apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: valid-peer-authentication
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    8080:

	}

	mTLSSecretConfigName := "default"
	if input.MtlsSecretConfigName != "" {
		mTLSSecretConfigName = input.MtlsSecretConfigName
	}

	// mTLS listener will only accept mTLS traffic
	if fc.TransportSocket != nil && sim.requiresMTLS(fc, mTLSSecretConfigName) != (input.TLS == MTLS) {
		// If there is no tls inspector, then
		result.Error = ErrMTLSError
		return
	}

	if len(input.CustomListenerValidations) > 0 {

# No caCertificates when mode is mutual at port level
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: MUTUAL
          clientCertificate: /etc/certs/myclientcert.pem
          privateKey: /etc/certs/client_private_key.pem

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
issue:
  - 40680
releaseNotes:
  - |

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:

path_prefix      (path)      namespace prefix to isolate tenants e.g. "customer1/"
coredns_path     (path)      shared bucket DNS records, default is "/skydns"
client_cert      (path)      client cert for mTLS authentication
client_cert_key  (path)      client cert key for mTLS authentication
comment          (sentence)  optionally add a comment to this setting
```

or environment variables

```
KEY:

	mode := checker.GetMutualTLSModeForPort(si.Port.TargetPort)

	// auto-mtls label is set - clients will attempt to connect using mtls, and
	// gRPC doesn't support permissive.
	if node.Labels[label.SecurityTlsMode.Name] == "istio" && mode == model.MTLSPermissive {
		mode = model.MTLSStrict
	}

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 33809
releaseNotes:
  - |
    **Added** Auto mTLS support for workload level peer authentication. You no longer need to configure destination rule when servers are configured with workload level peer authentication policy. This can be disabled by setting ENABLE_AUTO_MTLS_CHECK_POLICIES to "false". 
docs:

# Otherwise, the eastwest gateway will be impacted
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: "eastwest-opt-out"
  annotations:
    test-suite: "beta-mtls-on"
spec:
  exportTo: [.]
  host: "*"
  trafficPolicy:
    loadBalancer: