out.NetworkName = in.NetworkName
	out.SourceVip = in.SourceVip
	out.EnableDSR = in.EnableDSR
	out.RootHnsEndpointName = in.RootHnsEndpointName
	out.ForwardHealthCheckVip = in.ForwardHealthCheckVip
	return nil
}

    injectionURL: ""

  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""

  sidecarInjectorWebhook:
    # This enables injection of sidecar in all namespaces,

# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".

# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_ENABLE_HBONE: "true"
global:
  variant: distroless
pilot:
  env:

# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".

# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_ENABLE_HBONE: "true"
global:
  variant: distroless
pilot:
  env:

// This is the early part of the conversion in isolation. This enables a caller
// to inject more information in the middle of the conversion before resuming it
// (like freezing variables for example).
void AddPreVariableFreezingTFToTFLConversionPasses(
    const mlir::TFL::PassConfig& pass_config,
    mlir::OpPassManager* pass_manager);

// This is the later part of the conversion in isolation. This enables a caller

// See the License for the specific language governing permissions and
// limitations under the License.

// Package monitoring provides a common instrumentation library for Istio components.
// Use of this library enables collateral generation for collected metrics, as well as
// a consistent developer experience across Istio codebases.

# See the License for the specific language governing permissions and
# limitations under the License.
# ==============================================================================
# Sourcing this enables Bazel remote cache (public, read-only)
# The cache configs are different for MacOS and Linux
if [[ $(uname -s) == "Darwin" ]]; then
  TFCI_BAZEL_COMMON_ARGS="$TFCI_BAZEL_COMMON_ARGS --config tf_public_macos_cache"
else

    fromHeaders:
    - name: "x-jwt-token"
      prefix: "Value "
    - name: "auth-token"
      prefix: "Token "
    fromParams:
    - "token"
    - "secondary_token"
---
# The following policy enables authorization on workload dst.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}

    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
# The following policy enables authorization on workload dst.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}

						{
							port:              ports.HTTPWorkloadOnly,
							plaintextSucceeds: false,
							mtlsSucceeds:      false,
						},
					},
				},
				{
					// There is only authN policy that enables mTLS (Strict).
					// The request should be denied because the client is always using plain text.
					name: "STRICT",
					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata: