Protocol: string(protocol.HTTPS),
				},
				Tls: &networking.ServerTLSSettings{
					Mode:            networking.ServerTLSSettings_SIMPLE,
					CredentialName:  "ingress-sds-resource-name",
					SubjectAltNames: []string{"subject.name.a.com", "subject.name.b.com"},
				},
			},
			result: &auth.DownstreamTlsContext{
				CommonTlsContext: &auth.CommonTlsContext{
					AlpnProtocols: util.ALPNHttp,

      privateKey: tests/testdata/certs/default/key.pem
      caCertificates: tests/testdata/certs/default/root-cert.pem
      # Not included in the example, added for testing
      sni: v1.mymongodb.somedomain
      subjectAltNames:
      - service.mongodb.somedomain

---
#The following example uses a combination of service entry and TLS
#routing in virtual service to demonstrate the use of SNI routing to

			Host: "reviews",
			TrafficPolicy: &networking.TrafficPolicy{
				Tls: &networking.ClientTLSSettings{
					Mode:            networking.ClientTLSSettings_SIMPLE,
					CaCertificates:  "test",
					SubjectAltNames: []string{"reviews.default.svc"},
				},
			},
		}, valid: true},

func setupApps(ctx resource.Context, customNs namespace.Getter, customCfg *[]echo.Config) error {
	appsNamespace := customNs.Get()

	// Server certificate has "server.file-mounted.svc" in SANs; Same is expected in DestinationRule.subjectAltNames for the test Echo server
	// This cert is going to be used as a server and "client" certificate on the "Echo Server"'s side
	err := CreateCustomSecret(ctx, ServerSecretName, appsNamespace, ServerCertsPath)
	if err != nil {

      #        privateKey:        # example: /etc/istio/tracer/key.pem
      #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
      #        sni:               # example: tracer.somedomain
      #        subjectAltNames: []

signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed...

  //  2. Permitted subjects: and behavior when a disallowed subject is requested.
  //  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
  //  4. Required, permitted, or forbidden key usages / extended key usages.

	//  2. Permitted subjects: and behavior when a disallowed subject is requested.
	//  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
	//  4. Required, permitted, or forbidden key usages / extended key usages.

      #        privateKey:        # example: /etc/istio/tracer/key.pem
      #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
      #        sni:               # example: tracer.somedomain
      #        subjectAltNames: []

                                      during TLS handshake.
                                    type: string
                                  subjectAltNames:
                                    description: A list of alternate names to verify
                                      the subject identity in the certificate.
                                    items: