if certSignerDomain == "" {
			log.Infof("CA cert file %q not found, using %q.", caCertFile, defaultCACertPath)
			caCertFile = defaultCACertPath
		} else {
			log.Infof("CA cert file %q not found - ignoring.", caCertFile)
			caCertFile = ""
		}
	}

	if s.kubeClient == nil {
		return nil, fmt.Errorf("kubeClient is nil")
	}
	raOpts := &ra.IstioRAOptions{
		ExternalCAType:   opts.ExternalCAType,

	}

	return nil
}

func getX509FromFile(t framework.TestContext, caCertFile string) *x509.Certificate {
	certBytes, err := cert.ReadSampleCertFromFile(caCertFile)
	if err != nil {
		t.Errorf("failed to read %s file: %v", caCertFile, err)
	}
	return parseCert(t, certBytes)
}

func parseCert(t framework.TestContext, certBytes []byte) *x509.Certificate {

	// Directory of injection related config files.
	InjectionDirectory string
}

// TLSOptions is optional TLS parameters for Istiod server.
type TLSOptions struct {
	// CaCertFile and related are set using CLI flags.
	CaCertFile      string
	CertFile        string
	KeyFile         string
	TLSCipherSuites []string
	CipherSuits     []uint16 // This is the parsed cipher suites
}

var (

		"Enable profiling via web interface host:port/debug/pprof")

	// Use TLS certificates if provided.
	c.PersistentFlags().StringVar(&serverArgs.ServerOptions.TLSOptions.CaCertFile, "caCertFile", "",
		"File containing the x509 Server CA Certificate")
	c.PersistentFlags().StringVar(&serverArgs.ServerOptions.TLSOptions.CertFile, "tlsCertFile", "",
		"File containing the x509 Server Certificate")

	KeyFile  string `protobuf:"bytes,17,opt,name=keyFile,proto3" json:"keyFile,omitempty"`
	// If non-empty, verify the server CA with the ca cert file.
	CaCertFile string `protobuf:"bytes,18,opt,name=caCertFile,proto3" json:"caCertFile,omitempty"`
	// Skip verifying peer's certificate.
	InsecureSkipVerify bool `protobuf:"varint,19,opt,name=insecureSkipVerify,proto3" json:"insecureSkipVerify,omitempty"`

func (s *Server) initFileCertificateWatches(tlsOptions TLSOptions) error {
	if err := s.istiodCertBundleWatcher.SetFromFilesAndNotify(tlsOptions.KeyFile, tlsOptions.CertFile, tlsOptions.CaCertFile); err != nil {
		return fmt.Errorf("set keyCertBundle failed: %v", err)
	}
	// TODO: Setup watcher for root and restart server if it changes.
	for _, file := range []string{tlsOptions.CertFile, tlsOptions.KeyFile} {

			FSCertsPaths: TLSFSLoadPaths{tlsArgcertFile, tlsArgkeyFile, tlsArgcaCertFile},
			tlsOptions: &TLSOptions{
				CertFile:   tlsArgcertFile,
				KeyFile:    tlsArgkeyFile,
				CaCertFile: tlsArgcaCertFile,
			},
			enableCA:                  false,
			certProvider:              constants.CertProviderKubernetes,
			expNewCert:                false,
			expCert:                   testcerts.ServerCert,

    k8s:
      overlays:
        - kind: Deployment
          name: istiod
          patches:
            - path: spec.template.spec.containers.[name:discovery].args[1001]
              value: "--caCertFile=/server-certs/root-cert.pem"
            - path: spec.template.spec.containers.[name:discovery].args[1002]
              value: "--tlsCertFile=/server-certs/cert-chain.pem"

		// Use the DNS certificate provided via args or in well known location.
		err = s.initFileCertificateWatches(TLSOptions{
			CaCertFile: caCertPath,
			KeyFile:    tlsKeyPath,
			CertFile:   tlsCertPath,
		})
		if err != nil {
			// Not crashing istiod - This typically happens if certs are missing and in tests.

							HTTP: echo.HTTP{
								Path: "/metrics",
							},
							TLS: echo.TLS{
								CertFile:           "/etc/certs/custom/cert-chain.pem",
								KeyFile:            "/etc/certs/custom/key.pem",
								CaCertFile:         "/etc/certs/custom/root-cert.pem",
								InsecureSkipVerify: true,
							},
						})
					}
				})
		})
}