      tls:
        mode: DISABLE
`
)

  servers:
    - port:
        number: 443
        name: https-filebased
        protocol: HTTPS
      hosts:
        - external-service.{{.ServerNamespace}}.svc.cluster.local
      tls:
        mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-server-filebased
spec:
  host: {{.EgressService}}.{{.EgressNamespace}}.svc.cluster.local
  subsets: