{
  "properties": {
    "spec": {
      "description": "Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html",
      "properties": {
        "mtls": {
          "description": "Mutual TLS settings for workload.",
          "properties": {
            "mode": {
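              "description": "Defines the mTLS mode used for peer authentication.\n\nValid Options: DISABLE, PERMISSIVE, STRICT\n\nThe enum also accepts UNSET, which inherits the mode from the parent policy and is treated as PERMISSIVE when there is none. PERMISSIVE accepts both plaintext and mutual TLS connections, and DISABLE turns mutual TLS off; only STRICT requires every connection to be mutual TLS.",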
              "enum": [
                "UNSET",
                "DISABLE",
                "PERMISSIVE",
                "STRICT"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "portLevelMtls": {
          "additionalProperties": {
            "properties": {
              "mode": {
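                "description": "Defines the mTLS mode used for peer authentication.\n\nValid Options: DISABLE, PERMISSIVE, STRICT\n\nThe enum also accepts UNSET, which inherits the mode from the parent setting. PERMISSIVE accepts both plaintext and mutual TLS connections on the port, and DISABLE turns mutual TLS off; only STRICT requires every connection to be mutual TLS.",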
                "enum": [
                  "UNSET",
                  "DISABLE",
                  "PERMISSIVE",
                  "STRICT"
                ],
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "description": "Port-specific mutual TLS settings, keyed by port number (1-65535). Requires a selector with at least one matchLabels entry.",
          "minProperties": 1,
          "type": "object",
          "x-kubernetes-validations": [
            {
              "message": "port must be between 1-65535",
              "rule": "self.all(key, 0 < int(key) && int(key) <= 65535)"
            }
          ]
        },
        "selector": {
          "description": "The selector determines the workloads to apply the PeerAuthentication on.",
          "properties": {
            "matchLabels": {
              "additionalProperties": {
                "maxLength": 63,
                "type": "string",
                "x-kubernetes-validations": [
                  {
                    "message": "wildcard not allowed in label value match",
                    "rule": "!self.contains('*')"
                  }
                ]
              },
              "description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.",
              "maxProperties": 4096,
              "type": "object",
              "x-kubernetes-validations": [
                {
                  "message": "wildcard not allowed in label key match",
                  "rule": "self.all(key, !key.contains('*'))"
                },
                {
                  "message": "key must not be empty",
                  "rule": "self.all(key, key.size() != 0)"
                }
              ]
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "type": "object",
      "x-kubernetes-validations": [
        {
          "message": "portLevelMtls requires selector",
          "rule": "(has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls)"
        }
      ],
      "additionalProperties": false
    },
    "status": {
      "type": "object",
      "x-kubernetes-preserve-unknown-fields": true
    }
  },
  "type": "object"
}
