This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.

	Workloads    map[string]*ZtunnelWorkload `json:"by_addr"`
	Services     map[string]*ZtunnelService  `json:"by_vip"`
	Certificates []*CertsDump                `json:"certificates"`
}

type CertsDump struct {
	Identity  string  `json:"identity"`
	State     string  `json:"state"`
	CertChain []*Cert `json:"cert_chain"`
}

type Cert struct {
	Pem            string `json:"pem"`
	SerialNumber   string `json:"serial_number"`

	if !ok {
		return nil, errors.New(`field "spec" is not a map`)
	}
	var mem hubMembership
	mem.WorkloadIdentityPool, ok = spec["workload_identity_pool"].(string)
	if !ok {
		return nil, errors.New(`field "spec.workload_identity_pool" is not a string`)
	}
	return &mem, nil
}

func mcpDialOptions(ctx context.Context, gcpProject string, k8sCreds credentials.PerRPCCredentials) ([]grpc.DialOption, error) {

	for _, secret := range secretDump {
		if strings.Contains(secret.State, "Unavailable") {
			secret.State = "Unavailable"
		}
		if len(secret.CertChain) == 0 {
			fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
				secret.Identity, valueOrNA(""), secret.State, false, valueOrNA(""), valueOrNA(""), valueOrNA(""))
		} else {
			for i, ca := range secret.CertChain {
				t := "Intermediate"
				if i == 0 {
					t = "Leaf"

  // items is a list of schema objects.
  repeated Lease items = 2;
}

// LeaseSpec is a specification of a Lease.
message LeaseSpec {
  // holderIdentity contains the identity of the holder of a current lease.
  // +optional
  optional string holderIdentity = 1;

  // leaseDurationSeconds is a duration that candidates for a lease need

// Identities are defined as:
//   - Network: A single stable DNS and hostname.
//   - Storage: As many VolumeClaims as requested.
//
// The StatefulSet guarantees that a given network identity will always
// map to the same storage identity.
message StatefulSet {
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec defines the desired identities of pods in this set.
  // +optional

will open a vanilla TLS HBONE tunnel (NOTE: this is not mTLS) to the Waypoint proxy and forward the traffic over that connection without presenting a client certificate. Therefore, it is absolutely critical that the waypoint proxy not assume any identity from incoming connections, even if the ztunnel is hairpinning. In other words, all traffic over TLS HBONE tunnels must be considered to be untrusted. From there, traffic is returned to the ztunnel (still over the TLS HBONE tunnel) and forwarded to...

  // items is a list of schema objects.
  repeated Lease items = 2;
}

// LeaseSpec is a specification of a Lease.
message LeaseSpec {
  // holderIdentity contains the identity of the holder of a current lease.
  // +optional
  optional string holderIdentity = 1;

  // leaseDurationSeconds is a duration that candidates for a lease need

                                  subjectAltNames:
                                    description: A list of alternate names to verify
                                      the subject identity in the certificate.
                                    items:
                                      type: string
                                    type: array
                                type: object

                                  subjectAltNames:
                                    description: A list of alternate names to verify
                                      the subject identity in the certificate.
                                    items:
                                      type: string
                                    type: array
                                type: object