if tls == nil {
		return nil, nil
	}
	// Hack to avoid egress sds cluster config generation for sidecar when
	// CredentialName is set in DestinationRule without a workloadSelector.
	// We do not want to support CredentialName setting in non workloadSelector based DestinationRules, because
	// that would result in the CredentialName being supplied to all the sidecars which the DestinationRule is scoped to,

	// Path for selector in Gateway.
	// Required parameters: selector label.
	GatewaySelector = "{.spec.selector.%s}"

	// Path for credentialName.
	// Required parameters: server index.
	CredentialName = "{.spec.servers[%d].tls.credentialName}"

	// Path for Port in ServiceEntry.
	// Required parameters: port index.
	ServiceEntryPort = "{.spec.ports[%d].name}"

apiVersion: release-notes/v2
kind: bug-fix
area: istioctl  
issue:
- 51567
releaseNotes:
- |

	"{.spec.containers[0].image}":                                   1,
	"{.spec.rules[0].from[0].source.namespaces[0]}":                 1,
	"{.spec.selector.test}":                                         1,
	"{.spec.servers[0].tls.credentialName}":                         1,
	"{.networks.test.endpoints[0]}":                                 1,
	"{.spec.trafficPolicy.tls.caCertificates}":                      1,

apiVersion: release-notes/v2
kind: feature
area: traffic-management
releaseNotes:
   - |
     **Added** the ability to set credentialName based secret configuration
     at sidecars for egress TLS traffic when WorkloadSelector is specified in `DestinationRule`,
     provided the sidecar has permission to list secrets in the namespace where it resides.
docs:

			name: "tls mode ISTIO_MUTUAL, with credentialName",
			server: &networking.Server{
				Hosts: []string{"httpbin.example.com"},
				Port: &networking.Port{
					Protocol: string(protocol.HTTPS),
				},
				Tls: &networking.ServerTLSSettings{
					Mode:           networking.ServerTLSSettings_ISTIO_MUTUAL,
					CredentialName: "ignored",
				},
			},
			result: &auth.DownstreamTlsContext{

		if settings.Mode == networking.ClientTLSSettings_SIMPLE {
			// In tls simple mode, we can specify ca cert by CaCertificates or CredentialName.
			if settings.CaCertificates != "" || settings.CredentialName != "" || settings.SubjectAltNames != nil {
				errs = AppendErrors(errs, fmt.Errorf("cannot specify CaCertificates or CredentialName or SubjectAltNames when InsecureSkipVerify is set true"))
			}
		}

  namespace: istio-system
spec:
  servers:
  - hosts:
    - cert/cert1.domain.example
    port:
      name: default
      number: 443
      protocol: HTTPS
    tls:
      credentialName: kubernetes-gateway://cert/cert
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
    internal.istio.io/parents: HTTPRoute/http.cert

","
":"
"'"
"servers"
"port"
"number"
"protocol"
"name"
"hosts"
"template"
"probe"
"mode"
"tls"
"targetPort"
"httpsRedirect"
"serverCertificate"
"privateKey"
"caCertificates"
"credentialName"
"subjectAltNames"
"verifyCertificateSpki"
"verifyCertificateHash"
"minProtocolVersion"
"maxProtocolVersion"
"cipherSuites"
"trafficPolicy"
"subsets"
"exportTo"
"loadBalancer"
"connectionPool"

				},
				Tls: &v1alpha3.ServerTLSSettings{CredentialName: "cert", Mode: v1alpha3.ServerTLSSettings_MUTUAL},
			},
			expected: false,
		},
		{
			name: "tls and HTTP",
			server: &v1alpha3.Server{
				Port: &v1alpha3.Port{
					Number:   80,
					Protocol: string(protocol.HTTP),
					Name:     "https",
				},
				Tls: &v1alpha3.ServerTLSSettings{CredentialName: "cert", Mode: v1alpha3.ServerTLSSettings_MUTUAL},