// Allows filtering the destinations we expect to reach (optional).
	ExpectDestinations func(from echo.Instance, to echo.Target) echo.Instances

	// Indicates whether the test should expect a MTLS response.
	ExpectMTLS func(from echo.Instance, opts echo.CallOptions) bool

	// Indicates whether a test should be run in the multicluster environment.

		return []authn.MTLSSettings{{
			Port: 0,
			Mode: model.MTLSDisable,
		}}
	}
	//	We need to create configuration for the passthrough,
	// but also any ports that are not explicitly declared in the Service but are in the mTLS port level settings.

	resp := []authn.MTLSSettings{
		// Full passthrough - no port match
		b.applier.InboundMTLSSettings(0, b.proxy, b.trustDomains, authn.NoOverride),
	}

	KubernetesGatewaySecretType    = "kubernetes-gateway"
	kubernetesGatewaySecretTypeURI = KubernetesGatewaySecretType + "://"
	// BuiltinGatewaySecretType is the name of a SDS secret that uses the workloads own mTLS certificate
	BuiltinGatewaySecretType    = "builtin"
	BuiltinGatewaySecretTypeURI = BuiltinGatewaySecretType + "://"
	// SdsCaSuffix is the suffix of the sds resource name for root CA.
	SdsCaSuffix = "-cacert"
)

# ISTIO_NAMESPACE=default

# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
# Needed if the host has multiple IP.
# ISTIO_SVC_IP=

# If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS ) you must
# also configure the mesh expansion machines:
# ISTIO_PILOT_PORT=15005
# ISTIO_CP_AUTH=MUTUAL_TLS

	keySize        = flag.Int("key-size", 2048, "Size of the generated private key")
	mode           = flag.String("mode", selfSignedMode, "Supported mode: self-signed, signer, citadel")
	// Enable this flag if istio mTLS is enabled and the service is running as server side
	isServer  = flag.Bool("server", false, "Whether this certificate is for a server.")

	xdsMeta, err := extractMeta(opts.Node)
	if err != nil {
		return nil, fmt.Errorf("failed extracting xds metadata: %v", err)
	}

	// TODO direct to CP should use secure channel (most likely JWT + TLS, but possibly allow mTLS)
	serverURI := opts.DiscoveryAddress
	if opts.XdsUdsPath != "" {
		serverURI = fmt.Sprintf("unix:///%s", opts.XdsUdsPath)
	}

	bootstrap := Bootstrap{
		XDSServers: []XdsServer{{

	endpoints          []string
	endpointUpdateChan chan struct{}
	remoteCaCertPool   *x509.CertPool
	meshConfig         mesh.Watcher
}

var (
	trustBundleLog = log.RegisterScope("trustBundle", "Workload mTLS trust bundle logs")
	remoteTimeout  = 10 * time.Second
)

// NewTrustBundle returns a new trustbundle
func NewTrustBundle(remoteCaCertPool *x509.CertPool, meshConfig mesh.Watcher) *TrustBundle {
	var err error

			allErrs = append(allErrs, field.Invalid(
				fldPath.Child("tlsConfig", "caBundle"),
				tlsConfig.CABundle,
				"TLS config ca bundle does not exist"))
		}
	}
	if tlsConfig.ClientCert == "" {
		allErrs = append(allErrs, field.Invalid(
			fldPath.Child("tlsConfig", "clientCert"),
			"nil",
			"Using TLS requires clientCert"))

			"Namespace": ns,
		}, `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "usergroup-peerauth"
  namespace: {{ .Namespace }}
spec:
  mtls:
    mode: STRICT
`).ApplyOrFail(t, apply.NoCleanup)
	}
}

func allowExternalService(t framework.TestContext, ns string, externalNs string, revision string) {
	t.ConfigIstio().Eval(ns, map[string]any{

		grpc.KeepaliveParams(keepalive.ServerParameters{
			MaxConnectionIdle: idleTimeout,
		}),
	}
	if s.Port.TLS {
		epLog.Infof("Listening GRPC (over TLS) on %v", p)
		// Create the TLS credentials
		creds, errCreds := credentials.NewServerTLSFromFile(s.TLSCert, s.TLSKey)
		if errCreds != nil {
			epLog.Errorf("could not load TLS keys: %s", errCreds)
		}
		opts = append(opts, grpc.Creds(creds))
	} else if s.Port.XDSServer {