"target_uri": "{{ .discovery_address }}",
            "stat_prefix": "googlegrpcxds",
            "channel_credentials": {
              "ssl_credentials": {
                {{ with .xds_root_cert}}"root_certs": {"filename": "{{.}}"}{{ end }}
              }
            },
            "call_credentials": [{
            {{ if .sts }}
              "sts_service": {

              value: |-
                name: inject-volume
                mountPath: /var/lib/istio/inject
{{- end }}
`, map[string]any{
		"rootcert1":              cert1.Rootcert,
		"signer1":                cert1.Signer,
		"rootcert2":              cert2.Rootcert,
		"signer2":                cert2.Signer,
		"isConfigCluster":        isConfigCluster,
		"isExternalControlPlane": isExternalControlPlane,
	})

func AppendCertByte(pemCert []byte, rootCert []byte) []byte {
	rootCerts := []byte{}
	if len(pemCert) > 0 {
		// Copy the input certificate
		rootCerts = []byte(strings.TrimSuffix(string(pemCert), "\n") + "\n")
	}
	rootCerts = append(rootCerts, rootCert...)
	return rootCerts

	rootCert, err := util.ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		t.Error(err)
	}
	// Root cert and siging cert are the same for self-signed CA.
	if !rootCert.Equal(signingCert) {
		t.Error("CA root cert does not match signing cert")
	}

	if ttl := rootCert.NotAfter.Sub(rootCert.NotBefore); ttl != caCertTTL {

	defer cancel()
	if err := b.RetryWithContext(ctx, certValid); err != nil {
		return nil, err
	}

	// Set the rootCert only if it is workload root cert.
	if workload {
		sc.cache.SetRoot(rootCert)
	}
	return &security.SecretItem{
		ResourceName: resourceName,
		RootCert:     rootCert,
	}, nil
}

// Generate a key and certificate item from the existing key certificate files from the passed in file paths.

			}

			rootCerts, err := util.AppendRootCerts(pemCert, rootCertFile)
			if err != nil {
				pkiCaLog.Warnf("failed to append root certificates (%v)", err)
				return fmt.Errorf("failed to append root certificates (%v)", err)
			}
			if caOpts.KeyCertBundle, err = util.NewVerifiedKeyCertBundleFromPem(pemCert, pemKey, nil, rootCerts); err != nil {

			rootCerts, err := util.AppendRootCerts(caSecret.Data[CACertFile], rotator.config.rootCertFile)
			if err != nil {
				rootCertRotatorLog.Errorf("failed to append root certificates from file: %s", err.Error())
				return
			}

			if err := rotator.ca.GetCAKeyCertBundle().VerifyAndSetAll(caSecret.Data[CACertFile],
				caSecret.Data[CAPrivateKeyFile], nil, rootCerts); err != nil {

			SignedCert:    []byte("cert"),
			KeyCertBundle: util.NewKeyCertBundleFromPem(nil, nil, []byte("cert_chain"), []byte("root_cert")),
		},
		Authenticators: []security.Authenticator{auth},
		monitoring:     newMonitoringMetrics(),
	}
	mockCertChain := []string{"cert", "cert_chain", "root_cert"}
	mockIPAddr := &net.IPAddr{IP: net.IPv4(192, 168, 1, 1)}
	testCerts := map[string]struct {
		certChain    [][]*x509.Certificate

	if expectedSecret.ResourceName == security.RootCertReqResourceName || (ok && cfg.IsRootCertificate()) {
		if !bytes.Equal(expectedSecret.RootCert, gotSecret.RootCert) {
			t.Fatalf("root cert: expected %v but got %v", expectedSecret.RootCert,
				gotSecret.RootCert)
		}
	} else {
		if !bytes.Equal(expectedSecret.CertificateChain, gotSecret.CertificateChain) {

// TLSOptions include TLS options that a grpc client uses to connect with server.
type TLSOptions struct {
	RootCert      string
	Key           string
	Cert          string
	ServerAddress string
	SAN           string
}

func getTLSDialOption(opts *TLSOptions) (grpc.DialOption, error) {
	rootCert, err := getRootCertificate(opts.RootCert)
	if err != nil {
		return nil, err
	}
	config := tls.Config{