fi

# CA_ADDR > PILOT_ADDRESS > ISTIO_PILOT_PORT
CA_ADDR=${CA_ADDR:-${CUSTOM_PILOT_ADDRESS:-${DEFAULT_PILOT_ADDRESS}}}
PROV_CERT=${PROV_CERT-./etc/certs}
OUTPUT_CERTS=${OUTPUT_CERTS-./etc/certs}

export PROV_CERT
export OUTPUT_CERTS
export CA_ADDR

# If predefined ISTIO_AGENT_FLAGS is null, make it an empty string.
ISTIO_AGENT_FLAGS=${ISTIO_AGENT_FLAGS:-}
# Split ISTIO_AGENT_FLAGS by spaces.

# environment variable. If the value is different from PROV_CERTS the workload certs will be saved, but
# the provisioning cert will remain under control of the VM provisioning tools.
# OUTPUT_CERTS=/var/run/secrets/istio
# OUTPUT_CERTS=/etc/certs

# Address of the CA. The CA must implement the Istio protocol, accepting the provisioning certificate

a certificate. This can be handled in various ways:
* `GenerateSecret` may additionally write any signed certificates to disk, with `OUTPUT_CERTS` configured.
* Users may have external CA setups that pre-configure certificates.
* The CaClient can use JWT token for the initial setup, then switch to mTLS certificates.

Note that `OUTPUT_CERTS` can be used to refresh certificates using previously provisioned certificates, by configuring

        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        env:
        - name: ISTIO_META_GENERATOR
          value: grpc
        - name: OUTPUT_CERTS
          value: /var/lib/istio/data
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: POD_NAME
          valueFrom:

			e.Subsets[0].Annotations[annotation.SidecarStatsHistogramBuckets.Name] = customBuckets
		}
		e.Subsets[0].Annotations[annotation.ProxyConfig.Name] = proxyMetadata
	}

	proxyMd := `{"proxyMetadata": {"OUTPUT_CERTS": "/etc/certs/custom"}}`
	prom := echo.Config{
		// mock prom instance is used to mock a prometheus server, which will visit other echo instance /metrics
		// endpoint with proxy provisioned certs.
		Service: "mock-prom",

          fi
          echo "istiod host ok"

          # read certs from correct directory
          sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'
          sudo sh -c 'echo OUTPUT_CERTS=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'

          # This looks weird but Kubernetes escapes $$ to $; we want double dollar sign for current PID
          pid="$$$$"

	// set to "SYSTEM" for ACME/public signed CA servers.
	caRootCA = env.Register("CA_ROOT_CA", "",
		"Explicitly set the root CA to expect for the CA connection.").Get()

	outputKeyCertToDir = env.Register("OUTPUT_CERTS", "",
		"The output directory for the key and certificate. If empty, key and certificate will not be saved. "+
			"Must be set for VMs using provisioning certificates.").Get()

	}

	ret.rootCaPath = options.CARootPath

	if options.FileMountedCerts {
		return ret
	}

	// Pre-generate workload certificates to improve startup latency and ensure that for OUTPUT_CERTS
	// case we always write a certificate. A workload can technically run without any mTLS/CA
	// configured, in which case this will fail; if it becomes noisy we should disable the entire SDS
	// server in these cases.

        exec:
          command:
          - pilot-agent
          - wait
          - --url=http://localhost:15020/healthz/ready
    env:
    - name: ISTIO_META_GENERATOR
      value: grpc
    - name: OUTPUT_CERTS
      value: /var/lib/istio/data
    {{- if eq .InboundTrafficPolicyMode "localhost" }}
    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
      value: "true"
    {{- end }}
    - name: PILOT_CERT_PROVIDER

                  - wait
                  - --url=http://localhost:15020/healthz/ready
            env:
            - name: ISTIO_META_GENERATOR
              value: grpc
            - name: OUTPUT_CERTS
              value: /var/lib/istio/data
            {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
            - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
              value: "true"