CertChain []*Cert `json:"cert_chain"`
}

type Cert struct {
	Pem            string `json:"pem"`
	SerialNumber   string `json:"serial_number"`
	ValidFrom      string `json:"valid_from"`
	ExpirationTime string `json:"expiration_time"`

  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a
  // client needs to check the 'expiration' field in a response.
  // +optional
  optional int64 expirationSeconds = 4;

  // BoundObjectRef is a reference to an object that the token will be bound to.

the certificates are persisted to disk, rather than kept in memory like in the standard Kubernetes deployment.

## Certificate Rotation

The agent also handles rotating certificates near expiration. It does so by triggering a callback from the `SecretManager` to the SDS server

However, if a request needs a certain identity that we have not fetched yet, it will be immediately requested.

Ztunnel additionally will handle the rotation of these certificates (typically 24hr expiration) as they approach expiry.

## Telemetry

  // The CSI driver should parse and validate the following VolumeContext:
  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },
  //   ...
  // }
  //
  // Note: Audience in each TokenRequest should be different and at
  // most one token is empty string. To receive a new token after expiry,

  // The CSI driver should parse and validate the following VolumeContext:
  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },
  //   ...
  // }
  //
  // Note: Audience in each TokenRequest should be different and at
  // most one token is empty string. To receive a new token after expiry,

  //  4. Required, permitted, or forbidden key usages / extended key usages.
  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;

  // identifier of the apiserver.
  // +optional
  optional string audience = 1;

  // expirationSeconds is the requested duration of validity of the service
  // account token. As the token approaches expiration, the kubelet volume
  // plugin will proactively rotate the service account token. The kubelet will
  // start trying to rotate the token if the token is older than 80 percent of

  // query parameters (except for the value of continue) and the server may reject a continue value it
  // does not recognize. If the specified continue value is no longer valid whether due to expiration
  // (generally five to fifteen minutes) or a configuration change on the server, the server will
  // respond with a 410 ResourceExpired error together with a continue token. If the client needs a