1. The `caClient` will be configured to use either JWT or mTLS authentication. For JWT authentication, gRPC's `PerRPCCredentials`
   is configured with a `TokenProvider` which handles the logic of adding the proper JWT to each request. mTLS is configured
   by a tls.Config that points to files on disk.

It should be noted there is a circular dependency with mTLS authentication; in order to fetch a certificate we need

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
spec:
  mtls:

	// It may return nil, if no authentication is needed.
	AuthNFilter(forSidecar bool) *hcm.HttpFilter

	// PortLevelSetting returns port level mTLS settings.
	PortLevelSetting() map[uint32]model.MutualTLSMode

	MtlsPolicy
}

type MtlsPolicy interface {
	// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
	// returns the inherited namespace/mesh level setting.

				credWithCRL      = "mtls-credential-generic-valid-crl"
				credWithDummyCRL = "mtls-credential-generic-dummy-crl"
			)

			// Create a valid kubernetes secret to provision key/cert for sidecar.
			ingressutil.CreateIngressKubeSecretInNamespace(t, credNameGeneric, ingressutil.Mtls, ingressutil.IngressCredential{
				Certificate: file.AsStringOrFail(t, path.Join(env.IstioSrc, "tests/testdata/certs/dns/cert-chain.pem")),

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:

)

// MutualTLSMode is the mutual TLS mode specified by authentication policy.
type MutualTLSMode int

const (
	// MTLSUnknown is used to indicate the variable hasn't been initialized correctly (with the authentication policy).
	MTLSUnknown MutualTLSMode = iota

	// MTLSDisable if authentication policy disable mTLS.
	MTLSDisable

	// MTLSPermissive if authentication policy enable mTLS in permissive mode.
	MTLSPermissive

          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)",
          "refId": "A",
          "step": 2
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${datasource}"
          },

				ingressutil.RunTestMultiQUICGateways(t, inst, ingressutil.TLS, namespace.Future(&echo1NS))
			})
		})
}

// TestMtlsGatewaysWithQUIC deploys multiple mTLS gateways with SDS enabled, and creates kubernetes that store
// private key, server certificate and CA certificate for each mTLS gateway. Verifies that client can communicate
// by using both QUIC and TCP/mTLS
func TestMtlsGatewaysWithQUIC(t *testing.T) {
	// nolint: staticcheck

	// Compliance for downstream mesh mTLS.
	authn_model.EnforceCompliance(ctx.CommonTlsContext)
	return ctx
}

// GetMinTLSVersion returns the minimum TLS version for workloads based on the mesh config.
func GetMinTLSVersion(ver meshconfig.MeshConfig_TLSConfig_TLSProtocol) tls.TlsParameters_TlsProtocol {
	switch ver {
	case meshconfig.MeshConfig_TLSConfig_TLSV1_3:
		return tls.TlsParameters_TLSv1_3
	default:

					expectCrossNetwork: never,
					expectSuccess:      always,
				},

				// --------start of auto mtls partial test cases ---------------
				// The follow three consecutive test together ensures the auto mtls works as intended
				// for sidecar migration scenario.
				{
					name: "migration no tls",
					configs: config.Sources{
						config.File("testdata/reachability/global-peer-authn.yaml.tmpl"),