type SecretItem struct {
    CertificateChain []byte
    PrivateKey       []byte

    RootCert []byte

    // RootCertOwnedByCompoundSecret is true if this SecretItem was created by a
    // K8S secret having both server cert/key and client ca and should be deleted
    // with the secret.
    RootCertOwnedByCompoundSecret bool

    // ResourceName passed from envoy SDS discovery request.
    // "ROOTCA" for root cert request, "default" for key/cert request.
    ResourceName string

    // Credential token passed from envoy, caClient uses this token to send
    // CSR to CA to sign certificate.
    Token string

    // Version is used(together with token and ResourceName) to identify discovery request from
    // envoy which is used only for confirm purpose.
    Version string

    CreatedTime time.Time

    ExpireTime time.Time
}