// List of ValidatingWebhookConfiguration.
  repeated ValidatingWebhookConfiguration items = 2;
}

// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.

package configdump

import (
	"encoding/base64"
	"fmt"

	admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
	extapi "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
	anypb "google.golang.org/protobuf/types/known/anypb"
)

// GetSecretConfigDump retrieves a secret dump from a config dump wrapper
func (w *Wrapper) GetSecretConfigDump() (*admin.SecretsConfigDump, error) {

  // List of ValidatingWebhookConfiguration.
  repeated ValidatingWebhookConfiguration items = 2;
}

// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.

	LogLevel             = "log-level"
	KubeconfigFilename   = "kubecfg-file-name"
	KubeconfigMode       = "kubeconfig-mode"
	KubeCAFile           = "kube-ca-file"
	SkipTLSVerify        = "skip-tls-verify"
	MonitoringPort       = "monitoring-port"
	LogUDSAddress        = "log-uds-address"
	ZtunnelUDSAddress    = "ztunnel-uds-address"
	CNIEventAddress      = "cni-event-address"
	AmbientEnabled       = "ambient-enabled"

	if trafficPolicy == nil {
		fmt.Fprintf(writer, "%sNo Traffic Policy\n", printSpaces(initPrintNum+printLevel1))
	} else {
		if trafficPolicy.Tls != nil {
			fmt.Fprintf(writer, "%sTraffic Policy TLS Mode: %s\n",
				printSpaces(initPrintNum+printLevel1), dr.Spec.TrafficPolicy.Tls.Mode.String())
		}
		shortPolicies := recordShortPolicies(
			trafficPolicy.LoadBalancer,
			trafficPolicy.ConnectionPool,

* `kclient.NewDelayedInformer` can also fully abstract this away, by providing a client that handles this behind the scenes.

#### Credentials Controller

The Credentials controller exposes access to TLS certificate information, stored in cluster as `Secrets`. Aside from simply accessing certificates, it also has an authorization component that can verify whether a requester has access to read `Secret`s in its namespace.

  // TLS configuration. Currently the Ingress only supports a single TLS
  // port, 443. If multiple members of this list specify different hosts, they
  // will be multiplexed on the same port according to the hostname specified
  // through the SNI TLS extension, if the ingress controller fulfilling the
  // ingress supports SNI.
  // +optional
  repeated IngressTLS tls = 2;

   is configured with a `TokenProvider` which handles the logic of adding the proper JWT to each request. mTLS is configured
   by a tls.Config that points to files on disk.

It should be noted there is a circular dependency with mTLS authentication; in order to fetch a certificate we need
a certificate. This can be handled in various ways:

  type: {{ .Values.service.type }}
  ports:
{{- if .Values.networkGateway }}
  - name: status-port
    port: 15021
    targetPort: 15021
  - name: tls
    port: 15443
    targetPort: 15443
  - name: tls-istiod
    port: 15012
    targetPort: 15012
  - name: tls-webhook
    port: 15017
    targetPort: 15017
{{- else }}
{{ .Values.service.ports | toYaml | indent 4 }}
{{- end }}
{{- if .Values.service.externalIPs }}

		return err
	}
	checkVerify := func(tls *networking.ClientTLSSettings) bool {
		if tls == nil {
			return false
		}
		if tls.Mode == networking.ClientTLSSettings_DISABLE || tls.Mode == networking.ClientTLSSettings_ISTIO_MUTUAL {
			return false
		}
		return tls.CaCertificates == "" && tls.CredentialName == "" && !tls.InsecureSkipVerify.GetValue()
	}
	checkSNI := func(tls *networking.ClientTLSSettings) bool {