# No caCertificates when mode is mutual at port level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: MUTUAL
          clientCertificate: /etc/certs/myclientcert.pem
          privateKey: /etc/certs/client_private_key.pem

# No caCertificates when mode is mutual at destination level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem

# No caCertificates when mode is simple at destination level and MUTUAL at port level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
    portLevelSettings:
      - port:
          number: 443
        tls:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
releaseNotes:
- |
  **Fixed** an issue where using `ISTIO_MUTUAL` TLS mode in Gateways while also setting `credentialName` cause mutual TLS to not be configured.
  This configuration is now rejected, as `ISTIO_MUTUAL` is intended to be used without `credentialName` set.

kind: PeerAuthentication
metadata:
  name: "default"
  annotations:
    test-suite: "automtls-partial-dr-mutual"
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "multiversion-route"
  annotations:
    test-suite: "automtls-partial-dr-mutual"
spec:
  hosts:
  - "multiversion"
  http:
  - name: "vistio-route"
    match:
    - uri:

#  caCertificates when mode is mutual at destination level and simple at port level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/root.pem
    portLevelSettings:

	"istio.io/istio/pkg/test/framework/resource/config/apply"
	"istio.io/istio/pkg/test/util/file"
	ingressutil "istio.io/istio/tests/integration/security/sds_ingress/util"
)

// TestSidecarMutualTlsOrigination test MUTUAL TLS mode with TLS origination happening at the sidecar.
// It uses CredentialName set in DestinationRule API to fetch secrets from k8s API server.
func TestSidecarMutualTlsOrigination(t *testing.T) {
	// nolint: staticcheck

            hosts: [ "www.company.com" ]
    - to: # checks only a call 443 over istio mutual without JWT
        - operation:
            hosts: [ "{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to: # checks workload can call 443 over istio mutual with JWT
        - operation:
            hosts: [ "jwt-only.com" ]
      from:

# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-config
spec:
  mtls:
    mode: STRICT
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata: