{
  "test_id": "T91",
  "date": "2026-07-05",
  "doc": "docs/istio/egress/mtls-passthrough-connectionpool",
  "environment": {
    "istio": "1.30.0",
    "kubernetes": "1.30.6",
    "mode": "sidecar",
    "registry_domain": "homelab.local (istiod --domain)",
    "gateway": "dedicated, inject.istio.io/templates: gateway, ns istio-vt-t91",
    "external_target": "mock.istio-verify-ext (mendhak/http-https-echo:37, no sidecar, self-signed HTTPS :443)"
  },
  "claims": [
    {
      "id": "N1",
      "claim": "tls.mode 'tcp' does not exist in ClientTLSSettings enum",
      "result": "kubectl apply rejected at CRD validation: Unsupported value \"tcp\", supported: DISABLE/SIMPLE/MUTUAL/ISTIO_MUTUAL",
      "verdict": "supported"
    },
    {
      "id": "E1",
      "claim": "inner app TLS preserved end-to-end (gateway does not re-terminate)",
      "result": "HTTP 200; client saw server's own self-signed cert (CN=my.example.com, ssl_verify=18); server saw inner SNI api.partner.example and empty clientCertificate",
      "verdict": "supported"
    },
    {
      "id": "P1",
      "claim": "traffic transits the egress gateway",
      "result": "server-observed peer IP = gateway pod IP; gateway access log outbound|443||api.partner.example (flag '-'); istio_tcp_connections_opened_total=3, L4 metrics only",
      "verdict": "supported"
    },
    {
      "id": "C1",
      "claim": "DR-hop1 connectionPool compiles into the CLIENT sidecar's subset cluster",
      "result": "outbound|8443|partner|t91-egress...homelab.local: maxConnections=111, connectTimeout=3s, keepalive 300/30/3, SDS 'default' (ISTIO_MUTUAL), sni=api.partner.example",
      "verdict": "supported"
    },
    {
      "id": "C2",
      "claim": "DR-hop2 (no tls block) connectionPool compiles into the GATEWAY cluster with no TLS transport socket",
      "result": "outbound|443||api.partner.example on gateway: maxConnections=222, keepalive present, transportSocket ABSENT (raw TCP forward)",
      "verdict": "supported"
    },
    {
      "id": "S1",
      "claim": "hop-1 enforces caller SPIFFE identity",
      "result": "gateway :8443 listener requireClientCertificate=true with SNI filterChainMatch",
      "verdict": "supported"
    },
    {
      "id": "B1",
      "claim": "exportTo [\".\"] hides DR-hop2 from other namespaces",
      "result": "refined: same-namespace client sidecar still compiles DR2 (max=222) — harmless (VS tls route diverts first); isolation applies to OTHER namespaces only",
      "verdict": "supported_with_refinement"
    }
  ],
  "notes": [
    "Envoy native per-cluster stats (upstream_cx_total) not visible via pilot-agent GET stats — presumed default statsMatcher trimming (unconfirmed); usage proven via access log + istio_tcp_* instead",
    "marker values 111 (hop1) / 222 (hop2) chosen to make placement unambiguous"
  ]
}
