return metav1.ObjectMeta{Namespace: ns, Name: name}
	}

	createTests := []struct {
		testName     string
		serviceName  string
		servicePorts []corev1.ServicePort
		serviceType  corev1.ServiceType
		expectCreate *corev1.Service // nil means none expected
	}{
		{
			testName:    "service does not exist",
			serviceName: "foo",
			servicePorts: []corev1.ServicePort{

    private final String serviceName;
    private final Class<T> serviceType;
    private final BuildIdentifier buildIdentifier;
    private volatile RegisteredBuildServiceProvider<T, BuildServiceParameters> resolvedProvider;

    public ConsumedBuildServiceProvider(
        BuildIdentifier buildIdentifier,
        String serviceName,
        Class<T> serviceType,
        ServiceRegistry internalServices

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
# The following policy enables authorization on workload dst.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: DENY
  rules:
    - to:
        - operation: # HTTP
            ports: [ "{{ (.To.PortForName `http`).WorkloadPort }}", "{{ (.To.PortForName `http2`).WorkloadPort }}" ]
            paths: [ "/deny*" ]
            notPaths: ["/deny/allow"]

	tests := map[string]struct {
		external v1beta1.IngressSpec
		internal networking.IngressSpec
	}{
		"service-port-number": {
			external: v1beta1.IngressSpec{
				Backend: &v1beta1.IngressBackend{
					ServiceName: "test-backend",
					ServicePort: intstr.FromInt32(8080),
				},
			},
			internal: networking.IngressSpec{
				DefaultBackend: &networking.IngressBackend{
					Service: &networking.IngressServiceBackend{

    - operation:
        hosts:
{{- range $svc := .Services }}
        - "example.{{ $svc.ServiceName }}.com"
{{- end }}
    from:
    - source:
        requestPrincipals: ["******@****.***/sub-1"]
  - to:
    - operation:
        hosts:
  {{- range $svc := .Services }}
        - "any-request-principal-ok.{{ $svc.ServiceName }}.com"
  {{- end }}
    from:
    - source:
        requestPrincipals: ["*"]
  - to:

kind: VirtualService
metadata:
  name: route-via-egressgateway-2
  namespace: {{ .From.NamespaceName }}
spec:
  hosts:
    - "{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com"
    - "jwt-only.com"
    - "jwt-and-{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com"
  gateways:
    - test-egress
    - mesh
  http:
    - match:
        - gateways:
            - mesh

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-{{ .To.ServiceName }}-bad
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
      "foo": "bla"
  rules:
    - to:
        - operation:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  mtls:

# mTLS is required in order to match source principals.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
  namespace: {{ .To.NamespaceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: DENY
  rules:
    - from:
        - source:
            notPrincipals: [ "*" ]

---