}{
		{
			name:     "Creation of a CSR request for renewal of a PKI certificate",
			certName: "apiserver",
			createCertFunc: func() *x509.Certificate {
				return writeTestCertificate(t, dir, "apiserver", testCACert, testCAKey, testCertOrganization, time.Time{}, time.Time{})
			},
		},
		{
			name:     "Creation of a CSR request for renewal of a certificate embedded in a kubeconfig file",

	server, err := ca.New(mockCa, 1, []security.Authenticator{auth}, nil)
	if err != nil {
		return 0
	}
	csrString, err := f.GetString()
	if err != nil {
		return 0
	}
	request := &pb.IstioCertificateRequest{Csr: csrString}
	ctx := context.Background()

	certChain, err := fuzzedCertChain(f)
	if err != nil {
		return 0
	}
	tlsInfo := credentials.TLSInfo{
		State: tls.ConnectionState{VerifiedChains: certChain},

at two levels. For distributing workload certificates, Envoy will send [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
requests to the agent, causing the agent to submit a CSR to the configured CA (generally Istiod). For other configuration,
Envoy will send [ADS](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration#aggregated-xds-ads)

				kubeadmConfig: validKubeadmConfig,
				cert:          nil,
			},
			wantErr: true,
		},
		{
			name: "key and CSR do not exist",
			args: args{
				kubeadmConfig: validKubeadmConfig,
				cert:          validKubeadmCert,
			},
			wantErr: false,
		},
		{
			name: "key or CSR already exist",
			args: args{
				kubeadmConfig: validKubeadmConfig,
				cert:          validKubeadmCert,
			},

	KeyFilePath string
	// The path for an existing root certificate bundle
	RootCertFilePath string
}

// Client interface defines the clients need to implement to talk to CA for CSR.
// The Agent will create a key pair and a CSR, and use an implementation of this
// interface to get back a signed certificate. There is no guarantee that the SAN
// in the request will be returned - server may replace it.
type Client interface {

                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
  fi

  if [ ! -r "ca-csr.json" ]; then
    cat >ca-csr.json <<EOF
{
    "CN": "Kubernetes",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
	var csr certificateRequest

	rest, err := asn1.Unmarshal(asn1Data, &csr)
	if err != nil {
		return nil, err
	} else if len(rest) != 0 {
		return nil, asn1.SyntaxError{Msg: "trailing data"}
	}

	return parseCertificateRequest(&csr)
}

func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {

      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('s'),

    connections(title, targets, desc=''):
      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('cps'),

    dns(title, targets, desc=''):
      self.base(title, targets, desc)
      + timeSeries.standardOptions.withUnit('qps'),

    bytes(title, targets, desc=''):
      self.base(title, targets, desc)

  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
  revision: ""

  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""

  # The customized XDS address to retrieve configuration.

					t.Errorf("resp: got %+v, expected %v", resp, tc.expectedCert)
				}
			}

			if tc.expectRetry {
				mt.Assert("num_outgoing_retries", map[string]string{"request_type": monitoring.CSR}, monitortest.AtLeast(1))
			}
		})
	}
}

type mockTokenCAServer struct {
	pb.UnimplementedIstioCertificateServiceServer
	Certs []string
}