config: createGateway("gateway", "", `port:
  number: 443
  name: https
  protocol: HTTPS
hosts:
- "example.com"
tls:
  httpsRedirect: true
  mode: SIMPLE
  credentialName: test`) + simpleRoute,
			calls: []simulation.Expect{
				{
					Name: "request",
					Call: simulation.Call{
						Port:       443,
						HostHeader: "example.com",
						Protocol:   simulation.HTTP,

					},
					ValidationContextType: &tls.CommonTlsContext_ValidationContext{},
				},
			},
		},
		{
			name:        "With tls mode simple and CredentialName, InsecureSkipVerify is set true and env VERIFY_CERTIFICATE_AT_CLIENT is true",
			cluster:     &cluster.Cluster{Name: "foo", ClusterDiscoveryType: &cluster.Cluster_Type{Type: cluster.Cluster_EDS}},

                                  clientCertificate:
                                    description: REQUIRED if mode is `MUTUAL`.
                                    type: string
                                  credentialName:
                                    description: The name of the secret that holds
                                      the TLS certs for the client including the CA
                                      certificates.

caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature...

	// If credential name is specified at gateway config, create  SDS config for gateway to fetch key/cert from Istiod.
	case serverTLSSettings.CredentialName != "":
		authnmodel.ApplyCredentialSDSToServerCommonTLSContext(ctx.CommonTlsContext, serverTLSSettings, credentialSocketExist)
	default:
		certProxy := &model.Proxy{}
		certProxy.IstioVersion = proxy.IstioVersion

				Message: fmt.Sprintf(
					"certificateRef %v/%v not accessible to a Gateway in namespace %q (missing a ReferenceGrant?)",
					tls.CertificateRefs[0].Name, credNs, namespace,
				),
			}
		}
		out.CredentialName = cred
	case k8s.TLSModePassthrough:
		out.Mode = istio.ServerTLSSettings_PASSTHROUGH
		if isAutoPassthrough {
			out.Mode = istio.ServerTLSSettings_AUTO_PASSTHROUGH
		}
	}
	return out, nil
}

  servers:
  - port:
      number: {{.GatewayPort}}
      name: {{.GatewayPortName}}
      protocol: {{.GatewayProtocol}}
{{- if .Credential }}
    tls:
      mode: {{.TLSMode}}
      credentialName: {{.Credential}}
{{- if .Ciphers }}
      cipherSuites:
{{- range $cipher := .Ciphers }}
      - "{{$cipher}}"
{{- end }}
{{- end }}
{{- end }}
    hosts:
    - "{{.GatewayHost}}"
---
`

	ContainsAutoPassthroughGateways bool

	// PortMap defines a mapping of targetPorts to the set of Service ports that reference them
	PortMap GatewayPortMap

	// VerifiedCertificateReferences contains a set of all credentialNames referenced by gateways *in the same namespace as the proxy*.
	// These are considered "verified", since there is mutually agreement from the pod, Secret, and Gateway, as all
	// reside in the same namespace and trust boundary.