apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-and-disable-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:

action: DENY
groups:
- rules:
  - matches:
    - destinationPorts:
      - 8080
      notPrincipals:
      - presence: {}
name: converted_peer_authentication_strict-mtls

action: DENY
groups:
- rules:
  - matches:
    - notPrincipals:
      - presence: {}
  - matches:
    - notDestinationPorts:
      - 9090
name: converted_peer_authentication_strict-and-permissive-mtls

action: DENY
groups:
- rules:
  - matches:
    - destinationPorts:
      - 9090
      notPrincipals:
      - presence: {}
name: converted_peer_authentication_permissive-strict-mtls

# This configures all services within the namespace to use mTLS with permissive mode (allowing plaintext).

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ns-default
  namespace: {{ .To.NamespaceName }}
spec:
  mtls:
    mode: PERMISSIVE

---
# This configures requests to any service in the namespace to use mTLS.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:

the effective policy is `PERMISSIVE` (the default), the ztunnel will open a vanilla TLS HBONE tunnel (NOTE: this is not mTLS) to the Waypoint proxy and forward the traffic over that connection without presenting a client certificate. Therefore, it is absolutely critical that the waypoint proxy not assume any identity from incoming connections, even if the ztunnel is hairpinning. In other words, all traffic over TLS HBONE tunnels must be considered to be untrusted. From there, traffic is returned to...

					Mtls: &security.PeerAuthentication_MutualTLS{Mode: security.PeerAuthentication_MutualTLS_STRICT},
				},
			},
			IsMtlsDisabled: false,
		},
		"mtls-off-global": {
			Config: config.Config{
				Meta: config.Meta{
					GroupVersionKind: gvk.PeerAuthentication,
					Name:             "mtls-off",
					Namespace:        "istio-system",
				},
				Spec: &security.PeerAuthentication{

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-and-permissive-mtls
spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:

  namespace: istio-system
spec:
  servers:
  - hosts:
    - cert/cert1.domain.example
    port:
      name: default
      number: 443
      protocol: HTTPS
    tls:
      credentialName: kubernetes-gateway://cert/cert
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
    internal.istio.io/parents: HTTPRoute/http.cert

			{Port: port, Protocol: simulation.HTTP, TLS: simulation.Plaintext, HostHeader: "foo"},
			{Port: port, Protocol: simulation.HTTP, TLS: simulation.TLS, HostHeader: "foo"},
			{Port: port, Protocol: simulation.HTTP, TLS: simulation.TLS, HostHeader: "foo", Alpn: "http/1.1"},
			{Port: port, Protocol: simulation.TCP, TLS: simulation.Plaintext, HostHeader: "foo"},
			{Port: port, Protocol: simulation.HTTP2, TLS: simulation.TLS, HostHeader: "foo"},
		} {