systemNs, err := istio.ClaimSystemNamespace(ctx)
	if err != nil {
		return err
	}

	var caCert, caKey, certChain, rootCert []byte
	if caCert, err = ReadSampleCertFromFile(caCertFile); err != nil {
		return err
	}
	if caKey, err = ReadSampleCertFromFile(caKeyFile); err != nil {
		return err
	}
	if certChain, err = ReadSampleCertFromFile(certChainFile); err != nil {
		return err
	}

	}
	return cert.NotAfter, nil
}

// OutputKeyCertToDir output the key and certificate to the given directory.
// If directory string is empty, return nil.
func OutputKeyCertToDir(dir string, privateKey, certChain, rootCert []byte) error {
	var err error
	if len(dir) == 0 {
		return nil
	}

	certFileMode := os.FileMode(0o600)
	if k8sInCluster.Get() != "" {

		cert.UsageServerAuth,
	}
	if signerName == "" {
		return nil, nil, nil, fmt.Errorf("signerName is required for Kubernetes CA")
	}
	certChain, caCert, err := SignCSRK8s(client, csrPEM, signerName, usages, dnsName, caFilePath, approveCsr, true, requestedLifetime)

	return certChain, keyPEM, caCert, err
}

// SignCSRK8s generates a certificate from CSR using the K8s CA
// 1. Submit a CSR
// 2. Approve a CSR

}

func createCASecret(t test.Failer, client kube.Client) {
	var caCert, caKey, certChain, rootCert []byte
	var err error
	if caCert, err = readSampleCertFromFile("ca-cert.pem"); err != nil {
		t.Fatal(err)
	}
	if caKey, err = readSampleCertFromFile("ca-key.pem"); err != nil {
		t.Fatal(err)
	}
	if certChain, err = readSampleCertFromFile("cert-chain.pem"); err != nil {
		t.Fatal(err)
	}

	resp, err := c.client.CreateCertificate(ctx, req)
	if err != nil {
		return nil, fmt.Errorf("create certificate: %v", err)
	}

	if len(resp.CertChain) <= 1 {
		return nil, errors.New("invalid empty CertChain")
	}

	return resp.CertChain, nil
}

func (c *CitadelClient) getTLSOptions() *istiogrpc.TLSOptions {
	if c.tlsOpts != nil {
		return &istiogrpc.TLSOptions{

	WorkloadState map[string]WorkloadState `json:"workloadState"`
}

type CertsDump struct {
	Identity  string  `json:"identity"`
	State     string  `json:"state"`
	CertChain []*Cert `json:"certChain"`
}

type Cert struct {
	Pem            string `json:"pem"`
	SerialNumber   string `json:"serialNumber"`
	ValidFrom      string `json:"validFrom"`
	ExpirationTime string `json:"expirationTime"`

// CSRSign returns the certificate or errors depending on the settings.
func (c *CAClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
	atomic.AddUint64(&c.SignInvokeCount, 1)
	signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}
	subjectIDs := []string{"test"}

}

func (s *TestServer) UpdateSecret(name string, secret *ca2.SecretItem) {
	s.t.Helper()
	s.store.Set(name, secret)
	s.server.OnSecretUpdate(name)
}

type Expectation struct {
	ResourceName string
	CertChain    []byte
	Key          []byte
	RootCert     []byte
}

func (s *TestServer) extractPrivateKeyProvider(provider *tlsv3.PrivateKeyProvider) []byte {
	var cmb cryptomb.CryptoMbPrivateKeyMethodConfig

func FindRootCertFromCertificateChainBytes(certBytes []byte) ([]byte, error) {
	certChain, cert, err := ParsePemEncodedCertificateChain(certBytes)
	if err != nil {
		return nil, fmt.Errorf("error parsing root certificate: %s", err.Error())
	}
	rootCert := certChain[len(certChain)-1]

	if !rootCert.IsCA {
		return nil, fmt.Errorf("found root cert is not a ca type cert: %v", rootCert)
	}

func concatCerts(certsPEM []string) []byte {
	if len(certsPEM) == 0 {
		return []byte{}
	}
	var certChain bytes.Buffer
	for i, c := range certsPEM {
		certChain.WriteString(c)
		if i < len(certsPEM)-1 && !strings.HasSuffix(c, "\n") {
			certChain.WriteString("\n")
		}
	}
	return certChain.Bytes()
}

// UpdateConfigTrustBundle : Update the Configured Trust Bundle in the secret Manager client