- name: prometheus
  prometheus: {}
trustDomainAliases: ["both", "default"]
`,
		},
		{
			name: "add trust domain aliases",
			in: `
trustDomainAliases: ["added", "both"]`,
			out: `defaultProviders:
  metrics:
  - stackdriver
extensionProviders:
- name: stackdriver
  stackdriver:
    maxNumberOfAttributes: 3
trustDomainAliases:
- added
- both
- default
`,
		},
	}

				found = true
				break
			}
		}
		if !found {
			defaultConfig.ExtensionProviders = append(defaultConfig.ExtensionProviders, p)
		}
	}

	defaultConfig.TrustDomainAliases = sets.SortedList(sets.New(append(defaultConfig.TrustDomainAliases, prevTrustDomainAliases...)...))

	warn, err := agent.ValidateMeshConfig(defaultConfig)
	if err != nil {
		return nil, err
	}
	if warn != nil {

// 5. DestinaitonRule with tls ISTIO_MUTUAL mode, because Istio auto mTLS will let client send plaintext to naked servers by default.
// 6. MeshConfig.TrustDomainAliases contains one of the trust domain "server-naked-foo".
//
// Expectation:
// When the "server-naked-foo" is in the list of MeshConfig.TrustDomainAliases, client requests to
// "server-naked-foo" succeeds, and requests to "server-naked-bar" fails.
func TestTrustDomainAliasSecureNaming(t *testing.T) {

//
//	{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.
func ExpandWithTrustDomains(spiffeIdentities sets.String, trustDomainAliases []string) sets.String {
	if len(trustDomainAliases) == 0 {
		return spiffeIdentities
	}
	out := sets.New[string]()
	for id := range spiffeIdentities {
		out.Insert(id)

}

func NewBuilderForService(actionType ActionType, push *model.PushContext, proxy *model.Proxy, useFilterState bool, svc *model.Service) *Builder {
	tdBundle := trustdomain.NewBundle(push.Mesh.TrustDomain, push.Mesh.TrustDomainAliases)
	option := builder.Option{
		IsCustomBuilder: actionType == Custom,
		UseFilterState:  useFilterState,
		UseExtendedJwt:  proxy.SupportsEnvoyExtendedJwt(),
	}

type PolicyApplier interface {
	// InboundMTLSSettings returns inbound mTLS settings for a given workload port
	InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings

	// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
	// It may return nil, if no JWT validation is needed.

	"istio.io/istio/pkg/config/host"
	"istio.io/istio/pkg/test/util/retry"
)

type mockMeshConfigHolder struct {
	trustDomainAliases []string
}

func (mh mockMeshConfigHolder) Mesh() *meshconfig.MeshConfig {
	return &meshconfig.MeshConfig{
		TrustDomainAliases: mh.trustDomainAliases,
	}
}

func buildMockController() *Controller {
	discovery1 := memory.NewServiceDiscovery(mock.ReplicatedFooServiceV1.DeepCopy(),

			"discovery address must be set to the proxy discovery service",
			"invalid proxy admin port",
			"invalid status port",
			"trustDomain: empty domain name not allowed",
			"trustDomainAliases[0]",
			"trustDomainAliases[1]",
			"trustDomainAliases[2]",
			"mesh TLS does not support ECDH curves configuration",
		}
		switch err := err.(type) {
		case *multierror.Error:
			// each field must cause an error in the field

	cfgYaml := tmpl.MustEvaluate(`
values:
  pilot:
    env:
      ISTIO_MULTIROOT_MESH: true
  meshConfig:
    defaultConfig:
      proxyMetadata:
        PROXY_CONFIG_XDS_AGENT: "true"
    trustDomainAliases: [some-other, trust-domain-foo]
    caCertificates:
    - pem: |
{{.pem | indent 8}}
`, map[string]string{"pem": rootPEM})
	cfg.ControlPlaneValues = cfgYaml
}

		errs = multierror.Append(errs, fmt.Errorf("trustDomain: %v", err))
	}
	for i, tda := range config.TrustDomainAliases {
		if err := ValidateTrustDomain(tda); err != nil {
			errs = multierror.Append(errs, fmt.Errorf("trustDomainAliases[%d], domain `%s` : %v", i, tda, err))
		}
	}
	return
}

func ValidateMeshTLSConfig(mesh *meshconfig.MeshConfig) (errs error) {