
Results 51 - 60 of 244 for mTLS (0.05 sec)

  1. pilot/pkg/security/authn/factory.go

    	// It may return nil, if no authentication is needed.
    	AuthNFilter(forSidecar bool) *hcm.HttpFilter
    
    	// PortLevelSetting returns port level mTLS settings.
    	PortLevelSetting() map[uint32]model.MutualTLSMode
    
    	MtlsPolicy
    }
    
    type MtlsPolicy interface {
    	// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
    	// returns the inherited namespace/mesh level setting.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Apr 17 22:20:44 UTC 2024
    - 3K bytes
    - Viewed (0)
  2. tests/integration/security/egress_sidecar_tls_origination_test.go

    			var (
    				credNameGeneric  = "mtls-credential-generic"
    				fakeCredName     = "fake-mtls-credential"
    				credWithCRL      = "mtls-credential-generic-valid-crl"
    				credWithDummyCRL = "mtls-credential-generic-dummy-crl"
    			)
    
    			// Create a valid kubernetes secret to provision key/cert for sidecar.
    			ingressutil.CreateIngressKubeSecretInNamespace(t, credNameGeneric, ingressutil.Mtls, ingressutil.IngressCredential{
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Apr 08 22:02:59 UTC 2024
    - 10.4K bytes
    - Viewed (0)
  3. pilot/pkg/serviceregistry/kube/controller/ambient/testdata/peer-authn-strict-workload-in.yaml

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: strict-mtls
    spec:
      selector:
        matchLabels:
          app: a
      mtls:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Feb 29 18:40:34 UTC 2024
    - 166 bytes
    - Viewed (0)
  4. pilot/pkg/model/authentication.go

    	MTLSUnknown MutualTLSMode = iota
    
    	// MTLSDisable if authentication policy disable mTLS.
    	MTLSDisable
    
    	// MTLSPermissive if authentication policy enable mTLS in permissive mode.
    	MTLSPermissive
    
    	// MTLSStrict if authentication policy enable mTLS in strict mode.
    	MTLSStrict
    )
    
    // In Ambient, we convert k8s PeerAuthentication resources to the same type as AuthorizationPolicies
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Apr 17 22:20:44 UTC 2024
    - 10.1K bytes
    - Viewed (0)
  5. manifests/addons/dashboards/istio-workload-dashboard.json

              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)",
              "refId": "A",
              "step": 2
            },
            {
              "datasource": {
                "type": "prometheus",
                "uid": "${datasource}"
              },
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Mar 27 03:47:04 UTC 2024
    - 102.7K bytes
    - Viewed (0)
  6. tests/integration/security/sds_ingress/quic/ingress_test.go

    			})
    		})
    }
    
    // TestMtlsGatewaysWithQUIC deploys multiple mTLS gateways with SDS enabled, and creates Kubernetes secrets that store
    // the private key, server certificate and CA certificate for each mTLS gateway. Verifies that a client can communicate
    // using both QUIC and TCP/mTLS.
    func TestMtlsGatewaysWithQUIC(t *testing.T) {
    	// nolint: staticcheck
    	framework.
    		NewTest(t).
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Apr 08 22:02:59 UTC 2024
    - 3.6K bytes
    - Viewed (0)
  7. pilot/pkg/config/kube/gateway/testdata/tls.yaml.golden

        internal.istio.io/gateway-service: istio-ingressgateway.istio-system.svc.domain.suffix
        internal.istio.io/parents: Gateway/gateway/terminate-mtls.istio-system
      creationTimestamp: null
      name: gateway-istio-autogenerated-k8s-gateway-terminate-mtls
      namespace: istio-system
    spec:
      servers:
      - hosts:
        - '*/other.example'
        port:
          name: default
          number: 34000
          protocol: HTTPS
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Mar 01 20:54:36 UTC 2024
    - 4K bytes
    - Viewed (0)
  8. pilot/pkg/security/authn/utils/utils.go

    	}
    	if protocol == networking.ListenerProtocolTCP && features.MetadataExchange {
    		// For TCP with mTLS, we advertise "istio-peer-exchange" from client and
    		// expect the same from server. This  is so that secure metadata exchange
    		// transfer can take place between sidecars for TCP with mTLS.
    		if features.DisableMxALPN {
    			ctx.CommonTlsContext.AlpnProtocols = util.ALPNDownstream
    		} else {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 3.8K bytes
    - Viewed (0)
  9. tests/integration/security/reachability_test.go

    					expectCrossCluster: notFromNaked,
    					expectCrossNetwork: never,
    					expectSuccess:      always,
    				},
    
    				// --------start of auto mtls partial test cases ---------------
    				// The follow three consecutive test together ensures the auto mtls works as intended
    				// for sidecar migration scenario.
    				{
    					name: "migration no tls",
    					configs: config.Sources{
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 02 21:29:40 UTC 2024
    - 20.6K bytes
    - Viewed (0)
  10. pilot/pkg/security/authn/policy_applier.go

    			}
    		}
    	}
    
    	return outputPolicy
    }
    
    func isMtlsModeUnset(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {
    	return mtls == nil || mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_UNSET
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 09:47:21 UTC 2024
    - 19.2K bytes
    - Viewed (0)