- port: 15011
              name: grpc-pilot-mtls
            - port: 8060
              targetPort: 8060
              name: tcp-citadel-grpc-tls
            # Port 5353 is forwarded to kube-dns
            - port: 5353
              name: tcp-dns
          overlays:
            - kind: Deployment
              name: ilb-gateway
              patches:

// CA private key. Only called by a self-signed Citadel.
func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error) {
	if !options.IsSelfSigned || len(options.SignerPrivPem) == 0 {
		return nil, nil, fmt.Errorf("skip cert " +
			"generation. Citadel is not in self-signed mode or CA private key is not " +
			"available")
	}

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package citadel

import (
	"testing"

	"istio.io/istio/tests/util/leak"
)

func TestMain(m *testing.M) {
	// CheckMain asserts that no goroutines are leaked after a test package exits.
	leak.CheckMain(m)

    - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code,
including Citadel (acting as Certificate Authority), citadel agent, etc.

- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains
extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of

	}
	a, err := i.InternalDiscoveryAddressFor(c)
	if err != nil {
		return Cert{}, err
	}
	client, err := newCitadelClient(a, []byte(rootCert))
	if err != nil {
		return Cert{}, fmt.Errorf("creating citadel client: %v", err)
	}
	req := &pb.IstioCertificateRequest{
		Csr:              string(csrPEM),
		ValidityDuration: int64((time.Hour * 24 * 7).Seconds()),
	}

metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      serviceAccountName: vault-citadel-sa
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent

## Configuration

| Variable | Description |
| - | - |
|CA_ADDR|Address of CA, defaults to discoveryAddress|
|CA_PROVIDER|Type of CA; supported values are GoogleCA or Citadel (although anything but GoogleCA will use Citadel); defaults to Citadel|
|PROV_CERT|certificates to be used for mTLS communication with control plane only; NOT for workload mTLS|

  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: vault-citadel-sa    
      containers:
      - image: docker.io/kong/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        # Same as found in Dockerfile's CMD but using an unprivileged port
        command:

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"

	"istio.io/istio/pkg/log"
)

var k8sControllerLog = log.RegisterScope("secretcontroller", "Citadel kubernetes controller log")

// CaSecretController manages the self-signed signing CA secret.
type CaSecretController struct {
	client corev1.CoreV1Interface
}

	},
	{
		Component: "Injector",
		Revision:  "default",
		Info:      BuildInfo{"1.2.0", "gitSHAabc", "go1.10.1", "Modified", "tag"},
	},
	{
		Component: "Citadel",
		Revision:  "default",
		Info:      BuildInfo{"1.2.0", "gitSHA321", "go1.11.0", "Clean", "tag"},
	},
}

var meshInfoMultiVersion = MeshInfo{
	{
		Component: "Pilot",
		Revision:  "default",