// Default path prefix for all keys on etcd, other than CoreDNSPath.
	cfg.PathPrefix = env.Get(EnvEtcdPathPrefix, kvs.Get(PathPrefix))
	if etcdSecure {
		cfg.TLS = &tls.Config{
			RootCAs:                  rootCAs,
			PreferServerCipherSuites: true,
			MinVersion:               tls.VersionTLS12,
			NextProtos:               []string{"http/1.1", "h2"},
			ClientSessionCache:       tls.NewLRUClientSessionCache(64),

	dialContext := s.DialContext
	if dialContext == nil {
		dialContext = DialContextWithLookupHost(s.LookupHost, NewInternodeDialContext(s.DialTimeout, s.TCPOptions))
	}

	tlsClientConfig := tls.Config{
		RootCAs:            s.RootCAs,
		CipherSuites:       s.CipherSuites,
		CurvePreferences:   s.CurvePreferences,
		ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
	}

	return func(args *OperatorDNS) {
		args.username = username
		args.password = password
	}
}

// RootCAs - add custom trust certs pool
func RootCAs(certPool *x509.CertPool) OperatorOption {
	return func(args *OperatorDNS) {
		args.rootCAs = certPool
	}
}

// NewOperatorDNS - initialize a new K8S Operator DNS set/unset values.

	}
	if n.Secure || n.TLS && n.TLSSkipVerify {
		connOpts = append(connOpts, nats.Secure(nil))
	} else if n.TLS {
		connOpts = append(connOpts, nats.Secure(&tls.Config{RootCAs: n.RootCAs}))
	}
	if n.CertAuthority != "" {
		connOpts = append(connOpts, nats.RootCAs(n.CertAuthority))
	}
	if n.ClientCert != "" && n.ClientKey != "" {
		connOpts = append(connOpts, nats.ClientCert(n.ClientCert, n.ClientKey))
	}

	config.Net.TLS.Config = tlsConfig
	config.Net.TLS.Config.InsecureSkipVerify = args.TLS.SkipVerify
	config.Net.TLS.Config.ClientAuth = args.TLS.ClientAuth
	config.Net.TLS.Config.RootCAs = args.TLS.RootCAs

	// These settings are needed to ensure that kafka client doesn't hang on brokers
	// refer https://github.com/IBM/sarama/issues/765#issuecomment-254333355
	config.Producer.Retry.Max = 2

			if !args.Enable {
				continue
			}
			args.TLS.RootCAs = transport.TLSClientConfig.RootCAs
			t, err := target.NewKafkaTarget(id, args, logOnceIf)
			if err != nil {
				return nil, err
			}
			targets = append(targets, t)

		}

	case config.NotifyMQTTSubSys:
		mqttTargets, err := GetNotifyMQTT(cfg[config.NotifyMQTTSubSys], transport.TLSClientConfig.RootCAs)
		if err != nil {
			return nil, err
		}

		Dialer: grid.ConnectWS(
			grid.ContextDialer(xhttp.DialContextWithLookupHost(lookupHost, xhttp.NewInternodeDialContext(rest.DefaultTimeout, globalTCPOptions.ForWebsocket()))),
			newCachedAuthToken(),
			&tls.Config{
				RootCAs:          globalRootCAs,
				CipherSuites:     fips.TLSCiphers(),
				CurvePreferences: fips.TLSCurveIDs(),
			}),
		Local:        local,
		Hosts:        hosts,
		AuthToken:    validateStorageRequestToken,

		if err != nil {
			return nil, err
		}

		key, err := kms.ParseAPIKey(env.Get(EnvKMSAPIKey, ""))
		if err != nil {
			return nil, err
		}

		var rootCAs *x509.CertPool
		if opts != nil && opts.CADir != "" {
			rootCAs, err = certs.GetRootCAs(opts.CADir)
			if err != nil {
				return nil, err
			}
		}

		client, err := kms.NewClient(&kms.Config{
			Endpoints: endpoints,

		SetCleanSession(true).
		SetUsername(args.User).
		SetPassword(args.Password).
		SetMaxReconnectInterval(args.MaxReconnectInterval).
		SetKeepAlive(args.KeepAlive).
		SetTLSConfig(&tls.Config{RootCAs: args.RootCAs}).
		AddBroker(args.Broker.String())

	target.client = mqtt.NewClient(options)

	token := target.client.Connect()
	ok := token.WaitTimeout(reconnectInterval)
	if !ok {
		return store.ErrNotConnected

			NextProtos:         []string{"h2", "http/1.1"},
			ClientSessionCache: tls.NewLRUClientSessionCache(100),
			CipherSuites:       fips.TLSCiphersBackwardCompatible(), // Contains RSA key exchange
			RootCAs:            rootCAs,
		},
	}

	// Parse explicitly set enable=on/off flag.
	isEnableFlagExplicitlySet := false
	if v := getCfgVal(config.Enable); v != "" {
		isEnableFlagExplicitlySet = true