apiVersion: release-notes/v2
kind: bug-fix
area: security
issue:
- 45546
releaseNotes:
- |

		},
		{
			name: "@request.auth.claims[test-issuer******@****.***]",
			want: RoutingClaim{Match: true, Separator: Square, Claims: []string{"test-issuer******@****.***"}},
		},
		{
			name: "@request.auth.claims[test-issuer******@****.***][key1]",
			want: RoutingClaim{Match: true, Separator: Square, Claims: []string{"test-issuer******@****.***", "key1"}},
		},
	}

	for _, tt := range cases {

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "{{ .JWTServer.JwksURI }}?delay=500ms"
    outputPayloadToHeader: "x-test-payload"
    forwardOriginalToken: true

		},
		{
			name:      "issuer missing https",
			issuerURL: "http://issuer.example.com",
			jwksURI:   exampleIssuer + serviceaccount.JWKSPath,
			keys:      defaultKeys,
			err:       true,
		},
		{
			name:      "issuer missing scheme",
			issuerURL: "issuer.example.com",
			jwksURI:   exampleIssuer + serviceaccount.JWKSPath,
			keys:      defaultKeys,

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"

metadata:
  name: {{ .To.ServiceName }}-part1
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "foo"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "bar"

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      app: {{ .To.ServiceName }}
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    outputPayloadToHeader: "x-test-payload"
    outputClaimToHeaders:
    - header: "x-jwt-iss"
      claim: "iss"

	}

	_, _, ecx1, edx1 := cpuid(1, 0)
	X86.HasSSE2 = isSet(26, edx1)

	X86.HasSSE3 = isSet(0, ecx1)
	X86.HasPCLMULQDQ = isSet(1, ecx1)
	X86.HasSSSE3 = isSet(9, ecx1)
	X86.HasFMA = isSet(12, ecx1)
	X86.HasCX16 = isSet(13, ecx1)
	X86.HasSSE41 = isSet(19, ecx1)
	X86.HasSSE42 = isSet(20, ecx1)
	X86.HasPOPCNT = isSet(23, ecx1)
	X86.HasAES = isSet(25, ecx1)
	X86.HasOSXSAVE = isSet(27, ecx1)
	X86.HasRDRAND = isSet(30, ecx1)

	// is not supported in user space on older linux kernels.
	ARM64.HasAES = isSet(HWCap, hwcap_AES)
	ARM64.HasPMULL = isSet(HWCap, hwcap_PMULL)
	ARM64.HasSHA1 = isSet(HWCap, hwcap_SHA1)
	ARM64.HasSHA2 = isSet(HWCap, hwcap_SHA2)
	ARM64.HasCRC32 = isSet(HWCap, hwcap_CRC32)
	ARM64.HasCPUID = isSet(HWCap, hwcap_CPUID)
	ARM64.HasSHA512 = isSet(HWCap, hwcap_SHA512)

	// The Samsung S9+ kernel reports support for atomics, but not all cores

// kube-apiserver usage of certs.
func GetHumanCertDetail(certificate *x509.Certificate) string {
	humanName := certificate.Subject.CommonName
	signerHumanName := certificate.Issuer.CommonName
	if certificate.Subject.CommonName == certificate.Issuer.CommonName {
		signerHumanName = "<self>"
	}

	usages := []string{}
	for _, curr := range certificate.ExtKeyUsage {
		if curr == x509.ExtKeyUsageClientAuth {