local queries = (import './queries.libsonnet').queries({
  container: "istio-proxy",
  pod: "ztunnel-.*",
  component: "ztunnel",
  app: "ztunnel",
});

dashboard.new('Istio Ztunnel Dashboard')
+ g.dashboard.withPanels(
  grid.makeGrid([
    row.new('Process')
    + row.withPanels([
      panels.timeSeries.base('Ztunnel Versions', queries.istioBuild, 'Version number of each running instance'),

This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.

1. Immediately upon starting a drain, `ztunnel-old` will close its listeners. Now only `ztunnel-new` is listening. Critically, at all times there was at least one ztunnel listening.
1. While `ztunnel-old` will not accept *new* connections, it will continue processing existing connections.
1. After `drain period` seconds, `ztunnel-old` will forcefully terminate any outstanding connections.

> [!NOTE]

                  "type": "prometheus",
                  "uid": "$datasource"
               },
               "expr": "sum by (tag) (istio_build{component=\"ztunnel\"})",
               "legendFormat": "Version ({{tag}})"
            }
         ],
         "title": "Ztunnel Versions",
         "type": "timeseries"
      },
      {
         "datasource": {
            "type": "datasource",
            "uid": "-- Mixed --"

```mermaid
graph TD;
src[src pod]-->|plaintext port|ztunnel{"ztunnel (L4 policy applied here)"}
ztunnel{ztunnel}-->|TLS|wp{waypoint}
wp-->|mTLS|ztunnel
ztunnel-->|plaintext|dst[dst pod]
```

And here's an example of an authenticated request to a captured destination:

```mermaid
graph TD;
src[src pod]-->|15008|ztunnel{ztunnel}
ztunnel-->|HBONE|dwp{"destination waypoint (all policy applied here)"}

  echo "Copying $(pwd)/${ZTUNNEL_BIN_PATH} to ${TARGET_OUT_LINUX}/ztunnel"
  mkdir -p "${TARGET_OUT_LINUX}"
  cp "${ZTUNNEL_BIN_PATH}" "${TARGET_OUT_LINUX}/ztunnel"
  popd
}

# ztunnel binary vars (TODO handle debug builds, arm, darwin etc.)
ISTIO_ZTUNNEL_BASE_URL="${ISTIO_ZTUNNEL_BASE_URL:-https://storage.googleapis.com/istio-build/ztunnel}"

			switch {
			case !errors.Is(err, os.ErrDeadlineExceeded):
				log.Debugf("ztunnel keepalive failed: %v", err)
				if errors.Is(err, io.EOF) {
					log.Debug("ztunnel EOF")
					return nil
				}
				return err
			case err == nil:
				log.Warn("ztunnel protocol error, unexpected message")
				return fmt.Errorf("ztunnel protocol error, unexpected message")
			default:

			execClientConfig: loggingConfig,
			args:             strings.Split("log ztunnel-9v7nw --level ztunnel::pool:debug", " "),
			expectedString:   "",
			wantException:    false,
		},
		{ // set ztunnel logging level
			execClientConfig: loggingConfig,
			args:             strings.Split("log ztunnel-9v7nw --level debug", " "),
			expectedString:   "current log level is debug",
			wantException:    false,
		},

- **Purpose**: Tests related to the Ambient mode, including components like `ztunnel`.
- **Focus**:
  1. Configuration and communication of Ambient components.
  1. Interaction between `ztunnel` and Ambient components.
  1. Validation of zero-trust security policies.
  1. Testing of ambient traffic management.
  1. Specific `istioctl ztunnel-config` commands being tested: `all`, `services`, `workloads`, `policies`, `certificates`.

  istioctl ztunnel-config workload <ztunnel-name[.namespace]> --address 0.0.0.0 -o json

  # Retrieve Ztunnel config dump separately and inspect from file.
  kubectl exec -it $ZTUNNEL -n istio-system -- curl localhost:15000/config_dump > ztunnel-config.json
  istioctl ztunnel-config workloads --file ztunnel-config.json

  # Retrieve workload summary for a specific namespace