
Results 1 - 8 of 8 for PROV_CERT (0.11 sec)

  1. tools/packaging/common/istio-start.sh

    fi
    
    # Precedence for the CA address: an explicit CA_ADDR wins, then CUSTOM_PILOT_ADDRESS,
    # then DEFAULT_PILOT_ADDRESS. The ':-' form also falls through when a variable is set but empty.
    CA_ADDR=${CA_ADDR:-${CUSTOM_PILOT_ADDRESS:-${DEFAULT_PILOT_ADDRESS}}}
    # '-' without a colon: the default applies only when the variable is unset, so an
    # explicitly empty PROV_CERT or OUTPUT_CERTS is kept empty rather than replaced.
    # NOTE(review): both defaults are relative paths, so the directory actually used depends
    # on the working directory of whatever consumes them - confirm that is intended, and that
    # the certificate directory is not writable by unrelated users.
    PROV_CERT=${PROV_CERT-./etc/certs}
    OUTPUT_CERTS=${OUTPUT_CERTS-./etc/certs}
    
    # Export the resolved values so that processes started from this shell inherit them.
    export PROV_CERT
    export OUTPUT_CERTS
    export CA_ADDR
    
    # If predefined ISTIO_AGENT_FLAGS is unset or null, make it an empty string.
    ISTIO_AGENT_FLAGS=${ISTIO_AGENT_FLAGS:-}
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Mar 06 22:16:26 UTC 2024
    - 5.4K bytes
  2. tools/packaging/common/sidecar.env

    # the expected SAN. Istio-agent will use it to connect to istiod and get fresh certificates.
    # PROV_CERT=/var/run/secrets/istio
    
    # Location to save the certificates from the CA. Setting this to the same location as PROV_CERT
    # allows rotation of the secrets. Users may also use a longer-lived PROV_CERT, rotated under the control
    # of the provisioning tool.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Tue May 31 18:02:42 UTC 2022
    - 4.7K bytes
  3. pilot/cmd/pilot-agent/options/security.go

    				security.GkeWorkloadCertChainFilePath, security.GkeWorkloadKeyFilePath, security.GkeWorkloadRootCertFilePath)
    		}
    		if o.ProvCert != "" {
    			return nil, fmt.Errorf(
    				"invalid options: PROV_CERT and FILE_MOUNTED_CERTS of GKE workload cert are mutually exclusive")
    		}
    		o.FileMountedCerts = true
    		o.CertChainFilePath = security.GkeWorkloadCertChainFilePath
    		o.KeyFilePath = security.GkeWorkloadKeyFilePath
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 16 22:12:28 UTC 2024
    - 4.7K bytes
  4. pkg/istio-agent/agent_test.go

    	})
    	t.Run("VMs provisioned certificates - short lived", func(t *testing.T) {
    		// User has certificates pre-provisioned on the VM by some sort of tooling, pointed to by
    		// PROV_CERT. These are used for mTLS auth with XDS and CA. Certificates are short lived,
    		// OUTPUT_CERT = PROV_CERT. This is the same as "VMs", just skipping the initial
    		// JWT exchange.
    		dir := mktemp()
    		copyCerts(t, dir)
    
    		sds := Setup(t, func(a AgentTest) AgentTest {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 16 22:12:28 UTC 2024
    - 33.4K bytes
  5. pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml

                echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST"
                exit 1
              fi
              echo "istiod host ok"
    
              # read certs from correct directory
              sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'
              sudo sh -c 'echo OUTPUT_CERTS=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri May 03 19:29:42 UTC 2024
    - 8K bytes
  6. pilot/cmd/pilot-agent/options/options.go

    	// May also be used in K8S to use a Secret to bootstrap (as a 'refresh key'), but use short-lived tokens
    	// with extra SAN (labels, etc) in data path.
    	provCert = env.Register("PROV_CERT", "",
    		"Set to a directory containing provisioned certs, for VMs").Get()
    
    	// set to "SYSTEM" for ACME/public signed XDS servers.
    	xdsRootCA = env.Register("XDS_ROOT_CA", "",
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Tue Jan 09 19:21:50 UTC 2024
    - 8.1K bytes
  7. architecture/security/istio-agent.md

    | Variable | Description |
    | - | - |
    |CA_ADDR|Address of CA, defaults to discoveryAddress|
    |CA_PROVIDER|Type of CA; supported values are GoogleCA or Citadel (although anything but GoogleCA will use Citadel); defaults to Citadel|
    |PROV_CERT|Directory of provisioned certificates used only for mTLS communication with the control plane; NOT for workload mTLS|
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Tue Aug 22 16:45:50 UTC 2023
    - 7.2K bytes
  8. pkg/istio-agent/agent.go

    		if fileExists(k8sCAIstioMountedPath) {
    			rootCAPath = k8sCAIstioMountedPath
    		} else {
    			rootCAPath = k8sCAPath
    		}
    	} else if a.secOpts.ProvCert != "" {
    		// This was never completely correct - PROV_CERT are only intended for auth with CA_ADDR,
    		// and should not be involved in determining the root CA.
    		// For VMs, the root cert file used to auth may be populated afterwards.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Jun 05 10:02:56 UTC 2024
    - 26.7K bytes