} else {
			ids = append(ids, Identity{Type: TypeDNS, Value: []byte(host)})
		}
	}

	san, err := BuildSANExtension(ids)
	if err != nil {
		return nil, fmt.Errorf("SAN extension building failure (%v)", err)
	}

	return san, nil
}

// BuildSANExtension builds a `pkix.Extension` of type "Subject
// Alternative Name" based on the given identities.

apiVersion: release-notes/v2
kind: bug-fix
area: security
releaseNotes:
  - |

John Howard <******@****.***> 1662658353 -0700

        .build()
    assert200Http2Response(execute(url), server.hostName)
    val sanUrl = url.newBuilder().host("san.com").build()
    dns["san.com"] =
      Arrays.asList(
        InetAddress.getByAddress("san.com", byteArrayOf(0, 0, 0, 0)),
        serverIps[0],
      )
    assert200Http2Response(execute(sanUrl), "san.com")
    assertThat(client.connectionPool.connectionCount()).isEqualTo(1)

}

// 7 days
var saTokenExpiration int64 = 60 * 60 * 24 * 7

func GetServiceAccountToken(c kubernetes.Interface, aud, ns, sa string) (string, error) {
	san := san(ns, sa)

	if got, f := cachedTokens.Load(san); f {
		t := got.(token)
		if t.expiration.After(time.Now().Add(time.Minute)) {
			return t.token, nil
		}
		// Otherwise, its expired, load a new one
	}

			expectedIDs:    nil,
			expectedErrMsg: "the SAN extension does not exist",
		},
		"Extensions without SAN": {
			exts: []pkix.Extension{
				{Id: asn1.ObjectIdentifier{1, 2, 3, 4}},
				{Id: asn1.ObjectIdentifier{3, 2, 1}},
			},
			expectedIDs:    nil,
			expectedErrMsg: "the SAN extension does not exist",
		},
		"Extensions with bad SAN": {
			exts: []pkix.Extension{

- `cert-chain-alt-2.pem`: alternative certificate chain signed by `root-cert-alt.pem`.
- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.

	@echo "basicConstraints = critical, CA:true, pathlen:0" >> $@
	@echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
	@echo "subjectAltName=@san" >> $@
	@echo "[ san ]" >> $@
	@echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@
	@echo "[ req_dn ]" >> $@
	@echo "O = $(INTERMEDIATE_ORG)" >> $@
	@echo "CN = $(INTERMEDIATE_CN)" >> $@
	@echo "L = $(L:/=)" >> $@

			opts: &buildClusterOpts{
				mutable: newTestCluster(),
			},
			tls: &networking.ClientTLSSettings{
				Mode:            networking.ClientTLSSettings_ISTIO_MUTUAL,
				SubjectAltNames: []string{"SAN"},
				Sni:             "some-sni.com",
			},
			result: expectedResult{
				tlsContext: &tls.UpstreamTlsContext{
					CommonTlsContext: &tls.CommonTlsContext{
						TlsParams: &tls.TlsParameters{

		config.ServerName = host
	}
	// For debugging on localhost (with port forward)
	if strings.Contains(config.ServerName, "localhost") {
		config.ServerName = "istiod.istio-system.svc"
	}
	if opts.SAN != "" {
		config.ServerName = opts.SAN
	}
	// Compliance for all gRPC clients (e.g. Citadel)..
	sec_model.EnforceGoCompliance(&config)
	transportCreds := credentials.NewTLS(&config)
	return grpc.WithTransportCredentials(transportCreds), nil