if err != nil {
		return nil, err
	}
	if iss.Scheme != "https" {
		return nil, fmt.Errorf("issuer URL must use https scheme, got: %s", issuerURL)
	}
	if iss.RawQuery != "" {
		return nil, fmt.Errorf("issuer URL may not include a query, got: %s", issuerURL)
	}
	if iss.Fragment != "" {
		return nil, fmt.Errorf("issuer URL may not include a fragment, got: %s", issuerURL)
	}

	mimeJWKS = "application/jwk-set+json"
)

// OpenIDMetadataServer is an HTTP server for metadata of the KSA token issuer.
type OpenIDMetadataServer struct {
	configJSON []byte
	keysetJSON []byte
}

// NewOpenIDMetadataServer creates a new OpenIDMetadataServer.
// The issuer is the OIDC issuer; keys are the keys that may be used to sign
// KSA tokens.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
# The following policy enables authorization on workload dst.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy

	ARM.HasTHUMBEE = isSet(hwCap, hwcap_THUMBEE)
	ARM.HasNEON = isSet(hwCap, hwcap_NEON)
	ARM.HasVFPv3 = isSet(hwCap, hwcap_VFPv3)
	ARM.HasVFPv3D16 = isSet(hwCap, hwcap_VFPv3D16)
	ARM.HasTLS = isSet(hwCap, hwcap_TLS)
	ARM.HasVFPv4 = isSet(hwCap, hwcap_VFPv4)
	ARM.HasIDIVA = isSet(hwCap, hwcap_IDIVA)
	ARM.HasIDIVT = isSet(hwCap, hwcap_IDIVT)
	ARM.HasVFPD32 = isSet(hwCap, hwcap_VFPD32)

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    fromHeaders:
    - name: "x-jwt-token"
      prefix: "Value "
    - name: "auth-token"
      prefix: "Token "

	ARM64.HasASIMDHP = isSet(hwCap, hwcap_ASIMDHP)
	ARM64.HasCPUID = isSet(hwCap, hwcap_CPUID)
	ARM64.HasASIMDRDM = isSet(hwCap, hwcap_ASIMDRDM)
	ARM64.HasJSCVT = isSet(hwCap, hwcap_JSCVT)
	ARM64.HasFCMA = isSet(hwCap, hwcap_FCMA)
	ARM64.HasLRCPC = isSet(hwCap, hwcap_LRCPC)
	ARM64.HasDCPOP = isSet(hwCap, hwcap_DCPOP)
	ARM64.HasSHA3 = isSet(hwCap, hwcap_SHA3)
	ARM64.HasSM3 = isSet(hwCap, hwcap_SM3)
	ARM64.HasSM4 = isSet(hwCap, hwcap_SM4)

spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name: {{ .To.ServiceName }}-gateway
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1

spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name: {{ .To.ServiceName }}-gateway
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1

		return nil, err
	}

	var trest *TokenREST
	if issuer != nil && podStorage != nil && secretStorage != nil {
		trest = &TokenREST{
			svcaccts:             store,
			pods:                 podStorage,
			secrets:              secretStorage,
			nodes:                nodeStorage,
			issuer:               issuer,
			auds:                 auds,
			audsSet:              sets.NewString(auds...),

spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1