```mermaid
graph TD;
src[src pod]-->|plaintext port|ztunnel{"ztunnel (L4 policy applied here)"}
ztunnel{ztunnel}-->|TLS|wp{waypoint}
wp-->|mTLS|ztunnel
ztunnel-->|plaintext|dst[dst pod]
```

And here's an example of an authenticated request to a captured destination:

```mermaid
graph TD;
src[src pod]-->|15008|ztunnel{ztunnel}
ztunnel-->|HBONE|dwp{"destination waypoint (all policy applied here)"}

This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.

1. Immediately upon starting a drain, `ztunnel-old` will close its listeners. Now only `ztunnel-new` is listening. Critically, at all times there was at least one ztunnel listening.
1. While `ztunnel-old` will not accept *new* connections, it will continue processing existing connections.
1. After `drain period` seconds, `ztunnel-old` will forcefully terminate any outstanding connections.

> [!NOTE]

local queries = (import './queries.libsonnet').queries({
  container: "istio-proxy",
  pod: "ztunnel-.*",
  component: "ztunnel",
  app: "ztunnel",
});

dashboard.new('Istio Ztunnel Dashboard')
+ g.dashboard.withPanels(
  grid.makeGrid([
    row.new('Process')
    + row.withPanels([
      panels.timeSeries.base('Ztunnel Versions', queries.istioBuild, 'Version number of each running instance'),

        .addEqualityGroup(Funnels.longFunnel())
        .addEqualityGroup(Funnels.unencodedCharsFunnel())
        .addEqualityGroup(Funnels.stringFunnel(UTF_8))
        .addEqualityGroup(Funnels.stringFunnel(US_ASCII))
        .addEqualityGroup(
            Funnels.sequentialFunnel(Funnels.integerFunnel()),
            SerializableTester.reserialize(Funnels.sequentialFunnel(Funnels.integerFunnel())))

                  "type": "prometheus",
                  "uid": "$datasource"
               },
               "expr": "sum by (tag) (istio_build{component=\"ztunnel\"})",
               "legendFormat": "Version ({{tag}})"
            }
         ],
         "title": "Ztunnel Versions",
         "type": "timeseries"
      },
      {
         "datasource": {
            "type": "datasource",
            "uid": "-- Mixed --"

        .addEqualityGroup(BloomFilter.create(Funnels.byteArrayFunnel(), 100, 0.01))
        .addEqualityGroup(BloomFilter.create(Funnels.byteArrayFunnel(), 100, 0.02))
        .addEqualityGroup(BloomFilter.create(Funnels.byteArrayFunnel(), 200, 0.01))
        .addEqualityGroup(BloomFilter.create(Funnels.byteArrayFunnel(), 200, 0.02))
        .addEqualityGroup(BloomFilter.create(Funnels.unencodedCharsFunnel(), 100, 0.01))

      Funnel<? super T> funnel, long expectedInsertions, double fpp) {
    return create(funnel, expectedInsertions, fpp, BloomFilterStrategies.MURMUR128_MITZ_64);
  }

  @VisibleForTesting
  static <T extends @Nullable Object> BloomFilter<T> create(
      Funnel<? super T> funnel, long expectedInsertions, double fpp, Strategy strategy) {
    checkNotNull(funnel);
    checkArgument(

See [architecture doc](../architecture/ambient/ztunnel-cni-lifecycle.md).

## Reference

### Design details

Broadly, `istio-cni` accomplishes ambient redirection by instructing ztunnel to set up sockets within the application pod network namespace, where:

- one end of the socket is in the application pod
- and the other end is in ztunnel's pod

and setting up iptables rules to funnel traffic thru that socket "tube" to ztunnel and back.

	or when the ztunnel pod is restarted in the same pod (remove old entries when the same uid connects again, but with different boot id?)

	save a queue of what needs to be sent to the ztunnel pod and send it one by one when it connects.

	when a new ztunnel connects with different uid, only propagate deletes to older ztunnels.
*/

type connMgr struct {
	connectionSet map[*ZtunnelConnection]struct{}
	latestConn    *ZtunnelConnection