certsphase.KubeadmCertEtcdAPIClient(),
			} {
				if err := cert.CreateFromCA(newcfg, caCert, caKey); err != nil {
					t.Fatalf("couldn't create certificate %s: %v", cert.Name, err)
				}
			}

			actualErr := StaticPodControlPlane(
				nil,
				waiter,
				pathMgr,
				newcfg,
				true,
				true,
				fakeTLSEtcdClient{
					TLS: false,
				},
				fakePodManifestEtcdClient{

	}

	// The CA cert is required for updating kubeconfig files.
	// For local CA renewal, the local CA on disk could have changed, thus a reload is needed.
	// For CSR renewal we assume the same CA on disk is mounted for usage with KCM's
	// '--cluster-signing-cert-file' flag.
	certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName)
	caCerts, err := certutil.CertsFromFile(certificatePath)

// and push skipping. This is because an secret potentially has a dependency on the same secret with or without
// the -cacert suffix. By including this dependency we ensure we do not miss any updates.
// This is important for cases where we have a compound secret. In this case, the `foo` secret may update,
// but we need to push both the `foo` and `foo-cacert` resource name, or they will fall out of sync.
func relatedConfigs(k model.ConfigKey) []model.ConfigKey {

	var privateKey, clientCert, caCert []byte
	var err error
	if privateKey, err = ReadCustomCertFromFile(certsPath, "key.pem"); err != nil {
		return err
	}
	if clientCert, err = ReadCustomCertFromFile(certsPath, "cert-chain.pem"); err != nil {
		return err
	}
	if caCert, err = ReadCustomCertFromFile(certsPath, "root-cert.pem"); err != nil {
		return err
	}

		},
	}

	for _, rt := range tests {
		t.Run(rt.name, func(t *testing.T) {
			caCert := &x509.Certificate{}
			config := &CertConfig{
				Config: certutil.Config{
					CommonName:   "test",
					Organization: []string{"test"},
					Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
				},
			}
			_, _, err := NewCertAndKey(caCert, rt.key, config)
			if err != nil {
				t.Errorf("failed NewCertAndKey: %v", err)

	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {

			certMap := test.certs.AsMap()

			for _, cert := range test.certs {
				if cert.CAName != "" && certMap[cert.CAName] == nil {
					t.Errorf("Certificate %q references nonexistent CA %q", cert.Name, cert.CAName)
				}
			}
		})
	}
}

func TestMakeCertTree(t *testing.T) {
	rootCert := &KubeadmCert{
		Name: "root",
	}

func TestLoadCaCertPem(t *testing.T) {
	cases := []struct {
		name      string
		cert      []byte
		wantError bool
	}{
		{
			name:      "valid pem",
			cert:      testcerts.CACert,
			wantError: false,
		},
		{
			name:      "pem decode error",
			cert:      append([]byte("-----codec"), testcerts.CACert...),
			wantError: true,
		},
		{
			name:      "pem wrong type",
			wantError: true,

	},
	{
		name: "destinationrule with no cacert, simple at destinationlevel",
		inputFiles: []string{
			"testdata/destinationrule-simple-destination.yaml",
		},
		analyzer: &destinationrule.CaCertificateAnalyzer{},
		expected: []message{
			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-tls"},
		},
	},
	{
		name: "destinationrule with no cacert, mutual at destinationlevel",

	// If non-empty, make the request with the corresponding cert and key.
	Cert string `protobuf:"bytes,10,opt,name=cert,proto3" json:"cert,omitempty"`
	Key  string `protobuf:"bytes,11,opt,name=key,proto3" json:"key,omitempty"`
	// If non-empty, verify the server CA
	CaCert string `protobuf:"bytes,12,opt,name=caCert,proto3" json:"caCert,omitempty"`
	// If non-empty, make the request with the corresponding cert and key file.

	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
)

func TestRetrieveValidatedConfigInfo(t *testing.T) {
	const (
		caCert = `-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE5MTEyMDAwNDk0MloXDTI5MTExNzAwNDk0MlowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqQ