expectedMinTLSVer tls.TlsParameters_TlsProtocol
	}{
		{
			name:              "Default TLS versions",
			expectedMinTLSVer: tls.TlsParameters_TLSv1_2,
		},
		{
			name:              "Configure minimum TLS version 1.2",
			minTLSVer:         meshconfig.MeshConfig_TLSConfig_TLSV1_2,
			expectedMinTLSVer: tls.TlsParameters_TLSv1_2,
		},
		{

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

issue:
  - 33809
releaseNotes:
  - |
    **Added** Auto mTLS support for workload level peer authentication. You no longer need to configure destination rule when servers are configured with workload level peer authentication policy. This can be disabled by setting ENABLE_AUTO_MTLS_CHECK_POLICIES to "false". 
docs:

# Otherwise, the eastwest gateway will be impacted
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: "eastwest-opt-out"
  annotations:
    test-suite: "beta-mtls-on"
spec:
  exportTo: [.]
  host: "*"
  trafficPolicy:
    loadBalancer:

path_prefix      (path)      namespace prefix to isolate tenants e.g. "customer1/"
coredns_path     (path)      shared bucket DNS records, default is "/skydns"
client_cert      (path)      client cert for mTLS authentication
client_cert_key  (path)      client cert key for mTLS authentication
comment          (sentence)  optionally add a comment to this setting
```

or environment variables

```
KEY:

	// auto-mtls label is set - clients will attempt to connect using mtls, and
	// gRPC doesn't support permissive.
	if node.Labels[label.SecurityTlsMode.Name] == "istio" && mode == model.MTLSPermissive {
		mode = model.MTLSStrict
	}

	var tlsContext *tls.DownstreamTlsContext
	if mode != model.MTLSDisable && mode != model.MTLSUnknown {
		tlsContext = &tls.DownstreamTlsContext{

# No caCertificates when mode is mutual at destination level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem

apiVersion: release-notes/v2
kind: feature
area: traffic-management

releaseNotes:
- |
  **Updated** the Istiod debug interface to be only accessible over localhost or with proper authenciation (mTLS or JWT).
  The recommended way to access the debug interface is through `istioctl experimental internal-debug`, which handles

    name: auto
    protocol: ""
  resolution: STATIC
  endpoints:
  - address: 1.1.1.1
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:

metadata:
  name: default
  annotations:
    test-suite: plaintext-to-permissive
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  annotations:
    test-suite: plaintext-to-permissive
spec:
  host: "*.local"
  trafficPolicy:
    tls: