InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings

	// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
	// It may return nil, if no JWT validation is needed.
	JwtFilter(useExtendedJwt, clearRouteCache bool) *hcm.HttpFilter

	// AuthNFilter returns the (authn) HTTP filter to enforce the underlying authentication policy.

		return nil
	}
	if b.proxy.SupportsEnvoyExtendedJwt() {
		filter := b.applier.JwtFilter(true, b.proxy.Type != model.SidecarProxy)
		if filter != nil {
			return []*hcm.HttpFilter{filter}
		}
		return nil
	}
	res := []*hcm.HttpFilter{}
	if filter := b.applier.JwtFilter(false, false); filter != nil {
		res = append(res, filter)
	}
	forSidecar := b.proxy.Type == model.SidecarProxy

	return policyApplier{
		processedJwtRules:      processedJwtRules,
		consolidatedPeerPolicy: ComposePeerAuthentication(rootNamespace, peerPolicies),
		push:                   push,
	}
}

func (a policyApplier) JwtFilter(useExtendedJwt, clearRouteCache bool) *hcm.HttpFilter {
	if len(a.processedJwtRules) == 0 {
		return nil
	}

	filterConfigProto := convertToEnvoyJwtConfig(a.processedJwtRules, a.push, useExtendedJwt, clearRouteCache)

	}
	for _, c := range cases {
		t.Run(c.name, func(t *testing.T) {
			istiotest.SetForTest(t, &features.JwksFetchMode, c.jwksFetchMode)
			if got := newPolicyApplier("root-namespace", c.in, nil, push).JwtFilter(false, false); !reflect.DeepEqual(c.expected, got) {
				t.Errorf("got:\n%s\nwanted:\n%s", spew.Sdump(got), spew.Sdump(c.expected))
			}
		})
	}
}

func TestConvertToEnvoyJwtConfig(t *testing.T) {