"servers"
"port"
"number"
"protocol"
"name"
"hosts"
"template"
"probe"
"mode"
"tls"
"targetPort"
"httpsRedirect"
"serverCertificate"
"privateKey"
"caCertificates"
"credentialName"
"subjectAltNames"
"verifyCertificateSpki"
"verifyCertificateHash"
"minProtocolVersion"
"maxProtocolVersion"
"cipherSuites"
"trafficPolicy"
"subsets"
"exportTo"
"loadBalancer"
"connectionPool"
"outlierDetection"

  trafficPolicy:
    tls:
      mode: MUTUAL
      caCertificates: /client-certs/root-cert.pem
      clientCertificate: /client-certs/cert-chain.pem
      privateKey: /client-certs/key.pem
      subjectAltNames:
        - server.mounted-certs.svc

`

	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: "istio-system"
spec:

			CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{
				DefaultValidationContext:         &auth.CertificateValidationContext{MatchSubjectAltNames: model.StringToExactMatch(tls.SubjectAltNames)},
				ValidationContextSdsSecretConfig: model.ConstructSdsSecretConfig(res.GetRootResourceName()),
			},
		}
		tlsContext.CommonTlsContext.AlpnProtocols = model.ALPNH2Only
		tlsContext.Sni = tls.Sni

			Name:            svc.Name,
			Namespace:       svc.Namespace,
			Hostname:        h,
			Addresses:       addresses,
			Ports:           ports,
			Waypoint:        waypointAddress,
			SubjectAltNames: svc.Spec.SubjectAltNames,
		})
	}
	return res
}

func (a *index) constructService(svc *v1.Service, w *Waypoint) *workloadapi.Service {
	ports := make([]*workloadapi.Port, 0, len(svc.Spec.Ports))

		Spec: &networking.ServiceEntry{
			Hosts: []string{"example.default.svc.cluster.local"},
			Ports: []*networking.ServicePort{{
				Number:   80,
				Protocol: "HTTP",
				Name:     "http",
			}},
			SubjectAltNames: []string{"se-top"},
			Resolution:      networking.ServiceEntry_STATIC,
			Endpoints: []*networking.WorkloadEntry{{
				Address:        "1.1.1.1",
				ServiceAccount: "se-endpoint",
			}},
		},
	}

  }

  private fun getSubjectAltNames(
    certificate: X509Certificate,
    type: Int,
  ): List<String> {
    try {
      val subjectAltNames = certificate.subjectAlternativeNames ?: return emptyList()
      val result = mutableListOf<String>()
      for (subjectAltName in subjectAltNames) {
        if (subjectAltName == null || subjectAltName.size < 2) continue
        if (subjectAltName[0] != type) continue

		CipherSuites:              ciphers,
		TlsMinimumProtocolVersion: minTLSVersion,
		TlsMaximumProtocolVersion: tls.TlsParameters_TLSv1_3,
	}
	authn_model.ApplyToCommonTLSContext(ctx.CommonTlsContext, node, []string{}, /*subjectAltNames*/
		"", /*crl*/
		trustDomainAliases, ctx.RequireClientCertificate.Value)

	// Compliance for downstream mesh mTLS.
	authn_model.EnforceCompliance(ctx.CommonTlsContext)
	return ctx
}

			// In tls simple mode, we can specify ca cert by CaCertificates or CredentialName.
			if settings.CaCertificates != "" || settings.CredentialName != "" || settings.SubjectAltNames != nil {
				errs = AppendErrors(errs, fmt.Errorf("cannot specify CaCertificates or CredentialName or SubjectAltNames when InsecureSkipVerify is set true"))
			}
		}

		if settings.Mode == networking.ClientTLSSettings_MUTUAL {

					Tls: &networking.ClientTLSSettings{
						Mode:            networking.ClientTLSSettings_SIMPLE,
						CaCertificates:  constants.RootCertFilename,
						Sni:             "foo.default.svc.cluster.local",
						SubjectAltNames: []string{"foo.default.svc.cluster.local"},
					},
				},
			},
			enableAutoSni:            false,
			enableVerifyCertAtClient: false,
			expectTLSContext: &tls.UpstreamTlsContext{

		Addresses: svc.GetAddresses(proxy),

		// This is based on alpha.istio.io/canonical-serviceaccounts and
		//  alpha.istio.io/kubernetes-serviceaccounts.
		SubjectAltNames: svc.ServiceAccounts,
	}

	if len(svc.Attributes.LabelSelectors) > 0 {
		se.WorkloadSelector = &networking.WorkloadSelector{Labels: svc.Attributes.LabelSelectors}
	}