}

  override fun writeRequestHeaders(request: Request) {
    if (stream != null) return

    val hasRequestBody = request.body != null
    val requestHeaders = http2HeadersList(request)
    stream = http2Connection.newStream(requestHeaders, hasRequestBody)
    // We may have been asked to cancel while creating the new stream and sending the request
    // headers, but there was still no stream to close.
    if (canceled) {

   * @param requestHeaders minimally includes `:method`, `:scheme`, `:authority`, and `:path`.
   */
  @Throws(IOException::class)
  fun pushPromise(
    streamId: Int,
    promisedStreamId: Int,
    requestHeaders: List<Header>,
  ) {
    this.withLock {
      if (closed) throw IOException("closed")
      hpackWriter.writeHeaders(requestHeaders)

      val byteCount = hpackBuffer.size

		{Name: "requestheader-username-headers", Value: "X-Remote-User"},
		{Name: "requestheader-group-headers", Value: "X-Remote-Group"},
		{Name: "requestheader-extra-headers-prefix", Value: "X-Remote-Extra-"},
		{Name: "requestheader-client-ca-file", Value: filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertName)},
		{Name: "requestheader-allowed-names", Value: "front-proxy-client"},

					Aggregation: "sum",
					Labels: map[string]string{
						"destination_service_name": "istio-egressgateway",
						"response_code":            "200",
					},
				},
				StatusCode: http.StatusOK,
				RequestHeaders: map[string]string{
					// We inject this header in the VirtualService
					"Handled-By-Egress-Gateway": "true",
				},
			},
		},
		// TODO add HTTPS through gateway
		{
			Name:     "TCP",

								if codeStr != r.Code {
									return fmt.Errorf("response[%d] received status code %s, expected %d", i, r.Code, tc.Expected.StatusCode)
								}
								for k, v := range tc.Expected.RequestHeaders {
									if got := r.RequestHeaders.Get(k); got != v {
										return fmt.Errorf("expected metadata %v=%v, got %q", k, v, got)
									}
								}
							}
							return nil
						},
					})

					return
				}
				// if get Audit-ID returned, it should be the same with the requested one
				if test.requestHeader != "" && resp.Header.Get("Audit-ID") != test.requestHeader {
					t.Errorf("[%s] returned audit http header is not the same with the requested http header, expected: %s, get %s", test.desc, test.requestHeader, resp.Header.Get("Audit-ID"))
				}
			} else {
				if resp.Header.Get("Audit-ID") != "" {

	requestURL     url.URL
	requestHost    string
	requestHeader  http.Header
	requestBody    []byte
	requestMethod  string
	responseBody   string
	responseHeader map[string]string
	t              *testing.T
}

func (s *SimpleBackendHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	s.requestURL = *req.URL
	s.requestHost = req.Host
	s.requestHeader = req.Header
	s.requestMethod = req.Method
	var err error

}

func checkHTTP(opts echo.CallOptions, expectAllowed bool) echo.Checker {
	override := opts.HTTP.Headers.Get(XExtAuthzAdditionalHeaderOverride)
	var hType echoClient.HeaderType
	if expectAllowed {
		hType = echoClient.RequestHeader
	} else {
		hType = echoClient.ResponseHeader
	}
	headerChecker := check.And(
		headerContains(hType, map[string][]string{

	if instanceOptions.EnableCertAuth {
		// set up default headers for request header auth
		reqHeaders := serveroptions.NewDelegatingAuthenticationOptions()
		s.Authentication.RequestHeader = &reqHeaders.RequestHeader

		var proxySigningKey *rsa.PrivateKey
		var proxySigningCert *x509.Certificate

		if instanceOptions.ProxyCA != nil {
			// use provided proxyCA

  if [[ -s "${REQUESTHEADER_CA_CERT_PATH:-}" ]]; then
    params+=" --requestheader-client-ca-file=${REQUESTHEADER_CA_CERT_PATH}"
    params+=" --requestheader-allowed-names=aggregator"
    params+=" --requestheader-extra-headers-prefix=X-Remote-Extra-"
    params+=" --requestheader-group-headers=X-Remote-Group"
    params+=" --requestheader-username-headers=X-Remote-User"
    params+=" --proxy-client-cert-file=${PROXY_CLIENT_CERT_PATH}"