// Provision and manage the certificates for non-Pilot services.
s.initCertController(args)
[s.initConfigController(args)](<https://cncamp.notion.site/s-initConfigController-args-6aeea6da20044480b20c62cc28be5d7b>)
[s.initServiceControllers(args)](<https://cncamp.notion.site/s-initServiceControllers-args-197e780387344d28b15834c330abe48c>)
s.initWorkloadTrustBundle(args) // controlled by ISTIO_MULTIROOT_MESH
s.initIstiodCerts() // Save the certificates to ./var/run/secrets/istio-dns. This is a memory-mounted dir.
s.initSecureDiscoveryService()-->
net.Listen("tcp", args.ServerOptions.SecureGRPCAddr)
s.XDSServer.Register(s.secureGrpcServer) // register grpc handler
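reflection.Register(s.secureGrpcServer) // also register the gRPC server reflection service, which lets clients list the services exposed on this server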
s.initSecureWebhookServer(args)
s.initSidecarInjector(args)
s.initConfigValidation(args)
s.initIstiodAdminServer(args, whc)
s.initRegistryEventHandlers()-->
s.ServiceController().AppendServiceHandler(serviceHandler) // s.XDSServer.ConfigUpdate(pushReq)
s.configController.RegisterEventHandler(schema.Resource().GroupVersionKind(), configHandler) //s.XDSServer.ConfigUpdate(pushReq)
// initDiscoveryService initializes the discovery server on the plaintext (non-TLS) port.
s.initDiscoveryService(args)
s.initSDSServer(args)-->
kubesecrets.NewMulticluster(s.kubeClient, s.clusterID, args.RegistryOptions.ClusterRegistriesNamespace, make(chan struct{}))-->
secretcontroller.StartSecretController()
// Start CA or RA server. This should be called after CA and Istiod certs have been created.
s.startCA(caOpts)
s.addReadinessProbe("discovery", func() (bool, error) {
return s.XDSServer.IsServerReady(), nil
})