### Security Integration Tests

- **Location**: `tests/integration/security`
- **Purpose**: Tests related to the security features and components of Istio, such as authentication and authorization mechanisms.
- **Focus**:
  1. Authentication and authorization mechanisms.
  1. Interaction between security components and Istio control plane.
  1. Validation of mutual TLS (mTLS) configurations.
  1. Testing of JWT token validation and RBAC policies.

## FAQ

> Why is this change needed?

Before, there were two separate mechanisms - S3 objects got encrypted using a KMS,
if present, and the IAM / configuration data got encrypted with the root credentials.
Now, MinIO encrypts IAM / configuration and S3 objects with a KMS, if present. This

mechanisms that prevent unwanted access to the data from other tenants.

Network isolation between different models is also important not only to prevent
unauthorized access to data or models, but also to prevent malicious users or
tenants sending graphs to execute under another tenant’s identity.

The isolation mechanisms are the responsibility of the users to design and

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with
 * [okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner].
 *
 * This class includes code from [Conscrypt's][Conscrypt] [TrustManagerImpl] and
 * [TrustedCertificateIndex].

		return errors.New("multiple authentication mechanisms are provided")
	case conf.AccountKey == "" && (conf.SPAuth.TenantID == "" || conf.SPAuth.ClientID == "" || conf.SPAuth.ClientSecret == ""):
		return errors.New("no authentication mechanism was provided")
	}

	if conf.Bucket == "" {
		return errors.New("no bucket name was provided")
	}

	return nil

///

## **FastAPI** utilities

FastAPI provides several tools for each of these security schemes in the `fastapi.security` module that simplify using these security mechanisms.

In the next chapters you will see how to add security to your API using those tools provided by **FastAPI**.

A queue is used to give a few properties:
* Ability to serially process updates received from a variety of different sources. This avoids need for other synchronization mechanisms like mutexes.
* Correctness at startup; with the sequencing above, items are only processed once all informers are synced. This means queries will not return stale data at startup.
* Deduping of identical events

We are not restricted to having only one dependency that can return that type of data.

///

## Other models

You can now get the current user directly in the *path operation functions* and deal with the security mechanisms at the **Dependency Injection** level, using `Depends`.

And you can use any model or data for the security requirements (in this case, a Pydantic model `User`).

However, it would be ideal to give immediate feedback rather than relying on these mechanisms.

### Pod Shutdown Implementation

[ZDS](../../pkg/zdsapi/zds.proto) exposes a `DelWorkload` message to signal to Ztunnel that a pod has been terminated.

It gives you all the flexibility to choose the ones that fit your project the best.

And you can use directly many well maintained and widely used packages like `passlib` and `PyJWT`, because **FastAPI** doesn't require any complex mechanisms to integrate external packages.

But it provides you the tools to simplify the process as much as possible without compromising flexibility, robustness, or security.