namespace: "default",
			cert:      "tls-mtls-cert",
			key:       "tls-mtls-key",
			caCert:    "tls-mtls-ca",
		},
		{
			name:      "tls-mtls-crl",
			namespace: "default",
			cert:      "tls-mtls-cert",
			key:       "tls-mtls-key",
			caCert:    "tls-mtls-ca",
			crl:       "tls-mtls-crl",
			caCrl:     "tls-mtls-crl",
		},
		{
			name:            "tls-mtls-split",

			return inboundPlainTextTCPFilterChainMatchOptions
		}
	}
}

func (opt FilterChainMatchOptions) ToTransportSocket(mtls authn.MTLSSettings) *tls.DownstreamTlsContext {
	if !opt.TLS {
		return nil
	}
	if opt.Protocol == networking.ListenerProtocolHTTP {
		return mtls.HTTP
	}
	return mtls.TCP

				{
					Name:   "mtls on port 8000",
					Call:   mkCall(8000, simulation.MTLS),
					Result: simulation.Result{ClusterMatched: "inbound|8000||"},
				},
				{
					Name:   "plaintext port 9000",
					Call:   mkCall(9000, simulation.Plaintext),
					Result: simulation.Result{ClusterMatched: "InboundPassthroughCluster"},
				},
				{
					Name:   "mtls port 9000",
					Call:   mkCall(9000, simulation.MTLS),

# This configures all services within the namespace to use mTLS with permissive mode (allowing plaintext).

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ns-default
  namespace: {{ .To.NamespaceName }}
spec:
  mtls:
    mode: PERMISSIVE

---
# This configures requests to any service in the namespace to use mTLS.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:

		Cert   string
		CaCert string
		CaCrl  string
	}
	allResources := []string{
		"kubernetes://generic", "kubernetes://generic-mtls", "kubernetes://generic-mtls-cacert",
		"kubernetes://generic-mtls-split", "kubernetes://generic-mtls-split-cacert", "kubernetes://generic-mtls-crl",
		"kubernetes://generic-mtls-crl-cacert",
	}
	cases := []struct {
		name                 string
		proxy                *model.Proxy

}

// TestSingleMTLSGateway_ServerKeyCertRotation tests a single mTLS ingress gateway with SDS enabled.
// Verifies behavior in these scenarios.
// (1) create two kubernetes secrets to provision server key/cert and client CA cert, and
// verify that mTLS connection could establish to deliver HTTPS request.
// (2) replace kubernetes secret to rotate server key/cert, and verify that mTLS connection could

# mTLS is disabled without destination rule.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  annotations:
    test-suite: "beta-mtls-off"
spec:
  mtls:

    internal.istio.io/parents: Gateway/gateway/terminate-mtls.istio-system
  creationTimestamp: null
  name: gateway-istio-autogenerated-k8s-gateway-terminate-mtls
  namespace: istio-system
spec:
  servers:
  - hosts:
    - '*/other.example'
    port:
      name: default
      number: 34000
      protocol: HTTPS
    tls:
      credentialName: kubernetes-gateway://istio-system/my-cert-http

					Mtls: &security.PeerAuthentication_MutualTLS{Mode: security.PeerAuthentication_MutualTLS_STRICT},
				},
			},
			IsMtlsDisabled: false,
		},
		"mtls-off-global": {
			Config: config.Config{
				Meta: config.Meta{
					GroupVersionKind: gvk.PeerAuthentication,
					Name:             "mtls-off",
					Namespace:        "istio-system",
				},
				Spec: &security.PeerAuthentication{

the effective policy is `PERMISSIVE` (the default), the ztunnel will open a vanilla TLS HBONE tunnel (NOTE: this is not mTLS) to the Waypoint proxy and forward the traffic over that connection without presenting a client certificate. Therefore, it is absolutely critical that the waypoint proxy not assume any identity from incoming connections, even if the ztunnel is hairpinning. In other words, all traffic over TLS HBONE tunnels must be considered to be untrusted. From there, traffic is returned to...