headers =
          headersOf(
            "WWW-Authenticate",
            "Basic realm=\"protected area\", charset=\"UTF-8\"",
          ),
        body = "Please authenticate with UTF-8.",
      ),
    )
    server.enqueue(
      MockResponse(
        code = 401,
        headers =
          headersOf(
            "WWW-Authenticate",
            "Basic realm=\"protected area\"",
          ),

  @Test
  fun proxyAuthenticateOnConnect() {
    server.useHttps(handshakeCertificates.sslSocketFactory())
    server.enqueue(
      MockResponse(
        code = 407,
        headers = headersOf("Proxy-Authenticate", "Basic realm=\"localhost\""),
        inTunnel = true,
      ),
    )
    server.enqueue(
      MockResponse(inTunnel = true),
    )
    server.enqueue(

        .code(responseCode)
        .body("ABCDE")
        .addHeader("WWW-Authenticate: challenge")
    when (responseCode) {
      HttpURLConnection.HTTP_PROXY_AUTH -> {
        builder.addHeader("Proxy-Authenticate: Basic realm=\"protected area\"")
      }

      HttpURLConnection.HTTP_UNAUTHORIZED -> {
        builder.addHeader("WWW-Authenticate: Basic realm=\"protected area\"")
      }

* Fixes request header authenticator by presenting the request header client CA so that the front proxy will authenticate using its client certificate. ([#40301](https://github.com/kubernetes/kubernetes/pull/40301), [@deads2k](https://github.com/deads2k))

                     * is like changing the rug out from underneath our feet.
                     */
/* Technically we should also try to authenticate here but that means doing the session setup and tree connect separately. For now a simple connect will at least tell us if the host is alive. That should be sufficient for 99% of the cases. We can revisit this again for 2.0.
 */