},
		config.HelpKV{
			Key:         target.WebhookClientCert,
			Description: "client cert for Webhook mTLS auth",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         target.WebhookClientKey,
			Description: "client cert key for Webhook mTLS auth",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
	}

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  exportTo: ["."]
  host: server
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/custom/cert-chain.pem
      privateKey: /etc/certs/custom/key.pem
      caCertificates: /etc/certs/custom/root-cert.pem
      sni: server
`).ApplyOrFail(t)

			result: expectedResult{
				tlsContext: &tls.UpstreamTlsContext{
					CommonTlsContext: &tls.CommonTlsContext{
						TlsParams: &tls.TlsParameters{
							// if not specified, envoy use TLSv1_2 as default for client.
							TlsMaximumProtocolVersion: tls.TlsParameters_TLSv1_3,
							TlsMinimumProtocolVersion: tls.TlsParameters_TLSv1_2,
						},
						TlsCertificateSdsSecretConfigs: []*tls.SdsSecretConfig{
							{

	} else {
		// build http connection manager with TLS context, for HTTPS servers using simple/mutual TLS
		// build listener with tcp proxy, with or without TLS context, for TCP servers
		//   or TLS servers using simple/mutual/passthrough TLS
		//   or HTTPS servers using passthrough TLS
		// This process typically yields multiple filter chain matches (with SNI) [if TLS is used]
		for _, server := range serversForPort.Servers {

            ports:
            ## You can add custom gateway ports - google ILB default quota is 5 ports,
            - port: 15011
              name: grpc-pilot-mtls
            - port: 8060
              targetPort: 8060
              name: tcp-citadel-grpc-tls
            # Port 5353 is forwarded to kube-dns
            - port: 5353
              name: tcp-dns
          overlays:
            - kind: Deployment

        "Compliance-fips*": "No FIPS",
        "*DTLS*": "No DTLS",
        "SendEmptyRecords*": "crypto/tls doesn't implement spam protections",
        "SendWarningAlerts*": "crypto/tls doesn't implement spam protections",
        "TooManyKeyUpdates": "crypto/tls doesn't implement spam protections (TODO: I think?)",
        "KyberNotEnabledByDefaultInClients": "crypto/tls intentionally enables it",

					// The request should be denied on port 8085 and 8071.
					name: "STRICT with DISABLE",
					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}-mtls
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:
    mode: STRICT
  portLevelMtls:

	EnvKESClientKey      = "MINIO_KMS_KES_KEY_FILE"     // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
	EnvKESClientCert     = "MINIO_KMS_KES_CERT_FILE"    // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys

	tlsContext.TlsCertificateSdsSecretConfigs = []*tls.SdsSecretConfig{
		ConstructSdsSecretConfig(model.GetOrDefault(res.GetResourceName(), SDSDefaultResourceName)),
	}
}

// ApplyCustomSDSToClientCommonTLSContext applies the customized sds to CommonTlsContext
// Used for building upstream TLS context for egress gateway's TLS/mTLS origination
func ApplyCustomSDSToClientCommonTLSContext(tlsContext *tls.CommonTlsContext,

	// CertChainFilename is mTLS chain file
	CertChainFilename = "cert-chain.pem"
	// KeyFilename is mTLS private key
	KeyFilename = "key.pem"
	// RootCertFilename is mTLS root cert
	RootCertFilename = "root-cert.pem"

	// ConfigPathDir config directory for storing envoy json config files.
	ConfigPathDir = "./etc/istio/proxy"