servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: "invalid-key" # wrong key names, should have one error
      hosts:
        - "httpbin.example.com"
---
apiVersion: v1
data:
  tls.cert: aHVzaCBodXNoIGh1c2gK
kind: Secret
metadata:
  name: missing-key

	// credentialName SDS which may refer to secrets which do not exist. We do not want to block the
	// entire listener/cluster in these cases.
	ResourceApiVersion: core.ApiVersion_V3,
}

// ConstructSdsSecretConfigForCredential constructs SDS secret configuration used
// from certificates referenced by credentialName in DestinationRule or Gateway.

}

func newTLSGatewayDestinationRule(t framework.TestContext, to echo.Instances, destinationRuleMode string, credentialName string) {
	args := map[string]any{
		"to":             to,
		"Mode":           destinationRuleMode,
		"CredentialName": credentialName,
	}

	// Get namespace for gateway pod.
	istioCfg := istio.DefaultConfigOrFail(t, t)

kind: bug-fix
area: traffic-management
releaseNotes:
- |
  **Fixed** an issue where using `ISTIO_MUTUAL` TLS mode in Gateways while also setting `credentialName` cause mutual TLS to not be configured.
  This configuration is now rejected, as `ISTIO_MUTUAL` is intended to be used without `credentialName` set.

apiVersion: release-notes/v2
kind: feature
area: istioctl
issue:
  - 43891
releaseNotes:
  - |

}

type TestConfig struct {
	Mode           string
	CredentialName string
	Host           string
	ServiceName    string
	GatewayLabel   string
}

const vsTemplate = `
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{.CredentialName}}
spec:
  hosts:
  - "{{.Host}}"
  gateways:
  - {{.CredentialName}}
  http:
  - match:
    - uri:

func newTLSSidecarDestinationRule(t framework.TestContext, to echo.Instances, destinationRuleMode string,
	workloadSelector string, credentialName string, clientNamespace namespace.Instance,
) {
	args := map[string]any{
		"to":               to,
		"Mode":             destinationRuleMode,
		"CredentialName":   credentialName,
		"WorkloadSelector": workloadSelector,
	}
	se := `
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry

  namespace: istio-system
spec:
  servers:
  - hosts:
    - '*/domain.example'
    port:
      name: default
      number: 34000
      protocol: HTTPS
    tls:
      credentialName: kubernetes-gateway://istio-system/my-cert-http
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    internal.istio.io/gateway-semantics: gateway

				continue
			}

			secret := ctx.Find(gvk.Secret, resource.NewShortOrFullName(gwNs, cn))
			if secret == nil {
				m := msg.NewReferencedResourceNotFound(r, "credentialName", cn)

				if line, ok := util.ErrorLine(r, fmt.Sprintf(util.CredentialName, i)); ok {
					m.Line = line
				}

				ctx.Report(gvk.Gateway, m)
				continue
			}
			if !isValidSecret(secret) {

spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - foo.org
    port:
      name: https-443-ingress-tls-bar-0
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myingress-cert
      mode: SIMPLE
  - hosts:
    - '*'
    port:
      name: http-80-ingress-tls-bar
      number: 80
      protocol: HTTP