// Use subject alt names specified in service entry if TLS settings does not have subject alt names.
		if opts.serviceRegistry == provider.External && len(tls.SubjectAltNames) == 0 {
			tls = tls.DeepCopy()
			tls.SubjectAltNames = opts.serviceAccounts
		}
		if tls.CredentialName != "" {
			// If  credential name is specified at Destination Rule config and originating node is egress gateway, create

          }
        }
      },
      "subjectAltNames": []
    },
    "/10.96.0.1": {
      "name": "kubernetes",
      "namespace": "default",
      "hostname": "kubernetes.default.svc.cluster.local",
      "vips": [
        "/10.96.0.1"
      ],
      "ports": {
        "443": 6443
      },
      "endpoints": {},
      "subjectAltNames": []
    },
    "/10.96.71.36": {

	dnsSANNotAllowedErr           = fmt.Errorf("DNS subjectAltNames are not allowed")
	emailSANNotAllowedErr         = fmt.Errorf("Email subjectAltNames are not allowed")
	ipSANNotAllowedErr            = fmt.Errorf("IP subjectAltNames are not allowed")
	uriSANNotAllowedErr           = fmt.Errorf("URI subjectAltNames are not allowed")
)

var (
	kubeletServingRequiredUsages = sets.NewString(

					Addresses: []string{"1.2.3.4"},
					Hosts:     []string{"a.example.com", "b.example.com"},
					Ports: []*networking.ServicePort{{
						Number: 80,
						Name:   "http",
					}},
					SubjectAltNames: []string{"san1"},
					Resolution:      networking.ServiceEntry_DNS,
				},
			},
			result: []*workloadapi.Service{
				{
					Name:      "name",
					Namespace: "ns",
					Hostname:  "a.example.com",

					tlsOpts.CredentialName+SdsCaSuffix, credentialSocketExist),
			},
		}
	} else if len(tlsOpts.SubjectAltNames) > 0 {
		tlsContext.ValidationContextType = &tls.CommonTlsContext_ValidationContext{
			ValidationContext: &tls.CertificateValidationContext{
				MatchSubjectAltNames: util.StringToExactMatch(tlsOpts.SubjectAltNames),
			},
		}
	}
}

func EnforceGoCompliance(ctx *gotls.Config) {

		Mode:            networking.ClientTLSSettings_ISTIO_MUTUAL,
		SubjectAltNames: []string{"custom.foo.com"},
		Sni:             "custom.foo.com",
	}
	mutualTLSSettingsWithCerts := &networking.ClientTLSSettings{
		Mode:              networking.ClientTLSSettings_MUTUAL,
		CaCertificates:    "root-cert.pem",
		ClientCertificate: "cert-chain.pem",
		PrivateKey:        "key.pem",
		SubjectAltNames:   []string{"custom.foo.com"},

  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/default"
`
	correctIdentityDR = `apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "service-b-dr"
spec:
  host: "b.NS.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/NS/sa/b"
`

							Address: "address",
							TlsSettings: &v1alpha3.ClientTLSSettings{
								SubjectAltNames: []string{"san"},
							},
						},
					}),
				},
			},
			// nolint: lll
			`{"PROXY_CONFIG":{"configPath":"foo","drainDuration":"5s","controlPlaneAuthPolicy":"MUTUAL_TLS","envoyAccessLogService":{"address":"address","tlsSettings":{"subjectAltNames":["san"]}}}}`,
			model.BootstrapNodeMetadata{
				NodeMetadata: model.NodeMetadata{

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
issue:
- 40801
releaseNotes:
- |
  **Fixed** an issue with where a `DestinationRule` applying to multiple services could incorrectly apply an unexpected `subjectAltNames` field.
- |

		Mode:            networking.ClientTLSSettings_ISTIO_MUTUAL,
		SubjectAltNames: []string{"custom.foo.com"},
		Sni:             "custom.foo.com",
	}
	mutualTLSSettingsWithCerts := &networking.ClientTLSSettings{
		Mode:              networking.ClientTLSSettings_MUTUAL,
		CaCertificates:    "root-cert.pem",
		ClientCertificate: "cert-chain.pem",
		PrivateKey:        "key.pem",
		SubjectAltNames:   []string{"custom.foo.com"},