log.Infof("IstioGenerated %s secret found, use it as the CA certificate", ca.CACertsSecret)

			// TODO(jaellio): Currently, when the USE_CACERTS_FOR_SELF_SIGNED_CA flag is true istiod
			// handles loading and updating the "cacerts" secret with the "istio-generated" key the
			// same way it handles the "istio-ca-secret" secret. Isitod utilizes a secret watch instead

      volumes:
      - name: kiali-configuration
        configMap:
          name: kiali
      - name: kiali-cert
        secret:
          secretName: istio.kiali-service-account
          optional: true
      - name: kiali-secret
        secret:
          secretName: kiali
          optional: true
      - name: kiali-cabundle
        configMap:
          name: kiali-cabundle
          optional: true

}

// SecretManager defines secrets management interface which is used by SDS.
type SecretManager interface {
	// GenerateSecret generates new secret for the given resource.
	//
	// The current implementation also watched the generated secret and trigger a callback when it is
	// near expiry. It will constructs the SAN based on the token's 'sub' claim, expected to be in

	}
	return nil
}

// getTokenSigningKey returns secret key used to sign JWT session tokens
func getTokenSigningKey() (string, error) {
	secret := globalActiveCred.SecretKey
	if globalSiteReplicationSys.isEnabled() {
		c, err := globalSiteReplicatorCred.Get(GlobalContext)
		if err != nil {
			return "", err
		}
		return c.SecretKey, nil
	}
	return secret, nil
}

		if err != nil {
			klog.InfoS("Unable to retrieve pull secret, the image pull may not succeed.", "pod", klog.KObj(pod), "secret", klog.KObj(secret), "err", err)
			failedPullSecrets = append(failedPullSecrets, secretRef.Name)
			continue
		}

		pullSecrets = append(pullSecrets, *secret)
	}

	if len(failedPullSecrets) > 0 {

	if !nilOrEqual((*string)(ref.Group), gvk.Secret.Group) || !nilOrEqual((*string)(ref.Kind), gvk.Secret.Kind) {
		return "", &ConfigError{Reason: InvalidTLS, Message: fmt.Sprintf("invalid certificate reference %v, only secret is allowed", objectReferenceString(ref))}
	}

	secret := model.ConfigKey{
		Kind:      kind.Secret,
		Name:      string(ref.Name),

	}

	// check if signing key file exists the cert dir and if the istio-generated file
	// exists (only if USE_CACERTS_FOR_SELF_SIGNED_CA is enabled)
	if !detectedSigningCABundle {
		log.Infof("Use roots from istio-ca-secret")

		caBundle = s.CA.GetCAKeyCertBundle().GetRootCertPem()
		s.addStartFunc("istiod server certificate rotation", func(stop <-chan struct{}) error {
			go func() {

requests_log.setLevel(logging.INFO)
requests_log.propagate = True
app.logger.addHandler(logging.StreamHandler(sys.stdout))
app.logger.setLevel(logging.INFO)

# Set the secret key to some random bytes. Keep this really secret!
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'

servicesDomain = "" if (os.environ.get("SERVICES_DOMAIN") is None) else "." + os.environ.get("SERVICES_DOMAIN")

	FileDir string

	Registries []string

	// Kubernetes controller options
	KubeOptions kubecontroller.Options
	// ClusterRegistriesNamespace specifies where the multi-cluster secret resides
	ClusterRegistriesNamespace string
	KubeConfig                 string

	// DistributionTracking control
	DistributionCacheRetention time.Duration

	// DistributionTracking control

	if err != nil {
		secretKey, err := getTokenSigningKey()
		if err != nil {
			return nil, err
		}
		// Session tokens for STS creds will be generated with root secret or site-replicator-0 secret
		jwtClaims, err = auth.ExtractClaims(u.Credentials.SessionToken, secretKey)
		if err != nil {
			return nil, err
		}
	}
	return jwtClaims, nil
}