connectionPool = connectionPool,
          readTimeoutMillis = client.readTimeoutMillis,
          writeTimeoutMillis = client.writeTimeoutMillis,
          socketConnectTimeoutMillis = chain.connectTimeoutMillis,
          socketReadTimeoutMillis = chain.readTimeoutMillis,
          pingIntervalMillis = client.pingIntervalMillis,
          retryOnConnectionFailure = client.retryOnConnectionFailure,
          fastFallback = client.fastFallback,

 */
class RetryAndFollowUpInterceptor(private val client: OkHttpClient) : Interceptor {
  @Throws(IOException::class)
  override fun intercept(chain: Interceptor.Chain): Response {
    val realChain = chain as RealInterceptorChain
    var request = chain.request
    val call = realChain.call
    var followUpCount = 0
    var priorResponse: Response? = null
    var newRoutePlanner = true

		"citadel_server_cert_chain_expiry_timestamp",
		"The unix timestamp, in seconds, when Citadel cert chain will expire. "+
			"A negative time indicates the cert is expired.",
	)
	certChainExpirySeconds = monitoring.NewDerivedGauge(
		"citadel_server_cert_chain_expiry_seconds",
		"The time remaining, in seconds, before the certificate chain will expire. "+
			"A negative value indicates the cert is expired.",
	)
)

	// Sign generates a certificate for a workload or CA, from the given CSR and cert opts.
	Sign(csrPEM []byte, opts ca.CertOpts) ([]byte, error)
	// SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
	SignWithCertChain(csrPEM []byte, opts ca.CertOpts) ([]string, error)
	// GetCAKeyCertBundle returns the KeyCertBundle used by CA.
	GetCAKeyCertBundle() *util.KeyCertBundle
}

	ProxyMetadataJSON = `
	{
      "FILE_MOUNTED_CERTS": "true",
      "ISTIO_META_TLS_CLIENT_CERT_CHAIN": "/client-certs/cert-chain.pem",
      "ISTIO_META_TLS_CLIENT_KEY": "/client-certs/key.pem",
      "ISTIO_META_TLS_CLIENT_ROOT_CERT": "/client-certs/root-cert.pem",
      "ISTIO_META_TLS_SERVER_CERT_CHAIN": "/server-certs/cert-chain.pem",
      "ISTIO_META_TLS_SERVER_KEY": "/server-certs/key.pem",

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management

issue:
  - 51377

releaseNotes:
- |

// CHECK-LABEL: func @_tfrt_fallback_init
// CHECK-SAME: {{.*}} !tfrt.chain
// CHECK: tfrt_fallback_async.createop(%arg0) key(0) device("/device:CPU:0") "tf.ParseExampleV2"()
// CHECK-SAME: Tdense = [f32, f32], dense_shapes = [#corert.shape<>, #corert.shape<>]

link:https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security[GitHub supply chain security] features will detect and alert about any dependencies that have known vulnerabilities.
In order to do this, GitHub requires a complete dependency graph for your project.

				t.Errorf("failed to get initial workload secret: %v", err)
			}

			// Update CA with new intermediate cert
			if err := cert.CreateCustomCASecret(t,
				"ca-cert-alt-2.pem", "ca-key-alt-2.pem",
				"cert-chain-alt-2.pem", "root-cert-alt.pem"); err != nil {
				t.Errorf("failed to update CA secret: %v", err)
			}

			// perform one retry to handle race condition where ztunnel cert is refreshed before Istiod certificates are reloaded

	reject = s.rejectCSR
	s.faultInjectLock.Unlock()
	return reject
}

// SendEmptyCert force CA server send empty cert chain.
func (s *CAServer) SendEmptyCert() {
	s.faultInjectLock.Lock()
	s.emptyCert = true
	s.faultInjectLock.Unlock()
	caServerLog.Info("force CA server to send empty cert chain")
}

func (s *CAServer) sendEmpty() bool {
	var empty bool
	s.faultInjectLock.Lock()
	empty = s.emptyCert