return "", fmt.Errorf("failed to unmarshall ROOTCA secret: %v", err)
	}
	var returnStr string
	var returnErr error
	rCASecret := secret.GetValidationContext()
	if rCASecret != nil {
		trustCA := rCASecret.GetTrustedCa()
		if trustCA != nil {
			inlineBytes := trustCA.GetInlineBytes()
			if inlineBytes != nil {
				returnStr = base64.StdEncoding.EncodeToString(inlineBytes)
				returnErr = nil
			} else {
				returnStr = ""

		return SecretItem{}, err
	}

	certChainSecret := secretTyped.
		GetTlsCertificate().
		GetCertificateChain().
		GetInlineBytes()
	caDataSecret := secretTyped.
		GetValidationContext().
		GetTrustedCa().
		GetInlineBytes()

	// seems as though the most straightforward way to tell whether this is a root ca or not
	// is to check whether the inline bytes of the cert chain or the trusted ca field is zero length