assertSame(stringIdentityConverter, stringIdentityConverter.reverse());
    assertSame(STR_TO_LONG, stringIdentityConverter.andThen(STR_TO_LONG));

    assertSame(STR_VAL, stringIdentityConverter.convert(STR_VAL));
    assertSame(STR_VAL, stringIdentityConverter.reverse().convert(STR_VAL));

    assertEquals("Converter.identity()", stringIdentityConverter.toString());

This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.

- Kube-apiserver now maintains a Lease object to identify itself: 
  - The feature is under feature gate `APIServerIdentity`. 
  - Two flags are added to kube-apiserver: `identity-lease-duration-seconds`, `identity-lease-renew-interval-seconds` ([#95533](https://github.com/kubernetes/kubernetes/pull/95533), [@roycaihw](https://github.com/roycaihw)) [SIG API Machinery]

```

### Using WebIdentiy API

On another terminal run `web-identity.go` a sample client application which obtains JWT id_tokens from an identity provider, in our case its Keycloak. Uses the returned id_token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithWebIdentity`.

```

	StoreExtension = ".event"
)

// Identity represents access key who caused the event.
type Identity struct {
	PrincipalID string `json:"principalId"`
}

// Bucket represents bucket metadata of the event.
type Bucket struct {
	Name          string   `json:"name"`
	OwnerIdentity Identity `json:"ownerIdentity"`
	ARN           string   `json:"arn"`
}

		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSWebIdentityExpiredToken: {
		Code:           "ExpiredToken",
		Description:    "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSClientGrantsExpiredToken: {
		Code:           "ExpiredToken",

	// The issuing authority of the web identity token presented. For OpenID Connect
	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
	// this contains the value of the ProviderId parameter that was passed in the
	// AssumeRoleWithWebIdentity request.
	Provider string `xml:",omitempty"`

	// The unique user identifier that is returned by the identity provider.

            ArrayListMultimap.<String, Integer>create(), Functions.<Integer>identity())
        .asMap();
  }

  @Override
  protected Map<String, Collection<Integer>> makePopulatedMap() {
    ListMultimap<String, Integer> delegate = ArrayListMultimap.create();
    populate(delegate);
    return Multimaps.transformValues(delegate, Functions.<Integer>identity()).asMap();
  }

### 1. Fetch the root identity

As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \

operators, in increasing precedence:
</p>
<pre class="grammar">
|   alternation
()  grouping
[]  option (0 or 1 times)
{}  repetition (0 to n times)
</pre>

<p>
Lowercase production names are used to identify lexical (terminal) tokens.
Non-terminals are in CamelCase. Lexical tokens are enclosed in
double quotes <code>""</code> or back quotes <code>``</code>.
</p>

<p>