
Results 101 - 110 of 268 for mTLS (0.03 sec)

  1. pilot/pkg/features/security.go

    var (
    	// SkipValidateTrustDomain tells the server proxy not to check the peer's trust domain when
    	// mTLS is enabled in authentication policy.
    	SkipValidateTrustDomain = env.Register(
    		"PILOT_SKIP_VALIDATE_TRUST_DOMAIN",
    		false,
    		"Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy").Get()
    
    	XDSAuth = env.Register("XDS_AUTH", true,
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Sat Jan 13 03:50:59 UTC 2024
    - 3.1K bytes
  2. tests/integration/security/testdata/reachability/workload-peer-authn-port-override.yaml.tmpl

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: {{ .To.ServiceName }}
    spec:
      selector:
        matchLabels:
          app: {{ .To.ServiceName }}
      mtls:
        mode: {{ .MTLSMode }}
      portLevelMtls:
        {{ (.To.PortForName `http`).WorkloadPort }}:
          mode: {{ .MTLSModeOverride }}
        {{ (.To.PortForName `http2`).WorkloadPort }}:
          mode: {{ .MTLSModeOverride }}
        {{ (.To.PortForName `https`).WorkloadPort }}:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Jul 06 18:43:28 UTC 2022
    - 648 bytes
  3. releasenotes/notes/28742.yaml

    area: security
    
    issue:
        - https://github.com/istio/istio/issues/28742
    
    releaseNotes:
    - |
      **Added** Configuring Envoy to fetch the JWKS by itself. This should be enabled if the JwksUri is a mesh cluster URL, so that the fetch gets mTLS and other benefits such as retries and JWKS caching.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Feb 11 21:29:16 UTC 2021
    - 472 bytes
  4. internal/config/notify/help.go

    		},
    		config.HelpKV{
    			Key:         target.WebhookClientCert,
    			Description: "client cert for Webhook mTLS auth",
    			Optional:    true,
    			Type:        "string",
    			Sensitive:   true,
    		},
    		config.HelpKV{
    			Key:         target.WebhookClientKey,
    			Description: "client cert key for Webhook mTLS auth",
    			Optional:    true,
    			Type:        "string",
    			Sensitive:   true,
    		},
    	}
    
    Registered: Sun Jun 16 00:44:34 UTC 2024
    - Last Modified: Tue Mar 19 04:37:54 UTC 2024
    - 18.8K bytes
  5. pilot/pkg/xds/endpoints/mtls_checker.go

    	}
    }
    
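    // isMtlsEnabled reports whether the given lbEp is labelled for Istio mutual TLS.
    //
    // It looks up the TLS mode field in the endpoint's transport-socket filter
    // metadata and compares it with model.IstioMutualTLSModeLabel. Any missing
    // piece (nil endpoint, nil metadata, absent metadata key or field) yields
    // false rather than a panic, so false means "no mTLS label found", not
    // "confirmed plaintext".
    func isMtlsEnabled(lbEp *endpoint.LbEndpoint) bool {
    	// The generated getters are nil-safe, unlike direct field access on
    	// lbEp.Metadata, which dereferences a nil pointer when an endpoint
    	// carries no metadata.
    	tlsMode := lbEp.GetMetadata().
    		GetFilterMetadata()[util.EnvoyTransportSocketMetadataKey].
    		GetFields()[model.TLSModeLabelShortname].
    		GetStringValue()
    	return tlsMode == model.IstioMutualTLSModeLabel
    }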
    
    // checkMtlsEnabled computes whether mTLS should be enabled or not. This is determined based
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Dec 01 07:32:22 UTC 2023
    - 3.3K bytes
  6. pilot/pkg/xds/testdata/benchmarks/strict.yaml

        name: auto
        protocol: ""
      resolution: STATIC
      endpoints:
      - address: 1.1.1.1
    ---
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
    spec:
      mtls:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Sat Jul 29 02:10:48 UTC 2023
    - 594 bytes
  7. pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml

    # No caCertificates when mode is simple at destination level and MUTUAL at port level
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: db-mtls
    spec:
      host: mydbserver.prod.svc.cluster.local
      trafficPolicy:
        tls:
          mode: SIMPLE
          clientCertificate: /etc/certs/myclientcert.pem
          privateKey: /etc/certs/client_private_key.pem
        portLevelSettings:
          - port:
              number: 443
            tls:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Nov 17 12:28:05 UTC 2021
    - 638 bytes
  8. tests/integration/ambient/testdata/automtls-partial-sidecar-dr-no-tls.yaml

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: "default"
      annotations:
        test-suite: "automtls-partial-sidecar-dr-no-tls"
    spec:
      mtls:
        mode: STRICT
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: "multiversion-route"
      annotations:
        test-suite: "automtls-partial-sidecar-dr-no-tls"
    spec:
      hosts:
      - "multiversion"
      http:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Feb 16 18:55:23 UTC 2023
    - 996 bytes
  9. pilot/pkg/networking/core/cluster_tls.go

    		cb.applyHBONETransportSocketMatches(c.cluster, tls, istioAutodetectedMtls)
    	} else if c.cluster.GetType() != cluster.Cluster_ORIGINAL_DST {
    		// For headless service, discovery type will be `Cluster_ORIGINAL_DST`
    		// Apply auto mtls to clusters excluding these kind of headless services.
    		if istioAutodetectedMtls {
    			// convert to transport socket matcher if the mode was auto detected
    			transportSocket := c.cluster.TransportSocket
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Apr 18 19:09:43 UTC 2024
    - 19.2K bytes
    - Viewed (0)
  10. manifests/charts/istio-control/istio-discovery/templates/NOTES.txt

        "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
        "global.mtls.enabled" "the PeerAuthentication resource"
        "global.mtls.auto" "meshConfig.enableAutoMtls"
        "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 16 20:02:28 UTC 2024
    - 4.6K bytes