As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:
* All traffic *egressing* a pod in the mesh should be redirected to the node-local ztunnel on port 15001.

    #
    # If an administrator expects that any of these conditions may become true in
    # the future, they should ensure their meshes have different Mesh IDs
    # assigned.
    #
    # Within a multicluster mesh, each cluster must be (manually or auto)
    # configured to have the same Mesh ID value. If an existing cluster 'joins' a

  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json

  # Use kube-inject based on captured configuration
  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
    --injectConfigFile /tmp/inj-template.tmpl \
    --meshConfigFile /tmp/mesh.yaml \
    --valuesFile /tmp/values.json
`,

	if matchAmbient {
		log.Infof("Namespace %s is enabled in ambient mesh", namespace)
	} else {
		log.Infof("Namespace %s is disabled from ambient mesh", namespace)
	}
	for _, pod := range s.pods.List(namespace, klabels.Everything()) {
		// ztunnel pods are never "added to/removed from the mesh", so do not fire
		// spurious events for them to avoid triggering extra

data:

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
  {{- if .Values.global.meshNetworks }}
    networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
  {{- else }}
    networks: {}
  {{- end }}

  mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---

CANONICAL_SERVICE='foo'
CA_ADDR='istiod-rev-1.istio-system.svc:15012'
CLUSTER_MESH_CONFIG_VALUE='foo'
ISTIO_INBOUND_PORTS='*'
ISTIO_LOCAL_EXCLUDE_PORTS='22,15090,15021,15020'
ISTIO_METAJSON_LABELS='{"service.istio.io/canonical-name":"foo","service.istio.io/canonical-revision":"latest"}'
ISTIO_META_CLUSTER_ID='Kubernetes'
ISTIO_META_DNS_CAPTURE='true'
ISTIO_META_MESH_ID=''
ISTIO_META_NETWORK=''
ISTIO_META_WORKLOAD_NAME='foo'
ISTIO_NAMESPACE='bar'

    # should be overridden by the command
    ISTIO_META_DNS_CAPTURE: "false"
    # should be overridden by the annotation on the WorkloadGroup
    PROXY_CONFIG_ANNOT_VALUE: "foo"
    # should be in the final cluster.env/mesh.yaml

	testDoAddRun(t, cniConf, testNSName, pod, ns)

	wasCalled := serverClose()
	// Pod in namespace with enabled ambient label, should be added to mesh
	assert.Equal(t, wasCalled, true)
}

func TestCmdAddAmbientEnabledOnNSServerFails(t *testing.T) {
	url, serverClose := setupCNIEventClientWithMockServer(true)

	cniConf := buildMockConf(true, url)

        {{- if .Values.global.meshID }}
        - name: ISTIO_META_MESH_ID
          value: "{{ .Values.global.meshID }}"
        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
        - name: ISTIO_META_MESH_ID
          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
        {{- end }}
        resources:

    #
    # If an administrator expects that any of these conditions may become true in
    # the future, they should ensure their meshes have different Mesh IDs
    # assigned.
    #
    # Within a multicluster mesh, each cluster must be (manually or auto)
    # configured to have the same Mesh ID value. If an existing cluster 'joins' a