// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
  // honor this field as long as the requested duration is not greater than the
  // maximum duration they will honor per the --cluster-signing-duration CLI
  // flag to the Kubernetes controller manager.
  //
  // Certificate signers may not honor this field for various reasons:
  //
  //   1. Old signer that is unaware of the field (such as the in-tree

// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
  // metadata contains the object metadata.

		// TODO: https://github.com/istio/istio/issues/41937
		grpc.WithTransportCredentials(credentials.NewTLS(
			&tls.Config{
				// Always skip verifying, because without it we always get "certificate signed by unknown authority".
				// We don't set the XDSSAN for the same reason.
				InsecureSkipVerify: true,
			})),
		grpc.WithPerRPCCredentials(k8sCreds),
	}, nil

      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
    - "kubernetes.io/legacy-unknown"
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //
  // A "Failed" condition is added via the /status subresource,
  // indicating the signer failed to issue the certificate.
  //
  // Approved and Denied conditions are mutually exclusive.

// in both Up and Down directions (scaleUp and scaleDown fields respectively).
message HorizontalPodAutoscalerBehavior {
  // scaleUp is scaling policy for scaling Up.
  // If not set, the default value is the higher of:
  //   * increase no more than 4 pods per 60 seconds
  //   * double the number of pods per 60 seconds
  // No stabilization is used.
  // +optional
  optional HPAScalingRules scaleUp = 1;

  // mounted only with a single SELinux context.
  //
  // When "false", Kubernetes won't pass any special SELinux mount options to the driver.
  // This is typical for volumes that represent subdirectories of a bigger shared filesystem.
  //
  // Default is "false".
  //
  // +featureGate=SELinuxMountReadWriteOncePod
  // +optional
  optional bool seLinuxMount = 8;
}

  // priority of the pod. When Priority Admission Controller is enabled, it
  // prevents users from setting this field. The admission controller populates
  // this field from PriorityClassName.
  // The higher the value, the higher the priority.
  // +optional
  optional int32 priority = 25;

  // Specifies the DNS parameters of a pod.
  // Parameters specified here will be merged to the generated DNS

                  type: string
                type: array
              localPref:
                description: The BGP LOCAL_PREF attribute which is used by BGP best
                  path algorithm, Path with higher localpref is preferred over one
                  with lower localpref.
                format: int32
                type: integer
              nodeSelectors:

It should be noted there is a circular dependency with mTLS authentication; in order to fetch a certificate we need
a certificate. This can be handled in various ways:
* `GenerateSecret` may additionally write any signed certificates to disk, with `OUTPUT_CERTS` configured.
* Users may have external CA setups that pre-configure certificates.
* The CaClient can use JWT token for the initial setup, then switch to mTLS certificates.