`

	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: "istio-system"
spec:
  mtls:
    mode: STRICT
`
)

func createObject(ctx framework.TestContext, serviceNamespace string, yamlManifest string) {
	args := map[string]string{"AppNamespace": serviceNamespace}
	ctx.ConfigIstio().Eval(serviceNamespace, args, yamlManifest).ApplyOrFail(ctx)

      * Because the destination DNS name is treated as opaque, we cannot apply Istio policies to it as expected. For example, if I point
        an external name at another in-cluster Service (for example, `example.default.svc.cluster.local`), mTLS would not be used.
      
      `ExternalName` support has been revamped to fix these problems. `ExternalName`s are now simply treated as aliases.

	}, nil
}

// authenticateHTTP performs mTLS authentication for http requests. Requires having the endpoints on a listener
// with proper TLS configuration.
func (cca *ClientCertAuthenticator) authenticateHTTP(req *http.Request) (*security.Caller, error) {
	if req.TLS == nil || req.TLS.VerifiedChains == nil {
		return nil, fmt.Errorf("no client certificate is presented")
	}

	chains := req.TLS.VerifiedChains

		// This is typically used to share the certs with non-proxy containers in the pod which does not run as root or 1337.
		// For example, prometheus server could use proxy provisioned certs to scrape application metrics through mTLS.
		certFileMode = os.FileMode(0o644)
	}
	// Depending on the SDS resource to output, some fields may be nil
	if privateKey == nil && certChain == nil && rootCert == nil {

```
MINIO_LAMBDA_WEBHOOK_ENABLE_function=on MINIO_LAMBDA_WEBHOOK_ENDPOINT_function=http://localhost:5000 MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN="mytoken" minio server /data &
```

### Lambda Target with mTLS authentication

If your lambda target expects mTLS client you can enable it per function target as follows
```

  - hosts:
    - "./*"
---
# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-config
spec:
  mtls:
    mode: STRICT
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.

	// Allows filtering the destinations we expect to reach (optional).
	ExpectDestinations func(from echo.Instance, to echo.Target) echo.Instances

	// Indicates whether the test should expect a MTLS response.
	ExpectMTLS func(from echo.Instance, opts echo.CallOptions) bool

	// Indicates whether a test should be run in the multicluster environment.

		return []authn.MTLSSettings{{
			Port: 0,
			Mode: model.MTLSDisable,
		}}
	}
	//	We need to create configuration for the passthrough,
	// but also any ports that are not explicitly declared in the Service but are in the mTLS port level settings.

	resp := []authn.MTLSSettings{
		// Full passthrough - no port match
		b.applier.InboundMTLSSettings(0, b.proxy, b.trustDomains, authn.NoOverride),
	}

	KubernetesGatewaySecretType    = "kubernetes-gateway"
	kubernetesGatewaySecretTypeURI = KubernetesGatewaySecretType + "://"
	// BuiltinGatewaySecretType is the name of a SDS secret that uses the workloads own mTLS certificate
	BuiltinGatewaySecretType    = "builtin"
	BuiltinGatewaySecretTypeURI = BuiltinGatewaySecretType + "://"
	// SdsCaSuffix is the suffix of the sds resource name for root CA.
	SdsCaSuffix = "-cacert"
)

# ISTIO_NAMESPACE=default

# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
# Needed if the host has multiple IP.
# ISTIO_SVC_IP=

# If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS ) you must
# also configure the mesh expansion machines:
# ISTIO_PILOT_PORT=15005
# ISTIO_CP_AUTH=MUTUAL_TLS