passwordSecret:
                description: passwordSecret is name of the authentication secret for
                  BGP Peer. the secret must be of type "kubernetes.io/basic-auth",
                  and created in the same namespace as the MetalLB deployment. The
                  password is stored in the secret as the key "password".
                properties:
                  name:

    },
    {
      "@type": "type.googleapis.com/envoy.admin.v3.SecretsConfigDump",
      "dynamic_active_secrets": [
        {
          "name": "default",
          "last_updated": "2023-05-15T01:32:52.262Z",
          "secret": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
            "name": "default",
            "tls_certificate": {
              "certificate_chain": {

                                            "address": {
                                                "pipe": {
                                                    "path": "./var/run/secrets/workload-spiffe-uds/socket"
                                                }
                                            },
                                            "health_check_config": {}

                "uid": "${datasource}"
              },
              "expr": "sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))",
              "interval": "",
              "legendFormat": "Secrets",
              "refId": "B"
            },
            {
              "datasource": {
                "type": "prometheus",
                "uid": "${datasource}"
              },

                        },
                        "alpn_protocols": [
                          "h2"
                        ],
                        "tls_certificate_sds_secret_configs": [
                          {
                            "name": "default",
                            "sds_config": {
                              "api_config_source": {
                                "api_type": "GRPC",

                        },
                        "alpn_protocols": [
                          "h2"
                        ],
                        "tls_certificate_sds_secret_configs": [
                          {
                            "name": "default",
                            "sds_config": {
                              "api_config_source": {
                                "api_type": "GRPC",

	if err != nil {
		secretKey, err := getTokenSigningKey()
		if err != nil {
			return nil, err
		}
		// Session tokens for STS creds will be generated with root secret or site-replicator-0 secret
		jwtClaims, err = auth.ExtractClaims(u.Credentials.SessionToken, secretKey)
		if err != nil {
			return nil, err
		}
	}
	return jwtClaims, nil
}

 *  Fix: Don't leak a connection when a call is canceled immediately preceding the `onFailure()`
    callback.

 *  Fix: Apply call timeouts when connecting duplex calls, web sockets, and server-sent events.
    Once the streams are established no further timeout is enforced.

 *  Fix: Retain the `Route` when a connection is reused on a redirect or other follow-up. This was

		Code:           "InvalidArgument",
		Description:    "The secret key was invalid for the specified algorithm.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrMissingSSECustomerKey: {
		Code:           "InvalidArgument",
		Description:    "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.",
		HTTPStatusCode: http.StatusBadRequest,
	},

	defer cancel()

	configCmds := []string{
		"identity_openid",
		fmt.Sprintf("config_url=%s/.well-known/openid-configuration", serverAddr),
		"client_id=minio-client-app",
		"client_secret=minio-client-app-secret",
		"scopes=openid,groups",
		"redirect_uri=http://127.0.0.1:10000/oauth_callback",
	}
	if rolePolicy != "" {
		configCmds = append(configCmds, fmt.Sprintf("role_policy=%s", rolePolicy))
	} else {