This should be a more flexible option since certificates aren't likely to be part of the actual workspace and may be environment-dependent. It also mirrors the kube_certificate, which is nice.
