if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
		// accepted HTTP status codes.
		return nil
	} else if resp.StatusCode == http.StatusForbidden {
		return fmt.Errorf("%s returned '%s', please check if your auth token is correctly set", h.Endpoint(), resp.Status)
	}
	return fmt.Errorf("%s returned '%s', please check your endpoint configuration", h.Endpoint(), resp.Status)
}

				if err != nil {
					continue
				}
				jwtClaims, err = auth.ExtractClaims(cred.SessionToken, secretKey)
			}
			if err != nil {
				// skip this cred - session token seems invalid
				continue
			}

			ldapUsername, okUserN := jwtClaims.Lookup(ldapUserN)
			ldapActualDN, okDN := jwtClaims.Lookup(ldapActualUser)
			if !okUserN || !okDN {

						}
					}

					if testCase.resultL.IsTruncated != resultL.IsTruncated {
						// Allow an extra continuation token.
						if !resultL.IsTruncated || len(resultL.Objects) == 0 {
							t.Errorf("Test %d: %s: Expected IsTruncated flag to be %v, but instead found it to be %v", i+1, instanceType, testCase.resultL.IsTruncated, resultL.IsTruncated)

	quarkus/extensions/agroal/deployment/pom.xml
	quarkus/extensions/jdbc/jdbc-h2/deployment/pom.xml
	quarkus/test-framework/junit5-internal/pom.xml
quarkus/extensions/oidc-token-propagation-reactive/deployment/pom.xml
	quarkus/extensions/oidc-token-propagation-reactive/runtime/pom.xml
	quarkus/extensions/security/deployment/pom.xml
	quarkus/extensions/resteasy-reactive/rest-client-reactive/deployment/pom.xml

            ContiguousSet.closedOpen(Integer.MIN_VALUE, Integer.MIN_VALUE),
            ImmutableSortedSet.of(),
            ImmutableSet.of())
        .testEquals();
    // not testing hashCode for these because it takes forever to compute
    assertEquals(
        ContiguousSet.closed(Integer.MIN_VALUE, Integer.MAX_VALUE),
        ContiguousSet.create(Range.<Integer>all(), integers()));
    assertEquals(

- Graduated the `LegacyServiceAccountTokenTracking` feature gate to Beta. The usage of auto-generated secret-based service account token now produces warnings by default, and relevant Secrets are labeled with a last-used timestamp (label key `kubernetes.io/legacy-token-last-used`). ([#114523](https://github.com/kubernetes/kubernetes/pull/114523), [@zshihang](https://github.com/zshihang)) [SIG API Machinery and Auth]

r(var e=st||ht(),t=Math.max(0,l.startTime+l.duration-e),n=1-(t/l.duration||0),r=0,i=l.tweens.length;r<i;r++)l.tweens[r].run(n);return s.notifyWith(o,[l,n,t]),n<1&&i?t:(i||s.notifyWith(o,[l,1,0]),s.resolveWith(o,[l]),!1)},l=s.promise({elem:o,props:ce.extend({},e),opts:ce.extend(!0,{specialEasing:{},easing:ce.easing._default},t),originalProperties:e,originalOptions:t,startTime:st||ht(),duration:t.duration,tweens:[],createTween:function(e,t){var n=ce.Tween(o,l.opts,e,t,l.opts.specialEasing[e]||l.opts.easing);return...

  // respond with a 410 ResourceExpired error together with a continue token. If the client needs a
  // consistent list, it must restart their list without the continue field. Otherwise, the client may
  // send another list request with the token received with the 410 error, the server will respond with

This CA enforcement is done by Istio's CA, and is a requirement for any alternative CAs integrating with Ztunnel.

Note: Ztunnel authenticates to the CA with a Kubernetes Service Account JWT token, which encodes the pod information, which is what enables this.

Ztunnel will request certificates for all identities on the node.
It determines this based on the Workload xDS configuration it receives.

    * As we said above, only one process can be listening on a specific IP and port.
    * This is one of the reasons why it's very useful when the same TLS Termination Proxy also takes care of the certificate renewal process.