* Sécurité et authentification, y compris la prise en charge de **OAuth2** avec les **<abbr title="en anglais : JWT tokens">jetons <abbr title="JSON Web Tokens">JWT</abbr></abbr>** et l'authentification **HTTP Basic**.

		return nil, nil
	}

	netns, err := proc.Open(netnsName)
	if err != nil {
		return nil, err
	}
	fd, err := GetFd(netns)
	if err != nil {
		netns.Close()
		return nil, err
	}
	netnsObserved[inode] = struct{}{}
	log.Debugf("found pod to netns: %s %d", uid, inode)

	return &PodNetnsEntry{
		uid:     uid,
		netns:   netns,
		netnsfd: fd,
		inode:   inode,
	}, nil
}

	assert.Equal(t, nlDeps.DelLoopbackRoutesCnt.Load(), 1)
	// make sure the uid was taken from cache and netns closed
	netns := fixture.podNsMap.Take(string(pod.UID))
	assert.Equal(t, nil, netns)

	// run gc to clean up ns:

	//revive:disable-next-line:call-to-gc Just a test that we are cleaning up the netns
	runtime.GC()
	assertNSClosed(t, closed)
}

	"number of connections to ztunnel")

type ZtunnelServer interface {
	Run(ctx context.Context)
	PodDeleted(ctx context.Context, uid string) error
	PodAdded(ctx context.Context, pod *v1.Pod, netns Netns) error
	Close() error
}

/*
To clean up stale ztunnels

	we may need to ztunnel to send its (uid, bootid / boot time) to us
	so that we can remove stale entries when the ztunnel pod is deleted

	netns, err := runInHost(func() (string, error) { return getPodNetNs(pod) })
	if err != nil {
		m.With(resultLabel.Value(resultFail)).Increment()
		return fmt.Errorf("get netns: %v", err)
	}
	log = log.WithLabels("netns", netns)

	if err := redirectRunningPod(pod, netns); err != nil {
		log.Errorf("failed to setup redirection: %v", err)

	ConstructInitialSnapshot(ambientPods []*corev1.Pod) error
	Start(ctx context.Context)

	//	IsPodInMesh(ctx context.Context, pod *metav1.ObjectMeta, netNs string) (bool, error)
	AddPodToMesh(ctx context.Context, pod *corev1.Pod, podIPs []netip.Addr, netNs string) error
	RemovePodFromMesh(ctx context.Context, pod *corev1.Pod, isDelete bool) error

	Stop()
}

type Server struct {
	ctx        context.Context

    - on pod add, determines whether pod should have netns setup to redirect to Istio proxy. See [cmdAdd](#cmdadd-workflow) for detailed logic.
        - it connects to K8S using the kubeconfig and JWT token copied from install-cni to get Pod and Namespace. Since this is a short-running command, each invocation creates a new connection.
        - If so, calls `istio-iptables` with params to setup pod netns
        - If ambient, sets up the ambient logic.

}

func (f *fakeServer) AddPodToMesh(ctx context.Context, pod *corev1.Pod, podIPs []netip.Addr, netNs string) error {
	if f.testWG != nil {
		defer f.testWG.Done()
	}
	args := f.Called(ctx, pod, podIPs, netNs)
	return args.Error(0)
}

func (f *fakeServer) RemovePodFromMesh(ctx context.Context, pod *corev1.Pod, isDelete bool) error {
	if f.testWG != nil {

			if wasReady != nil && isReady != nil && isAnnotated {
				log.Infof("pod update event skipped: added/labeled by CNI plugin")
				return nil
			}

			// netns == ""; at this point netns should have been added via the initial snapshot,
			// or via the cni plugin. If it happens to get here before the cni plugin somehow,

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server
    server.protocols = bootstrapClient.protocols
    dns = buildLocalhost(bootstrapClient, false)
  }

  @Test
  fun getOne() {
    server.enqueue(
      dnsResponse(
        "0000818000010003000000000567726170680866616365626f6f6b03636f6d0000010001c00c000500010" +