name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/run/secrets/istiod/tls
          name: istio-csr-dns-cert
          readOnly: true
        - mountPath: /var/run/secrets/istiod/ca
          name: istio-csr-ca-configmap
          readOnly: true
      serviceAccountName: istiod
      volumes:
      - emptyDir:
          medium: Memory
        name: local-certs

# issue is a list of GitHub issues resolved in this note.
issue:
- https://github.com/cert-manager/istio-csr/issues/113

docs: []

releaseNotes:
- |
  **Added** values to the Istio Pilot Helm charts for configuring additional container arguments, volumeMounts, and volumes. Can be used in conjunction with cert-manager istio-csr.

upgradeNotes: []

          name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/run/secrets/istiod/tls
          name: istio-csr-dns-cert
          readOnly: true
        - mountPath: /var/run/secrets/istiod/ca
          name: istio-csr-ca-configmap
          readOnly: true
      nodeSelector:
        master: "true"
      serviceAccountName: istiod
      volumes:
      - emptyDir:

digraph {
    grpc -> ca [label="Send CSR gRPC Request"]
    subgraph cluster_istioagent {
        label = "Istio Agent"
        color="orange"
        sds
        SecretManager -> caClient [label="Sign CSR"]
        caClient -> grpc
        grpc -> TokenProvider [dir=none,label="Fetch JWT",color=purple]
        grpc -> cfiles [dir=none,label="Fetch Cert",color=purple]

        sds -> SecretManager [label="Generate certificate"]

          name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/run/secrets/istiod/tls
          name: istio-csr-dns-cert
          readOnly: true
        - mountPath: /var/run/secrets/istiod/ca
          name: istio-csr-ca-configmap
          readOnly: true
      nodeSelector:
        node-name: test
      serviceAccountName: istiod
      volumes:
      - emptyDir:

  if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then
    rm "$FINAL_DIR"/ca-cert-alt.srl
  fi
  if [ -f "$FINAL_DIR"/workload.cfg ]; then
    rm "$FINAL_DIR"/workload.cfg
  fi
  if [ -f "$FINAL_DIR"/workload.csr ]; then
    rm "$FINAL_DIR"/workload.csr
  fi
}

trap cleanup EXIT

openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048

cat > "$FINAL_DIR"/workload.cfg <<EOF
[req]
distinguished_name = req_distinguished_name

// We can't directly hash the serialized CSR because of random padding that we
// regenerate every loop and we include usages which are not contained in the
// CSR. This needs to be kept up to date as we add new fields to the node
// certificates and with ensureCompatible.
func digestedName(publicKey interface{}, subject *pkix.Name, usages []certificatesv1.KeyUsage) (string, error) {

	"istio.io/istio/pkg/security"
	mockca "istio.io/istio/security/pkg/pki/ca/mock"
	caerror "istio.io/istio/security/pkg/pki/error"
)

func FuzzCreateCertificate(f *testing.F) {
	fuzz.Fuzz(f, func(fg fuzz.Helper) {
		csr := fuzz.Struct[pb.IstioCertificateRequest](fg)
		ca := fuzz.Struct[mockca.FakeCA](fg)
		ca.SignErr = caerror.NewError(caerror.CSRError, fmt.Errorf("cannot sign"))
		server := &Server{
			ca:             &ca,

	"strings"

	"k8s.io/apimachinery/pkg/util/sets"
)

// ParseCSR extracts the CSR from the bytes and decodes it.
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("PEM block type must be CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}

          name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/run/secrets/istiod/tls
          name: istio-csr-dns-cert
          readOnly: true
        - mountPath: /var/run/secrets/istiod/ca
          name: istio-csr-ca-configmap
          readOnly: true
      serviceAccountName: istiod
      volumes:
      - emptyDir:
          medium: Memory
        name: local-certs