"certChain": []
    },
    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/istiod",
      "state": "Unavailable: signing gRPC error (The service is currently unavailable): error trying to connect: TLS handshake failed: cert verification failed - unable to get local issuer certificate [CERTIFICATE_VERIFY_FAILED]",
      "certChain": []
    }
  ]

      labels:
        app: metallb
        component: controller
    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        - --tls-min-version=VersionTLS12
        env:
        - name: METALLB_ML_SECRET_NAME
          value: memberlist
        - name: METALLB_DEPLOYMENT
          value: controller

      enabled: true
`
	invalidDuplicateKey = `
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
trafficPolicy: {}
trafficPolicy:
  tls:
    mode: ISTIO_MUTUAL
`
	validDeployment = `
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
  labels:
    app: helloworld
    version: v1
spec:
  replicas: 1

          - name: extracacerts
            mountPath: /cacerts
          {{- end }}
          - name: istio-csr-dns-cert
            mountPath: /var/run/secrets/istiod/tls
            readOnly: true
          - name: istio-csr-ca-configmap
            mountPath: /var/run/secrets/istiod/ca
            readOnly: true
          {{- with .Values.pilot.volumeMounts }}

      targetPort: 8443
      name: https
    - port: 31400
      targetPort: 31400
      name: tcp
      # This is the port where sni routing happens
    - port: 15443
      targetPort: 15443
      name: tls
    resources:
      requests:
        cpu: 10m

      targetPort: 8443
      name: https
    - port: 31400
      targetPort: 31400
      name: tcp
      # This is the port where sni routing happens
    - port: 15443
      targetPort: 15443
      name: tls
    resources:
      requests:
        cpu: 10m

      targetPort: 8443
      name: https
    - port: 31400
      targetPort: 31400
      name: tcp
      # This is the port where sni routing happens
    - port: 15443
      targetPort: 15443
      name: tls
    resources:
      requests:
        cpu: 10m

  // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real
  // kubelet.  If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the
  // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept
  // the actual log data coming from the real kubelet).
  // +optional

	registerStringParameter(constants.KubeCAFile, "", "CA file for kubeconfig. Defaults to the same as install-cni pod")
	registerBooleanParameter(constants.SkipTLSVerify, false, "Whether to use insecure TLS in kubeconfig file")
	registerIntegerParameter(constants.MonitoringPort, 15014, "HTTP port to serve prometheus metrics")

      # TODO: convert to real options, env should not be exposed
      env: {}
        # Set this to "external" if and only if you want the egress gateway to
        # act as a transparent SNI gateway that routes mTLS/TLS traffic to
        # external services defined using service entries, where the service
        # entry has resolution set to DNS, has one or more endpoints with