"targetPort"
"httpsRedirect"
"serverCertificate"
"privateKey"
"caCertificates"
"credentialName"
"subjectAltNames"
"verifyCertificateSpki"
"verifyCertificateHash"
"minProtocolVersion"
"maxProtocolVersion"
"cipherSuites"
"trafficPolicy"
"subsets"
"exportTo"
"loadBalancer"
"connectionPool"
"outlierDetection"
"portLevelSettings"
"labels"
"http"
"consecutiveGatewayErrors"
"consecutive5xxErrors"
"interval"

// body of a single-part PUT request.
func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader {
	r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.DARECiphers()})
	if err != nil {
		logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key"))
	}
	return r
}

}

// secureTLSCipherNames returns a list of secure cipher suite names implemented by crypto/tls.
func secureTLSCipherNames() []string {
	cipherKeys := sets.New[string]()
	for _, cipher := range tls.CipherSuites() {
		cipherKeys.Insert(cipher.Name)
	}
	return sets.SortedList(cipherKeys)
}

func validateFlags(serverArgs *bootstrap.PilotArgs) error {
	if serverArgs == nil {
		return nil
	}

		return
	}

	tlsConfig := &tls.Config{
		GetCertificate: s.getIstiodCertificate,
		MinVersion:     tls.VersionTLS12,
		CipherSuites:   args.ServerOptions.TLSOptions.CipherSuits,
	}
	// Compliance for control plane validation and injection webhook server.
	sec_model.EnforceGoCompliance(tlsConfig)

	return nil
}

func allCiphers() map[string]uint16 {
	acceptedCiphers := make(map[string]uint16, len(tls.CipherSuites())+len(tls.InsecureCipherSuites()))
	for _, cipher := range tls.InsecureCipherSuites() {
		acceptedCiphers[cipher.Name] = cipher.ID
	}
	for _, cipher := range tls.CipherSuites() {
		acceptedCiphers[cipher.Name] = cipher.ID
	}
	return acceptedCiphers
}

 * as part of MODERN_TLS or folded into the default OkHttp client once published and
 * available in JDK11 or Conscrypt.
 */
private val TLS_13 =
  ConnectionSpec.Builder(true)
    .cipherSuites(*TLS13_CIPHER_SUITES.toTypedArray())
    .tlsVersions(TlsVersion.TLS_1_3)
    .build()

private val TLS_12 =
  ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
    .tlsVersions(TlsVersion.TLS_1_2)
    .build()

		Hosts:        hosts,
		AddAuth:      newCachedAuthToken(),
		AuthRequest:  storageServerRequestValidate,
		BlockConnect: globalGridStart,
		TLSConfig: &tls.Config{
			RootCAs:          globalRootCAs,
			CipherSuites:     fips.TLSCiphers(),
			CurvePreferences: fips.TLSCurveIDs(),
		},
		// Record incoming and outgoing bytes.
		Incoming: globalConnStats.incInternodeInputBytes,
		Outgoing: globalConnStats.incInternodeOutputBytes,

		return nil
	}
	return fmt.Errorf("bad key (%s): should have format a[b]", key)
}

// ValidCipherSuites contains a list of all ciphers supported in Gateway.server.tls.cipherSuites
// Extracted from: `bssl ciphers -openssl-name ALL | rg -v PSK`
var ValidCipherSuites = sets.New(
	"ECDHE-ECDSA-AES128-GCM-SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384",