
Results 1 - 10 of 12 for peerAuthentication (0.18 sec)

  1. pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go

    func fetchPeerAuthentications(
    	ctx krt.HandlerContext,
    	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
    	meshCfg *MeshConfig,
    	ns string,
    	matchLabels map[string]string,
    ) []*securityclient.PeerAuthentication {
    	return krt.Fetch(ctx, PeerAuths, krt.FilterGeneric(func(a any) bool {
    		pol := a.(*securityclient.PeerAuthentication)
    		if pol.Namespace == meshCfg.GetRootNamespace() && pol.Spec.Selector == nil {
    			return true
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 16:51:29 UTC 2024
    - 20.9K bytes
  2. pilot/pkg/networking/core/peer_authentication_simulation_test.go

    	"istio.io/istio/pilot/test/xds"
    )
    
    // TestPeerAuthenticationPassthrough tests the PeerAuthentication policy applies correctly on the passthrough filter chain,
    // including both global configuration and port level configuration.
    func TestPeerAuthenticationPassthrough(t *testing.T) {
    	paStrict := `
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
     name: default
    spec:
     selector:
       matchLabels:
         app: foo
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 01:56:28 UTC 2024
    - 16.2K bytes
  3. pilot/pkg/serviceregistry/kube/controller/ambient/policies.go

    	"istio.io/istio/pkg/spiffe"
    	"istio.io/istio/pkg/workloadapi/security"
    )
    
    func PolicyCollections(
    	AuthzPolicies krt.Collection[*securityclient.AuthorizationPolicy],
    	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
    	MeshConfig krt.Singleton[MeshConfig],
    	Waypoints krt.Collection[Waypoint],
    	Pods krt.Collection[*v1.Pod],
    ) (krt.Collection[model.WorkloadAuthorization], krt.Collection[model.WorkloadAuthorization]) {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 16:51:29 UTC 2024
    - 5.2K bytes
  4. pilot/pkg/serviceregistry/kube/controller/ambient/workloads_test.go

    			builder := a.podWorkloadBuilder(
    				GetMeshConfig(mock),
    				krttest.GetMockCollection[model.WorkloadAuthorization](mock),
    				krttest.GetMockCollection[*securityclient.PeerAuthentication](mock),
    				krttest.GetMockCollection[Waypoint](mock),
    				WorkloadServices,
    				WorkloadServicesNamespaceIndex,
    				krttest.GetMockCollection[*v1.Namespace](mock),
    				krttest.GetMockCollection[*v1.Node](mock),
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 16:51:29 UTC 2024
    - 20.3K bytes
  5. pilot/pkg/networking/core/listener_builder_test.go

    		})
    	}
    	return res
    }
    
    // PeerAuthentication fixtures used by the listener builder tests. Both are
    // named "default", live in istio-system and carry no selector, so they are
    // not scoped to particular workloads.
    // NOTE(review): istio-system is presumably the mesh root namespace in these
    // tests, which would make both policies mesh-wide; confirm against the
    // test mesh config.
    const (
    	// strictMode sets spec.mtls.mode to STRICT.
    	strictMode = `
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system
    spec:
      mtls:
        mode: STRICT
    `

    	// disableMode sets spec.mtls.mode to DISABLE. Test fixture only: outside
    	// a test, a selector-less policy of this shape in the root namespace
    	// turns mutual TLS off for every workload that has no more specific
    	// policy.
    	disableMode = `
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system
    spec:
      mtls:
        mode: DISABLE
    `
    )
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 01:56:28 UTC 2024
    - 24.7K bytes
  6. pilot/test/xds/fake.go

    			MeshWatcher:     mesh.NewFixedWatcher(m),
    			CRDs: []schema.GroupVersionResource{
    				// Install all CRDs used (mostly in Ambient)
    				gvr.AuthorizationPolicy,
    				gvr.PeerAuthentication,
    				gvr.KubernetesGateway,
    				gvr.KubernetesGateway,
    				gvr.WorkloadEntry,
    				gvr.ServiceEntry,
    			},
    		})
    		stop := test.NewStop(t)
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Jun 10 16:08:52 UTC 2024
    - 18.4K bytes
  7. tests/integration/ambient/baseline_test.go

    					"Destination": dst.Config().Service,
    					"Source":      src.Config().Service,
    					"Namespace":   apps.Namespace.Name(),
    				}, `
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: global-permissive
    spec:
      mtls:
        mode: PERMISSIVE
    `).ApplyOrFail(t)
    				opt = opt.DeepCopy()
    				src.CallOrFail(t, opt)
    			})
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Jun 12 00:07:28 UTC 2024
    - 78.4K bytes
  8. pilot/pkg/networking/core/cluster_test.go

    	nodeType          model.NodeType
    	locality          *core.Locality
    	mesh              *meshconfig.MeshConfig
    	destRule          proto.Message
    	sidecar           *networking.Sidecar
    	peerAuthn         *authn_beta.PeerAuthentication
    	externalService   bool
    
    	meta         *model.NodeMetadata
    	istioVersion *model.IstioVersion
    	proxyIps     []string
    }
    
    func (c clusterTest) fillDefaults() clusterTest {
    	if c.proxyIps == nil {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 01:56:28 UTC 2024
    - 108.8K bytes
  9. pilot/pkg/networking/core/sidecar_simulation_test.go

    	for _, m := range meta.Services {
    		res = append(res, m.Host)
    	}
    	return res
    }
    
    // mtlsMode renders a PeerAuthentication manifest named "default" in
    // istio-system, with no selector, whose spec.mtls.mode is m.
    //
    // m is substituted into the YAML verbatim, without quoting or validation, so
    // a value containing a newline or other YAML syntax would change the
    // structure of the document.
    // NOTE(review): callers presumably pass only literal mode names such as
    // STRICT, PERMISSIVE or DISABLE; keep it that way, since this helper is not
    // suitable for externally supplied values.
    func mtlsMode(m string) string {
    	const policyTemplate = `apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system
    spec:
      mtls:
        mode: %s
    `
    	return fmt.Sprintf(policyTemplate, m)
    }
    
    func TestInbound(t *testing.T) {
    	svc := `
    apiVersion: networking.istio.io/v1alpha3
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 01:56:28 UTC 2024
    - 84.7K bytes
  10. pilot/pkg/networking/core/listener_inbound.go

    		// First, construct our set of filter chain matchers. For a given port, we will have multiple matches
    		// to handle mTLS vs plaintext and HTTP vs TCP (depending on protocol and PeerAuthentication).
    		var opts []FilterChainMatchOptions
    		mtls := lb.authnBuilder.ForPort(cc.port.TargetPort)
    		// Chain has explicit user TLS config. This can only apply when the TLS mode is DISABLE to avoid conflicts.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Jun 13 01:56:28 UTC 2024
    - 35.1K bytes