1. The `caClient` will be configured to use either JWT or mTLS authentication. For JWT authentication, gRPC's `PerRPCCredentials`
   is configured with a `TokenProvider` which handles the logic of adding the proper JWT to each request. mTLS is configured
   by a tls.Config that points to files on disk.

It should be noted there is a circular dependency with mTLS authentication; in order to fetch a certificate we need

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
spec:
  mtls:

	// It may return nil, if no authentication is needed.
	AuthNFilter(forSidecar bool) *hcm.HttpFilter

	// PortLevelSetting returns port level mTLS settings.
	PortLevelSetting() map[uint32]model.MutualTLSMode

	MtlsPolicy
}

type MtlsPolicy interface {
	// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
	// returns the inherited namespace/mesh level setting.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:

				ingressutil.RunTestMultiQUICGateways(t, inst, ingressutil.TLS, namespace.Future(&echo1NS))
			})
		})
}

// TestMtlsGatewaysWithQUIC deploys multiple mTLS gateways with SDS enabled, and creates kubernetes that store
// private key, server certificate and CA certificate for each mTLS gateway. Verifies that client can communicate
// by using both QUIC and TCP/mTLS
func TestMtlsGatewaysWithQUIC(t *testing.T) {
	// nolint: staticcheck

	// Compliance for downstream mesh mTLS.
	authn_model.EnforceCompliance(ctx.CommonTlsContext)
	return ctx
}

// GetMinTLSVersion returns the minimum TLS version for workloads based on the mesh config.
func GetMinTLSVersion(ver meshconfig.MeshConfig_TLSConfig_TLSProtocol) tls.TlsParameters_TlsProtocol {
	switch ver {
	case meshconfig.MeshConfig_TLSConfig_TLSV1_3:
		return tls.TlsParameters_TLSv1_3
	default:

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - https://github.com/istio/istio/issues/35111
releaseNotes:
  - |
    **Added** TLS settings to the sidecar API in order to enable TLS/mTLS termination on the sidecar proxy for requests 
    coming from outside the mesh.
docs:
  - https://docs.google.com/document/d/15Qhr7errbylXEzxxCK7ij_oUpn4E5SFU2uDdl_n2GIc/edit#heading=h.h3lxcxfhqndp
securityNotes:
  - |

			}

			ns := namespace.NewOrFail(t, t, namespace.Config{Prefix: "grpc-probe", Inject: true})
			// apply strict mtls
			t.ConfigKube(t.Clusters().Configs()...).YAML(ns.Name(), `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: grpc-probe-mtls
spec:
  mtls:
    mode: STRICT`).ApplyOrFail(t)

			for _, testCase := range []struct {
				name     string
				rewrite  bool

) {
	ctx.Helper()
	wantSuccess := rewrite
	policyYAML := fmt.Sprintf(`apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "mtls-strict-for-%v"
spec:
  selector:
    matchLabels:
      app: "%v"
  mtls:
    mode: STRICT
`, name, name)
	ctx.ConfigIstio().YAML(ns.Name(), policyYAML).ApplyOrFail(ctx)

	var healthcheck echo.Instance
	cfg := echo.Config{
		Namespace: ns,

// - The certificate issued by CA to the sidecar is as expected and that strict mTLS works as expected.
// - The plugin CA certs are correctly used in workload mTLS.
// - The CA certificate in the configmap of each namespace is as expected, which
//
//	is used for data plane to control plane TLS authentication.
//
// - Secure naming information is respected in the mTLS handshake.
func TestSecureNaming(t *testing.T) {
	framework.NewTest(t).