continue
			}
		}

		var (
			certFile = filepath.Join(root.Name(), file.Name(), publicCertFile)
			keyFile  = filepath.Join(root.Name(), file.Name(), privateKeyFile)
		)
		if !isFile(certFile) || !isFile(keyFile) {
			continue
		}
		if err = manager.AddCertificate(certFile, keyFile); err != nil {
			err = fmt.Errorf("Unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err)

	testCases := []struct {
		certFile          string
		expectedResultLen int
		expectedErr       bool
	}{
		{"nonexistent-file", 0, true},
		{tempFile1, 0, true},
		{tempFile2, 0, true},
		{tempFile3, 0, true},
		{tempFile4, 1, false},
		{tempFile5, 2, false},
	}

	for _, testCase := range testCases {
		certs, err := ParsePublicCertFile(testCase.certFile)
		if !testCase.expectedErr && err != nil {

		} else {
			loadX509KeyPair := func(certFile, keyFile string) (tls.Certificate, error) {
				// Manually load the certificate and private key into memory.
				// We need to check whether the private key is encrypted, and
				// if so, decrypt it using the user-provided password.
				certBytes, err := os.ReadFile(certFile)
				if err != nil {

equality-based selector in 1.1).
  * Running against a secured etcd requires these flags to be passed to
kube-apiserver (instead of --etcd-config):
     * --etcd-certfile, --etcd-keyfile (if using client cert auth)
     * --etcd-cafile (if not using system roots)
  * As part of preparation in 1.2 for adding support for protocol buffers (and the