name: sidecar
  namespace: default
spec:
  ingress:
    - defaultEndpoint: 0.0.0.0:9080
      port:
        name: tls
        number: 9080
        protocol: %s
      tls:
        mode: MUTUAL
        privateKey: "httpbinkey.pem"
        serverCertificate: "httpbin.pem"
        caCertificates: "rootCA.pem"
  workloadSelector:
    labels:
      app: foo
---
`, protocol)
	}

This is not really so much a new protocol, but rather a name we came up with to refer to the expectations of clients and servers communicating in the mesh.

HBONE is just a standard HTTP `CONNECT` tunnel, over mutual TLS with mesh (SPIFFE) certificates, on a well known port (15008).
The target destination address is set in the `:authority` header, and additional headers can be included as well.

		allErrs = append(allErrs, validateCustomResourceDefinitionVersion(ctx, &version, fldPath.Child("versions").Index(i), hasStatusEnabled(subresources), opts)...)
	}

	// The top-level and per-version fields are mutual exclusive
	if spec.Validation != nil && hasPerVersionSchema(spec.Versions) {
		allErrs = append(allErrs, field.Forbidden(fldPath.Child("validation"), "top-level and per-version schemas are mutually exclusive"))
	}

	Acquire:         drwMutexAcquireTimeout,
	RefreshCall:     drwMutexRefreshCallTimeout,
	UnlockCall:      drwMutexUnlockCallTimeout,
	ForceUnlockCall: drwMutexForceUnlockCallTimeout,
}

// A DRWMutex is a distributed mutual exclusion lock.
type DRWMutex struct {
	Names                []string
	writeLocks           []string // Array of nodes that granted a write lock

		if tls.ServerCertificate == "" {
			v = AppendValidation(v, fmt.Errorf("MUTUAL TLS requires a server certificate"))
		}
		if tls.PrivateKey == "" {
			v = AppendValidation(v, fmt.Errorf("MUTUAL TLS requires a private key"))
		}
		if tls.CaCertificates == "" {
			v = AppendValidation(v, fmt.Errorf("MUTUAL TLS requires a client CA bundle"))
		}
	}
	if tls.CaCrl != "" {
		if tls.CredentialName != "" {

			want:    nil,
		},
		{
			name:    "SIMPLE TLS and nil metadata",
			tlsMode: networking.ClientTLSSettings_SIMPLE,
			meta:    nil,
			want:    alpnOverrideFalse,
		},
		{
			name:    "MUTUAL TLS and nil metadata",
			tlsMode: networking.ClientTLSSettings_SIMPLE,
			meta:    nil,
			want:    alpnOverrideFalse,
		},
		{
			name:    "SIMPLE TLS and empty metadata",

	CipherSuite uint16

	// NegotiatedProtocol is the application protocol negotiated with ALPN.
	NegotiatedProtocol string

	// NegotiatedProtocolIsMutual used to indicate a mutual NPN negotiation.
	//
	// Deprecated: this value is always true.
	NegotiatedProtocolIsMutual bool

	// ServerName is the value of the Server Name Indication extension sent by

				StringValue: subset,
			},
		}
	}
}

// AddALPNOverrideToMetadata sets filter metadata `istio.alpn_override: "false"` in the given core.Metadata struct,
// when TLS mode is SIMPLE or MUTUAL. If metadata is not initialized, builds a new metadata.
func AddALPNOverrideToMetadata(metadata *core.Metadata, tlsMode networking.ClientTLSSettings_TLSmode) *core.Metadata {

}

func (s *sliceType) init(elem gobType) {
	// Set our type id before evaluating the element's, in case it's our own.
	setTypeId(s)
	// See the comments about ids in newTypeObject. Only slices and
	// structs have mutual recursion.
	if elem.id() == 0 {
		setTypeId(elem)
	}
	s.Elem = elem.id()
}

func (s *sliceType) safeString(seen map[typeId]bool) string {
	if seen[s.Id] {
		return s.Name
	}

// Rather than doing a direct byte for byte equivalency check, we check if the
// subject, public key, and SAN, if present, are equal. This prevents loops that
// are created by mutual cross-signatures, or other cross-signature bridge
// oddities.
func alreadyInChain(candidate *Certificate, chain []*Certificate) bool {
	type pubKeyEqual interface {
		Equal(crypto.PublicKey) bool
	}