// ImportKey imports a cryptographic key into the KMS.
	ImportKey(ctx context.Context, keyID string, bytes []byte) error

	// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
	// The plaintext must not exceed 1 MB
	EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)

	// HMAC computes the HMAC of the given msg and key with the given
	// key ID.

	"prefer-experimental": env.Register("ISTIOCTL_PREFER_EXPERIMENTAL", false, "The istioctl should use experimental subcommand variants"),
	"plaintext":           env.Register("ISTIOCTL_PLAINTEXT", false, "The istioctl --plaintext override"),
}

// Cmd represents the config subcommand command
func Cmd() *cobra.Command {
	configCmd := &cobra.Command{
		Use:   "config SUBCOMMAND",

* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

!!! danger
    Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

    If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing){.internal-link target=_blank}.

The following diagram illustrates the flow of unauthenticated traffic with a `PERMISSIVE` policy:

```mermaid
graph TD;
src[src pod]-->|plaintext port|ztunnel{"ztunnel (L4 policy applied here)"}
ztunnel{ztunnel}-->|TLS|wp{waypoint}
wp-->|mTLS|ztunnel
ztunnel-->|plaintext|dst[dst pod]
```

And here's an example of an authenticated request to a captured destination:

```mermaid
graph TD;

 *
 * [ietf_alpn]: http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg
 */
enum class Protocol(private val protocol: String) {
  /**
   * An obsolete plaintext framing that does not use persistent sockets by default.
   */
  HTTP_1_0("http/1.0"),

  /**
   * A plaintext framing that includes persistent connections.
   *
   * This version of OkHttp implements [RFC 7230][rfc_7230], and tracks revisions to that spec.
   *

##### Figure 1 - Secure Channel construction

```
plaintext   := chunk_0          ||       chunk_1          ||       chunk_2          ||       ...

          //
          // Raw write
          // Raw read
          // Plaintext before ENCRYPTION
          // Plaintext after DECRYPTION
          val message = record.message
          val parameters = record.parameters

          if (parameters != null && !message.startsWith("Raw") && !message.startsWith("Plaintext")) {
            if (verbose) {
              println(record.message)

	if !etag.IsEncrypted() {
		return etag, nil
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(HMACContext))
	decryptionKey := mac.Sum(nil)

	plaintext := make([]byte, 0, 16)
	etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{
		Key:          decryptionKey,
		CipherSuites: fips.DARECiphers(),
	})
	if err != nil {
		return nil, err
	}
	return etag, nil
}

authority                                default
cert-dir                                 default
insecure                                 default
istioNamespace          istio-system     default
plaintext                                default
prefer-experimental                      default
xds-address                              default
xds-port                15012            default
`,
			WantException: false,
		},

    operator.istio.io/component: "Pilot"
    app: istiod
    istio: pilot
    release: {{ .Release.Name }}
spec:
  ports:
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
    - port: 15012
      name: https-dns # mTLS with k8s-signed cert
      protocol: TCP
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017