serverCert: serverCert, serverKey: serverKey, serverCA: caCert,
			expectedRegisteredStatusCode: "200",
			expectEvalutionResult:        "success",
			expectDurationResult:         "success",
			expectFailOpenResult:         "",
		},

		{
			name:       "timed out request",
			clientCert: clientCert, clientKey: clientKey, clientCA: caCert,

			}
			s.PeerCAFile = filepath.Join(s.SecureServing.ServerCert.CertDirectory, s.SecureServing.ServerCert.PairName+".crt")
		}
	}

	s.SecureServing.ExternalAddress = s.SecureServing.Listener.Addr().(*net.TCPAddr).IP // use listener addr although it is a loopback device

	pkgPath, err := pkgPath(t)
	if err != nil {
		return result, err
	}
	s.SecureServing.ServerCert.FixtureDirectory = filepath.Join(pkgPath, "testdata")

		"If true, HTTP2 serving will be disabled [default=false]")

	fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+
		"The directory where the TLS certs are located. "+
		"If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")

	fs.StringVar(&s.ServerCert.CertKey.CertFile, "tls-cert-file", s.ServerCert.CertKey.CertFile, ""+

			clientCA:   caCert,
			serverCert: serverCert, serverKey: serverKey,
			wantAuth: true,
		},
		{
			test:       "Server does not require client auth, client provides it",
			clientCert: clientCert, clientKey: clientKey, clientCA: caCert,
			serverCert: serverCert, serverKey: serverKey,
			wantAuth: true,
		},
		{
			test:       "Client does not trust server",

			clientCA:   caCert,
			serverCert: serverCert, serverKey: serverKey,
			wantAuth: true,
		},
		{
			test:       "Server does not require client auth, client provides it",
			clientCert: clientCert, clientKey: clientKey, clientCA: caCert,
			serverCert: serverCert, serverKey: serverKey,
			wantAuth: true,
		},
		{
			test:       "Client does not trust server",

  private lateinit var server: MockWebServer
  private lateinit var serverRootCa: HeldCertificate
  private lateinit var serverIntermediateCa: HeldCertificate
  private lateinit var serverCert: HeldCertificate
  private lateinit var clientRootCa: HeldCertificate
  private lateinit var clientIntermediateCa: HeldCertificate
  private lateinit var clientCert: HeldCertificate

  @BeforeEach

		},
		{
			name:        "valid cert no rotation",
			certToWatch: testcerts.ServerCert,
			certRotated: false,
		},
	}

	csr := &cert.CertificateSigningRequest{
		ObjectMeta: metav1.ObjectMeta{
			Name: "abc.xyz",
		},
		Status: cert.CertificateSigningRequestStatus{
			Certificate: testcerts.ServerCert,
		},
	}
	s := &Server{
		server:                  server.New(),

)

var (
	httpPort   = flag.String("http", "8000", "HTTP server port")
	httpsPort  = flag.String("https", "8443", "HTTPS server port")
	serverCert = flag.String("cert", "", "Optional, the name of server's certificate file")
	serverkey  = flag.String("key", "", "Optional, the name of server's private key")
)

// JWTServer implements the sample server that serves jwt keys.

		if len(completed.Authentication.ServiceAccounts.KeyFiles) == 0 && completed.SecureServing.ServerCert.CertKey.KeyFile != "" {
			if kubeauthenticator.IsValidServiceAccountKeyFile(completed.SecureServing.ServerCert.CertKey.KeyFile) {
				completed.Authentication.ServiceAccounts.KeyFiles = []string{completed.SecureServing.ServerCert.CertKey.KeyFile}
			} else {

		{
			name:         "Success with one trust domain",
			in:           input1,
			extraCerts:   serverCerts,
			statusCode:   http.StatusOK,
			body:         validSpiffeX509Bundle,
			wantNumCerts: 1,
		},
		{
			name:         "Success with multiple trust domains",
			in:           input2,
			extraCerts:   serverCerts,
			statusCode:   http.StatusOK,
			body:         validSpiffeX509Bundle,
			wantNumCerts: 1,
		},