// the CNI binary installed.
	if err := installer.Run(ctx); err != nil {
		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
			// Error was caused by interrupt/termination signal
			t.Logf("installer complete: %v", err)
		} else {
			t.Errorf("installer failed: %v", err)
		}
	}

	if cleanErr := installer.Cleanup(); cleanErr != nil {

      "state": "Unavailable: the identity is no longer needed",
      "certChain": []
    },
    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/istiod",
      "state": "Unavailable: signing gRPC error (The service is currently unavailable): error trying to connect: TLS handshake failed: cert verification failed - unable to get local issuer certificate [CERTIFICATE_VERIFY_FAILED]",
      "certChain": []
    }
  ]

  // the kill signal (no opportunity to shut down).
  // If this value is nil, the default grace period will be used instead.
  // The grace period is the duration in seconds after the processes running in the pod are sent
  // a termination signal and the time when the processes are forcibly halted with a kill signal.
  // Set this value longer than the expected cleanup time for your process.

  //
  // Valid values are:
  //  "signing", "digital signature", "content commitment",
  //  "key encipherment", "key agreement", "data encipherment",
  //  "cert sign", "crl sign", "encipher only", "decipher only", "any",
  //  "server auth", "client auth",
  //  "code signing", "email protection", "s/mime",
  //  "ipsec end system", "ipsec tunnel", "ipsec user",
  //  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"

package main

import (
	"context"
	"os"
	"os/signal"
	"syscall"

	"istio.io/istio/cni/pkg/cmd"
	"istio.io/istio/pkg/log"
)

func main() {
	// Create context that cancels on termination signal
	ctx, cancel := context.WithCancel(context.Background())
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
	go func(sigChan chan os.Signal, cancel context.CancelFunc) {
		sig := <-sigChan

It should be noted there is a circular dependency with mTLS authentication; in order to fetch a certificate we need
a certificate. This can be handled in various ways:
* `GenerateSecret` may additionally write any signed certificates to disk, with `OUTPUT_CERTS` configured.
* Users may have external CA setups that pre-configure certificates.
* The CaClient can use JWT token for the initial setup, then switch to mTLS certificates.

		if podIsAmbient {
			cniClient := newCNIClient(conf.CNIEventAddress, constants.CNIAddEventPath)
			if err = PushCNIEvent(cniClient, args, prevResIps, podName, podNamespace); err != nil {
				log.Errorf("istio-cni cmdAdd failed to signal node Istio CNI agent: %s", err)
				return err
			}
			return nil
		}
		log.Debugf("istio-cni ambient cmdAdd podName: %s - not ambient enabled, ignoring", podName)
	}
	// End ambient plugin logic

# Architecture of Istiod

This document describes the high level architecture of the Istio control plane, Istiod.
Istiod is structured as a modular monolith, housing a wide range of functionality from certificate signing, proxy configuration (XDS), traditional Kubernetes controllers, and more.

## Proxy Configuration

    network: ""
    # Configure the certificate provider for control plane communication.
    # Currently, two providers are supported: "kubernetes" and "istiod".
    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.

  // For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
  // by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
  // the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
  // remove the pod from the API. In the presence of network partitions, this object may still