value: |-
                name: inject-volume
                mountPath: /var/lib/istio/inject
{{- end }}
`, map[string]any{
		"rootcert1":              cert1.Rootcert,
		"signer1":                cert1.Signer,
		"rootcert2":              cert2.Rootcert,
		"signer2":                cert2.Signer,
		"isConfigCluster":        isConfigCluster,
		"isExternalControlPlane": isExternalControlPlane,
	})

	defer cancel()
	if err := b.RetryWithContext(ctx, certValid); err != nil {
		return nil, err
	}

	// Set the rootCert only if it is workload root cert.
	if workload {
		sc.cache.SetRoot(rootCert)
	}
	return &security.SecretItem{
		ResourceName: resourceName,
		RootCert:     rootCert,
	}, nil
}

// Generate a key and certificate item from the existing key certificate files from the passed in file paths.

	}
	return cert.NotAfter, nil
}

// OutputKeyCertToDir output the key and certificate to the given directory.
// If directory string is empty, return nil.
func OutputKeyCertToDir(dir string, privateKey, certChain, rootCert []byte) error {
	var err error
	if len(dir) == 0 {
		return nil
	}

	certFileMode := os.FileMode(0o600)
	if k8sInCluster.Get() != "" {
		// If this is running on k8s, give more permission to the file certs.

			{
				Name:         "https",
				Protocol:     protocol.HTTPS,
				ServicePort:  443,
				WorkloadPort: 8443,
				TLS:          true,
			},
		},
		TLSSettings: &common.TLSSettings{
			RootCert:      rootCert,
			ClientCert:    clientCert,
			Key:           Key,
			AcceptAnyALPN: true,
		},
	}

	serverNakedBarConfig := echo.Config{
		Namespace: customNs.Get(),
		Service:   "server-naked-bar",

	}
}

func TestMakeCertTree(t *testing.T) {
	rootCert := &KubeadmCert{
		Name: "root",
	}
	leaf0 := &KubeadmCert{
		Name:   "leaf0",
		CAName: "root",
	}
	leaf1 := &KubeadmCert{
		Name:   "leaf1",
		CAName: "root",
	}
	selfSigned := &KubeadmCert{
		Name: "self-signed",
	}

	certMap := CertificateMap{
		"root":        rootCert,
		"leaf0":       leaf0,
		"leaf1":       leaf1,

EOF

certchain="$FINAL_DIR"/cert-chain.pem
cacert="$FINAL_DIR"/ca-cert.pem
cakey="$FINAL_DIR"/ca-key.pem
rootcert="$FINAL_DIR"/root-cert.pem

if [[ "$rootselect" = "use-alternative-root" ]] ; then
  certchain="$FINAL_DIR"/cert-chain-alt.pem
  cacert="$FINAL_DIR"/ca-cert-alt.pem
  cakey="$FINAL_DIR"/ca-key-alt.pem
  rootcert="$FINAL_DIR"/root-cert-alt.pem
fi

	if err != nil {
		return err
	}

	var caCert, caKey, certChain, rootCert []byte
	if caCert, err = ReadSampleCertFromFile(caCertFile); err != nil {
		return err
	}
	if caKey, err = ReadSampleCertFromFile(caKeyFile); err != nil {
		return err
	}
	if certChain, err = ReadSampleCertFromFile(certChainFile); err != nil {
		return err
	}
	if rootCert, err = ReadSampleCertFromFile(rootCertFile); err != nil {
		return err
	}

	}

	return resp.CertChain, nil
}

func (c *CitadelClient) getTLSOptions() *istiogrpc.TLSOptions {
	if c.tlsOpts != nil {
		return &istiogrpc.TLSOptions{
			RootCert:      c.tlsOpts.RootCert,
			Key:           c.tlsOpts.Key,
			Cert:          c.tlsOpts.Cert,
			ServerAddress: c.opts.CAEndpoint,
			SAN:           c.opts.CAEndpointSAN,
		}
	}
	return nil
}

			exampleCertChainLength, len(certs))
		return
	}
	var rootCert []byte
	var err error
	if rootCert, err = cert.ReadSampleCertFromFile("root-cert.pem"); err != nil {
		t.Errorf("error when reading expected CA cert: %v", err)
		return
	}
	// Verify that the CA certificate is as expected
	if strings.TrimSpace(string(rootCert)) != strings.TrimSpace(certs[2]) {

		var certPool *x509.CertPool
		certPool, err = x509.SystemCertPool()
		if err != nil {
			return nil, fmt.Errorf("failed to fetch Cert from SystemCertPool: %v", err)
		}

		if tlsSettings.RootCert != "" && !certPool.AppendCertsFromPEM([]byte(tlsSettings.RootCert)) {
			return nil, fmt.Errorf("failed to create cert pool")
		}
		cfg := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: certPool, MinVersion: tls.VersionTLS12})