Workloads    map[string]*ZtunnelWorkload `json:"by_addr"`
	Services     map[string]*ZtunnelService  `json:"by_vip"`
	Certificates []*CertsDump                `json:"certificates"`
}

type CertsDump struct {
	Identity  string  `json:"identity"`
	State     string  `json:"state"`
	CertChain []*Cert `json:"cert_chain"`
}

type Cert struct {
	Pem            string `json:"pem"`
	SerialNumber   string `json:"serial_number"`

	if !ok {
		return nil, errors.New(`field "spec" is not a map`)
	}
	var mem hubMembership
	mem.WorkloadIdentityPool, ok = spec["workload_identity_pool"].(string)
	if !ok {
		return nil, errors.New(`field "spec.workload_identity_pool" is not a string`)
	}
	return &mem, nil
}

func mcpDialOptions(ctx context.Context, gcpProject string, k8sCreds credentials.PerRPCCredentials) ([]grpc.DialOption, error) {

	for _, secret := range secretDump {
		if strings.Contains(secret.State, "Unavailable") {
			secret.State = "Unavailable"
		}
		if len(secret.CertChain) == 0 {
			fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
				secret.Identity, valueOrNA(""), secret.State, false, valueOrNA(""), valueOrNA(""), valueOrNA(""))
		} else {
			for i, ca := range secret.CertChain {
				t := "Intermediate"
				if i == 0 {
					t = "Leaf"

  // items is a list of schema objects.
  repeated Lease items = 2;
}

// LeaseSpec is a specification of a Lease.
message LeaseSpec {
  // holderIdentity contains the identity of the holder of a current lease.
  // +optional
  optional string holderIdentity = 1;

  // leaseDurationSeconds is a duration that candidates for a lease need

will open a vanilla TLS HBONE tunnel (NOTE: this is not mTLS) to the Waypoint proxy and forward the traffic over that connection without presenting a client certificate. Therefore, it is absolutely critical that the waypoint proxy not assume any identity from incoming connections, even if the ztunnel is hairpinning. In other words, all traffic over TLS HBONE tunnels must be considered to be untrusted. From there, traffic is returned to the ztunnel (still over the TLS HBONE tunnel) and forwarded to...

  // items is a list of schema objects.
  repeated Lease items = 2;
}

// LeaseSpec is a specification of a Lease.
message LeaseSpec {
  // holderIdentity contains the identity of the holder of a current lease.
  // +optional
  optional string holderIdentity = 1;

  // leaseDurationSeconds is a duration that candidates for a lease need

|CREDENTIAL_FETCHER_TYPE|allows using custom credential fetcher, for VMs with existing identity|
|CREDENTIAL_IDENTITY_PROVIDER|just used to control the audience for VMs with existing identity|
|PROXY_XDS_VIA_AGENT|use istio-agent to proxy XDS. True for all use cases now, likely can be always-on now or soon|

	Certificates  []*CertsDump                `json:"certificates"`
	WorkloadState map[string]WorkloadState    `json:"workloadState"`
}

type CertsDump struct {
	Identity  string  `json:"identity"`
	State     string  `json:"state"`
	CertChain []*Cert `json:"certChain"`
}

type Cert struct {
	Pem            string `json:"pem"`
	SerialNumber   string `json:"serialNumber"`

  // This field must only be set by the entity completing the attach
  // operation, i.e. the external-attacher.
  optional bool attached = 1;

  // attachmentMetadata is populated with any
  // information returned by the attach operation, upon successful attach, that must be passed
  // into subsequent WaitForAttach or Mount calls.
  // This field must only be set by the entity completing the attach

}

// TokenRequestSpec contains client provided parameters of a token request.
message TokenRequestSpec {
  // Audiences are the intendend audiences of the token. A recipient of a
  // token must identify themself with an identifier in the list of
  // audiences of the token, and otherwise should reject the token. A
  // token issued for multiple audiences may be used to authenticate