// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
  // honor this field as long as the requested duration is not greater than the
  // maximum duration they will honor per the --cluster-signing-duration CLI
  // flag to the Kubernetes controller manager.
  //
  // Certificate signers may not honor this field for various reasons:
  //
  //   1. Old signer that is unaware of the field (such as the in-tree

// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
  // metadata contains the object metadata.

    followIssuerChain@
    for (c in 0 until MAX_SIGNERS) {
      val toVerify = result[result.size - 1] as X509Certificate

      // If this cert has been signed by a trusted cert, use that. Add the trusted certificate to
      // the end of the chain unless it's already present. (That would happen if the first
      // certificate in the chain is itself a self-signed and trusted CA certificate.)

  // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
  // honor this field as long as the requested duration is not greater than the
  // maximum duration they will honor per the --cluster-signing-duration CLI
  // flag to the Kubernetes controller manager.
  //
  // Certificate signers may not honor this field for various reasons:
  //
  //   1. Old signer that is unaware of the field (such as the in-tree

      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

  meshConfig:
    enablePrometheusMerge: true
  experimental:
    stableValidationPolicy: false
  global:
    # Used to locate istiod.
    istioNamespace: istio-system
    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    certSigners: []

  meshConfig:
    enablePrometheusMerge: true

  experimental:
    stableValidationPolicy: false

  global:
    # Used to locate istiod.
    istioNamespace: istio-system
    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    certSigners: []

		{serverType: "ErasureSD", signer: signerV4},
		// Init and run test on ErasureSD backend with signature v2.
		{serverType: "ErasureSD", signer: signerV2},
		// Init and run test on ErasureSD backend, with tls enabled.
		{serverType: "ErasureSD", signer: signerV4, secure: true},
		// Init and run test on Erasure backend.
		{serverType: "Erasure", signer: signerV4},
		// Init and run test on ErasureSet backend.

- The kube-controller-manager managed signers can now have distinct signing certificates and keys.  See the help about `--cluster-signing-[signer-name]-{cert,key}-file`.  `--cluster-signing-{cert,key}-file` is still the default. ([#90822](https://github.com/kubernetes/kubernetes/pull/90822), [@deads2k](https://github.com/deads2k)) [SIG API Machinery,...