}
}

// getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
	return &cluster.CircuitBreakers_Thresholds{
		// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This

        },
        "required": [
          "clientCIDR",
          "serverAddress"
        ],
        "type": "object"
      }
    },
    "securitySchemes": {
      "BearerToken": {
        "description": "Bearer Token authentication",
        "in": "header",
        "name": "authorization",
        "type": "apiKey"
      }
    }
  },
  "info": {
    "title": "Kubernetes",
    "version": "unversioned"
  },

					customizeCall: func(t framework.TestContext, from echo.Instance, opts *echo.CallOptions) {
						opts.HTTP.Path = "/valid-token-noauthz"
						opts.HTTP.Headers = headers.New().
							With("Authorization", "Bearer "+jwt.TokenIssuer1WithNestedClaims2).
							With("X-Jwt-Nested-Claim", "value_to_be_replaced").
							Build()
						opts.HTTP.Headers = headers.New().WithAuthz(jwt.TokenIssuer1WithNestedClaims2).Build()

	}

	return target, nil
}

func isKafkaConnErr(err error) bool {
	// Sarama opens the circuit breaker after 3 consecutive connection failures.
	return err == sarama.ErrLeaderNotAvailable || err.Error() == "circuit breaker is open"

) ([]grpc.DialOption, error) {
	ctx := context.TODO()
	// If we are using the insecure 15010 don't bother getting a token
	if opts.Plaintext || opts.CertDir != "" {
		return make([]grpc.DialOption, 0), nil
	}
	// Use bearer token
	aud := tokenAudiences
	isMCP := strings.HasSuffix(opts.Xds, ".googleapis.com") || strings.HasSuffix(opts.Xds, ".googleapis.com:443")
	if isMCP {
		// Special credentials handling when using ASM Managed Control Plane.

						opts.Check = check.And(
							check.OK(),
							check.ReachedTargetClusters(t),
							check.RequestHeaders(map[string]string{
								headers.Authorization: "Bearer " + jwt.TokenIssuer1,
								"X-Test-Payload":      payload1,
							}))
					},
				},
				{
					name:       "remote-jwks-with-service-entry",
					policyFile: "./testdata/requestauthn-with-se-timeout.yaml.tmpl",

	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

// TokenReviewSpec is a description of the token authentication request.
type TokenReviewSpec struct {
	// Token is the opaque bearer token.
	// +optional
	Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
	// Audiences is a list of the identifiers that the resource server presented

        "required": [
          "clientCIDR",
          "serverAddress"
        ],
        "type": "object"
      }
    },
    "securitySchemes": {
      "BearerToken": {
        "description": "Bearer Token authentication",
        "in": "header",
        "name": "authorization",
        "type": "apiKey"
      }
    }
  },
  "info": {
    "title": "Kubernetes",
    "version": "unversioned"

        "required": [
          "clientCIDR",
          "serverAddress"
        ],
        "type": "object"
      }
    },
    "securitySchemes": {
      "BearerToken": {
        "description": "Bearer Token authentication",
        "in": "header",
        "name": "authorization",
        "type": "apiKey"
      }
    }
  },
  "info": {
    "title": "Kubernetes",
    "version": "unversioned"

        "required": [
          "clientCIDR",
          "serverAddress"
        ],
        "type": "object"
      }
    },
    "securitySchemes": {
      "BearerToken": {
        "description": "Bearer Token authentication",
        "in": "header",
        "name": "authorization",
        "type": "apiKey"
      }
    }
  },
  "info": {
    "title": "Kubernetes",
    "version": "unversioned"