trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/default"
`
	correctIdentityDR = `apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "service-b-dr"
spec:
  host: "b.NS.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/b"

				Version: networking.TrafficPolicy_ProxyProtocol_V2,
			},
			expectTransportSocket:      false,
			expectTransportSocketMatch: false,
		},
		{
			name:          "user specified with istio_mutual tls",
			mtlsCtx:       userSupplied,
			discoveryType: cluster.Cluster_EDS,
			tls:           istioMutualTLSSettings,
			proxyProtocolSettings: &networking.TrafficPolicy_ProxyProtocol{

	}
}

// buildUpstreamTLSSettings fills key cert fields for all TLSSettings when the mode is `ISTIO_MUTUAL`.
// If the (input) TLS setting is nil (i.e not set), *and* the service mTLS mode is STRICT, it also
// creates and populates the config as if they are set as ISTIO_MUTUAL.
func (cb *ClusterBuilder) buildUpstreamTLSSettings(
	tls *networking.ClientTLSSettings,
	serviceAccounts []string,
	sni string,

						config.File("testdata/reachability/global-dr.yaml.tmpl"),
					}.WithParams(param.Params{
						mtlsModeParam:            model.MTLSStrict.String(),
						tlsModeParam:             "ISTIO_MUTUAL",
						param.Namespace.String(): systemNS,
					}),
					fromMatch:          notMigration,
					toMatch:            notMigration,
					expectMTLS:         notNaked,
					expectCrossCluster: notFromNaked,

spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "server-naked"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`
)

// TestTrustDomainAliasSecureNaming scope:
// The client side mTLS connection should validate the trust domain alias during secure naming validation.
//
// Setup:

		configTemplate := `apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
  labels:
    version: %s
spec:
  host: productpage
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: %s
    labels:
      version: %s`
		config := fmt.Sprintf(configTemplate, version, version, version)
		err := src.ApplyContent("test", config)
		g.Expect(err).To(BeNil())

		},
		{
			name:    "Kubernetes service and EDS ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},
			configs: []config.Config{drIstioMTLS, seEDS},
			// The Service has precedence, so its cluster will be used
			sans: []string{"spiffe://cluster.local/ns/default/sa/pod"},
		},
		{
			name:    "Kubernetes service and NONE ServiceEntry ISTIO_MUTUAL",
			objs:    []runtime.Object{service, pod, endpoint},

    port: 34000
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      options:
        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-system
  rules:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
  namespace: {{.AppNamespace}}
spec:
  host: "server.{{.AppNamespace}}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
`

	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: {{.AppNamespace}}
spec:
  mtls:
    mode: STRICT
`
)

  namespace: istio-system
spec:
  servers:
  - hosts:
    - '*/egress.example'
    port:
      name: default
      number: 34000
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
    internal.istio.io/parents: HTTPRoute/http.default
    internal.istio.io/route-semantics: gateway