nameToCertificate := map[string]*tls.Certificate{}
	byNameExplicit := map[string]*tls.Certificate{}

	// Iterate backwards so that earlier certs take precedence in the names map
	for i := len(sniCerts) - 1; i >= 0; i-- {
		cert, err := tls.X509KeyPair(sniCerts[i].cert, sniCerts[i].key)
		if err != nil {

		certProvider, err := createTestTLSCerts(certSpec, names)
		if err != nil {
			t.Fatal(err)
		}
		sniCerts = append(sniCerts, certProvider)
	}

	dynamicCertificateController := NewDynamicServingCertificateController(
		tlsConfig,
		&nullCAContent{name: "client-ca"},
		defaultCertProvider,
		sniCerts,
		nil, // TODO see how to plumb an event recorder down in here. For now this results in simply klog messages.
	)

		clientCA    CAContentProvider
		servingCert CertKeyContentProvider
		sniCerts    []SNICertKeyContentProvider

		expected    *dynamicCertificateContent
		expectedErr string
	}{
		{
			name:        "filled",
			clientCA:    &staticCAContent{name: "test-ca", caBundle: &caBundleAndVerifier{caBundle: []byte("content-1")}},
			servingCert: testCertProvider,
			sniCerts:    []SNICertKeyContentProvider{testCertProvider},

	}

	if !c.clientCA.Equal(&rhs.clientCA) {
		return false
	}

	if !c.servingCert.Equal(&rhs.servingCert) {
		return false
	}

	if len(c.sniCerts) != len(rhs.sniCerts) {
		return false
	}

	for i := range c.sniCerts {
		if !c.sniCerts[i].Equal(&rhs.sniCerts[i]) {
			return false
		}
	}

	return true
}

func (c *caBundleContent) Equal(rhs *caBundleContent) bool {
	if c == nil || rhs == nil {

		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
	}

	// Write to the front of SNICerts so that this overrides any other certs with the same name
	(*secureServingInfo).SNICerts = append([]dynamiccertificates.SNICertKeyContentProvider{certProvider}, (*secureServingInfo).SNICerts...)

	secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.New().String(), certPem)
	switch {

				continue NextTest
			}
			bySignature[sig] = j
		}

		c := DynamicServingCertificateController{sniCerts: sniCerts}
		content, err := c.newTLSContent()
		assert.NoError(t, err)

		certMap, err := c.BuildNamedCertificates(content.sniCerts)
		if err == nil && len(test.errorString) != 0 {
			t.Errorf("%d - expected no error, got: %v", i, err)

		t.Errorf("unexpected error: %v", err)
	}
	if loopbackClientConfig == nil {
		t.Errorf("unexpected empty loopbackClientConfig")
	}
	if e, a := 1, len(secureServingInfo.SNICerts); e != a {
		t.Errorf("expected %d SNICert, got %d", e, a)
	}

const LoopbackClientServerNameOverride = "apiserver-loopback-client"

func (s *SecureServingInfo) NewClientConfig(caCert []byte) (*restclient.Config, error) {
	if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
		return nil, nil
	}

	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
	if err != nil {
		return nil, err
	}

	return &restclient.Config{
		// Do not limit loopback client QPS.