testCases := []struct {
		namespace      string
		trustDomain    string
		serviceAccount string
		expectedError  string
		expectedURI    string
	}{
		{
			serviceAccount: "sa",
			trustDomain:    defaultTrustDomain,
			expectedError:  "namespace or service account empty for SPIFFE uri",
		},
		{
			namespace:     "ns",
			trustDomain:   defaultTrustDomain,

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate) {
	if v.certPools[trustDomain] == nil {
		v.certPools[trustDomain] = x509.NewCertPool()
	}
	for _, cert := range certs {
		v.certPools[trustDomain].AddCert(cert)
		v.generalCertPool.AddCert(cert)
	}
	spiffeLog.Infof("Added %d certs to trust domain %s in peer cert verifier", len(certs), trustDomain)
}

        "port": 15008
      },
      "protocol": "HBONE",
      "uid": "Kubernetes//Pod/bookinfo/ratings-v1-6484c4d9bb-mdxm5",
      "name": "ratings-v1-6484c4d9bb-mdxm5",
      "namespace": "bookinfo",
      "trustDomain": "cluster.local",
      "serviceAccount": "bookinfo-ratings",
      "workloadName": "ratings-v1",
      "workloadType": "deployment",
      "canonicalName": "ratings",
      "canonicalRevision": "v1",

}

func NewBuilderForService(actionType ActionType, push *model.PushContext, proxy *model.Proxy, useFilterState bool, svc *model.Service) *Builder {
	tdBundle := trustdomain.NewBundle(push.Mesh.TrustDomain, push.Mesh.TrustDomainAliases)
	option := builder.Option{
		IsCustomBuilder: actionType == Custom,
		UseFilterState:  useFilterState,
		UseExtendedJwt:  proxy.SupportsEnvoyExtendedJwt(),
	}

	CanonicalName         string            `json:"canonicalName"`
	CanonicalRevision     string            `json:"canonicalRevision"`
	ClusterID             string            `json:"clusterId"`
	TrustDomain           string            `json:"trustDomain,omitempty"`
	Locality              Locality          `json:"locality,omitempty"`
	Node                  string            `json:"node"`
	Network               string            `json:"network,omitempty"`

		applier:      applier,
		proxy:        proxy,
		trustDomains: trustDomains,
	}
}

func (b *Builder) ForPort(port uint32) authn.MTLSSettings {
	if b == nil {
		return authn.MTLSSettings{
			Port: port,
			Mode: model.MTLSDisable,
		}
	}
	return b.applier.InboundMTLSSettings(port, b.proxy, b.trustDomains, authn.NoOverride)
}

func (b *Builder) ForHBONE() authn.MTLSSettings {
	if b == nil {

package builder

import (
	"testing"

	"istio.io/istio/pilot/pkg/model"
	"istio.io/istio/pilot/pkg/security/trustdomain"
	"istio.io/istio/pkg/fuzz"
)

func FuzzBuildHTTP(f *testing.F) {
	fuzz.Fuzz(f, func(fg fuzz.Helper) {
		bundle := fuzz.Struct[trustdomain.Bundle](fg)
		push := fuzz.Struct[*model.PushContext](fg, validatePush)
		node := fuzz.Struct[*model.Proxy](fg)

	credFetcher, err := credentialfetcher.NewCredFetcher(credFetcherTypeEnv, o.TrustDomain, jwtPath, o.CredIdentityProvider)
	if err != nil {
		return nil, fmt.Errorf("failed to create credential fetcher: %v", err)
	}
	log.Infof("using credential fetcher of %s type in %s trust domain", credFetcherTypeEnv, o.TrustDomain)
	o.CredFetcher = credFetcher

	if o.CAProviderName == security.GkeWorkloadCertificateProvider {

			name:     "trust-domain-wildcard-in-principal",
			tdBundle: trustdomain.NewBundle("td1", []string{"foobar"}),
			input:    "simple-policy-principal-with-wildcard-in.yaml",
			want:     []string{"simple-policy-principal-with-wildcard-out.yaml"},
		},
		{
			name:     "trust-domain-aliases-in-source-principal",
			tdBundle: trustdomain.NewBundle("new-td", []string{"old-td", "some-trustdomain"}),
			input:    "td-aliases-source-principal-in.yaml",

        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.meshID }}"
        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
        - name: ISTIO_META_MESH_ID
          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
        {{- end }}
        resources:
          limits:
            cpu: "2"
            memory: 1Gi
          requests: