serviceAnnotations: {}
    serviceAccountAnnotations: {}
    topologySpreadConstraints: []
    # You can use jwksResolverExtraRootCA to provide a root certificate
    # in PEM format. This will then be trusted by pilot when resolving
    # JWKS URIs.
    jwksResolverExtraRootCA: ""
    # This is used to set the source of configuration for
    # the associated address in configSource, if nothing is specified

 *  Fix: Handshake now returns peer certificates in canonical order: each certificate is signed by
    the certificate that follows and the last certificate is signed by a trusted root.

 *  Fix: Don't lose HTTP/2 flow control bytes when incoming data races with a stream close. If this
    happened enough then eventually the connection would stall.

## Previous tools

### <a href="https://www.djangoproject.com/" class="external-link" target="_blank">Django</a>

It's the most popular Python framework and is widely trusted. It is used to build systems like Instagram.

    `EventSourceListener.onOpen()`.
 *  Fix: Enforce the max intermediates constraint when using pinned certificates with Conscrypt.
    This impacts Conscrypt when the server's presented certificates form both a trusted-but-unpinned
    chain and an untrusted-but-pinned chain.
 *  Upgrade: [Kotlin 1.6.10][kotlin_1_6_10].


## Version 5.0.0-alpha.3

_2021-11-22_

          "secret": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
            "name": "ROOTCA",
            "validation_context": {
              "trusted_ca": {

          this.routeDatabase = null
        }

        this.hostnameVerifier = hostnameVerifier
      }

    /**
     * Sets the certificate pinner that constrains which certificates are trusted. By default HTTPS
     * connections rely on only the [SSL socket factory][sslSocketFactory] to establish trust.
     * Pinning certificates avoids the need to trust certificate authorities.
     */

ISTIO_META_ENABLE_HBONE: "true" variant: distroless pilot: variant: distroless env: # Setup more secure default that is off in 'default' only for backwards compatibility VERIFY_CERTIFICATE_AT_CLIENT: "true" ENABLE_AUTO_SNI: "true" PILOT_ENABLE_HBONE: "true" CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" cni: logLevel: info privileged: true ambient: enabled: true # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod,...

  - The requested name did not match the set of authorized names (`x509.HostnameError`)
  - The error surfaced after attempting a connection contained one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority". ([#120736](https://github.com/kubernetes/kubernetes/pull/120736), [@MadhavJivrajani](https://github.com/MadhavJivrajani))

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120767](https://github.com/kubernetes/kubernetes/pull/120767), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120768](https://github.com/kubernetes/kubernetes/pull/120768), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]