s.faultInjectLock.Unlock()
	return empty
}

// CreateCertificate handles CSR.
func (s *CAServer) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
	*pb.IstioCertificateResponse, error,
) {
	caServerLog.Infof("received CSR request")
	if s.shouldReject() {
		caServerLog.Info("force rejecting CSR request")
		return nil, status.Error(codes.Unavailable, "CA server is not available")
	}

	signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}
	subjectIDs := []string{"test"}
	certBytes, err := util.GenCertFromCSR(csr, signingCert, csr.PublicKey, *signingKey, subjectIDs, c.certLifetime, false)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}

	block := &pem.Block{

		"The number of errors occurred when parsing the CSR.",
	)

	idExtractionErrorCounts = monitoring.NewSum(
		"citadel_server_id_extraction_err_count",
		"The number of errors occurred when extracting the ID from CSR.",
	)

	certSignErrorCounts = monitoring.NewSum(
		"citadel_server_csr_sign_err_count",
		"The number of errors occurred when signing the CSR.",
	)

	successCounts = monitoring.NewSum(

	var cert []byte
	var respCertChain []string
	if certSigner == "" {
		cert, signErr = s.ca.Sign([]byte(request.Csr), certOpts)
	} else {
		serverCaLog.Debugf("signing CSR with cert chain")
		respCertChain, signErr = s.ca.SignWithCertChain([]byte(request.Csr), certOpts)
	}
	if signErr != nil {
		serverCaLog.Errorf("CSR signing error: %v", signErr.Error())
		s.monitoring.GetCertSignError(signErr.(*caerror.Error).ErrorType()).Increment()

      - name: istio-kubeconfig
        secret:
          secretName: istio-kubeconfig
          optional: true
      # Optional: istio-csr dns pilot certs
      - name: istio-csr-dns-cert
        secret:
          secretName: istiod-tls
          optional: true
      - name: istio-csr-ca-configmap
        configMap:
          name: istio-ca-root-cert
          defaultMode: 420
          optional: true

	}
}

// CSRSign calls Citadel to sign a CSR.
func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) (res []string, err error) {
	crMetaStruct := &structpb.Struct{
		Fields: map[string]*structpb.Value{
			security.CertSigner: {
				Kind: &structpb.Value_StringValue{StringValue: c.opts.CertSigner},
			},
		},
	}
	req := &pb.IstioCertificateRequest{
		Csr:              string(csrPEM),

	block, _ := pem.Decode(csrBytes)
	if block == nil {
		return nil, fmt.Errorf("certificate signing request is not properly encoded")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("failed to parse X.509 certificate signing request")
	}
	return csr, nil
}

// ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.

      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('s'),

    connections(title, targets, desc=''):
      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('cps'),

    dns(title, targets, desc=''):
      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('qps'),

    bytes(title, targets, desc=''):
      self.base(title, targets, desc)

  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
  revision: ""

  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""

  # The customized XDS address to retrieve configuration.