Deprecate retry_bootstrap (#6050 )

* Deprecate retry_bootstrap Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Wait for server to come up before using it (#6174 )
2025-07-10 10:06:38 -03:00 · 2025-07-09 07:19:04 +01:00 · 2025-07-08 22:41:56 +01:00 · 2025-07-08 21:43:37 +01:00 · 2025-07-07 20:21:53 +01:00 · 2025-07-04 16:14:29 -03:00
520 changed files with 10838 additions and 7529 deletions
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -25,7 +25,7 @@ jobs:
        with:
          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Build images
        run: make images
      - name: Log in to GHCR
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -21,11 +21,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -45,16 +45,16 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -82,11 +82,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -106,11 +106,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -130,11 +130,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
@ -146,7 +146,7 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-linux
          path: ./artifacts/
@ -164,29 +164,29 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build images
        run: make images-no-load
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -204,10 +204,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Load cached executables
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -215,7 +215,7 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz
@ -239,10 +239,9 @@ jobs:
    outputs:
      test: ${{ steps.set-matrix.outputs.test }}
  
-
  integration:
-    name: integration (linux)
-    runs-on: ubuntu-22.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
    timeout-minutes: 45

@ -252,8 +251,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -264,18 +269,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -294,13 +299,12 @@ jobs:
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

-
-
  integration-k8s:
-    name: integration-k8s
-    runs-on: ubuntu-22.04
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images, build-matrix]
    timeout-minutes: 45

@ -310,10 +314,18 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-         num_runners: [1]
-         runner_id: [1]
-         #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
-         test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -324,18 +336,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -381,22 +393,22 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -431,12 +443,12 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Setup dep cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -464,22 +476,22 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -513,17 +525,17 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -553,22 +565,22 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -577,21 +589,21 @@ jobs:
      - name: Build binaries
        run: make build
      - name: Setup executables cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-windows
          path: ./artifacts/

  success:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    timeout-minutes: 30
    permissions:
      contents: read
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -15,11 +15,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -38,16 +38,16 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -74,11 +74,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -97,11 +97,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -121,11 +121,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
@ -137,7 +137,7 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-linux
          path: ./artifacts/
@ -154,16 +154,16 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -172,7 +172,7 @@ jobs:
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -189,10 +189,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Load cached executables
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -200,7 +200,7 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz
@ -225,9 +225,10 @@ jobs:
      test: ${{ steps.set-matrix.outputs.test }}

  integration:
-    name: integration (linux)
-    runs-on: ubuntu-22.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
+    timeout-minutes: 45

    permissions:
      contents: read
@ -235,8 +236,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -256,18 +263,18 @@ jobs:
      - name: Fix tag annotations
        run: git fetch --tags --force
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -285,14 +292,15 @@ jobs:
          NUM_RUNNERS: ${{ matrix.num_runners }}
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
          # We don't need to specify CICD_TARGET_BRANCH since the upgrade
          # integration test will detect the annotated tag for version checking.
          # CICD_TARGET_BRANCH:
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

  integration-k8s:
-    name: integration-k8s
-    runs-on: ubuntu-22.04
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images, build-matrix]
    timeout-minutes: 45

@ -302,10 +310,18 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-         num_runners: [1]
-         runner_id: [1]
-         #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
-         test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -316,18 +332,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -366,21 +382,21 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -409,11 +425,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -435,21 +451,21 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -477,16 +493,16 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -510,21 +526,21 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@c52d1fa9c7492275e60fe763540fb601f5f232a1 # v2.25.0
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -535,19 +551,19 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Setup executables cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-windows
          path: ./artifacts/

  publish-artifacts:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: write

@ -579,7 +595,7 @@ jobs:

  publish-images:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: read
      id-token: write
@ -593,7 +609,7 @@ jobs:
        with:
          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
--- a/.github/workflows/scripts/find_k8s.sh
+++ b/.github/workflows/scripts/find_k8s.sh
@ -23,6 +23,13 @@
          
          declare -A tags_map
          for element in "${tags_sorted[@]}"; do
+            # Skip 1.32.1 until either a new version of kind is released the problem
+            # with the kindest/node:1.32.1 image is fixed. See upstream kind issue:
+            # https://github.com/kubernetes-sigs/kind/issues/3853
+            if [[ "$element" == "v1.32.1" ]]; then
+              continue
+            fi
+
            # Element is in this form: "X.XX.YY"
            # If not, continue
            num_dots=$(echo "$element" | grep -o '\.' | wc -l)
--- a/.github/workflows/stalebot.yaml
+++ b/.github/workflows/stalebot.yaml
@ -16,7 +16,24 @@ jobs:
        days-before-issue-stale: 365 # 1 year
        days-before-issue-close: 30
        stale-issue-label: "stale"
+        exempt-issue-labels: "blocked" # Ignore blocked issues
        stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
        close-issue-message: "This issue was closed because it has been inactive for 30 days since being marked as stale."
        days-before-pr-stale: -1 # Don't handle PRs
        days-before-pr-close: -1 # Don't handle PRs
+
+  process-stale-blocked-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+      with:
+        only-labels: "blocked"
+        days-before-issue-stale: 30
+        days-before-issue-close: -1 # Don't close blocked issues
+        stale-issue-label: "stale"
+        stale-issue-message: "This issue has been in the blocked state for 30 days, marking as stale so the blocking issue is re-checked."
+        days-before-pr-stale: -1 # Don't handle PRs
+        days-before-pr-close: -1 # Don't handle PRs
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.23.2
+1.24.4
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,34 +1,87 @@
+version: "2"
 run:
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 12m
-
-issues:
-  exclude-dirs:
-    - testdata$
-    - test/mock
-  exclude-files:
-    - ".*\\.pb\\.go"
-
 linters:
  enable:
    - bodyclose
+    - copyloopvar
    - durationcheck
    - errorlint
-    - goimports
-    - revive
+    - exptostd
+    - gocritic
    - gosec
+    - intrange
+    - mirror
    - misspell
    - nakedret
+    - nilnesserr
+    - nolintlint
+    - predeclared
+    - reassign
+    - revive
    - unconvert
    - unparam
+    - wastedassign
    - whitespace
-    - gocritic
-    - nolintlint
-
-linters-settings:
-  revive:
-    # minimal confidence for issues, default is 0.8
-    confidence: 0.0
+  settings:
+    govet:
+      enable:
+        - sortslice
+        - unusedwrite
+    revive:
+      confidence: 0
+      rules:
+        - name: atomic
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: datarace
+        - name: error-naming
+        - name: error-return
+        - name: errorf
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: optimize-operands-order
+        - name: range
+        - name: receiver-naming
+        - name: redundant-import-alias
+        - name: redundant-test-main-exit
+        - name: string-of-int
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unnecessary-stmt
+        - name: unreachable-code
+        - name: use-any
+        - name: use-errors-new
+        - name: useless-break
+        - name: var-declaration
+        - name: waitgroup-by-value
+    staticcheck:
+      checks:
+        - all
+        - -ST1003
+        - -QF1001
+        - -QF1008
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: unused-parameter
-        disabled: true
+      - linters:
+          - gosec
+        path: (.*_test\.go$)|(^test/.*)
+        text: integer overflow conversion
+      - linters:
+          - revive
+        text: Import alias "v1" is redundant
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
--- a/.spire-tool-versions
+++ b/.spire-tool-versions
@ -1,3 +1,3 @@
-golangci_lint v1.60.1
+golangci-lint v2.1.6
 markdown_lint v0.37.0
-protoc 24.4
+protoc 29.4
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,146 @@
 # Changelog

+## [1.12.4] - 2025-07-01
+
+### Added
+
+- `k8s_configmap` BundlePublisher plugin (#6105, #6139)
+- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
+- Integration tests running on ARM64 platform (#6059)
+- The OIDC Discovery Provider can now read the trust bundle from a file (#6025)
+
+### Changed
+
+- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (#6128)
+- Improvements in lookup performance for entries (#6100, #6034)
+- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (#6065)
+
+### Fixed
+
+- The `subject_types_supported` value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
+- SPIRE Server gRPC servers are now gracefully stopped (#6076)
+
+## [1.12.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.12.2] - 2025-05-19
+
+### Fixed
+
+- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)
+
+## [1.12.1] - 2025-05-06
+
+### Added
+
+- Support for Unix sockets in trust bundle URLs (#5932)
+- Documentation improvements and additions (#5989, #6012)
+
+### Changed
+
+- `sql_transaction_timeout` replaced by `event_timeout` and value reduced to 15 minutes (#5966)
+- Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
+- Improved error messages when retrieving CGroups (#6030).
+
+### Fixed
+
+- Corrected invalid `user-agent` value in OIDC Discovery Provider debug logs (#5981).
+
+## [1.12.0] - 2025-03-21
+
+### Added
+
+- Support for any S3 compatible object storage such as MinIO in the `aws_s3` BundlePublisher plugin (#5757)
+- Support for Rego V1 in the authorization policy engine (#5769)
+- Support for SAN-based selectors in the `x509pop` NodeAttestor plugin (#5775)
+
+### Changed
+
+- Agents now use the SyncAuthorizedEntries API for periodically synchronization of authorized entries by default (#5906)
+- Timestamps in logs are now formatted to include nanoseconds (#5798)
+- Improved entry lookup performance in NewJWTSVID and BatchNewX509SVID server RPCs (#5819)
+- Increased the maximum number of idle database connections to 100 (#5853)
+- The maximum idle time per database connection is now set to 30 seconds (#5853)
+- Small documentation improvements (#5873, #5876)
+- The experimental events-based cache now supports reading events from read-only replicas when data staleness is tolerated, enhancing read performance (#5911)
+- The `use_legacy_downstream_x509_ca_ttl` server setting is now set to false by default (#5917)
+
+### Deprecated
+
+- `use_sync_authorized_entries` experimental agent setting (#5906)
+- `use_legacy_downstream_x509_ca_ttl` server setting (#5917)
+
+### Removed
+
+- The deprecated `k8s_sat` NodeAttestor plugin (#5703)
+
+### Fixed
+
+- Issue where agents did not receive entry updates when new entries with the same entry ID were created while `use_sync_authorized_entries` was enabled (#5764)
+
+## [1.11.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.11.2] - 2025-02-13
+
+### Added
+
+- `gcp_secretmanager` SVIDStore plugin now supports specifying the regions where secrets are created (#5718)
+- Support for expanding environment variables in the OIDC Discovery Provider configuration (#5689)
+- Support for optionally enabling `trust_domain` label for all metrics (#5673)
+- The JWKS URI returned in the discovery document can now be configured in the OIDC Discovery Provider (#5690)
+- A server path prefix can now be specified in the OIDC Discovery Provider (#5690)
+
+### Changed
+
+- Small documentation improvements (#5809, #5720)
+
+### Fixed
+
+- Regression in the hydration of the experimental event-based cache that caused a delay in availability (#5842)
+- Do not log an error when the Envoy SDS v3 API connection has been closed cleanly (#5835)
+- SVIDStore plugins to properly parse metadata in entry selectors containing ':' characters (#5750)
+- Compatibility with deployments that use a server port other than 443 when the `jwt_issuer` configuration is set in the OIDC Discovery Provider (#5690)
+- Domain verification is now properly done when setting the `jwt_issuer` configuration in the OIDC Discovery Provider (#5690)
+
+### Security
+
+- Fixed to properly call the CompareObjectHandles function when it's available on Windows systems, as an extra security measure in the peertracker (#5749)
+
+## [1.11.1] - 2024-12-12
+
+### Added
+
+- The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
+- The JWT-SVID cache in the agent is now configurable (#5633)
+- The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)
+
+### Changed
+
+- CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)
+
+### Fixed
+
+- Spelling and grammar fixes (#5571)
+- Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
+- Link to Telemetry documentation in the Contributing guide (#5650)
+- Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)
+
+### Known Issues
+
+- Setting the new `jwt_issuer` configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (#5696)
+- Domain verification is bypassed when setting the new `jwt_issuer` configuration property in oidc-discovery-provider (#5697)
+
 ## [1.11.0] - 2024-10-24

 ### Added
--- a/14
+++ b/14
@ -1,27 +1,27 @@
-* @evan2645 @amartinezfayo @azdagron @MarcosDY @rturner3
+* @evan2645 @amartinezfayo @sorindumitru @MarcosDY @rturner3

 ##########################################
 # Maintainers
 ##########################################

 # Evan Gilman
-# VMware, Inc
+# SPIRL, Inc.
 # @evan2645

 # Agustin Martínez Fayó
 # Hewlett-Packard Enterprise	
 # @amartinezfayo

-# Andrew Harding
-# VMware, Inc
-# @azdagron
+# Sorin Dumitru
+# Bloomberg L.P.
+# @sorindumitru

 # Marcos Yacob
 # Hewlett-Packard Enterprise
 # @MarcosDY

 # Ryan Turner
-# Uber Technologies, Inc
+# Cielara AI
 # @rturner3

 ##########################################
@ -29,5 +29,5 @@
 ##########################################

 # Umair Khan
-# Hewlett-Packard Enterprise
+# Stacklet, Inc.
 # @umairmkhan
--- a/2
+++ b/2
@ -2,7 +2,7 @@

 # Build stage
 ARG goversion
-FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.20 as base
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.22 as base
 WORKDIR /spire
 RUN apk --no-cache --update add file bash clang lld pkgconfig git make
 COPY go.* ./
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM ubuntu:xenial
+FROM ubuntu:24.04
 WORKDIR /spire
 RUN apt-get update && apt-get -y install \
    curl unzip git build-essential ca-certificates libssl-dev
--- a/28
+++ b/28
@ -32,6 +32,7 @@ help:
 	@echo "  $(cyan)race-test$(reset)                             - run unit tests with race detection"
 	@echo "  $(cyan)integration$(reset)                           - run integration tests (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
+	@echo "                                          and 'IGNORE_SUITES' variable for ignoring tests"
 	@echo "                                          e.g. SUITES='suites/join-token suites/k8s' make integration"
 	@echo "  $(cyan)integration-windows$(reset)                   - run integration tests for windows (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
@ -103,6 +104,8 @@ else
 $(error unsupported ARCH: $(arch1))
 endif

+ignore_suites := $(IGNORE_SUITES)
+
 ############################################################################
 # Docker TLS detection for buildx
 ############################################################################
@ -136,9 +139,8 @@ endif

 go_path := PATH="$(go_bin_dir):$(PATH)"

-golangci_lint_version := $(shell awk '/golangci_lint/{print $$2}' .spire-tool-versions)
+golangci_lint_version := $(shell awk '/golangci-lint/{print $$2}' .spire-tool-versions)
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
-golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache

 markdown_lint_version := $(shell awk '/markdown_lint/{print $$2}' .spire-tool-versions)
@ -310,11 +312,11 @@ integration:
 ifeq ($(os1), windows)
 	$(error Integration tests are not supported on windows)
 else
-	$(E)$(go_path) ./test/integration/test.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test.sh $(SUITES)
 endif

 integration-windows:
-	$(E)$(go_path) ./test/integration/test-windows.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test-windows.sh $(SUITES)

 #############################################################################
 # Docker Images
@ -402,8 +404,11 @@ endif

 lint: lint-code lint-md

-lint-code: $(golangci_lint_bin)
-	$(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
+lint-code: | go-check
+	$(E)mkdir -p $(golangci_lint_cache)
+	$(E)$(go_path) GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" \
+		go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(golangci_lint_version) \
+		run --max-issues-per-linter=0 --max-same-issues=0 ./...

 lint-md:
 	$(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md"
@ -507,7 +512,7 @@ endif
 go-bin-path: go-check
 	@echo "$(go_bin_dir):${PATH}"

-install-toolchain: install-protoc install-golangci-lint install-protoc-gen-go install-protoc-gen-doc | go-check
+install-toolchain: install-protoc install-protoc-gen-go | go-check

 install-protoc: $(protoc_bin)

@ -517,15 +522,6 @@ $(protoc_bin):
 	$(E)mkdir -p $(protoc_dir)
 	$(E)curl -sSfL $(protoc_url) -o $(build_dir)/tmp.zip; unzip -q -d $(protoc_dir) $(build_dir)/tmp.zip; rm $(build_dir)/tmp.zip

-install-golangci-lint: $(golangci_lint_bin)
-
-$(golangci_lint_bin): | go-check
-	@echo "Installing golangci-lint $(golangci_lint_version)..."
-	$(E)rm -rf $(dir $(golangci_lint_dir))
-	$(E)mkdir -p $(golangci_lint_dir)
-	$(E)mkdir -p $(golangci_lint_cache)
-	$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
-
 install-protoc-gen-go: $(protoc_gen_go_bin)

 $(protoc_gen_go_bin): | go-check
--- a/README.md
+++ b/README.md
@ -61,8 +61,8 @@ The SPIFFE community maintains the SPIRE project. Information on the various SIG
 A third party security firm ([Cure53](https://cure53.de/)) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the [CNCF Technical Advisory Group for Security](https://github.com/cncf/tag-security) conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

 - [Cure53 Security Audit Report](doc/cure53-report.pdf)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/assessments/projects/spiffe-spire/self-assessment.md)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/community/assessments/projects/spiffe-spire)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/community/assessments/projects/spiffe-spire/self-assessment.md)
 - [Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security](https://blog.spiffe.io/scrutinizing-spire-security-9c82ba542019)

 ### Reporting Security Vulnerabilities
--- a/cmd/spire-agent/cli/api/api_test.go
+++ b/cmd/spire-agent/cli/api/api_test.go
@ -15,9 +15,9 @@ import (
 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/x509util"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeworkloadapi"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/testca"
@ -416,9 +416,10 @@ func TestValidateJWTCommand(t *testing.T) {
 						Claims: &structpb.Struct{
 							Fields: map[string]*structpb.Value{
 								"aud": {
-									Kind: &structpb.Value_ListValue{ListValue: &structpb.ListValue{
-										Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
-									},
+									Kind: &structpb.Value_ListValue{
+										ListValue: &structpb.ListValue{
+											Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
+										},
 									},
 								},
 							},
@ -504,7 +505,7 @@ func setupTest(t *testing.T, newCmd func(env *commoncli.Env, clientMaker workloa
 	}, newWorkloadClient)

 	test := &apiTest{
-		addr:        common.GetAddr(addr),
+		addr:        clitest.GetAddr(addr),
 		stdin:       stdin,
 		stdout:      stdout,
 		stderr:      stderr,
@ -538,7 +539,7 @@ func (s *apiTest) afterTest(t *testing.T) {
 }

 func (s *apiTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 func assertOutputBasedOnFormat(t *testing.T, format, stdoutString, expectedStdoutJSON string, expectedStdoutPretty ...string) {
--- a/cmd/spire-agent/cli/api/common.go
+++ b/cmd/spire-agent/cli/api/common.go
@ -28,7 +28,7 @@ func newWorkloadClient(ctx context.Context, addr net.Addr, timeout time.Duration
 	if err != nil {
 		return nil, err
 	}
-	conn, err := util.GRPCDialContext(ctx, target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/spire-agent/cli/healthcheck/healthcheck.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck.go
@ -79,7 +79,7 @@ func (c *healthCheckCommand) run() error {
 	if err != nil {
 		return err
 	}
-	conn, err := util.GRPCDialContext(context.Background(), target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return err
 	}
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@ -2,13 +2,11 @@ package run

 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
@ -26,10 +24,9 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/mitchellh/cli"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
-	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/config"
@ -37,7 +34,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/pkg/common/tlspolicy"
 )
@ -55,9 +51,6 @@ const (
 	defaultDefaultAllBundlesName       = "ALL"
 	defaultDisableSPIFFECertValidation = false

-	bundleFormatPEM    = "pem"
-	bundleFormatSPIFFE = "spiffe"
-
 	minimumAvailabilityTarget = 24 * time.Hour
 )

@ -74,7 +67,7 @@ type agentConfig struct {
 	DataDir                       string    `hcl:"data_dir"`
 	AdminSocketPath               string    `hcl:"admin_socket_path"`
 	InsecureBootstrap             bool      `hcl:"insecure_bootstrap"`
-	RetryBootstrap                bool      `hcl:"retry_bootstrap"`
+	RetryBootstrap                *bool     `hcl:"retry_bootstrap"`
 	JoinToken                     string    `hcl:"join_token"`
 	LogFile                       string    `hcl:"log_file"`
 	LogFormat                     string    `hcl:"log_format"`
@ -87,6 +80,7 @@ type agentConfig struct {
 	WorkloadX509SVIDKeyType       string    `hcl:"workload_x509_svid_key_type"`
 	TrustBundleFormat             string    `hcl:"trust_bundle_format"`
 	TrustBundlePath               string    `hcl:"trust_bundle_path"`
+	TrustBundleUnixSocket         string    `hcl:"trust_bundle_unix_socket"`
 	TrustBundleURL                string    `hcl:"trust_bundle_url"`
 	TrustDomain                   string    `hcl:"trust_domain"`
 	AllowUnauthenticatedVerifiers bool      `hcl:"allow_unauthenticated_verifiers"`
@ -121,7 +115,7 @@ type experimentalConfig struct {
 	SyncInterval             string `hcl:"sync_interval"`
 	NamedPipeName            string `hcl:"named_pipe_name"`
 	AdminNamedPipeName       string `hcl:"admin_named_pipe_name"`
-	UseSyncAuthorizedEntries bool   `hcl:"use_sync_authorized_entries"`
+	UseSyncAuthorizedEntries *bool  `hcl:"use_sync_authorized_entries"`
 	RequirePQKEM             bool   `hcl:"require_pq_kem"`

 	Flags fflag.RawConfig `hcl:"feature_flags"`
@ -262,16 +256,32 @@ func (c *agentConfig) validate() error {
 		return errors.New("only one of trust_bundle_url or trust_bundle_path can be specified, not both")
 	}

-	if c.TrustBundleFormat != bundleFormatPEM && c.TrustBundleFormat != bundleFormatSPIFFE {
-		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", bundleFormatPEM, bundleFormatSPIFFE)
+	if c.TrustBundleFormat != trustbundlesources.BundleFormatPEM && c.TrustBundleFormat != trustbundlesources.BundleFormatSPIFFE {
+		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE)
 	}

+	if c.TrustBundleUnixSocket != "" && c.TrustBundleURL == "" {
+		return errors.New("if trust_bundle_unix_socket is specified, so must be trust_bundle_url")
+	}
 	if c.TrustBundleURL != "" {
 		u, err := url.Parse(c.TrustBundleURL)
 		if err != nil {
 			return fmt.Errorf("unable to parse trust bundle URL: %w", err)
 		}
-		if u.Scheme != "https" {
+		if c.TrustBundleUnixSocket != "" {
+			if u.Scheme != "http" {
+				return errors.New("trust bundle URL must start with http:// when used with trust bundle unix socket")
+			}
+			params := u.Query()
+			for key := range params {
+				if strings.HasPrefix(key, "spiffe-") {
+					return errors.New("trust_bundle_url query params can not start with spiffe-")
+				}
+				if strings.HasPrefix(key, "spire-") {
+					return errors.New("trust_bundle_url query params can not start with spire-")
+				}
+			}
+		} else if u.Scheme != "https" {
 			return errors.New("trust bundle URL must start with https://")
 		}
 	}
@ -319,6 +329,7 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags := flag.NewFlagSet(name, flag.ContinueOnError)
 	flags.SetOutput(output)
 	c := &agentConfig{}
+	retryBootstrap := false

 	flags.StringVar(&c.ConfigPath, "config", defaultConfigPath, "Path to a SPIRE config file")
 	flags.StringVar(&c.DataDir, "dataDir", "", "A directory the agent can use for its runtime data")
@ -332,10 +343,10 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags.StringVar(&c.TrustDomain, "trustDomain", "", "The trust domain that this agent belongs to")
 	flags.StringVar(&c.TrustBundlePath, "trustBundle", "", "Path to the SPIRE server CA bundle")
 	flags.StringVar(&c.TrustBundleURL, "trustBundleUrl", "", "URL to download the SPIRE server CA bundle")
-	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", bundleFormatPEM, bundleFormatSPIFFE))
+	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE))
 	flags.BoolVar(&c.AllowUnauthenticatedVerifiers, "allowUnauthenticatedVerifiers", false, "If true, the agent permits the retrieval of X509 certificate bundles by unregistered clients")
 	flags.BoolVar(&c.InsecureBootstrap, "insecureBootstrap", false, "If true, the agent bootstraps without verifying the server's identity")
-	flags.BoolVar(&c.RetryBootstrap, "retryBootstrap", false, "If true, the agent retries bootstrap with backoff")
+	flags.BoolVar(&retryBootstrap, "retryBootstrap", true, "If true, the agent retries bootstrap with backoff")
 	flags.BoolVar(&c.ExpandEnv, "expandEnv", false, "Expand environment variables in SPIRE config file")

 	c.addOSFlags(flags)
@ -345,6 +356,12 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 		return nil, err
 	}

+	flags.Visit(func(f *flag.Flag) {
+		if f.Name == "retryBootstrap" {
+			c.RetryBootstrap = &retryBootstrap
+		}
+	})
+
 	return c, nil
 }

@ -370,87 +387,6 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
 	return c, nil
 }

-func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
-	switch trustBundleContentType {
-	case bundleFormatPEM:
-		bundle, err := pemutil.ParseCertificates(bundleBytes)
-		if err != nil {
-			return nil, err
-		}
-		return bundle, nil
-	case bundleFormatSPIFFE:
-		bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
-		}
-		return bundle.X509Authorities(), nil
-	}
-
-	return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
-}
-
-func downloadTrustBundle(trustBundleURL string) ([]byte, error) {
-	// Download the trust bundle URL from the user specified URL
-	// We use gosec -- the annotation below will disable a security check that URLs are not tainted
-	/* #nosec G107 */
-	resp, err := http.Get(trustBundleURL)
-	if err != nil {
-		return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
-	}
-	pemBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	return pemBytes, nil
-}
-
-func setupTrustBundle(ac *agent.Config, c *Config) error {
-	// Either download the trust bundle if TrustBundleURL is set, or read it
-	// from disk if TrustBundlePath is set
-	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
-
-	var bundleBytes []byte
-	var err error
-
-	switch {
-	case c.Agent.TrustBundleURL != "":
-		bundleBytes, err = downloadTrustBundle(c.Agent.TrustBundleURL)
-		if err != nil {
-			return err
-		}
-	case c.Agent.TrustBundlePath != "":
-		bundleBytes, err = loadTrustBundle(c.Agent.TrustBundlePath)
-		if err != nil {
-			return fmt.Errorf("could not parse trust bundle: %w", err)
-		}
-	default:
-		// If InsecureBootstrap is configured, the bundle is not required
-		if ac.InsecureBootstrap {
-			return nil
-		}
-	}
-
-	bundle, err := parseTrustBundle(bundleBytes, c.Agent.TrustBundleFormat)
-	if err != nil {
-		return err
-	}
-
-	if len(bundle) == 0 {
-		return errors.New("no certificates found in trust bundle")
-	}
-
-	ac.TrustBundle = bundle
-
-	return nil
-}
-
 func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
 	ac := &agent.Config{}

@ -458,8 +394,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		return nil, err
 	}

-	ac.RetryBootstrap = c.Agent.RetryBootstrap
-
 	if c.Agent.Experimental.SyncInterval != "" {
 		var err error
 		ac.SyncInterval, err = time.ParseDuration(c.Agent.Experimental.SyncInterval)
@ -468,8 +402,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		}
 	}

-	ac.UseSyncAuthorizedEntries = c.Agent.Experimental.UseSyncAuthorizedEntries
-
 	serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
 	ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)

@ -499,6 +431,18 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		ac.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
 	}

+	ac.RetryBootstrap = true
+	if c.Agent.RetryBootstrap != nil {
+		ac.Log.Warn("The 'retry_bootstrap' configuration is deprecated. It will be removed in SPIRE 1.14. Please test without the flag before upgrading.")
+		ac.RetryBootstrap = *c.Agent.RetryBootstrap
+	}
+
+	ac.UseSyncAuthorizedEntries = true
+	if c.Agent.Experimental.UseSyncAuthorizedEntries != nil {
+		ac.Log.Warn("The 'use_sync_authorized_entries' configuration is deprecated. The option to disable it will be removed in SPIRE 1.13.")
+		ac.UseSyncAuthorizedEntries = *c.Agent.Experimental.UseSyncAuthorizedEntries
+	}
+
 	if c.Agent.X509SVIDCacheMaxSize < 0 {
 		return nil, errors.New("x509_svid_cache_max_size should not be negative")
 	}
@ -538,11 +482,16 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation

-	err = setupTrustBundle(ac, c)
-	if err != nil {
-		return nil, err
+	ts := &trustbundlesources.Config{
+		InsecureBootstrap:     c.Agent.InsecureBootstrap,
+		TrustBundleFormat:     c.Agent.TrustBundleFormat,
+		TrustBundlePath:       c.Agent.TrustBundlePath,
+		TrustBundleURL:        c.Agent.TrustBundleURL,
+		TrustBundleUnixSocket: c.Agent.TrustBundleUnixSocket,
 	}

+	ac.TrustBundleSources = trustbundlesources.New(ts, ac.Log.WithField("Logger", "TrustBundleSources"))
+
 	ac.WorkloadKeyType = workloadkey.ECP256
 	if c.Agent.WorkloadX509SVIDKeyType != "" {
 		ac.WorkloadKeyType, err = workloadkey.KeyTypeFromString(c.Agent.WorkloadX509SVIDKeyType)
@ -687,7 +636,7 @@ func defaultConfig() *Config {
 			DataDir:           defaultDataDir,
 			LogLevel:          defaultLogLevel,
 			LogFormat:         log.DefaultFormat,
-			TrustBundleFormat: bundleFormatPEM,
+			TrustBundleFormat: trustbundlesources.BundleFormatPEM,
 			SDS: sdsConfig{
 				DefaultBundleName:           defaultDefaultBundleName,
 				DefaultSVIDName:             defaultDefaultSVIDName,
@ -700,12 +649,3 @@ func defaultConfig() *Config {

 	return c
 }
-
-func loadTrustBundle(path string) ([]byte, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return bundleBytes, nil
-}
--- a/cmd/spire-agent/cli/run/run_test.go
+++ b/cmd/spire-agent/cli/run/run_test.go
@ -2,8 +2,6 @@ package run

 import (
 	"io"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path"
 	"path/filepath"
@ -39,119 +37,6 @@ type newAgentConfigCase struct {
 	test               func(*testing.T, *agent.Config)
 }

-func TestDownloadTrustBundle(t *testing.T) {
-	testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
-	testTBSPIFFE := `{
-    "keys": [
-        {
-            "use": "x509-svid",
-            "kty": "EC",
-            "crv": "P-384",
-            "x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
-            "y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
-            "x5c": [
-                "MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
-            ]
-        }
-    ]
-}`
-
-	cases := []struct {
-		msg                 string
-		status              int
-		fileContents        string
-		format              string
-		expectDownloadError bool
-		expectParseError    bool
-	}{
-		{
-			msg:                 "if URL is not found, should be an error",
-			status:              http.StatusNotFound,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if URL returns error 500, should be an error",
-			status:              http.StatusInternalServerError,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "NON PEM PARSEABLE TEXT HERE",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is empty, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        string(testTB),
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        "[}",
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        testTBSPIFFE,
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-	}
-
-	for _, testCase := range cases {
-		testCase := testCase
-
-		t.Run(testCase.msg, func(t *testing.T) {
-			testServer := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
-					w.WriteHeader(testCase.status)
-					_, _ = io.WriteString(w, testCase.fileContents)
-					// if err != nil {
-					// 	return
-					// }
-				}))
-			defer testServer.Close()
-			bundleBytes, err := downloadTrustBundle(testServer.URL)
-			if testCase.expectDownloadError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-
-				_, err := parseTrustBundle(bundleBytes, testCase.format)
-				if testCase.expectParseError {
-					require.Error(t, err)
-				} else {
-					require.NoError(t, err)
-				}
-			}
-		})
-	}
-}
-
 func TestMergeInput(t *testing.T) {
 	cases := []mergeInputCase{
 		{
@ -629,8 +514,6 @@ func TestMergeInput(t *testing.T) {
 	cases = append(cases, mergeInputCasesOS()...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Agent: &agentConfig{}}
 		cliInput := &agentConfig{}

@ -683,7 +566,7 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.False(t, c.InsecureBootstrap)
+				require.False(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
@ -695,13 +578,14 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = true
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.True(t, c.InsecureBootstrap)
+				require.True(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
 			msg: "retry_bootstrap should be correctly set to false",
 			input: func(c *Config) {
-				c.Agent.RetryBootstrap = false
+				rb := false
+				c.Agent.RetryBootstrap = &rb
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.False(t, c.RetryBootstrap)
@ -710,7 +594,8 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "retry_bootstrap should be correctly set to true",
 			input: func(c *Config) {
-				c.Agent.RetryBootstrap = true
+				rb := true
+				c.Agent.RetryBootstrap = &rb
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.True(t, c.RetryBootstrap)
@ -841,6 +726,51 @@ func TestNewAgentConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+		{
+			msg:                "trust_bundle_url must start with http:// when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with http://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spiffe- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spiffe-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spiffe-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spire- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spire-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spire-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
 		{
 			msg: "workload_key_type is not set",
 			input: func(c *Config) {
@ -1042,8 +972,6 @@ func TestNewAgentConfig(t *testing.T) {
 	}
 	cases = append(cases, newAgentConfigCasesOS(t)...)
 	for _, testCase := range cases {
-		testCase := testCase
-
 		input := defaultValidConfig()

 		testCase.input(input)
@ -1206,8 +1134,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

--- a/cmd/spire-server/cli/agent/agent_test.go
+++ b/cmd/spire-server/cli/agent/agent_test.go
@ -12,8 +12,8 @@ import (
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/cli/agent"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -92,10 +92,13 @@ func TestBan(t *testing.T) {
 			expectStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -152,10 +155,13 @@ func TestEvict(t *testing.T) {
 			expectedStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "server error",
@ -221,9 +227,9 @@ func TestCount(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "Count by expiresBefore: month out of range",
@ -448,9 +454,9 @@ func TestList(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "List by expiresBefore: month out of range",
@ -740,10 +746,13 @@ func TestShow(t *testing.T) {
 			expectedStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:                 "show selectors",
@ -801,7 +810,7 @@ func setupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *agentT
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
--- a/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
+++ b/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
@ -7,16 +7,14 @@ import (

 	"github.com/mitchellh/cli"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 )

-var (
-	AvailableFormats = []string{"pretty", "json"}
-)
+var AvailableFormats = []string{"pretty", "json"}

 type localAuthorityTest struct {
 	Stdin  *bytes.Buffer
@ -55,7 +53,7 @@ func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localA
 		Stdin:  stdin,
 		Stdout: stdout,
 		Stderr: stderr,
-		Args:   []string{common.AddrArg, common.GetAddr(addr)},
+		Args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		Server: server,
 		Client: client,
 	}
--- a/cmd/spire-server/cli/bundle/common.go
+++ b/cmd/spire-server/cli/bundle/common.go
@ -2,7 +2,6 @@ package bundle

 import (
 	"bytes"
-	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -17,7 +16,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
+	"github.com/spiffe/spire/pkg/common/jwtutil"
 )

 const (
@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {

 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}

 	var o bytes.Buffer
@ -86,11 +85,8 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 		return err
 	}

-	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
-	}
-
-	return nil
+	_, err = fmt.Fprintln(out, o.String())
+	return err
 }

 // bundleFromProto converts a bundle from the given *types.Bundle to *spiffebundle.Bundle
@ -103,7 +99,7 @@ func bundleFromProto(bundleProto *types.Bundle) (*spiffebundle.Bundle, error) {
 	if err != nil {
 		return nil, err
 	}
-	jwtAuthorities, err := jwtKeysFromProto(bundleProto.JwtAuthorities)
+	jwtAuthorities, err := jwtutil.JWTKeysFromProto(bundleProto.JwtAuthorities)
 	if err != nil {
 		return nil, err
 	}
@ -132,20 +128,6 @@ func x509CertificatesFromProto(proto []*types.X509Certificate) ([]*x509.Certific
 	return certs, nil
 }

-// jwtKeysFromProto converts JWT keys from the given []*types.JWTKey to map[string]crypto.PublicKey.
-// The key ID of the public key is used as the key in the returned map.
-func jwtKeysFromProto(proto []*types.JWTKey) (map[string]crypto.PublicKey, error) {
-	keys := make(map[string]crypto.PublicKey)
-	for i, publicKey := range proto {
-		jwtSigningKey, err := x509.ParsePKIXPublicKey(publicKey.PublicKey)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse JWT signing key %d: %w", i, err)
-		}
-		keys[publicKey.KeyId] = jwtSigningKey
-	}
-	return keys, nil
-}
-
 func printBundleWithFormat(out io.Writer, bundle *types.Bundle, format string, header bool) error {
 	if bundle == nil {
 		return errors.New("no bundle provided")
--- a/cmd/spire-server/cli/bundle/common_test.go
+++ b/cmd/spire-server/cli/bundle/common_test.go
@ -9,9 +9,9 @@ import (
 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -203,7 +203,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *bundl
 		cert1:    cert1,
 		cert2:    cert2,
 		key1Pkix: key1Pkix,
-		addr:     common.GetAddr(addr),
+		addr:     clitest.GetAddr(addr),
 		stdin:    stdin,
 		stdout:   stdout,
 		stderr:   stderr,
@ -241,7 +241,7 @@ func (s *bundleTest) afterTest(t *testing.T) {
 }

 func (s *bundleTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 type fakeBundleServer struct {
--- a/cmd/spire-server/cli/common/common_windows.go
+++ b/cmd/spire-server/cli/common/common_windows.go
@ -1,25 +0,0 @@
-//go:build windows
-
-package common
-
-import (
-	"net"
-
-	"github.com/spiffe/spire/pkg/common/namedpipe"
-)
-
-var (
-	AddrArg         = "-namedPipeName"
-	AddrError       = "Error: connection error: desc = \"transport: error while dialing: open \\\\\\\\.\\\\pipe\\\\does-not-exist: The system cannot find the file specified.\"\n"
-	AddrOutputUsage = `
-  -namedPipeName string
-    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
-  -output value
-    	Desired output format (pretty, json); default: pretty.
-`
-	AddrValue = "\\does-not-exist"
-)
-
-func GetAddr(addr net.Addr) string {
-	return namedpipe.GetPipeName(addr.String())
-}
--- a/cmd/spire-server/cli/entry/create.go
+++ b/cmd/spire-server/cli/entry/create.go
@ -4,14 +4,16 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -21,7 +23,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -104,7 +106,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -175,6 +177,16 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
 		Id:          c.entryID,
 		ParentId:    parentID,
@ -183,14 +195,14 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
 		StoreSvid:   c.storeSVID,
-		X509SvidTtl: int32(c.x509SVIDTTL),
-		JwtSvidTtl:  int32(c.jwtSVIDTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -254,7 +266,7 @@ func prettyPrintCreate(env *commoncli.Env, results ...any) error {

 	for _, r := range failed {
 		env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/delete.go
+++ b/cmd/spire-server/cli/entry/delete.go
@ -10,9 +10,10 @@ import (

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -22,7 +23,7 @@ func NewDeleteCommand() cli.Command {
 }

 func newDeleteCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &deleteCommand{env: env})
+	return serverutil.AdaptCommand(env, &deleteCommand{env: env})
 }

 type deleteCommand struct {
@ -70,7 +71,7 @@ func parseEntryDeleteJSON(path string) ([]string, error) {
 	return batchDeleteEntryRequest.Ids, nil
 }

-func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -135,7 +136,7 @@ func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...any) er
 	for _, result := range failed {
 		env.ErrPrintf("Failed to delete entry with ID %s (code: %s, msg: %q)\n",
 			result.Id,
-			codes.Code(result.Status.Code),
+			util.MustCast[codes.Code](result.Status.Code),
 			result.Status.Message)
 	}

--- a/cmd/spire-server/cli/entry/show_test.go
+++ b/cmd/spire-server/cli/entry/show_test.go
@ -445,7 +445,7 @@ func getEntries(count int) []*types.Entry {
 	}

 	e := []*types.Entry{}
-	for i := 0; i < count; i++ {
+	for i := range count {
 		e = append(e, entries[i])
 	}

--- a/cmd/spire-server/cli/entry/update.go
+++ b/cmd/spire-server/cli/entry/update.go
@ -4,13 +4,15 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -20,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -99,7 +101,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -169,6 +171,16 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
 		Id:          c.entryID,
 		ParentId:    parentID,
@ -176,14 +188,14 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		Downstream:  c.downstream,
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
-		X509SvidTtl: int32(c.x509SvidTTL),
-		JwtSvidTtl:  int32(c.jwtSvidTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -240,7 +252,7 @@ func prettyPrintUpdate(env *commoncli.Env, results ...any) error {
 	// Print entries that failed to be updated
 	for _, r := range failed {
 		env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/util_test.go
+++ b/cmd/spire-server/cli/entry/util_test.go
@ -10,8 +10,8 @@ import (
 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/util"
 	"github.com/stretchr/testify/assert"
@ -45,7 +45,6 @@ func TestParseEntryJSON(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			p := testCase.testDataPath

@ -155,7 +154,7 @@ func (e *entryTest) afterTest(t *testing.T) {
 }

 func (e *entryTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, e.addr}, extra...)
+	return append([]string{clitest.AddrArg, e.addr}, extra...)
 }

 type fakeEntryServer struct {
@ -242,7 +241,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *entry
 	})

 	test := &entryTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
--- a/cmd/spire-server/cli/federation/common_test.go
+++ b/cmd/spire-server/cli/federation/common_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeserverca"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
@ -124,7 +124,7 @@ func (c *cmdTest) afterTest(t *testing.T) {
 }

 func (c *cmdTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, c.addr}, extra...)
+	return append([]string{clitest.AddrArg, c.addr}, extra...)
 }

 type fakeServer struct {
@ -222,7 +222,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *cmdTe
 	})

 	test := &cmdTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
@ -241,7 +241,7 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {
 	td := spiffeid.RequireTrustDomainFromString(trustDomain)
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
 	ca := fakeserverca.New(t, td, &fakeserverca.Options{})
-	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0o600))

 	return &types.Bundle{
 		TrustDomain: td.Name(),
@ -253,13 +253,13 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {

 func createCorruptedBundle(t *testing.T) string {
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0o600))
 	return bundlePath
 }

 func createJSONDataFile(t *testing.T, data string) string {
 	jsonDataFilePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0600))
+	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0o600))
 	return jsonDataFilePath
 }

--- a/cmd/spire-server/cli/federation/create.go
+++ b/cmd/spire-server/cli/federation/create.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -26,7 +27,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -52,7 +53,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -101,7 +102,7 @@ func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...any) er
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to create the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/federation/update.go
+++ b/cmd/spire-server/cli/federation/update.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -21,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -47,7 +48,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -97,7 +98,7 @@ func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...any) er
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to update the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/healthcheck/healthcheck_test.go
+++ b/cmd/spire-server/cli/healthcheck/healthcheck_test.go
@ -6,8 +6,8 @@ import (
 	"testing"

 	"github.com/mitchellh/cli"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/suite"
 	"google.golang.org/grpc"
@ -58,24 +58,24 @@ func (s *HealthCheckSuite) TestBadFlags() {
 }

 func (s *HealthCheckSuite) TestFailsIfEndpointDoesNotExist() {
-	code := s.cmd.Run([]string{common.AddrArg, common.AddrValue})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.AddrValue})
 	s.NotEqual(0, code, "exit code")
 	s.Equal("", s.stdout.String(), "stdout")
-	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), common.AddrError)
+	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), "Error: server is unhealthy: unable to determine health\n")
 }

 func (s *HealthCheckSuite) TestFailsIfEndpointDoesNotExistVerbose() {
-	code := s.cmd.Run([]string{common.AddrArg, common.AddrValue, "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.AddrValue, "-verbose"})
 	s.NotEqual(0, code, "exit code")
-	s.Equal("", s.stdout.String(), "stdout")
-	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), common.AddrError)
+	s.Equal("Checking server health...\n", s.stdout.String(), "stdout")
+	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), "Failed to check health: "+clitest.AddrError)
 }

 func (s *HealthCheckSuite) TestSucceedsIfServingStatusServing() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr)})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr)})
 	s.Equal(0, code, "exit code")
 	s.Equal("Server is healthy.\n", s.stdout.String(), "stdout")
 	s.Equal("", s.stderr.String(), "stderr")
@ -85,7 +85,7 @@ func (s *HealthCheckSuite) TestSucceedsIfServingStatusServingVerbose() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr), "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr), "-verbose"})
 	s.Equal(0, code, "exit code")
 	s.Equal(`Checking server health...
 Server is healthy.
@ -97,7 +97,7 @@ func (s *HealthCheckSuite) TestFailsIfServiceStatusOther() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_NOT_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr), "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr), "-verbose"})
 	s.NotEqual(0, code, "exit code")
 	s.Equal(`Checking server health...
 `, s.stdout.String(), "stdout")
--- a/cmd/spire-server/cli/jwt/mint.go
+++ b/cmd/spire-server/cli/jwt/mint.go
@ -12,11 +12,12 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/diskutil"
 	"github.com/spiffe/spire/pkg/common/jwtsvid"
+	"github.com/spiffe/spire/pkg/common/util"
 )

 func NewMintCommand() cli.Command {
@ -24,7 +25,7 @@ func NewMintCommand() cli.Command {
 }

 func newMintCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &mintCommand{env: env})
+	return serverutil.AdaptCommand(env, &mintCommand{env: env})
 }

 type mintCommand struct {
@ -52,7 +53,7 @@ func (c *mintCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintMint)
 }

-func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error {
+func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("spiffeID must be specified")
 	}
@ -63,6 +64,10 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 	if err != nil {
 		return err
 	}
+	ttl, err := ttlToSeconds(c.ttl)
+	if err != nil {
+		return fmt.Errorf("invalid value for TTL: %w", err)
+	}

 	client := serverClient.NewSVIDClient()
 	resp, err := client.MintJWTSVID(ctx, &svidv1.MintJWTSVIDRequest{
@ -70,7 +75,7 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 			TrustDomain: spiffeID.TrustDomain().Name(),
 			Path:        spiffeID.Path(),
 		},
-		Ttl:      ttlToSeconds(c.ttl),
+		Ttl:      ttl,
 		Audience: c.audience,
 	})
 	if err != nil {
@ -132,8 +137,8 @@ func getJWTSVIDEndOfLife(token string) (time.Time, error) {

 // ttlToSeconds returns the number of seconds in a duration, rounded up to
 // the nearest second
-func ttlToSeconds(ttl time.Duration) int32 {
-	return int32((ttl + time.Second - 1) / time.Second)
+func ttlToSeconds(ttl time.Duration) (int32, error) {
+	return util.CheckedCast[int32]((ttl + time.Second - 1) / time.Second)
 }

 func prettyPrintMint(env *commoncli.Env, results ...any) error {
--- a/cmd/spire-server/cli/jwt/mint_test.go
+++ b/cmd/spire-server/cli/jwt/mint_test.go
@ -16,9 +16,9 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -35,7 +35,7 @@ qNV3lKIL59N7G2B4ojbhfSNneSIIpP448uPxUnaunaQZ+/m7+x9oobIp
 	availableFormats = []string{"pretty", "json"}
 	expectedUsage    = `Usage of jwt mint:
  -audience value
-    	Audience claim that will be included in the SVID. Can be used more than once.` + common.AddrOutputUsage +
+    	Audience claim that will be included in the SVID. Can be used more than once.` + clitest.AddrOutputUsage +
 		`  -spiffeID string
    	SPIFFE ID of the JWT-SVID
  -ttl duration
@ -325,7 +325,7 @@ func TestMintRun(t *testing.T) {
 					BaseDir: dir,
 				})

-				args := []string{common.AddrArg, common.GetAddr(addr)}
+				args := []string{clitest.AddrArg, clitest.GetAddr(addr)}
 				if tt.spiffeID != "" {
 					args = append(args, "-spiffeID", tt.spiffeID)
 				}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_activate_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_activate_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -57,10 +57,13 @@ func TestJWTActivate(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not activate JWT authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -48,9 +48,9 @@ func TestJWTPrepare(t *testing.T) {
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not prepare JWT authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -53,10 +53,13 @@ func TestJWTRevoke(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not revoke JWT authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_show_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_show_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -101,9 +101,9 @@ func TestJWTShow(t *testing.T) {
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_taint_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_taint_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -53,10 +53,13 @@ func TestJWTTaint(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not taint JWT authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/x509/x509_activate_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_activate_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -59,10 +59,13 @@ func TestX509Activate(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not activate X.509 authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/x509/x509_prepare_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_prepare_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -49,9 +49,9 @@ func TestX509Prepare(t *testing.T) {
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not prepare X.509 authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/x509/x509_revoke_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_revoke_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -54,10 +54,13 @@ func TestX509Revoke(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not revoke X.509 authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/x509/x509_show_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_show_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -110,9 +110,9 @@ func TestX509Show(t *testing.T) {
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not get X.509 authorities: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/localauthority/x509/x509_taint_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_taint_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
 	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -54,10 +54,13 @@ func TestX509Taint(t *testing.T) {
 			expectStderr:     "Error: an authority ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not taint X.509 authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/logger/mocks_test.go
+++ b/cmd/spire-server/cli/logger/mocks_test.go
@ -1,18 +1,17 @@
 package logger_test

 import (
+	"bytes"
+	"context"
 	"io"
 	"testing"

+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"

-	"bytes"
-	"context"
-
 	"github.com/mitchellh/cli"
 	loggerv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/logger/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"google.golang.org/grpc"
 )
@ -55,7 +54,7 @@ func setupCliTest(t *testing.T, server *mockLoggerService, newClient func(*commo
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
--- a/cmd/spire-server/cli/logger/printers.go
+++ b/cmd/spire-server/cli/logger/printers.go
@ -33,8 +33,5 @@ func PrettyPrintLogger(env *commoncli.Env, results ...any) error {
 		return fmt.Errorf("internal error: logrus log level %d has no name; please report this as a bug", logrusLaunch)
 	}

-	if err := env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText); err != nil {
-		return err
-	}
-	return nil
+	return env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText)
 }
--- a/cmd/spire-server/cli/logger/printers_test.go
+++ b/cmd/spire-server/cli/logger/printers_test.go
@ -14,7 +14,7 @@ import (
 func TestPrettyPrintLogger(t *testing.T) {
 	for _, tt := range []struct {
 		name           string
-		logger         interface{}
+		logger         any
 		outWriter      errorWriter
 		errWriter      errorWriter
 		env            *commoncli.Env
@ -53,7 +53,6 @@ Launch Level : info
 			expectedError: errors.New("internal error: unexpected type *types.Entry returned; please report this as a bug"),
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			tt.env = &commoncli.Env{
 				Stdout: &tt.outWriter,
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
@ -110,6 +110,7 @@ type experimentalConfig struct {
 	CacheReloadInterval   string                      `hcl:"cache_reload_interval"`
 	EventsBasedCache      bool                        `hcl:"events_based_cache"`
 	PruneEventsOlderThan  string                      `hcl:"prune_events_older_than"`
+	EventTimeout          string                      `hcl:"event_timeout"`
 	SQLTransactionTimeout string                      `hcl:"sql_transaction_timeout"`
 	RequirePQKEM          bool                        `hcl:"require_pq_kem"`

@ -568,6 +569,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	}

 	if c.Server.UseLegacyDownstreamX509CATTL != nil {
+		sc.Log.Warn("'use_legacy_downstream_x509_ca_ttl' is deprecated and will be removed in a future release")
 		sc.UseLegacyDownstreamX509CATTL = *c.Server.UseLegacyDownstreamX509CATTL
 		if sc.UseLegacyDownstreamX509CATTL {
 			sc.Log.Warn("Using legacy downstream X509 CA TTL calculation; this option will be removed in a future release")
@ -575,10 +577,9 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 			sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
 		}
 	} else {
-		// The default value should be false in SPIRE 1.11.0 and the flag
-		// removed in SPIRE 1.12.0.
-		sc.UseLegacyDownstreamX509CATTL = true
-		sc.Log.Info("Using legacy downstream X509 CA TTL calculation by default; this default will change in a future release")
+		// The flag should be removed in SPIRE 1.13.0.
+		sc.UseLegacyDownstreamX509CATTL = false
+		sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
 	}

 	// If the configured TTLs can lead to surprises, then do our best to log an
@ -707,11 +708,20 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	}

 	if c.Server.Experimental.SQLTransactionTimeout != "" {
+		sc.Log.Warn("experimental.sql_transaction_timeout is deprecated, use experimental.event_timeout instead")
 		interval, err := time.ParseDuration(c.Server.Experimental.SQLTransactionTimeout)
 		if err != nil {
 			return nil, fmt.Errorf("could not parse SQL transaction timeout interval: %w", err)
 		}
-		sc.SQLTransactionTimeout = interval
+		sc.EventTimeout = interval
+	}
+
+	if c.Server.Experimental.EventTimeout != "" {
+		interval, err := time.ParseDuration(c.Server.Experimental.EventTimeout)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse event timeout interval: %w", err)
+		}
+		sc.EventTimeout = interval
 	}

 	if c.Server.Experimental.EventsBasedCache {
@ -762,10 +772,7 @@ func setBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string
 			return nil
 		case profileConfig.HTTPSWeb.ServingCertFile != nil:
 			federationConfig.BundleEndpoint.DiskCertManager, err = configToDiskCertManager(profileConfig.HTTPSWeb.ServingCertFile, log)
-			if err != nil {
-				return err
-			}
-			return nil
+			return err
 		default:
 			return errors.New("malformed https_web profile configuration: 'acme' or 'serving_cert_file' is required")
 		}
@ -904,6 +911,10 @@ func validateConfig(c *Config) error {
 		}
 	}

+	if c.Server.Experimental.EventTimeout != "" && c.Server.Experimental.SQLTransactionTimeout != "" {
+		return errors.New("both experimental sql_transaction_timeout and event_timeout set, only set event_timeout")
+	}
+
 	return c.validateOS()
 }

--- a/cmd/spire-server/cli/run/run_test.go
+++ b/cmd/spire-server/cli/run/run_test.go
@ -470,8 +470,6 @@ func TestMergeInput(t *testing.T) {
 	cases = append(cases, mergeInputCasesOS(t)...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Server: &serverConfig{}}

 		testCase.fileInput(fileInput)
@ -1146,6 +1144,24 @@ func TestNewServerConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+		{
+			msg: "sql_transaction_timeout is correctly parsed",
+			input: func(c *Config) {
+				c.Server.Experimental.SQLTransactionTimeout = "1m"
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, time.Minute, c.EventTimeout)
+			},
+		},
+		{
+			msg: "event_timeout is correctly parsed",
+			input: func(c *Config) {
+				c.Server.Experimental.EventTimeout = "1m"
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, time.Minute, c.EventTimeout)
+			},
+		},
 		{
 			msg: "audit_log_enabled is enabled",
 			input: func(c *Config) {
@ -1213,8 +1229,6 @@ func TestNewServerConfig(t *testing.T) {
 	cases = append(cases, newServerConfigCasesOS(t)...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		input := defaultValidConfig()

 		testCase.input(input)
@ -1334,10 +1348,17 @@ func TestValidateConfig(t *testing.T) {
 			},
 			expectedErr: `federation.federates_with["domain.test"].bundle_endpoint_url must use the HTTPS protocol; URL found: "http://example.org/test"`,
 		},
+		{
+			name: "can't set both sql_transaction_timeout and event_timeout",
+			applyConf: func(c *Config) {
+				c.Server.Experimental.EventTimeout = "1h"
+				c.Server.Experimental.SQLTransactionTimeout = "1h"
+			},
+			expectedErr: "both experimental sql_transaction_timeout and event_timeout set, only set event_timeout",
+		},
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			conf := defaultValidConfig()
 			testCase.applyConf(conf)
@ -1550,8 +1571,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

@ -1759,7 +1778,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
 		if testCase.caTTL == 0 {
 			testCase.caTTL = credtemplate.DefaultX509CATTL
 		}
--- a/cmd/spire-server/cli/token/generate.go
+++ b/cmd/spire-server/cli/token/generate.go
@ -3,14 +3,16 @@ package token
 import (
 	"context"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	prototypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 )

 func NewGenerateCommand() cli.Command {
@ -18,7 +20,7 @@ func NewGenerateCommand() cli.Command {
 }

 func newGenerateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &generateCommand{env: env})
+	return serverutil.AdaptCommand(env, &generateCommand{env: env})
 }

 type generateCommand struct {
@ -39,16 +41,20 @@ func (g *generateCommand) Synopsis() string {
 	return "Generates a join token"
 }

-func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	id, err := getID(g.SpiffeID)
 	if err != nil {
 		return err
 	}
+	ttl, err := util.CheckedCast[int32](g.TTL)
+	if err != nil {
+		return fmt.Errorf("invalid value for TTL: %w", err)
+	}

 	c := serverClient.NewAgentClient()
 	resp, err := c.CreateJoinToken(ctx, &agentv1.CreateJoinTokenRequest{
 		AgentId: id,
-		Ttl:     int32(g.TTL),
+		Ttl:     ttl,
 	})
 	if err != nil {
 		return err
--- a/cmd/spire-server/cli/token/generate_test.go
+++ b/cmd/spire-server/cli/token/generate_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/mitchellh/cli"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -116,7 +116,7 @@ type tokenTest struct {
 }

 func (t *tokenTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, t.addr}, extra...)
+	return append([]string{clitest.AddrArg, t.addr}, extra...)
 }

 func setupTest(t *testing.T) *tokenTest {
@ -137,7 +137,7 @@ func setupTest(t *testing.T) *tokenTest {
 	})

 	return &tokenTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stderr: stderr,
 		stdin:  stdin,
 		stdout: stdout,
--- a/cmd/spire-server/cli/upstreamauthority/revoke_test.go
+++ b/cmd/spire-server/cli/upstreamauthority/revoke_test.go
@ -6,8 +6,8 @@ import (

 	"github.com/gogo/status"
 	authority_common_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -49,10 +49,13 @@ func TestRevoke(t *testing.T) {
 			expectStderr:     "Error: the Subject Key ID of the X.509 upstream authority is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-subjectKeyID", "subject-key-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not revoke X.509 upstream authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/upstreamauthority/taint_test.go
+++ b/cmd/spire-server/cli/upstreamauthority/taint_test.go
@ -6,8 +6,8 @@ import (

 	"github.com/gogo/status"
 	authority_common_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -49,10 +49,13 @@ func TestTaint(t *testing.T) {
 			expectStderr:     "Error: the Subject Key ID of the X.509 upstream authority is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-subjectKeyID", "subject-key-id",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not taint X.509 upstream authority: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
--- a/cmd/spire-server/cli/x509/mint.go
+++ b/cmd/spire-server/cli/x509/mint.go
@ -19,10 +19,11 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/diskutil"
+	"github.com/spiffe/spire/pkg/common/util"
 )

 type generateKeyFunc func() (crypto.Signer, error)
@ -37,7 +38,7 @@ func newMintCommand(env *commoncli.Env, generateKey generateKeyFunc) cli.Command
 			return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		}
 	}
-	return util.AdaptCommand(env, &mintCommand{
+	return serverutil.AdaptCommand(env, &mintCommand{
 		generateKey: generateKey,
 		env:         env,
 	})
@ -70,7 +71,7 @@ func (c *mintCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintMint)
 }

-func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error {
+func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("spiffeID must be specified")
 	}
@ -80,6 +81,11 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 		return err
 	}

+	ttl, err := ttlToSeconds(c.ttl)
+	if err != nil {
+		return fmt.Errorf("invalid value for TTL: %w", err)
+	}
+
 	key, err := c.generateKey()
 	if err != nil {
 		return fmt.Errorf("unable to generate key: %w", err)
@ -96,7 +102,7 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 	client := serverClient.NewSVIDClient()
 	resp, err := client.MintX509SVID(ctx, &svidv1.MintX509SVIDRequest{
 		Csr: csr,
-		Ttl: ttlToSeconds(c.ttl),
+		Ttl: ttl,
 	})
 	if err != nil {
 		return fmt.Errorf("unable to mint SVID: %w", err)
@ -167,8 +173,8 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient

 // ttlToSeconds returns the number of seconds in a duration, rounded up to
 // the nearest second
-func ttlToSeconds(ttl time.Duration) int32 {
-	return int32((ttl + time.Second - 1) / time.Second)
+func ttlToSeconds(ttl time.Duration) (int32, error) {
+	return util.CheckedCast[int32]((ttl + time.Second - 1) / time.Second)
 }

 type mintResult struct {
--- a/cmd/spire-server/cli/x509/mint_test.go
+++ b/cmd/spire-server/cli/x509/mint_test.go
@ -22,9 +22,9 @@ import (
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -34,7 +34,7 @@ import (
 var (
 	expectedUsage = `Usage of x509 mint:
  -dns value
-    	DNS name that will be included in SVID. Can be used more than once.` + common.AddrOutputUsage +
+    	DNS name that will be included in SVID. Can be used more than once.` + clitest.AddrOutputUsage +
 		`  -spiffeID string
    	SPIFFE ID of the X509-SVID
  -ttl duration
@ -297,7 +297,7 @@ Root CAs:
 					return testKey, nil
 				})

-				args := []string{common.AddrArg, common.GetAddr(addr)}
+				args := []string{clitest.AddrArg, clitest.GetAddr(addr)}
 				if tt.spiffeID != "" {
 					args = append(args, "-spiffeID", tt.spiffeID)
 				}
--- a/cmd/spire-server/util/util.go
+++ b/cmd/spire-server/util/util.go
@ -2,11 +2,9 @@ package util

 import (
 	"context"
-	"crypto"
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"net"
 	"strings"

 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
@ -20,6 +18,7 @@ import (
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	api_types "github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/jwtutil"
 	"github.com/spiffe/spire/pkg/common/pemutil"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
@ -33,13 +32,12 @@ const (
 	FormatSPIFFE         = "spiffe"
 )

-func Dial(addr net.Addr) (*grpc.ClientConn, error) {
-	return grpc.Dial(addr.String(), //nolint: staticcheck // It is going to be resolved on #5152
+func NewGRPCClient(addr string) (*grpc.ClientConn, error) {
+	return grpc.NewClient(
+		addr,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithContextDialer(dialer),
-		grpc.WithBlock(),                  //nolint: staticcheck // It is going to be resolved on #5152
-		grpc.FailOnNonTempDialError(true), //nolint: staticcheck // It is going to be resolved on #5152
-		grpc.WithReturnConnectionError())  //nolint: staticcheck // It is going to be resolved on #5152
+	)
 }

 type ServerClient interface {
@ -54,8 +52,8 @@ type ServerClient interface {
 	NewHealthClient() grpc_health_v1.HealthClient
 }

-func NewServerClient(addr net.Addr) (ServerClient, error) {
-	conn, err := Dial(addr)
+func NewServerClient(addr string) (ServerClient, error) {
+	conn, err := NewGRPCClient(addr)
 	if err != nil {
 		return nil, err
 	}
@ -157,12 +155,7 @@ func (a *Adapter) Run(args []string) int {
 		return 1
 	}

-	addr, err := a.getAddr()
-	if err != nil {
-		fmt.Fprintln(a.env.Stderr, "Error: "+err.Error())
-		return 1
-	}
-
+	addr := a.getGRPCAddr()
 	client, err := NewServerClient(addr)
 	if err != nil {
 		fmt.Fprintln(a.env.Stderr, "Error: "+err.Error())
@ -252,7 +245,7 @@ func protoFromSpiffeBundle(bundle *spiffebundle.Bundle) (*api_types.Bundle, erro
 		X509Authorities: protoFromX509Certificates(bundle.X509Authorities()),
 	}

-	jwtAuthorities, err := protoFromJWTKeys(bundle.JWTAuthorities())
+	jwtAuthorities, err := jwtutil.ProtoFromJWTKeys(bundle.JWTAuthorities())
 	if err != nil {
 		return nil, err
 	}
@ -280,21 +273,3 @@ func protoFromX509Certificates(certs []*x509.Certificate) []*api_types.X509Certi

 	return resp
 }
-
-// protoFromJWTKeys converts JWT keys from the given map[string]crypto.PublicKey to []*types.JWTKey
-func protoFromJWTKeys(keys map[string]crypto.PublicKey) ([]*api_types.JWTKey, error) {
-	var resp []*api_types.JWTKey
-
-	for kid, key := range keys {
-		pkixBytes, err := x509.MarshalPKIXPublicKey(key)
-		if err != nil {
-			return nil, err
-		}
-		resp = append(resp, &api_types.JWTKey{
-			PublicKey: pkixBytes,
-			KeyId:     kid,
-		})
-	}
-
-	return resp, nil
-}
--- a/cmd/spire-server/util/util_posix.go
+++ b/cmd/spire-server/util/util_posix.go
@ -6,8 +6,7 @@ import (
 	"context"
 	"flag"
 	"net"
-
-	"github.com/spiffe/spire/pkg/common/util"
+	"strings"
 )

 type adapterOS struct {
@ -18,13 +17,23 @@ func (a *Adapter) addOSFlags(flags *flag.FlagSet) {
 	flags.StringVar(&a.socketPath, "socketPath", DefaultSocketPath, "Path to the SPIRE Server API socket")
 }

-func (a *Adapter) getAddr() (net.Addr, error) {
-	if a.adapterOS.socketPath == "" {
+func (a *Adapter) getGRPCAddr() string {
+	if a.socketPath == "" {
 		a.socketPath = DefaultSocketPath
 	}
-	return util.GetUnixAddrWithAbsPath(a.socketPath)
+
+	// When grpc-go deprecated grpc.DialContext() in favor of grpc.NewClient(),
+	// they made a breaking change to always use the DNS resolver, even when overriding the context dialer.
+	// This is problematic for clients that do not use DNS for address resolution and don't set a resolver in the address.
+	// As a workaround, use the passthrough resolver to prevent using the DNS resolver.
+	// More context can be found in this issue: https://github.com/grpc/grpc-go/issues/1786#issuecomment-2114124036
+	return "unix:" + a.socketPath
 }

 func dialer(ctx context.Context, addr string) (net.Conn, error) {
-	return (&net.Dialer{}).DialContext(ctx, "unix", addr)
+	// This is an ugly workaround to circumvent grpc-go needing us to provide the resolver in the address
+	// in order to bypass DNS lookup, which is not relevant in the case of CLI invocation.
+	// More context can be found in this issue: https://github.com/grpc/grpc-go/issues/1786#issuecomment-2114124036
+	socketPathAddr := strings.TrimPrefix(addr, "unix:")
+	return (&net.Dialer{}).DialContext(ctx, "unix", socketPathAddr)
 }
--- a/cmd/spire-server/util/util_windows.go
+++ b/cmd/spire-server/util/util_windows.go
@ -6,6 +6,7 @@ import (
 	"context"
 	"flag"
 	"net"
+	"strings"

 	"github.com/Microsoft/go-winio"
 	"github.com/spiffe/spire/pkg/common/namedpipe"
@ -20,12 +21,21 @@ func (a *Adapter) addOSFlags(flags *flag.FlagSet) {
 }

 func dialer(ctx context.Context, addr string) (net.Conn, error) {
-	return winio.DialPipeContext(ctx, addr)
+	// This is an ugly workaround to circumvent grpc-go needing us to provide the resolver in the address
+	// in order to bypass DNS lookup, which is not relevant in the case of CLI invocation.
+	npipeAddr := strings.TrimPrefix(addr, "passthrough:")
+	return winio.DialPipeContext(ctx, npipeAddr)
 }

-func (a *Adapter) getAddr() (net.Addr, error) {
-	if a.adapterOS.namedPipeName == "" {
-		a.adapterOS.namedPipeName = DefaultNamedPipeName
+func (a *Adapter) getGRPCAddr() string {
+	if a.namedPipeName == "" {
+		a.namedPipeName = DefaultNamedPipeName
 	}
-	return namedpipe.AddrFromName(a.namedPipeName), nil
+
+	// When grpc-go deprecated grpc.DialContext() in favor of grpc.NewClient(),
+	// they made a breaking change to always use the DNS resolver, even when overriding the context dialer.
+	// This is problematic for clients that do not use DNS for address resolution and don't set a resolver in the address.
+	// As a workaround, use the passthrough resolver to prevent using the DNS resolver.
+	// More context can be found in this issue: https://github.com/grpc/grpc-go/issues/1786#issuecomment-2114124036
+	return "passthrough:" + namedpipe.AddrFromName(a.namedPipeName).String()
 }
--- a/conf/agent/agent_full.conf
+++ b/conf/agent/agent_full.conf
@ -59,6 +59,9 @@ agent {
    # trust_bundle_url: URL to download the initial SPIRE server trust bundle.
    # trust_bundle_url = ""

+    # trust_bundle_unix_socket: Make the request specified via trust_bundle_url happen against the specified unix socket.
+    # trust_budnle_unix_socket = "/tmp/your-webserver.sock"
+
    # trust_bundle_format: The format for the initial SPIRE server trust bundle, pem or spiffe
    # trust_bundle_format = "pem"

@ -108,6 +111,10 @@ agent {
    #     # admin_named_pipe_name: Pipe name to bind the Admin API named pipe (Windows only).
    #     Can be used to access the Debug API and Delegated Identity API.
    #     admin_named_pipe_name = ""
+
+    #     # use_sync_authorized_entries: Use SyncAuthorizedEntries API for periodic synchronization
+    #     # of authorized entries.
+    #     use_sync_authorized_entries = true
    # }
 }

@ -204,20 +211,6 @@ plugins {
        }
    }

-    # NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
-    # using a Kubernetes Service Account token.
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            # cluster: Name of the cluster. It must correspond to a cluster
-            # configured in the server plugin.
-            # cluster = ""
-
-            # token_path: Path to the service account token on disk.
-            # Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
-            # token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
-        }
-    }
-
    # NodeAttestor "sshpop": A node attestor which attests agent identity
    # using an existing ssh certificate.
    NodeAttestor "sshpop" {
--- a/conf/server/server_full.conf
+++ b/conf/server/server_full.conf
@ -533,47 +533,6 @@ plugins {
    #     }
    # }

-    # NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
-    # using a Kubernetes Service Account token.
-    # NodeAttestor "k8s_sat" {
-    #     plugin_data {
-    #         # clusters: A map of clusters, keyed by an arbitrary ID, that are
-    #         # authorized for attestation.
-    #         # clusters = {
-    #             # "<arbitrary ID>" = {
-    #                 # service_account_allow_list: A list of service account names,
-    #                 # qualified by namespace (for example, "default:blog" or
-    #                 # "production:web") to allow for node attestation. Attestation
-    #                 # will be rejected for tokens bound to service accounts that
-    #                 # aren't in the allow list.
-    #                 # service_account_allow_list = []
-
-    #                 # use_token_review_api_validation: Specifies how the service
-    #                 # account token is validated. If false, validation is done
-    #                 # locally using the provided key. If true, validation is done
-    #                 # using token review API. Default: false.
-    #                 # use_token_review_api_validation = false
-
-    #                 # service_account_key_file: It is only used if
-    #                 # use_token_review_api_validation is set to false. Path on disk
-    #                 # to a PEM encoded file containing public keys used in
-    #                 # validating tokens for that cluster. RSA and ECDSA keys are
-    #                 # supported. For RSA, X509 certificates, PKCS1, and PKIX encoded
-    #                 # public keys are accepted. For ECDSA, X509 certificates, and
-    #                 # PKIX encoded public keys are accepted.
-    #                 # service_account_key_file = ""
-
-    #                 # kube_config_file: It is only used if
-    #                 # use_token_review_api_validation is set to true. Path to a k8s
-    #                 # configuration file for API Server authentication. A kubernetes
-    #                 # configuration file must be specified if SPIRE server runs
-    #                 # outside of the k8s cluster. If empty, SPIRE server is assumed
-    #                 # to be running inside the cluster and in-cluster configuration
-    #                 # is used. Default: "".
-    #                 # kube_config_file = ""
-    #     }
-    # }
-
    # NodeAttestor "sshpop": A node attestor which attests agent identity
    # using an existing ssh certificate.
    # NodeAttestor "sshpop" {
@ -982,6 +941,29 @@ plugins {
    #         # trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
    #     }
    # }
+
+    # BundlePublisher "k8s_configmap": A bundle publisher that puts the current trust
+    # bundle of the server in a designated Kubernetes ConfigMap, keeping it updated.
+    # BundlePublisher "k8s_configmap" {
+    #     plugin_data {
+    #         clusters = {
+    #             "example-cluster-1" = {
+    #                 configmap_name = "example.org"
+    #                 configmap_key = "bundle"
+    #                 namespace = "spire"
+    #                 kubeconfig_path = "/file/path/cluster-1"
+    #                 format = "spiffe"
+    #             },
+    #             "example-cluster-2" = {
+    #                 configmap_name = "example.org"
+    #                 configmap_key = "bundle"
+    #                 namespace = "spire"
+    #                 kubeconfig_path = "/file/path/cluster-2"
+    #                 format = "pem"
+    #             }
+    #         }
+    #     }
+    # }
 }

 # telemetry: If telemetry is desired use this section to configure the
--- a/doc/SPIRE101.md
+++ b/doc/SPIRE101.md
@ -44,15 +44,16 @@ If you don't already have Docker installed, please follow these [installation in
   $ make dev-shell
   ```

-3. Create a user with uid 1000. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid.
+3. Create a user with uid 1001. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid.

   ```shell
-   (in dev shell) # useradd -u 1000 workload
+   (in dev shell) # useradd -u 1001 workload
   ```

-4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries.
+4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries. This requires configuring `git` to know that the temporary docker container is safe.

   ```shell
+   (in dev shell) # git config --global --add safe.directory /spire
   (in dev shell) # make build
   ```

@ -169,12 +170,12 @@ If you don't already have Docker installed, please follow these [installation in
    (in dev shell) # ./bin/spire-server entry create \
        -parentID spiffe://example.org/host \
        -spiffeID spiffe://example.org/workload \
-        -selector unix:uid:1000
+        -selector unix:uid:1001
    ```

    At this point, the target workload has been registered with the SPIRE Server. We can now call the Workload API using a command line program to request the workload SVID from the SPIRE Agent.

-12. Simulate the Workload API interaction and retrieve the workload SVID bundle by running the `api` subcommand in the agent. Run the command as user **_workload_** created in step #3 with uid 1000
+12. Simulate the Workload API interaction and retrieve the workload SVID bundle by running the `api` subcommand in the agent. Run the command as user **_workload_** created in step #3 with uid 1001

    ```shell
    (in dev shell) # su -c "./bin/spire-agent api fetch x509 " workload
@ -183,6 +184,6 @@ If you don't already have Docker installed, please follow these [installation in
 13. Examine the output. Optionally, you may write the SVID and key to disk with `-write` in order to examine them in detail.

    ```shell
-    (in dev shell) # su -c "./bin/spire-agent api fetch x509 -write ./" workload
-    (in dev shell) # openssl x509 -in ./svid.0.pem -text -noout
+    (in dev shell) # su -c "./bin/spire-agent api fetch x509 -write /tmp" workload
+    (in dev shell) # openssl x509 -in /tmp/svid.0.pem -text -noout
    ```
--- a/doc/authorization_policy_engine.md
+++ b/doc/authorization_policy_engine.md
@ -18,6 +18,7 @@ server {
            local {
                rego_path = "./conf/server/policy.rego"
                policy_data_path = "./conf/server/policy_data.json"
+                use_rego_v1 = true
            }
        }
    }
--- a/doc/docker_images.md
+++ b/doc/docker_images.md
@ -30,7 +30,7 @@ $ docker run \
    --user 1000:1000 \
    -p 8081:8081 \
    -v /path/to/server/config:/etc/spire/server \
-    ghcr.io/spiffe/spire-server:v1.6.0 \
+    ghcr.io/spiffe/spire-server:1.6.1 \
    -config /etc/spire/server/server.conf
 ```

--- a/doc/plugin_agent_nodeattestor_k8s_sat.md
+++ b/doc/plugin_agent_nodeattestor_k8s_sat.md
@ -1,50 +0,0 @@
-# Agent plugin: NodeAttestor "k8s_sat" (deprecated)
-
-**This plugin has been deprecated in favor of the  ["k8s_psat"](plugin_agent_nodeattestor_k8s_psat.md) plugin and will be removed in a future release.**
-
-*Must be used in conjunction with the server-side k8s_sat plugin*
-
-The `k8s_sat` plugin attests nodes running in inside of Kubernetes. The agent
-reads and provides the signed service account token to the server.
-
-*Note: If your cluster supports [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
-you should instead consider using the `k8s_psat` attestor due to the [security considerations](#security-considerations) below.*
-
-The server-side `k8s_sat` plugin generates a one-time UUID and generates a SPIFFE ID with the form:
-
-```xml
-spiffe://<trust_domain>/spire/agent/k8s_sat/<cluster>/<UUID>
-```
-
-The main configuration accepts the following values:
-
-| Configuration | Description                                                                           | Default                                               |
-|---------------|---------------------------------------------------------------------------------------|-------------------------------------------------------|
-| `cluster`     | Name of the cluster. It must correspond to a cluster configured in the server plugin. |
-| `token_path`  | Path to the service account token on disk                                             | "/var/run/secrets/kubernetes.io/serviceaccount/token" |
-
-The token path defaults to the default location Kubernetes uses to place the token and should not need to be overridden in most cases.
-
-A sample configuration with the default token path:
-
-```hcl
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            cluster = "MyCluster"
-        }
-    }
-```
-
-## Security Considerations
-
-At this time, the service account token does not contain claims that could be
-used to strongly identify the node/daemonset/pod running the agent. This means
-that any container running in an allowed service account can masquerade as
-an agent, giving it access to any identity the agent is capable of issuing. It
-is **STRONGLY** recommended that agents run under a dedicated service account.
-
-It should be noted that due to the fact that SPIRE can't positively
-identify a node using this method, it is not possible to directly authorize
-identities for a distinct node or sets of nodes. Instead, this must be
-accomplished indirectly using a service account and deployment that
-leverages node affinity or node selectors.
--- a/doc/plugin_agent_svidstore_gcp_secretmanager.md
+++ b/doc/plugin_agent_svidstore_gcp_secretmanager.md
@ -71,3 +71,4 @@ Selectors are used on `storable` entries to describe metadata that is needed by
 | `gcp_secretmanager:projectid`      | `gcp_secretmanager:projectid:some-project`                                       | x        | The Google Cloud project ID which the plugin will use Secret Manager       |
 | `gcp_secretmanager:role`           | `gcp_secretmanager:role:roles/secretmanager.viewer`                              | -        | The Google Cloud role id for IAM policy (serviceaccount required when set) |
 | `gcp_secretmanager:serviceaccount` | `gcp_secretmanager:serviceaccount:test-secret@test-proj.iam.gserviceaccount.com` | -        | The Google Cloud Service account for IAM policy (role required when set)   |
+| `gcp_secretmanager:regions`        | `gcp_secretmanager:regions:europe-north1,europe-west1`                    | -        | List of Google Cloud Region to create the secret in, this is immutable and cannot be changed (Omit to use automatic region selection)                   |
--- a/doc/plugin_agent_workloadattestor_docker.md
+++ b/doc/plugin_agent_workloadattestor_docker.md
@ -122,7 +122,7 @@ ghcr.io/spiffe/spire-server   1.9.1             e3b24c3cd9e1   4 weeks ago    10
 envoyproxy/envoy              contrib-v1.29.1   644f45f6626c   7 weeks ago    181MB
 ```

-Then u4se the `REPOSITORY:TAG` as the selector, not the `IMAGE ID` column.
+Then use the `REPOSITORY:TAG` as the selector, not the `IMAGE ID` column.

 ```shell
 $ spire-server entry create \
--- a/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md
+++ b/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md
@ -1,7 +1,10 @@
 # Server plugin: BundlePublisher "aws_rolesanywhere_trustanchor"

 > [!WARNING]
-> This plugin is only supported when an UpstreamAuthority plugin is used.
+> AWS Roles Anywhere only allows configuring up to two CAs per trust anchor. If you are using this plugin, you will
+> need to make sure there are at most 2 CAs in the trust bundle for the trust domain, otherwise publishing the bundle
+> will fail. This can be achieved by configuring the spire-server with an `UpstreamAuthority` plugin.
+> Also, keep in mind that expired CAs are only removed from the bundle 24 hours after their expiration.

 The `aws_rolesanywhere_trustanchor` plugin puts the current trust bundle of the server
 in a trust anchor, keeping it updated.
--- a/doc/plugin_server_bundlepublisher_aws_s3.md
+++ b/doc/plugin_server_bundlepublisher_aws_s3.md
@ -13,6 +13,7 @@ The plugin accepts the following configuration options:
 | bucket            | The Amazon S3 bucket name to which the trust bundle is uploaded.                                                                                               | Yes.                                                                   |                                                     |
 | object_key        | The object key inside the bucket.                                                                                                                              | Yes.                                                                   |                                                     |
 | format            | Format in which the trust bundle is stored, &lt;spiffe &vert; jwks &vert; pem&gt;. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes.                                                                   |                                                     |
+| endpoint          | A custom S3 endpoint should be set when using third-party object storage providers, such as Minio.                                                             | No.                                                                    |                                                     |

 ## Supported bundle formats

@ -48,3 +49,19 @@ The following configuration uploads the local trust bundle contents to the `exam
        }
    }
 ```
+
+The following configuration uploads the local trust bundle contents to the `example.org` object in the `spire-trust-bundle` bucket on Minio server.
+
+```hcl
+    BundlePublisher "aws_s3" {
+        plugin_data {
+            endpoint = "https://my-org-minio.example.org"
+            region = "minio-sample-region"
+            access_key_id  = "minio-key-id"
+            secret_access_key = "minio-access-key"
+            bucket = "spire-trust-bundle"
+            object_key = "example.org"
+            format = "spiffe"
+        }
+    }
+```
--- a/doc/plugin_server_bundlepublisher_k8s_configmap.md
+++ b/doc/plugin_server_bundlepublisher_k8s_configmap.md
@ -0,0 +1,127 @@
+# Server plugin: BundlePublisher "k8s_configmap"
+
+The `k8s_configmap` plugin puts the current trust bundle of the server in a designated
+Kubernetes ConfigMap, keeping it updated. The plugin supports configuring multiple clusters.
+
+The plugin accepts the following configuration:
+
+| Configuration | Description                                                                                       | Default |
+|---------------|---------------------------------------------------------------------------------------------------|---------|
+| `clusters`    | A map of clusters, keyed by an arbitrary ID, where the plugin publishes the current trust bundle. |         |
+
+> [!WARNING]
+> When `clusters` is empty, the plugin does not publish the bundle.
+
+Each cluster in the main configuration has the following configuration options:
+
+| Configuration   | Description                                                                                                                                                                                            | Required | Default |
+|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
+| configmap_name  | The name of the ConfigMap.                                                                                                                                                                             | Yes.     |         |
+| configmap_key   | The key within the ConfigMap for the bundle.                                                                                                                                                           | Yes.     |         |
+| namespace       | The namespace containing the ConfigMap.                                                                                                                                                                | Yes.     |         |
+| kubeconfig_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, in-cluster credentials will be used.                                       | No.      |         |
+| format          | Format in which the trust bundle is stored, &lt;spiffe &vert; jwks &vert; pem&gt;. See [Supported bundle formats](#supported-bundle-formats) for more details.                                         | Yes.     |         |
+
+## Supported bundle formats
+
+The following bundle formats are supported:
+
+### SPIFFE format
+
+The trust bundle is represented as an RFC 7517 compliant JWK Set, with the specific parameters defined in the [SPIFFE Trust Domain and Bundle specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format). Both the JWT authorities and the X.509 authorities are included.
+
+### JWKS format
+
+The trust bundle is encoded as an RFC 7517 compliant JWK Set, omitting SPIFFE-specific parameters. Both the JWT authorities and the X.509 authorities are included.
+
+### PEM format
+
+The trust bundle is formatted using PEM encoding. Only the X.509 authorities are included.
+
+## Configuring Kubernetes
+
+To use this plugin, configure Kubernetes permissions for the SPIRE Server's Service Account:
+
+- For in-cluster SPIRE servers: grant permissions to the Service Account running SPIRE.
+- For out-of-cluster SPIRE servers: grant permissions to the Service Account specified in the kubeconfig.
+
+The plugin uses the Kubernetes Apply operation to manage ConfigMaps. This operation will create the ConfigMap if it doesn't exist, or update it if it does. The Service Account needs permission to use the `patch` verb on ConfigMaps in the specified namespace.
+
+### Required Permissions
+
+The Service Account needs the following permissions:
+
+- `get` on ConfigMaps (required for the Apply operation to read the current state)
+- `patch` on ConfigMaps (required for the Apply operation to update resources)
+- `create` on ConfigMaps (required if the ConfigMap doesn't exist)
+
+### Example
+
+In this example, assume that Service Account is `spire-server`.
+
+```yaml
+kind: Role # Note: Using Role instead of ClusterRole for namespace-scoped permissions
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-role
+  namespace: spire
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["create", "get", "patch"]
+  resourceNames: ["spire-bundle"]  # Restrict to specific ConfigMap for create, get and patch operations
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-role-binding
+  namespace: spire
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: spire
+roleRef:
+  kind: Role
+  name: spire-server-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-bundle
+  namespace: spire
+```
+
+> [!NOTE]
+> The Apply operation uses Server-Side Apply (SSA) with a field manager name of `spire-bundlepublisher-k8s_configmap`. This ensures that SPIRE's updates to the ConfigMap are tracked and can coexist with other controllers that might be managing different fields of the same ConfigMap.
+
+## Sample configuration
+
+The following configuration keeps the local trust bundle updated in ConfigMaps from two different clusters.
+
+```hcl
+    BundlePublisher "k8s_configmap" {
+        plugin_data {
+            clusters = {
+                "example-cluster-1" = {
+                    configmap_name = "example.org"
+                    configmap_key = "bundle"
+                    namespace = "spire"
+                    kubeconfig_path = "/file/path/cluster-1"
+                    format = "spiffe"
+                },
+                "example-cluster-2" = {
+                    configmap_name = "example.org"
+                    configmap_key = "bundle"
+                    namespace = "spire"
+                    kubeconfig_path = "/file/path/cluster-2"
+                    format = "pem"
+                }
+            }
+        }
+    }
+```
--- a/doc/plugin_server_datastore_sql.md
+++ b/doc/plugin_server_datastore_sql.md
@ -11,13 +11,15 @@ The `sql` plugin implements SQL based data storage for the SPIRE server using SQ
 | client_cert_path     | Path to client certificate (MySQL only)                                                                                                                                                                                                                                            |
 | client_key_path      | Path to private key for client certificate (MySQL only)                                                                                                                                                                                                                            |
 | max_open_conns       | The maximum number of open db connections (default: 100)                                                                                                                                                                                                                           |
-| max_idle_conns       | The maximum number of idle connections in the pool (default: 2)                                                                                                                                                                                                                    |
+| max_idle_conns       | The maximum number of idle connections in the pool (default: 100)                                                                                                                                                                                                                    |
 | conn_max_lifetime    | The maximum amount of time a connection may be reused (default: unlimited)                                                                                                                                                                                                         |
 | disable_migration    | True to disable auto-migration functionality. Use of this flag allows finer control over when datastore migrations occur and coordination of the migration of a datastore shared with a SPIRE Server cluster. Only available for databases from SPIRE Code version 0.9.0 or later. |

 For more information on the `max_open_conns`, `max_idle_conns`, and `conn_max_lifetime`, refer to the
 documentation for the Go [`database/sql`](https://golang.org/pkg/database/sql/#DB) package.

+> **Note:** The SQL plugin uses an internal default setting of 30 seconds for the maximum idle time per connection (ConnMaxIdleTime). This setting is not configurable through the plugin configuration.
+
 ## Database configurations

 ### `database_type = "sqlite3"`
--- a/doc/plugin_server_nodeattestor_k8s_sat.md
+++ b/doc/plugin_server_nodeattestor_k8s_sat.md
@ -1,105 +0,0 @@
-# Server plugin: NodeAttestor "k8s_sat" (deprecated)
-
-**This plugin has been deprecated in favor of the  ["k8s_psat"](plugin_server_nodeattestor_k8s_psat.md) plugin and will be removed in a future release.**
-
-*Must be used in conjunction with the agent-side k8s_sat plugin*
-
-The `k8s_sat` plugin attests nodes running in inside of Kubernetes. The server validates the signed service
-account token provided by the agent. This validation can be done in two different ways depending on the value
-of the `use_token_review_api_validation` flag:
-
-+ If this value is set to `false` (default behavior), the attestor validates the token locally using the key provided in `service_account_key_file`.
-+ If this value is set to `true`, the validation is performed using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/).
-
-*Note: If your cluster supports [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
-you should instead consider using the `k8s_psat` attestor due to the [security considerations](#security-considerations) below.*
-
-The server uses a one-time UUID provided by the agent to generate a SPIFFE ID with the form:
-
-```xml
-spiffe://<trust_domain>/spire/agent/k8s_sat/<cluster>/<UUID>
-```
-
-The server does not need to be running in Kubernetes in order to perform node
-attestation. In fact, the plugin can be configured to attest nodes running in
-multiple clusters.
-
-The main configuration accepts the following values:
-
-| Configuration | Description                                                                       | Default |
-|---------------|-----------------------------------------------------------------------------------|---------|
-| `clusters`    | A map of clusters, keyed by an arbitrary ID, that are authorized for attestation. |         |
-
-Each cluster in the main configuration requires the following configuration:
-
-| Configuration                     | Description                                                                                                                                                                                                                                                                                                                                                            | Default |
-|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
-| `service_account_allow_list`      | A list of service account names, qualified by namespace (for example, "default:blog" or "production:web") to allow for node attestation. Attestation will be rejected for tokens bound to service accounts that aren't in the allow list.                                                                                                                              |         |
-| `use_token_review_api_validation` | Specifies how the service account token is validated. If false, validation is done locally using the provided key. If true, validation is done using token review API.                                                                                                                                                                                                 | false   |
-| `service_account_key_file`        | It is only used if `use_token_review_api_validation` is set to `false`. Path on disk to a PEM encoded file containing public keys used in validating tokens for that cluster. RSA and ECDSA keys are supported. For RSA, X509 certificates, PKCS1, and PKIX encoded public keys are accepted. For ECDSA, X509 certificates, and PKIX encoded public keys are accepted. |         |
-| `kube_config_file`                | It is only used if `use_token_review_api_validation` is set to `true`. Path to a k8s configuration file for API Server authentication. A Kubernetes configuration file must be specified if SPIRE server runs outside of the k8s cluster. If empty, SPIRE server is assumed to be running inside the cluster and in-cluster configuration is used.                     | ""      |
-
-A sample configuration for SPIRE server running inside or outside a Kubernetes cluster and validating the service account token with a key file located at `"/run/k8s-certs/sa.pub"`:
-
-```hcl
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            clusters = {
-                "MyCluster" = {
-                    service_account_allow_list = ["production:spire-agent"]
-                    service_account_key_file = "/run/k8s-certs/sa.pub"
-                }
-        }
-    }
-```
-
-A sample configuration for SPIRE server running inside of a Kubernetes cluster and validating the service account token with the kubernetes token review API:
-
-```hcl
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            clusters = {
-                "MyCluster" = {
-                    service_account_allow_list = ["production:spire-agent"]
-                    use_token_review_api_validation = true
-                }
-        }
-    }
-```
-
-A sample configuration for SPIRE server running outside of a Kubernetes cluster and validating the service account token with the kubernetes token review API:
-
-```hcl
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            clusters = {
-                "MyCluster" = {
-                    service_account_allow_list = ["production:spire-agent"]
-                    use_token_review_api_validation = true
-                    kube_config_file = "path/to/kubeconfig/file"
-                }
-        }
-    }
-```
-
-In addition, this plugin generates the following selectors:
-
-| Selector           | Example                        | Description                                                                     |
-|--------------------|--------------------------------|---------------------------------------------------------------------------------|
-| `k8s_sat:cluster`  | `k8s_sat:cluster:MyCluster`    | Name of the cluster (from the plugin config) used to verify the token signature |
-| `k8s_sat:agent_ns` | `k8s_sat:agent_ns:production`  | Namespace that the agent is running under                                       |
-| `k8s_sat:agent_sa` | `k8s_sat:agent_sa:spire-agent` | Service Account the agent is running under                                      |
-
-## Security Considerations
-
-At this time, the service account token does not contain claims that could be
-used to strongly identify the node/daemonset/pod running the agent. This means
-that any container running in an allowed service account can masquerade as
-an agent, giving it access to any identity the agent is capable of issuing. It
-is **STRONGLY** recommended that agents run under a dedicated service account.
-
-It should be noted that due to the fact that SPIRE can't positively
-identify a node using this method, it is not possible to directly authorize
-identities for a distinct node or sets of nodes. Instead, this must be
-accomplished indirectly using a service account and deployment that
-leverages node affinity or node selectors.
--- a/doc/plugin_server_nodeattestor_x509pop.md
+++ b/doc/plugin_server_nodeattestor_x509pop.md
@ -4,7 +4,7 @@

 The `x509pop` plugin attests nodes that have been provisioned with an x509
 identity through an out-of-band mechanism. It verifies that the certificate is
-rooted to a trusted set of CAs and issues a signature based proof-of-possession
+rooted to a trusted set of CAs and issues a signature-based proof-of-possession
 challenge to the agent plugin to verify that the node is in possession of the
 private key.

@ -17,10 +17,12 @@ spiffe://<trust_domain>/spire/agent/x509pop/<fingerprint>
 ```

 | Configuration         | Description                                                                                                                                                                                                                                    | Default                                 |
-|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
-| `ca_bundle_path`      | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. If the CA certificates are in more than one file, use `ca_bundle_paths` instead. |                                         |
-| `ca_bundle_paths`     | A list of paths to trusted CA bundles on disk. The files must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification.                                                                             |                                         |
-| `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format.                                                                                                                                                              | `"{{ .PluginName}}/{{ .Fingerprint }}"` |
+|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
+| `mode`                | If `spiffe`, use the spire servers own trust bundle to use for validation. If `external_pki`, use the specified CA(s).                                                                                                                         | external_pki                                                    |
+| `svid_prefix`            | The prefix of the SVID to use for matching valid SVIDS and exchanging them for Node SVIDs                                                                                                                                                   | /spire-exchange                                                 |
+| `ca_bundle_path`      | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. If the CA certificates are in more than one file, use `ca_bundle_paths` instead. |                                                                 |
+| `ca_bundle_paths`     | A list of paths to trusted CA bundles on disk. The files must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification.                                                                             |                                                                 |
+| `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format.                                                                                                                                                              | See [Agent Path Template](#agent-path-template) for details   |

 A sample configuration:

@ -28,7 +30,7 @@ A sample configuration:
    NodeAttestor "x509pop" {
        plugin_data {
            ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
-            
+
            # Change the agent's SPIFFE ID format
            # agent_path_template = "/cn/{{ .Subject.CommonName }}"
        }
@ -37,16 +39,29 @@ A sample configuration:

 ## Selectors

-| Selector         | Example                                                           | Description                                                                              |
-|------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------|
-| Common Name      | `x509pop:subject:cn:example.org`                                  | The Subject's Common Name (see X.500 Distinguished Names)                                |
-| SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. |
-| SerialNumber     | `x509pop:serialnumber:0a1b2c3d4e5f`                               | The leaf certificate serial number as a lowercase hexadecimal string                     |
+| Selector         | Example                                                           | Description                                                                                                                                                                                                |
+|------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Common Name      | `x509pop:subject:cn:example.org`                                  | The Subject's Common Name (see X.500 Distinguished Names)                                                                                                                                                  |
+| SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf.                                                                                                                   |
+| SerialNumber     | `x509pop:serialnumber:0a1b2c3d4e5f`                               | The leaf certificate serial number as a lowercase hexadecimal string                                                                                                                                       |
+| San              | `x509pop:san:<key>:<value>`                                       | The san selectors on the leaf certificate. The expected format of the uri san is `x509pop://<trust_domain>/<key>:<value>`. One selector is exposed per uri san corresponding to x509pop uri scheme. string |
+
+## SVID Path Prefix
+
+When `mode="spiffe"` the SPIFFE ID being exchanged must be prefixed by the specified `svid_prefix`. The prefix will be removed from the `.SVIDPathTrimmed` property before sending to the agent path template. If `svid_prefix` is set to `""`, all prefixes will be allowed, and the limiting logic will have to be implemented in the `agent_path_template`.
+
+**Example:** If your trust domain is example.com and `svid_prefix` is set to its default value `/spire-exchange`, and [agent_path_template](#agent-path-template) is the default too, then the SPIFFE ID from the x509 identity `spiffe://example.com/spire-exchange/testhost` will be exchanged for `spiffe://example.com/spire/agent/x509pop/testhost`. If a SPIFFE ID with a different prefix is given, for example `spiffe://example.com/other/testhost`, it will not match the `svid_prefix` and will be rejected.

 ## Agent Path Template

-The agent path template is a way of customizing the format of generated SPIFFE IDs for agents.
-The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [golang x509.Certificate](https://pkg.go.dev/crypto/x509#Certificate)
+Specifying the value of `agent_path_template` provides a way of customizing the format of generated SPIFFE IDs for agents. The default format for every mode is shown below
+
+| `mode`         | `agent_path_template`                      |
+|----------------|--------------------------------------------|
+| `spiffe`       | `{{ .PluginName }}/{{ .SVIDPathTrimmed }}` |
+| `external_pki` | `{{ .PluginName }}/{{ .Fingerprint }}`     |
+
+The template formatter is using Golang text/template conventions. It can reference values provided by the plugin or in a [golang x509.Certificate](https://pkg.go.dev/crypto/x509#Certificate).
 Details about the template engine are available [here](template_engine.md).

 Some useful values are:
@ -58,3 +73,4 @@ Some useful values are:
 | .TrustDomain          | The configured trust domain                                                                  |
 | .Subject.CommonName   | The common name field of the agent's x509 certificate                                        |
 | .SerialNumberHex      | The serial number field of the agent's x509 certificate represented as lowercase hexadecimal |
+| .SVIDPathTrimmed      | The SVID Path after trimming off the SVID prefix                                             |
--- a/doc/spire_agent.md
+++ b/doc/spire_agent.md
@ -21,7 +21,6 @@ This document is a configuration reference for SPIRE Agent. It includes informat
 | NodeAttestor     | [azure_msi](/doc/plugin_agent_nodeattestor_azure_msi.md)                | A node attestor which attests agent identity using an Azure MSI token                                                                            |
 | NodeAttestor     | [gcp_iit](/doc/plugin_agent_nodeattestor_gcp_iit.md)                    | A node attestor which attests agent identity using a GCP Instance Identity Token                                                                 |
 | NodeAttestor     | [join_token](/doc/plugin_agent_nodeattestor_jointoken.md)               | A node attestor which uses a server-generated join token                                                                                         |
-| NodeAttestor     | [k8s_sat](/doc/plugin_agent_nodeattestor_k8s_sat.md) (deprecated)       | A node attestor which attests agent identity using a Kubernetes Service Account token                                                            |
 | NodeAttestor     | [k8s_psat](/doc/plugin_agent_nodeattestor_k8s_psat.md)                  | A node attestor which attests agent identity using a Kubernetes Projected Service Account token                                                  |
 | NodeAttestor     | [sshpop](/doc/plugin_agent_nodeattestor_sshpop.md)                      | A node attestor which attests agent identity using an existing ssh certificate                                                                   |
 | NodeAttestor     | [x509pop](/doc/plugin_agent_nodeattestor_x509pop.md)                    | A node attestor which attests agent identity using an existing X.509 certificate                                                                 |
@ -66,6 +65,7 @@ This may be useful for templating configuration files, for example across differ
 | `sds`                             | Optional SDS configuration section                                                                                                                                                                                                                |                                  |
 | `trust_bundle_path`               | Path to the SPIRE server CA bundle                                                                                                                                                                                                                |                                  |
 | `trust_bundle_url`                | URL to download the initial SPIRE server trust bundle                                                                                                                                                                                             |                                  |
+| `trust_bundle_unix_socket`        | Make the request specified via trust_bundle_url happen against the specified unix socket.                                                                                                                                                         |                                  |
 | `trust_bundle_format`             | Format of the initial trust bundle, pem or spiffe                                                                                                                                                                                                 | pem                              |
 | `trust_domain`                    | The trust domain that this agent belongs to (should be no more than 255 characters)                                                                                                                                                               |                                  |
 | `workload_x509_svid_key_type`     | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt;                                                                                                                                                                                     | ec-p256                          |
@ -77,15 +77,17 @@ This may be useful for templating configuration files, for example across differ
 |:------------------------------|--------------------------------------------------------------------------------------|-------------------------|
 | `named_pipe_name`             | Pipe name to bind the SPIRE Agent API named pipe (Windows only)                      | \spire-agent\public\api |
 | `sync_interval`               | Sync interval with SPIRE server with exponential backoff                             | 5 sec                   |
-| `use_sync_authorized_entries` | Use SyncAuthorizedEntries API for periodically synchronization of authorized entries | false                   |
+| `use_sync_authorized_entries` | Use SyncAuthorizedEntries API for periodically synchronization of authorized entries | true                    |
 | `require_pq_kem`              | Require use of a post-quantum-safe key exchange method for TLS handshakes            | false                   |

 ### Initial trust bundle configuration

-The agent needs an initial trust bundle in order to connect securely to the SPIRE server. There are three options:
+The agent needs an initial trust bundle in order to connect securely to the SPIRE server. There are four options:

 1. If the `trust_bundle_path` option is used, the agent will read the initial trust bundle from the file at that path. You need to copy or share the file before starting the SPIRE agent.
-2. If the `trust_bundle_url` option is used, the agent will read the initial trust bundle from the specified URL. **The URL must start with `https://` for security, and the server must have a valid certificate (verified with the system trust store).** This can be used to rapidly deploy SPIRE agents without having to manually share a file. Keep in mind the contents of the URL need to be kept up to date.
+2. If the `trust_bundle_url` option is used, the agent will read the initial trust bundle from the specified URL.
+    1. If trust_bundle_unix_socket is unset, **The URL must start with `https://` for security, and the server must have a valid certificate (verified with the system trust store).** This can be used to rapidly deploy SPIRE agents without having to manually share a file. Keep in mind the contents of the URL need to be kept up to date.
+    2. If trust_bundle_unix_socket is set, **The URL must start with `http://`.** This can be used along with a local service running on the socket to fetch up to date trust bundles via some site specific, secure meachanism.
 3. If the `insecure_bootstrap` option is set to `true`, then the agent will not use an initial trust bundle. It will connect to the SPIRE server without authenticating it. This is not a secure configuration, because a man-in-the-middle attacker could control the SPIRE infrastructure. It is included because it is a useful option for testing and development.

 Only one of these three options may be set at a time.
@ -195,7 +197,7 @@ SPIRE Agent, upon receipt of the signal, does the following:

 ## Telemetry configuration

-Please see the [Telemetry Configuration](./telemetry_config.md) guide for more information about configuring SPIRE Agent to emit telemetry.
+Please see the [Telemetry Configuration](./telemetry/telemetry_config.md) guide for more information about configuring SPIRE Agent to emit telemetry.

 ## Health check configuration

--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@ -27,7 +27,6 @@ This document is a configuration reference for SPIRE Server. It includes informa
 | NodeAttestor       | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md)                                            | A node attestor which attests agent identity using an Azure MSI token                                                       |
 | NodeAttestor       | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md)                                                | A node attestor which attests agent identity using a GCP Instance Identity Token                                            |
 | NodeAttestor       | [join_token](/doc/plugin_server_nodeattestor_jointoken.md)                                           | A node attestor which validates agents attesting with server-generated join tokens                                          |
-| NodeAttestor       | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated)                                   | A node attestor which attests agent identity using a Kubernetes Service Account token                                       |
 | NodeAttestor       | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md)                                              | A node attestor which attests agent identity using a Kubernetes Projected Service Account token                             |
 | NodeAttestor       | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md)                                                  | A node attestor which attests agent identity using an existing ssh certificate                                              |
 | NodeAttestor       | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md)                                            | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate                 |
@ -82,7 +81,7 @@ This may be useful for templating configuration files, for example across differ
 | `ratelimit`                         | Rate limiting configurations, usually used when the server is behind a load balancer (see below)                                                                                                                                                |                                                                |
 | `socket_path`                       | Path to bind the SPIRE Server API socket to (Unix only)                                                                                                                                                                                         | /tmp/spire-server/private/api.sock                             |
 | `trust_domain`                      | The trust domain that this server belongs to (should be no more than 255 characters)                                                                                                                                                            |                                                                |
-| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version.                                                                                                    | true                                                           |
+| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version.                                                                                                    | false                                                          |

 | ca_subject                  | Description                    | Default        |
 |:----------------------------|--------------------------------|----------------|
@ -95,10 +94,10 @@ This may be useful for templating configuration files, for example across differ
 | `cache_reload_interval`   | The amount of time between two reloads of the in-memory entry cache. Increasing this will mitigate high database load for extra large deployments, but will also slow propagation of new or updated entries to agents. | 5s                                 |
 | `events_based_cache`      | Use events to update the cache with what's changed since the last update. Enabling this will reduce overhead on the database.                                                                                          | false                              |
 | `prune_events_older_than` | How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down.      | 12h                                |
-| `sql_transaction_timeout` | Maximum time an SQL transaction could take, used by the events based cache to determine when an event id is unlikely to be used anymore.                                                                               | 24h                                |
+| `event_timeout`           | Maximum time to wait for an event to come in before giving up.                                                                                                                                                         | 15m                                 |
 | `auth_opa_policy_engine`  | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions                                                                                                                     | default SPIRE authorization policy |
 | `named_pipe_name`         | Pipe name of the SPIRE Server API named pipe (Windows only)                                                                                                                                                            | \spire-server\private\api          |
-| `require_pq_kem`         | Require use of a post-quantum-safe key exchange method for TLS handshakes                                                                                                                                               | false                              |
+| `require_pq_kem`          | Require use of a post-quantum-safe key exchange method for TLS handshakes                                                                                                                                              | false                              |

 | ratelimit     | Description                                                                                                                                        | Default |
 |:--------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---------|
@ -109,10 +108,11 @@ This may be useful for templating configuration files, for example across differ
 |:-----------------------|---------------------------------------------------|---------|
 | `local`                | Local OPA configuration for authorization policy. |         |

-| auth_opa_policy_engine.local  | Description                                              | Default        |
-|:------------------------------|----------------------------------------------------------|----------------|
-| `rego_path`                   | File to retrieve OPA rego policy for authorization.      |                |
-| `policy_data_path`            | File to retrieve databindings for policy evaluation.     |                |
+| auth_opa_policy_engine.local  | Description                                                                               | Default        |
+|:------------------------------|-------------------------------------------------------------------------------------------|----------------|
+| `rego_path`                   | File to retrieve OPA rego policy for authorization.                                       |                |
+| `policy_data_path`            | File to retrieve databindings for policy evaluation.                                      |                |
+| `use_rego_v1`                 | Use rego V1 when evaluating the policy. This will become the default in a future release. | false          |

 ### Profiling Names

@ -261,7 +261,7 @@ When setting a `bundle_endpoint`, it is `required` to specify the bundle profile

 Allowed profiles:

- `https_web` allow to configure either the [Automated Certificate Management Environment](#Configuration options for `federation.bundle_endpoint.profile "https_web".acme`) or the [serving cert file](#Configure options for 'federation.bundle_endpoint.porfile "https_web".serving_cert_file') section.
+- `https_web` allow to configure either the [Automated Certificate Management Environment](#configuration-options-for-federationbundle_endpointprofile-https_webacme) or the [serving cert file](#configuration-options-for-federationbundle_endpointprofile-https_webserving_cert_file) section.
 - `https_spiffe`

 ### Configuration options for `federation.bundle_endpoint.profile "https_web".acme`
@ -304,7 +304,7 @@ For more information about the different profiles defined in SPIFFE, along with

 ## Telemetry configuration

-Please see the [Telemetry Configuration](./telemetry_config.md) guide for more information about configuring SPIRE Server to emit telemetry.
+Please see the [Telemetry Configuration](./telemetry/telemetry_config.md) guide for more information about configuring SPIRE Server to emit telemetry.

 ## Health check configuration

--- a/doc/telemetry/telemetry_config.md
+++ b/doc/telemetry/telemetry_config.md
@ -16,20 +16,21 @@ You may use all, some, or none of the collectors. The following collectors suppo

 ## Telemetry configuration syntax

-| Configuration         | Type          | Description                                                   | Default                  |
-|-----------------------|---------------|---------------------------------------------------------------|--------------------------|
-| `InMem`               | `InMem`       | In-memory configuration                                       | running                  |
-| `Prometheus`          | `Prometheus`  | Prometheus configuration                                      |                          |
-| `DogStatsd`           | `[]DogStatsd` | List of DogStatsd configurations                              |                          |
-| `Statsd`              | `[]Statsd`    | List of Statsd configurations                                 |                          |
-| `M3`                  | `[]M3`        | List of M3 configurations                                     |                          |
-| `MetricPrefix`        | `string`      | Prefix to add to all emitted metrics                          | spire_server/spire_agent |
-| `EnableHostnameLabel` | `bool`        | Enable adding hostname to labels                              | true                     |
-| `AllowedPrefixes`     | `[]string`    | A list of metric prefixes to allow, with '.' as the separator |                          |
-| `AllowedPrefixes`     | `[]string`    | A list of metric prefixes to allow, with '.' as the separator |                          |
-| `BlockedPrefixes`     | `[]string`    | A list of metric prefixes to block, with '.' as the separator |                          |
-| `AllowedLabels`       | `[]string`    | A list of metric labels to allow, with '.' as the separator   |                          |
-| `BlockedLabels`       | `[]string`    | A list of metric labels to block, with '.' as the separator   |                          |
+| Configuration            | Type          | Description                                                   | Default                  |
+|--------------------------|---------------|---------------------------------------------------------------|--------------------------|
+| `InMem`                  | `InMem`       | In-memory configuration                                       | running                  |
+| `Prometheus`             | `Prometheus`  | Prometheus configuration                                      |                          |
+| `DogStatsd`              | `[]DogStatsd` | List of DogStatsd configurations                              |                          |
+| `Statsd`                 | `[]Statsd`    | List of Statsd configurations                                 |                          |
+| `M3`                     | `[]M3`        | List of M3 configurations                                     |                          |
+| `MetricPrefix`           | `string`      | Prefix to add to all emitted metrics                          | spire_server/spire_agent |
+| `EnableTrustDomainLabel` | `bool`        | Enable optional trust domain label for all metrics            | false                    |
+| `EnableHostnameLabel`    | `bool`        | Enable adding hostname to labels                              | true                     |
+| `AllowedPrefixes`        | `[]string`    | A list of metric prefixes to allow, with '.' as the separator |                          |
+| `AllowedPrefixes`        | `[]string`    | A list of metric prefixes to allow, with '.' as the separator |                          |
+| `BlockedPrefixes`        | `[]string`    | A list of metric prefixes to block, with '.' as the separator |                          |
+| `AllowedLabels`          | `[]string`    | A list of metric labels to allow, with '.' as the separator   |                          |
+| `BlockedLabels`          | `[]string`    | A list of metric labels to block, with '.' as the separator   |                          |

 ### `Prometheus`

@ -79,7 +80,6 @@ telemetry {
        ]

        InMem {}
-
        AllowedLabels = []
        BlockedLabels = []
        AllowedPrefixes = []
--- a/go.mod
+++ b/go.mod
@ -1,201 +1,194 @@
 module github.com/spiffe/spire

-go 1.23.2
+go 1.24.4

 require (
-	cloud.google.com/go/iam v1.2.2
-	cloud.google.com/go/kms v1.20.1
-	cloud.google.com/go/secretmanager v1.14.2
-	cloud.google.com/go/security v1.18.2
-	cloud.google.com/go/storage v1.47.0
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
+	cloud.google.com/go/iam v1.5.2
+	cloud.google.com/go/kms v1.22.0
+	cloud.google.com/go/secretmanager v1.15.0
+	cloud.google.com/go/security v1.18.5
+	cloud.google.com/go/storage v1.55.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
-	github.com/GoogleCloudPlatform/cloudsql-proxy v1.37.1
+	github.com/GoogleCloudPlatform/cloudsql-proxy v1.37.7
 	github.com/Keyfactor/ejbca-go-client-sdk v1.0.2
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
-	github.com/aws/aws-sdk-go-v2 v1.32.5
-	github.com/aws/aws-sdk-go-v2/config v1.28.1
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.42
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.18
-	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.4.2
-	github.com/aws/aws-sdk-go-v2/service/acmpca v1.37.0
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.194.0
-	github.com/aws/aws-sdk-go-v2/service/iam v1.38.1
-	github.com/aws/aws-sdk-go-v2/service/kms v1.37.0
-	github.com/aws/aws-sdk-go-v2/service/organizations v1.35.1
-	github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.16.0
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.0
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.1
-	github.com/aws/smithy-go v1.22.1
+	github.com/aws/aws-sdk-go-v2 v1.36.5
+	github.com/aws/aws-sdk-go-v2/config v1.29.16
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.69
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.31
+	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.5.1
+	github.com/aws/aws-sdk-go-v2/service/acmpca v1.40.0
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.229.0
+	github.com/aws/aws-sdk-go-v2/service/iam v1.43.0
+	github.com/aws/aws-sdk-go-v2/service/kms v1.41.0
+	github.com/aws/aws-sdk-go-v2/service/organizations v1.39.0
+	github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.17.0
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.83.0
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0
+	github.com/aws/smithy-go v1.22.4
 	github.com/blang/semver/v4 v4.0.0
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/docker/docker v27.3.1+incompatible
-	github.com/envoyproxy/go-control-plane v0.13.1
+	github.com/docker/docker v28.3.1+incompatible
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
-	github.com/go-jose/go-jose/v4 v4.0.4
-	github.com/go-sql-driver/mysql v1.8.1
+	github.com/go-jose/go-jose/v4 v4.1.1
+	github.com/go-sql-driver/mysql v1.9.3
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/gofrs/uuid/v5 v5.3.0
+	github.com/gofrs/uuid/v5 v5.3.2
 	github.com/gogo/status v1.1.1
 	github.com/google/btree v1.1.3
-	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.20.2
-	github.com/google/go-tpm v0.9.1
-	github.com/google/go-tpm-tools v0.4.4
-	github.com/googleapis/gax-go/v2 v2.14.0
+	github.com/google/go-cmp v0.7.0
+	github.com/google/go-containerregistry v0.20.6
+	github.com/google/go-tpm v0.9.5
+	github.com/google/go-tpm-tools v0.4.5
+	github.com/googleapis/gax-go/v2 v2.14.2
 	github.com/gorilla/handlers v1.5.2
 	github.com/hashicorp/go-hclog v1.6.3
-	github.com/hashicorp/go-metrics v0.5.3
-	github.com/hashicorp/go-plugin v1.6.2
+	github.com/hashicorp/go-metrics v0.5.4
+	github.com/hashicorp/go-plugin v1.6.3
 	github.com/hashicorp/hcl v1.0.1-vault-7
-	github.com/hashicorp/vault/api v1.15.0
-	github.com/hashicorp/vault/sdk v0.14.0
+	github.com/hashicorp/vault/api v1.20.0
+	github.com/hashicorp/vault/sdk v0.18.0
 	github.com/imdario/mergo v0.3.16
 	github.com/imkira/go-observer v1.0.3
-	github.com/jackc/pgx/v5 v5.7.1
+	github.com/jackc/pgx/v5 v5.7.5
 	github.com/jinzhu/gorm v1.9.16
-	github.com/lestrrat-go/jwx/v2 v2.1.3
 	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.24
+	github.com/mattn/go-sqlite3 v1.14.28
 	github.com/mitchellh/cli v1.1.5
-	github.com/open-policy-agent/opa v0.70.0
-	github.com/prometheus/client_golang v1.20.5
-	github.com/shirou/gopsutil/v3 v3.24.5
-	github.com/sigstore/cosign/v2 v2.4.1
-	github.com/sigstore/rekor v1.3.6
-	github.com/sigstore/sigstore v1.8.10
+	github.com/open-policy-agent/opa v1.5.1
+	github.com/prometheus/client_golang v1.22.0
+	github.com/shirou/gopsutil/v4 v4.25.6
+	github.com/sigstore/cosign/v2 v2.5.2
+	github.com/sigstore/rekor v1.3.10
+	github.com/sigstore/sigstore v1.9.5
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spiffe/go-spiffe/v2 v2.4.0
-	github.com/spiffe/spire-api-sdk v1.2.5-0.20240916165922-16526993814a
-	github.com/spiffe/spire-plugin-sdk v1.4.4-0.20240701180828-594312f4444d
+	github.com/spiffe/go-spiffe/v2 v2.5.0
+	github.com/spiffe/spire-api-sdk v1.2.5-0.20250109200630-101d5e7de758
+	github.com/spiffe/spire-plugin-sdk v1.4.4-0.20250606112051-68609d83ce7c
 	github.com/stretchr/testify v1.10.0
-	github.com/uber-go/tally/v4 v4.1.16
+	github.com/uber-go/tally/v4 v4.1.17
 	github.com/valyala/fastjson v1.6.4
-	github.com/zeebo/errs v1.4.0
-	golang.org/x/crypto v0.29.0
-	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
-	golang.org/x/net v0.31.0
-	golang.org/x/sync v0.9.0
-	golang.org/x/sys v0.27.0
-	golang.org/x/time v0.8.0
-	google.golang.org/api v0.209.0
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f
-	google.golang.org/grpc v1.68.0
-	google.golang.org/protobuf v1.35.2
-	k8s.io/api v0.31.3
-	k8s.io/apimachinery v0.31.3
-	k8s.io/client-go v0.31.3
-	k8s.io/kube-aggregator v0.31.3
-	k8s.io/mount-utils v0.31.3
-	sigs.k8s.io/controller-runtime v0.19.2
+	golang.org/x/crypto v0.39.0
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
+	golang.org/x/net v0.41.0
+	golang.org/x/sync v0.15.0
+	golang.org/x/sys v0.33.0
+	golang.org/x/time v0.12.0
+	google.golang.org/api v0.240.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822
+	google.golang.org/grpc v1.73.0
+	google.golang.org/protobuf v1.36.6
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/kube-aggregator v0.33.2
+	k8s.io/mount-utils v0.33.2
+	sigs.k8s.io/controller-runtime v0.21.0
 )

 require (
-	cel.dev/expr v0.16.1 // indirect
-	cloud.google.com/go v0.116.0 // indirect
-	cloud.google.com/go/auth v0.10.2 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
-	cloud.google.com/go/compute/metadata v0.5.2 // indirect
-	cloud.google.com/go/longrunning v0.6.2 // indirect
-	cloud.google.com/go/monitoring v1.21.2 // indirect
+	cel.dev/expr v0.23.0 // indirect
+	cloud.google.com/go v0.121.1 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/longrunning v0.6.7 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/DataDog/datadog-go v3.2.0+incompatible // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.0 // indirect
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/agnivade/levenshtein v1.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.3 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
+	github.com/bgentry/speakeasy v0.2.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v27.1.1+incompatible // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
-	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
-	github.com/fatih/color v1.16.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/errors v0.22.1 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
 	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/googleapis v0.0.0-20180223154316-0cd9801be74a // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang/mock v1.7.0-rc.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.2.1 // indirect
-	github.com/google/flatbuffers v23.5.26+incompatible // indirect
-	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-configfs-tsm v0.2.2 // indirect
-	github.com/google/go-sev-guest v0.9.3 // indirect
-	github.com/google/go-tdx-guest v0.3.1 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/certificate-transparency-go v1.3.2 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect
+	github.com/google/go-sev-guest v0.12.1 // indirect
+	github.com/google/go-tdx-guest v0.3.2-0.20241009005452-097ee70d0843 // indirect
 	github.com/google/logger v1.1.1 // indirect
-	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@ -203,40 +196,35 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/in-toto/attestation v1.1.1 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
-	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.6 // indirect
-	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@ -244,84 +232,79 @@ require (
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/runc v1.1.14 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pborman/uuid v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/posener/complete v1.2.3 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sigstore/protobuf-specs v0.3.2 // indirect
-	github.com/sigstore/timestamp-authority v1.2.2 // indirect
+	github.com/sigstore/protobuf-specs v0.4.3 // indirect
+	github.com/sigstore/sigstore-go v1.0.0 // indirect
+	github.com/sigstore/timestamp-authority v1.2.8 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.19.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
-	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.1.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/twmb/murmur3 v1.1.8 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.26 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
-	go.opentelemetry.io/otel v1.29.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 // indirect
-	go.opentelemetry.io/otel/metric v1.29.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.29.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
-	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/oauth2 v0.24.0 // indirect
-	golang.org/x/term v0.26.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
-	google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
-	google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/pkg/agent/agent.go
+++ b/pkg/agent/agent.go
@ -2,6 +2,7 @@ package agent

 import (
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"net/http"
@ -77,6 +78,7 @@ func (a *Agent) Run(ctx context.Context) error {
 		FileConfig:  a.c.Telemetry,
 		Logger:      a.c.Log.WithField(telemetry.SubsystemName, telemetry.Telemetry),
 		ServiceName: telemetry.SpireAgent,
+		TrustDomain: a.c.TrustDomain.Name(),
 	})
 	if err != nil {
 		return err
@ -113,13 +115,20 @@ func (a *Agent) Run(ctx context.Context) error {
 		)

 		for {
-			as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor)
-			if err == nil {
-				break
+			insecureBootstrap := false
+			bootstrapTrustBundle, err := sto.LoadBundle()
+			if errors.Is(err, storage.ErrNotCached) {
+				bootstrapTrustBundle, insecureBootstrap, err = a.c.TrustBundleSources.GetBundle()
 			}
+			if err == nil {
+				as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor, bootstrapTrustBundle, insecureBootstrap)
+				if err == nil {
+					break
+				}

-			if status.Code(err) == codes.PermissionDenied {
-				return err
+				if status.Code(err) == codes.PermissionDenied {
+					return err
+				}
 			}

 			nextDuration := attBackoff.NextBackOff()
@ -140,7 +149,15 @@ func (a *Agent) Run(ctx context.Context) error {
 			}
 		}
 	} else {
-		as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor)
+		insecureBootstrap := false
+		bootstrapTrustBundle, err := sto.LoadBundle()
+		if errors.Is(err, storage.ErrNotCached) {
+			bootstrapTrustBundle, insecureBootstrap, err = a.c.TrustBundleSources.GetBundle()
+		}
+		if err != nil {
+			return err
+		}
+		as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor, bootstrapTrustBundle, insecureBootstrap)
 		if err != nil {
 			return err
 		}
@ -172,7 +189,7 @@ func (a *Agent) Run(ctx context.Context) error {
 		endpoints.ListenAndServe,
 		metrics.ListenAndServe,
 		catalog.ReconfigureTask(a.c.Log.WithField(telemetry.SubsystemName, "reconfigurer"), cat),
-		util.SerialRun(a.waitForTestDial, healthChecker.ListenAndServe),
+		healthChecker.ListenAndServe,
 	}

 	if a.c.AdminBindAddress != nil {
@ -248,19 +265,19 @@ func (a *Agent) setupProfiling(ctx context.Context) (stop func()) {
 	}
 }

-func (a *Agent) attest(ctx context.Context, sto storage.Storage, cat catalog.Catalog, metrics telemetry.Metrics, na nodeattestor.NodeAttestor) (*node_attestor.AttestationResult, error) {
+func (a *Agent) attest(ctx context.Context, sto storage.Storage, cat catalog.Catalog, metrics telemetry.Metrics, na nodeattestor.NodeAttestor, bootstrapTrustBundle []*x509.Certificate, insecureBootstrap bool) (*node_attestor.AttestationResult, error) {
 	config := node_attestor.Config{
-		Catalog:           cat,
-		Metrics:           metrics,
-		JoinToken:         a.c.JoinToken,
-		TrustDomain:       a.c.TrustDomain,
-		TrustBundle:       a.c.TrustBundle,
-		InsecureBootstrap: a.c.InsecureBootstrap,
-		Storage:           sto,
-		Log:               a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
-		ServerAddress:     a.c.ServerAddress,
-		NodeAttestor:      na,
-		TLSPolicy:         a.c.TLSPolicy,
+		Catalog:              cat,
+		Metrics:              metrics,
+		JoinToken:            a.c.JoinToken,
+		TrustDomain:          a.c.TrustDomain,
+		BootstrapTrustBundle: bootstrapTrustBundle,
+		InsecureBootstrap:    insecureBootstrap,
+		Storage:              sto,
+		Log:                  a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
+		ServerAddress:        a.c.ServerAddress,
+		NodeAttestor:         na,
+		TLSPolicy:            a.c.TLSPolicy,
 	}
 	return node_attestor.New(&config).Attest(ctx)
 }
@ -386,14 +403,6 @@ func (a *Agent) newAdminEndpoints(metrics telemetry.Metrics, mgr manager.Manager
 	return admin_api.New(config)
 }

-// waitForTestDial calls health.WaitForTestDial to wait for a connection to the
-// SPIRE Agent API socket. This function always returns nil, even if
-// health.WaitForTestDial exited due to a timeout.
-func (a *Agent) waitForTestDial(ctx context.Context) error {
-	health.WaitForTestDial(ctx, a.c.BindAddress)
-	return nil
-}
-
 // CheckHealth is used as a top-level health check for the agent.
 func (a *Agent) CheckHealth() health.State {
 	err := a.checkWorkloadAPI()
--- a/pkg/agent/api/debug/v1/service.go
+++ b/pkg/agent/api/debug/v1/service.go
@ -3,6 +3,7 @@ package debug
 import (
 	"context"
 	"crypto/x509"
+	"fmt"
 	"sync"
 	"time"

@ -13,6 +14,7 @@ import (
 	debugv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/agent/debug/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/agent/manager"
+	"github.com/spiffe/spire/pkg/common/util"
 	"github.com/spiffe/spire/test/clock"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@ -92,15 +94,32 @@ func (s *Service) GetInfo(context.Context, *debugv1.GetInfoRequest) (*debugv1.Ge
 			})
 		}

+		uptime, err := util.CheckedCast[int32](int64(s.uptime().Seconds()))
+		if err != nil {
+			return nil, fmt.Errorf("invalid value for uptime: %w", err)
+		}
+		x509SvidsCount, err := util.CheckedCast[int32](s.m.CountX509SVIDs())
+		if err != nil {
+			return nil, fmt.Errorf("out of range value for X.509 SVIDs count: %w", err)
+		}
+		jwtSvidsCount, err := util.CheckedCast[int32](s.m.CountJWTSVIDs())
+		if err != nil {
+			return nil, fmt.Errorf("out of range value for JWT SVIDs count: %w", err)
+		}
+		svidstoreX509SvidsCount, err := util.CheckedCast[int32](s.m.CountSVIDStoreX509SVIDs())
+		if err != nil {
+			return nil, fmt.Errorf("out of range value for SVIDStore X.509 SVIDs count: %w", err)
+		}
+
 		// Reset clock and set current response
 		s.getInfoResp.ts = s.clock.Now()
 		s.getInfoResp.resp = &debugv1.GetInfoResponse{
 			SvidChain:                     svidChain,
-			Uptime:                        int32(s.uptime().Seconds()),
-			SvidsCount:                    int32(s.m.CountX509SVIDs()),
-			CachedX509SvidsCount:          int32(s.m.CountX509SVIDs()),
-			CachedJwtSvidsCount:           int32(s.m.CountJWTSVIDs()),
-			CachedSvidstoreX509SvidsCount: int32(s.m.CountSVIDStoreX509SVIDs()),
+			Uptime:                        uptime,
+			SvidsCount:                    x509SvidsCount,
+			CachedX509SvidsCount:          x509SvidsCount,
+			CachedJwtSvidsCount:           jwtSvidsCount,
+			CachedSvidstoreX509SvidsCount: svidstoreX509SvidsCount,
 			LastSyncSuccess:               s.m.GetLastSync().UTC().Unix(),
 		}
 	}
--- a/pkg/agent/api/debug/v1/service_test.go
+++ b/pkg/agent/api/debug/v1/service_test.go
@ -189,7 +189,6 @@ func TestGetInfo(t *testing.T) {
 			err:  "failed to verify agent SVID: x509svid: could not get leaf SPIFFE ID: certificate contains no URI SAN",
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			test := setupServiceTest(t)
 			defer test.Cleanup()
@ -277,7 +276,7 @@ func setupServiceTest(t *testing.T) *serviceTest {
 	}
 	server := grpctest.StartServer(t, registerFn)
 	test.done = server.Stop
-	test.client = debugv1.NewDebugClient(server.Dial(t))
+	test.client = debugv1.NewDebugClient(server.NewGRPCClient(t))

 	return test
 }
--- a/pkg/agent/api/delegatedidentity/v1/service.go
+++ b/pkg/agent/api/delegatedidentity/v1/service.go
@ -3,6 +3,7 @@ package delegatedidentity
 import (
 	"context"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"sort"
 	"time"
@ -261,7 +262,7 @@ func composeX509SVIDBySelectors(update *cache.WorkloadUpdate) (*delegatedidentit

 		// check if SVIDs exist for the identity
 		if len(identity.SVID) == 0 {
-			return nil, fmt.Errorf("unable to get SVID from identity")
+			return nil, errors.New("unable to get SVID from identity")
 		}

 		id, err := idutil.IDProtoFromString(identity.Entry.SpiffeId)
--- a/pkg/agent/api/delegatedidentity/v1/service_test.go
+++ b/pkg/agent/api/delegatedidentity/v1/service_test.go
@ -168,10 +168,11 @@ func TestSubscribeToX509SVIDs(t *testing.T) {
 				identities[0],
 			},
 			updates: []*cache.WorkloadUpdate{
-				{Identities: []cache.Identity{
-					identities[0],
-					identities[1],
-				},
+				{
+					Identities: []cache.Identity{
+						identities[0],
+						identities[1],
+					},
 					Bundle: bundle,
 				},
 			},
@ -238,7 +239,8 @@ func TestSubscribeToX509SVIDs(t *testing.T) {
 					},
 					Bundle: bundle,
 					FederatedBundles: map[spiffeid.TrustDomain]*spiffebundle.Bundle{
-						federatedBundle1.TrustDomain(): federatedBundle1},
+						federatedBundle1.TrustDomain(): federatedBundle1,
+					},
 				},
 			},
 			expectResp: &delegatedidentityv1.SubscribeToX509SVIDsResponse{
@ -269,7 +271,8 @@ func TestSubscribeToX509SVIDs(t *testing.T) {
 					},
 					Bundle: bundle,
 					FederatedBundles: map[spiffeid.TrustDomain]*spiffebundle.Bundle{
-						federatedBundle1.TrustDomain(): federatedBundle1},
+						federatedBundle1.TrustDomain(): federatedBundle1,
+					},
 				},
 			},
 			expectResp: &delegatedidentityv1.SubscribeToX509SVIDsResponse{
@ -301,7 +304,8 @@ func TestSubscribeToX509SVIDs(t *testing.T) {
 					Bundle: bundle,
 					FederatedBundles: map[spiffeid.TrustDomain]*spiffebundle.Bundle{
 						federatedBundle1.TrustDomain(): federatedBundle1,
-						federatedBundle2.TrustDomain(): federatedBundle2},
+						federatedBundle2.TrustDomain(): federatedBundle2,
+					},
 				},
 			},
 			expectResp: &delegatedidentityv1.SubscribeToX509SVIDsResponse{
@ -315,13 +319,14 @@ func TestSubscribeToX509SVIDs(t *testing.T) {
 						X509SvidKey: pkcs8FromSigner(t, x509SVID1.PrivateKey),
 					},
 				},
-				FederatesWith: []string{federatedBundle1.TrustDomain().IDString(),
-					federatedBundle2.TrustDomain().IDString()},
+				FederatesWith: []string{
+					federatedBundle1.TrustDomain().IDString(),
+					federatedBundle2.TrustDomain().IDString(),
+				},
 			},
 			expectMetrics: generateSubscribeToX509SVIDMetrics(),
 		},
 	} {
-		tt := tt
 		t.Run(tt.testName, func(t *testing.T) {
 			metrics := fakemetrics.New()
 			params := testParams{
@ -370,7 +375,6 @@ func TestSubscribeToX509Bundles(t *testing.T) {
 		expectResp   []*delegatedidentityv1.SubscribeToX509BundlesResponse
 		cacheUpdates map[spiffeid.TrustDomain]*cache.Bundle
 	}{
-
 		{
 			testName:   "Attest error",
 			attestErr:  errors.New("ohno"),
@ -423,7 +427,6 @@ func TestSubscribeToX509Bundles(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.testName, func(t *testing.T) {
 			params := testParams{
 				CA:           ca,
@ -663,7 +666,6 @@ func TestFetchJWTSVIDs(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.testName, func(t *testing.T) {
 			params := testParams{
 				CA:           ca,
@ -711,7 +713,6 @@ func TestSubscribeToJWTBundles(t *testing.T) {
 		expectResp   []*delegatedidentityv1.SubscribeToJWTBundlesResponse
 		cacheUpdates map[spiffeid.TrustDomain]*cache.Bundle
 	}{
-
 		{
 			testName:   "Attest error",
 			attestErr:  errors.New("ohno"),
@ -764,7 +765,6 @@ func TestSubscribeToJWTBundles(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.testName, func(t *testing.T) {
 			params := testParams{
 				CA:           ca,
@ -844,7 +844,7 @@ func runTest(t *testing.T, params testParams, fn func(ctx context.Context, clien
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()

-	conn, _ := grpc.DialContext(ctx, "unix:"+addr.String(), grpc.WithTransportCredentials(insecure.NewCredentials())) //nolint: staticcheck // It is going to be resolved on #5152
+	conn, _ := grpc.NewClient("unix:"+addr.String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
 	t.Cleanup(func() { conn.Close() })

 	fn(ctx, delegatedidentityv1.NewDelegatedIdentityClient(conn))
--- a/pkg/agent/api/health/v1/service_test.go
+++ b/pkg/agent/api/health/v1/service_test.go
@ -26,9 +26,7 @@ import (
 	"google.golang.org/grpc/status"
 )

-var (
-	td = spiffeid.RequireTrustDomainFromString("example.org")
-)
+var td = spiffeid.RequireTrustDomainFromString("example.org")

 func TestServiceCheck(t *testing.T) {
 	ca := testca.New(t, td)
@ -84,7 +82,6 @@ func TestServiceCheck(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			log, logHook := test.NewNullLogger()

@ -106,7 +103,7 @@ func TestServiceCheck(t *testing.T) {
 				}),
 			)

-			client := grpc_health_v1.NewHealthClient(server.Dial(t))
+			client := grpc_health_v1.NewHealthClient(server.NewGRPCClient(t))
 			resp, err := client.Check(context.Background(), &grpc_health_v1.HealthCheckRequest{
 				Service: tt.service,
 			})
--- a/pkg/agent/attestor/node/node.go
+++ b/pkg/agent/attestor/node/node.go
@ -28,7 +28,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/tlspolicy"
 	"github.com/spiffe/spire/pkg/common/util"
 	"github.com/spiffe/spire/pkg/common/x509util"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 )
@ -49,17 +48,17 @@ type Attestor interface {
 }

 type Config struct {
-	Catalog           catalog.Catalog
-	Metrics           telemetry.Metrics
-	JoinToken         string
-	TrustDomain       spiffeid.TrustDomain
-	TrustBundle       []*x509.Certificate
-	InsecureBootstrap bool
-	Storage           storage.Storage
-	Log               logrus.FieldLogger
-	ServerAddress     string
-	NodeAttestor      nodeattestor.NodeAttestor
-	TLSPolicy         tlspolicy.Policy
+	Catalog              catalog.Catalog
+	Metrics              telemetry.Metrics
+	JoinToken            string
+	TrustDomain          spiffeid.TrustDomain
+	BootstrapTrustBundle []*x509.Certificate
+	InsecureBootstrap    bool
+	Storage              storage.Storage
+	Log                  logrus.FieldLogger
+	ServerAddress        string
+	NodeAttestor         nodeattestor.NodeAttestor
+	TLSPolicy            tlspolicy.Policy
 }

 type attestor struct {
@ -101,7 +100,7 @@ func (a *attestor) Attest(ctx context.Context) (res *AttestationResult, err erro
 		// This is a bizarre case where we have an SVID but were unable to
 		// load a bundle from the cache which suggests some tampering with the
 		// cache on disk.
-		return nil, errs.New("SVID loaded but no bundle in cache")
+		return nil, errors.New("SVID loaded but no bundle in cache")
 	default:
 		log.WithField(telemetry.SPIFFEID, svid[0].URIs[0].String()).Info("SVID loaded")
 	}
@ -158,12 +157,12 @@ func (a *attestor) loadBundle() (*spiffebundle.Bundle, error) {
 	bundle, err := a.c.Storage.LoadBundle()
 	if errors.Is(err, storage.ErrNotCached) {
 		if a.c.InsecureBootstrap {
-			if len(a.c.TrustBundle) > 0 {
+			if len(a.c.BootstrapTrustBundle) > 0 {
 				a.c.Log.Warn("Trust bundle will be ignored; performing insecure bootstrap")
 			}
 			return nil, nil
 		}
-		bundle = a.c.TrustBundle
+		bundle = a.c.BootstrapTrustBundle
 	} else if err != nil {
 		return nil, fmt.Errorf("load bundle: %w", err)
 	}
@ -228,7 +227,7 @@ func (a *attestor) newSVID(ctx context.Context, key keymanager.Key, bundle *spif
 	defer counter.Done(&err)
 	telemetry_common.AddAttestorType(counter, a.c.NodeAttestor.Name())

-	conn, err := a.serverConn(ctx, bundle)
+	conn, err := a.serverConn(bundle)
 	if err != nil {
 		return nil, nil, false, fmt.Errorf("create attestation client: %w", err)
 	}
@ -252,9 +251,9 @@ func (a *attestor) newSVID(ctx context.Context, key keymanager.Key, bundle *spif
 	return newSVID, newBundle, reattestable, nil
 }

-func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle) (*grpc.ClientConn, error) {
+func (a *attestor) serverConn(bundle *spiffebundle.Bundle) (*grpc.ClientConn, error) {
 	if bundle != nil {
-		return client.DialServer(ctx, client.DialServerConfig{
+		return client.NewServerGRPCClient(client.ServerClientConfig{
 			Address:     a.c.ServerAddress,
 			TrustDomain: a.c.TrustDomain,
 			GetBundle:   bundle.X509Authorities,
@ -265,7 +264,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 	if !a.c.InsecureBootstrap {
 		// We shouldn't get here since loadBundle() should fail if the bundle
 		// is empty, but just in case...
-		return nil, errs.New("no bundle and not doing insecure bootstrap")
+		return nil, errors.New("no bundle and not doing insecure bootstrap")
 	}

 	// Insecure bootstrapping. Do not verify the server chain but rather do a
@ -279,7 +278,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 			if len(rawCerts) == 0 {
 				// This is not really possible without a catastrophic bug
 				// creeping into the TLS stack.
-				return errs.New("server chain is unexpectedly empty")
+				return errors.New("server chain is unexpectedly empty")
 			}

 			expectedServerID, err := idutil.ServerID(a.c.TrustDomain)
@ -292,18 +291,17 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 				return err
 			}
 			if len(serverCert.URIs) != 1 || serverCert.URIs[0].String() != expectedServerID.String() {
-				return errs.New("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
+				return fmt.Errorf("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
 			}
 			return nil
 		},
 	}

-	return grpc.DialContext(ctx, a.c.ServerAddress, //nolint: staticcheck // It is going to be resolved on #5152
+	return grpc.NewClient(
+		a.c.ServerAddress,
 		grpc.WithDefaultServiceConfig(roundRobinServiceConfig),
 		grpc.WithDisableServiceConfig(),
-		grpc.FailOnNonTempDialError(true), //nolint: staticcheck // It is going to be resolved on #5152
 		grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
-		grpc.WithReturnConnectionError(), //nolint: staticcheck // It is going to be resolved on #5152
 	)
 }

--- a/pkg/agent/attestor/node/node_test.go
+++ b/pkg/agent/attestor/node/node_test.go
@ -281,8 +281,6 @@ func TestAttestor(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
-
 		t.Run(testCase.name, func(t *testing.T) {
 			require := require.New(t)

@ -319,16 +317,16 @@ func TestAttestor(t *testing.T) {
 			// create the attestor
 			log, _ := test.NewNullLogger()
 			attestor := attestor.New(&attestor.Config{
-				Catalog:           catalog,
-				Metrics:           telemetry.Blackhole{},
-				JoinToken:         testCase.agentService.joinToken,
-				Storage:           sto,
-				Log:               log,
-				TrustDomain:       trustDomain,
-				TrustBundle:       makeTrustBundle(testCase.bootstrapBundle),
-				InsecureBootstrap: testCase.insecureBootstrap,
-				ServerAddress:     listener.Addr().String(),
-				NodeAttestor:      agentNA,
+				Catalog:              catalog,
+				Metrics:              telemetry.Blackhole{},
+				JoinToken:            testCase.agentService.joinToken,
+				Storage:              sto,
+				Log:                  log,
+				TrustDomain:          trustDomain,
+				BootstrapTrustBundle: makeTrustBundle(testCase.bootstrapBundle),
+				InsecureBootstrap:    testCase.insecureBootstrap,
+				ServerAddress:        listener.Addr().String(),
+				NodeAttestor:         agentNA,
 			})

 			// perform attestation
@ -527,7 +525,6 @@ func TestIsSVIDExpired(t *testing.T) {
 	}

 	for _, tt := range tests {
-		tt := tt
 		t.Run(tt.Desc, func(t *testing.T) {
 			isExpired := attestor.IsSVIDExpired(tt.SVID, func() time.Time { return now })
 			require.Equal(t, tt.ExpectExpired, isExpired)
--- a/pkg/agent/attestor/workload/workload.go
+++ b/pkg/agent/attestor/workload/workload.go
@ -66,7 +66,7 @@ func (wla *attestor) Attest(ctx context.Context, pid int) ([]*common.Selector, e

 	// Collect the results
 	selectors := []*common.Selector{}
-	for i := 0; i < len(plugins); i++ {
+	for range plugins {
 		select {
 		case s := <-sChan:
 			selectors = append(selectors, s...)
--- a/pkg/agent/catalog/catalog.go
+++ b/pkg/agent/catalog/catalog.go
@ -2,7 +2,7 @@ package catalog

 import (
 	"context"
-	"fmt"
+	"errors"

 	"github.com/sirupsen/logrus"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@ -84,7 +84,7 @@ func (repo *Repository) Close() {

 func Load(ctx context.Context, config Config) (_ *Repository, err error) {
 	if c, ok := config.PluginConfigs.Find(nodeAttestorType, jointoken.PluginName); ok && c.IsEnabled() && c.IsExternal() {
-		return nil, fmt.Errorf("the built-in join_token node attestor cannot be overridden by an external plugin")
+		return nil, errors.New("the built-in join_token node attestor cannot be overridden by an external plugin")
 	}

 	// Load the plugins and populate the repository
--- a/pkg/agent/catalog/nodeattestor.go
+++ b/pkg/agent/catalog/nodeattestor.go
@ -8,7 +8,6 @@ import (
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/httpchallenge"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/jointoken"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8spsat"
-	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8ssat"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/sshpop"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/tpmdevid"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/x509pop"
@ -41,7 +40,6 @@ func (repo *nodeAttestorRepository) BuiltIns() []catalog.BuiltIn {
 		httpchallenge.BuiltIn(),
 		jointoken.BuiltIn(),
 		k8spsat.BuiltIn(),
-		k8ssat.BuiltIn(),
 		sshpop.BuiltIn(),
 		tpmdevid.BuiltIn(),
 		x509pop.BuiltIn(),
--- a/pkg/agent/client/client.go
+++ b/pkg/agent/client/client.go
@ -39,6 +39,7 @@ var (
 		RevisionNumber: true,
 		StoreSvid:      true,
 		Hint:           true,
+		CreatedAt:      true,
 	}
 )

@ -103,8 +104,8 @@ type client struct {
 	connections *nodeConn
 	m           sync.Mutex

-	// Constructor used for testing purposes.
-	dialContext func(ctx context.Context, target string, opts ...grpc.DialOption) (*grpc.ClientConn, error)
+	// dialOpts optionally sets gRPC dial options
+	dialOpts []grpc.DialOption
 }

 // New creates a new client struct with the configuration provided
@ -233,7 +234,7 @@ func (c *client) RenewSVID(ctx context.Context, csr []byte) (*X509SVID, error) {
 	ctx, cancel := context.WithTimeout(ctx, rpcTimeout)
 	defer cancel()

-	agentClient, connection, err := c.newAgentClient(ctx)
+	agentClient, connection, err := c.newAgentClient()
 	if err != nil {
 		return nil, err
 	}
@ -308,7 +309,7 @@ func (c *client) NewJWTSVID(ctx context.Context, entryID string, audience []stri
 	ctx, cancel := context.WithTimeout(ctx, rpcTimeout)
 	defer cancel()

-	svidClient, connection, err := c.newSVIDClient(ctx)
+	svidClient, connection, err := c.newSVIDClient()
 	if err != nil {
 		return nil, err
 	}
@ -357,8 +358,8 @@ func (c *client) release(conn *nodeConn) {
 	}
 }

-func (c *client) dial(ctx context.Context) (*grpc.ClientConn, error) {
-	return DialServer(ctx, DialServerConfig{
+func (c *client) newServerGRPCClient() (*grpc.ClientConn, error) {
+	return NewServerGRPCClient(ServerClientConfig{
 		Address:     c.c.Addr,
 		TrustDomain: c.c.TrustDomain,
 		GetBundle: func() []*x509.Certificate {
@ -375,13 +376,13 @@ func (c *client) dial(ctx context.Context) (*grpc.ClientConn, error) {
 			}
 			return agentCert
 		},
-		TLSPolicy:   c.c.TLSPolicy,
-		dialContext: c.dialContext,
+		TLSPolicy: c.c.TLSPolicy,
+		dialOpts:  c.dialOpts,
 	})
 }

 func (c *client) fetchEntries(ctx context.Context) ([]*types.Entry, error) {
-	entryClient, connection, err := c.newEntryClient(ctx)
+	entryClient, connection, err := c.newEntryClient()
 	if err != nil {
 		return nil, err
 	}
@ -400,7 +401,7 @@ func (c *client) fetchEntries(ctx context.Context) ([]*types.Entry, error) {
 }

 func (c *client) syncEntries(ctx context.Context, cachedEntries map[string]*common.RegistrationEntry) (SyncEntriesStats, error) {
-	entryClient, connection, err := c.newEntryClient(ctx)
+	entryClient, connection, err := c.newEntryClient()
 	if err != nil {
 		return SyncEntriesStats{}, err
 	}
@ -416,6 +417,27 @@ func (c *client) syncEntries(ctx context.Context, cachedEntries map[string]*comm
 	return stats, nil
 }

+func entryIsStale(entry *common.RegistrationEntry, revisionNumber, revisionCreatedAt int64) bool {
+	if entry.RevisionNumber != revisionNumber {
+		return true
+	}
+
+	// TODO: remove in SPIRE 1.14
+	if revisionCreatedAt == 0 {
+		return false
+	}
+
+	// Verify that the CreatedAt of the entries match. If they are different, they are
+	// completely different entries even if the revision number is the same.
+	// This can happen for example if an entry is deleted and recreated with the
+	// same entry id.
+	if entry.CreatedAt != revisionCreatedAt {
+		return true
+	}
+
+	return false
+}
+
 func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.EntryClient, cachedEntries map[string]*common.RegistrationEntry) (stats SyncEntriesStats, err error) {
 	// Build a set of all the entries to be removed. This set is initialized
 	// with all entries currently known. As entries are synced down from the
@ -459,7 +481,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
 			// If entry is either not cached or is stale, record the ID so
 			// the full entry can be requested after syncing down all
 			// entry revisions.
-			if cachedEntry, ok := cachedEntries[entryRevision.Id]; !ok || cachedEntry.RevisionNumber < entryRevision.RevisionNumber {
+			if cachedEntry, ok := cachedEntries[entryRevision.Id]; !ok || entryIsStale(cachedEntry, entryRevision.GetRevisionNumber(), entryRevision.GetCreatedAt()) {
 				needFull = append(needFull, entryRevision.Id)
 			}
 		}
@ -487,7 +509,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
 			switch {
 			case !ok:
 				stats.Missing++
-			case cachedEntry.RevisionNumber < entry.RevisionNumber:
+			case entryIsStale(cachedEntry, entry.GetRevisionNumber(), entry.GetCreatedAt()):
 				stats.Stale++
 			}

@ -549,10 +571,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
 	// time using the assumed page size.
 	for len(needFull) > 0 {
 		// Request up to a page full of full entries
-		n := len(needFull)
-		if n > pageSize {
-			n = pageSize
-		}
+		n := min(len(needFull), pageSize)
 		if err := stream.Send(&entryv1.SyncAuthorizedEntriesRequest{Ids: needFull[:n]}); err != nil {
 			return SyncEntriesStats{}, err
 		}
@ -580,7 +599,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
 }

 func (c *client) fetchBundles(ctx context.Context, federatedBundles []string) ([]*types.Bundle, error) {
-	bundleClient, connection, err := c.newBundleClient(ctx)
+	bundleClient, connection, err := c.newBundleClient()
 	if err != nil {
 		return nil, err
 	}
@ -621,7 +640,7 @@ func (c *client) fetchBundles(ctx context.Context, federatedBundles []string) ([
 }

 func (c *client) fetchSVIDs(ctx context.Context, params []*svidv1.NewX509SVIDParams) ([]*types.X509SVID, error) {
-	svidClient, connection, err := c.newSVIDClient(ctx)
+	svidClient, connection, err := c.newSVIDClient()
 	if err != nil {
 		return nil, err
 	}
@ -653,44 +672,44 @@ func (c *client) fetchSVIDs(ctx context.Context, params []*svidv1.NewX509SVIDPar
 	return svids, nil
 }

-func (c *client) newEntryClient(ctx context.Context) (entryv1.EntryClient, *nodeConn, error) {
-	conn, err := c.getOrOpenConn(ctx)
+func (c *client) newEntryClient() (entryv1.EntryClient, *nodeConn, error) {
+	conn, err := c.getOrOpenConn()
 	if err != nil {
 		return nil, nil, err
 	}
 	return entryv1.NewEntryClient(conn.Conn()), conn, nil
 }

-func (c *client) newBundleClient(ctx context.Context) (bundlev1.BundleClient, *nodeConn, error) {
-	conn, err := c.getOrOpenConn(ctx)
+func (c *client) newBundleClient() (bundlev1.BundleClient, *nodeConn, error) {
+	conn, err := c.getOrOpenConn()
 	if err != nil {
 		return nil, nil, err
 	}
 	return bundlev1.NewBundleClient(conn.Conn()), conn, nil
 }

-func (c *client) newSVIDClient(ctx context.Context) (svidv1.SVIDClient, *nodeConn, error) {
-	conn, err := c.getOrOpenConn(ctx)
+func (c *client) newSVIDClient() (svidv1.SVIDClient, *nodeConn, error) {
+	conn, err := c.getOrOpenConn()
 	if err != nil {
 		return nil, nil, err
 	}
 	return svidv1.NewSVIDClient(conn.Conn()), conn, nil
 }

-func (c *client) newAgentClient(ctx context.Context) (agentv1.AgentClient, *nodeConn, error) {
-	conn, err := c.getOrOpenConn(ctx)
+func (c *client) newAgentClient() (agentv1.AgentClient, *nodeConn, error) {
+	conn, err := c.getOrOpenConn()
 	if err != nil {
 		return nil, nil, err
 	}
 	return agentv1.NewAgentClient(conn.Conn()), conn, nil
 }

-func (c *client) getOrOpenConn(ctx context.Context) (*nodeConn, error) {
+func (c *client) getOrOpenConn() (*nodeConn, error) {
 	c.m.Lock()
 	defer c.m.Unlock()

 	if c.connections == nil {
-		conn, err := c.dial(ctx)
+		conn, err := c.newServerGRPCClient()
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/agent/client/client_test.go
+++ b/pkg/agent/client/client_test.go
@ -21,6 +21,7 @@ import (
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/spiffe/spire/pkg/server/api/entry/v1"
 	"github.com/spiffe/spire/proto/spire/common"
 	"github.com/spiffe/spire/test/spiretest"
@ -285,14 +286,19 @@ func TestSyncUpdatesEntries(t *testing.T) {
 		assert.Equal(t, expected, cachedEntries)
 	}

-	entryA1 := makeEntry("A", 1)
-	entryB1 := makeEntry("B", 1)
-	entryC1 := makeEntry("C", 1)
-	entryD1 := makeEntry("D", 1)
+	firstDate := time.Date(2024, time.December, 31, 0, 0, 0, 0, time.UTC)
+	secondDate := time.Date(2025, time.January, 1, 0, 0, 0, 0, time.UTC)

-	entryA2 := makeEntry("A", 2)
-	entryB2 := makeEntry("B", 2)
-	entryC2 := makeEntry("C", 2)
+	entryA1 := makeEntry("A", 1, firstDate)
+	entryB1 := makeEntry("B", 1, firstDate)
+	entryC1 := makeEntry("C", 1, firstDate)
+	entryD1 := makeEntry("D", 1, firstDate)
+
+	entryA2 := makeEntry("A", 2, firstDate)
+	entryB2 := makeEntry("B", 2, firstDate)
+	entryC2 := makeEntry("C", 2, firstDate)
+
+	entryB1prime := makeEntry("B", 1, secondDate)

 	// No entries yet
 	syncAndAssertEntries(t, 0, 0, 0, 0)
@ -314,6 +320,12 @@ func TestSyncUpdatesEntries(t *testing.T) {

 	// Sync again but with no changes.
 	syncAndAssertEntries(t, 3, 0, 0, 0, entryA2, entryB2, entryC2)
+
+	// Sync again after recreating an entry with the same entry ID, which should be marked stale
+	syncAndAssertEntries(t, 3, 0, 1, 0, entryA2, entryB1prime, entryC2)
+
+	// Sync again after the database has been rolled back to a previous version
+	syncAndAssertEntries(t, 4, 1, 3, 0, entryA1, entryB1, entryC1, entryD1)
 }

 func TestRenewSVID(t *testing.T) {
@ -403,7 +415,6 @@ func TestRenewSVID(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			logHook.Reset()
 			tc.agentServer.err = tt.agentErr
@ -660,27 +671,27 @@ func TestFetchReleaseWaitsForFetchUpdatesToFinish(t *testing.T) {
 func TestNewNodeClientRelease(t *testing.T) {
 	client, _ := createClient(t)

-	for i := 0; i < 3; i++ {
+	for range 3 {
 		// Create agent client and release
-		_, r, err := client.newAgentClient(ctx)
+		_, r, err := client.newAgentClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)
 		r.Release()

 		// Create bundle client and release
-		_, r, err = client.newBundleClient(ctx)
+		_, r, err = client.newBundleClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)
 		r.Release()

 		// Create entry client and release
-		_, r, err = client.newEntryClient(ctx)
+		_, r, err = client.newEntryClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)
 		r.Release()

 		// Create svid client and release
-		_, r, err = client.newSVIDClient(ctx)
+		_, r, err = client.newSVIDClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)
 		r.Release()
@ -697,9 +708,9 @@ func TestNewNodeClientRelease(t *testing.T) {
 func TestNewNodeInternalClientRelease(t *testing.T) {
 	client, _ := createClient(t)

-	for i := 0; i < 3; i++ {
+	for range 3 {
 		// Create agent client
-		_, conn, err := client.newAgentClient(ctx)
+		_, conn, err := client.newAgentClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)

@ -708,7 +719,7 @@ func TestNewNodeInternalClientRelease(t *testing.T) {
 		assertConnectionIsNil(t, client)

 		// Create bundle client
-		_, conn, err = client.newBundleClient(ctx)
+		_, conn, err = client.newBundleClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)

@ -717,7 +728,7 @@ func TestNewNodeInternalClientRelease(t *testing.T) {
 		assertConnectionIsNil(t, client)

 		// Create entry client
-		_, conn, err = client.newEntryClient(ctx)
+		_, conn, err = client.newEntryClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)

@ -726,7 +737,7 @@ func TestNewNodeInternalClientRelease(t *testing.T) {
 		assertConnectionIsNil(t, client)

 		// Create svid client
-		_, conn, err = client.newSVIDClient(ctx)
+		_, conn, err = client.newSVIDClient()
 		require.NoError(t, err)
 		assertConnectionIsNotNil(t, client)

@ -757,7 +768,6 @@ func TestFetchUpdatesReleaseConnectionIfItFailsToFetch(t *testing.T) {
 			err: "failed to fetch bundle: rpc error: code = Unknown desc = an error",
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			client, tc := createClient(t)
 			tt.setupTest(tc)
@ -829,54 +839,6 @@ func TestFetchUpdatesAddStructuredLoggingIfCallToFetchBundlesFails(t *testing.T)
 	spiretest.AssertLogs(t, logHook.AllEntries(), entries)
 }

-func TestNewAgentClientFailsDial(t *testing.T) {
-	client := newClient(&Config{
-		KeysAndBundle: keysAndBundle,
-		TrustDomain:   trustDomain,
-	})
-	agentClient, conn, err := client.newAgentClient(ctx)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "failed to dial")
-	require.Nil(t, agentClient)
-	require.Nil(t, conn)
-}
-
-func TestNewBundleClientFailsDial(t *testing.T) {
-	client := newClient(&Config{
-		KeysAndBundle: keysAndBundle,
-		TrustDomain:   trustDomain,
-	})
-	agentClient, conn, err := client.newBundleClient(ctx)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "failed to dial")
-	require.Nil(t, agentClient)
-	require.Nil(t, conn)
-}
-
-func TestNewEntryClientFailsDial(t *testing.T) {
-	client := newClient(&Config{
-		KeysAndBundle: keysAndBundle,
-		TrustDomain:   trustDomain,
-	})
-	agentClient, conn, err := client.newEntryClient(ctx)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "failed to dial")
-	require.Nil(t, agentClient)
-	require.Nil(t, conn)
-}
-
-func TestNewSVIDClientFailsDial(t *testing.T) {
-	client := newClient(&Config{
-		KeysAndBundle: keysAndBundle,
-		TrustDomain:   trustDomain,
-	})
-	agentClient, conn, err := client.newSVIDClient(ctx)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "failed to dial")
-	require.Nil(t, agentClient)
-	require.Nil(t, conn)
-}
-
 func TestFetchJWTSVID(t *testing.T) {
 	client, tc := createClient(t)

@ -969,7 +931,6 @@ func TestFetchJWTSVID(t *testing.T) {
 			fetchErr: status.Error(codes.Internal, "NewJWTSVID fails"),
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			tt.setupTest(tt.fetchErr)
 			resp, err := client.NewJWTSVID(ctx, "entry-id", []string{"myAud"})
@ -1012,11 +973,10 @@ func createClient(t *testing.T) (*client, *testServer) {
 	listener := bufconn.Listen(1024)
 	spiretest.ServeGRPCServerOnListener(t, server, listener)

-	client.dialContext = func(ctx context.Context, addr string, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
-		return grpc.DialContext(ctx, addr, //nolint: staticcheck // It is going to be resolved on #5152
-			grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
-				return listener.DialContext(ctx)
-			}))
+	client.dialOpts = []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
+			return listener.DialContext(ctx)
+		}),
 	}
 	return client, tc
 }
@ -1064,7 +1024,13 @@ func (c *fakeEntryServer) GetAuthorizedEntries(_ context.Context, in *entryv1.Ge

 func (c *fakeEntryServer) SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer) error {
 	const entryPageSize = 2
-	return entry.SyncAuthorizedEntries(stream, c.entries, entryPageSize)
+
+	entries := []api.ReadOnlyEntry{}
+	for _, entry := range c.entries {
+		entries = append(entries, api.NewReadOnlyEntry(entry))
+	}
+
+	return entry.SyncAuthorizedEntries(stream, entries, entryPageSize)
 }

 type fakeBundleServer struct {
@ -1194,6 +1160,7 @@ func checkAuthorizedEntryOutputMask(outputMask *types.EntryMask) error {
 		RevisionNumber: true,
 		StoreSvid:      true,
 		Hint:           true,
+		CreatedAt:      true,
 	}, protocmp.Transform()); diff != "" {
 		return status.Errorf(codes.InvalidArgument, "invalid output mask requested: %s", diff)
 	}
@ -1214,12 +1181,13 @@ func makeCommonBundle(trustDomainName string) *common.Bundle {
 	}
 }

-func makeEntry(id string, revisionNumber int64) *types.Entry {
+func makeEntry(id string, revisionNumber int64, createdAt time.Time) *types.Entry {
 	return &types.Entry{
 		Id:             id,
 		SpiffeId:       &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
 		ParentId:       &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent"},
 		Selectors:      []*types.Selector{{Type: "not", Value: "relevant"}},
 		RevisionNumber: revisionNumber,
+		CreatedAt:      createdAt.Unix(),
 	}
 }
--- a/pkg/agent/client/dial.go
+++ b/pkg/agent/client/dial.go
@ -1,11 +1,9 @@
 package client

 import (
-	"context"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"time"

@ -25,7 +23,7 @@ const (
 	roundRobinServiceConfig = `{ "loadBalancingConfig": [ { "round_robin": {} } ] }`
 )

-type DialServerConfig struct {
+type ServerClientConfig struct {
 	// Address is the SPIRE server address
 	Address string

@ -42,11 +40,11 @@ type DialServerConfig struct {
 	// TLSPolicy determines the post-quantum-safe policy to apply to all TLS connections.
 	TLSPolicy tlspolicy.Policy

-	// dialContext is an optional constructor for the grpc client connection.
-	dialContext func(ctx context.Context, target string, opts ...grpc.DialOption) (*grpc.ClientConn, error)
+	// dialOpts are optional gRPC dial options
+	dialOpts []grpc.DialOption
 }

-func DialServer(ctx context.Context, config DialServerConfig) (*grpc.ClientConn, error) {
+func NewServerGRPCClient(config ServerClientConfig) (*grpc.ClientConn, error) {
 	bundleSource := newBundleSource(config.TrustDomain, config.GetBundle)
 	serverID, err := idutil.ServerID(config.TrustDomain)
 	if err != nil {
@ -66,29 +64,20 @@ func DialServer(ctx context.Context, config DialServerConfig) (*grpc.ClientConn,
 		return nil, err
 	}

-	ctx, cancel := context.WithTimeout(ctx, defaultDialTimeout)
-	defer cancel()
+	dialOpts := config.dialOpts
+	if dialOpts == nil {
+		dialOpts = []grpc.DialOption{
+			grpc.WithDefaultServiceConfig(roundRobinServiceConfig),
+			grpc.WithDisableServiceConfig(),
+			grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+		}
+	}

-	if config.dialContext == nil {
-		config.dialContext = grpc.DialContext //nolint: staticcheck // It is going to be resolved on #5152
-	}
-	client, err := config.dialContext(ctx, config.Address,
-		grpc.WithDefaultServiceConfig(roundRobinServiceConfig),
-		grpc.WithDisableServiceConfig(),
-		grpc.FailOnNonTempDialError(true), //nolint: staticcheck // It is going to be resolved on #5152
-		grpc.WithBlock(),                  //nolint: staticcheck // It is going to be resolved on #5152
-		grpc.WithReturnConnectionError(),  //nolint: staticcheck // It is going to be resolved on #5152
-		grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
-	)
-	switch {
-	case err == nil:
-	case errors.Is(err, context.Canceled):
-		return nil, fmt.Errorf("failed to dial %s: canceled", config.Address)
-	case errors.Is(err, context.DeadlineExceeded):
-		return nil, fmt.Errorf("failed to dial %s: timed out", config.Address)
-	default:
-		return nil, fmt.Errorf("failed to dial %s: %w", config.Address, err)
+	client, err := grpc.NewClient(config.Address, dialOpts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create gRPC client: %w", err)
 	}
+
 	return client, nil
 }

--- a/pkg/agent/client/nodeconn_test.go
+++ b/pkg/agent/client/nodeconn_test.go
@ -1,7 +1,6 @@
 package client

 import (
-	"context"
 	"crypto"
 	"crypto/x509"
 	"testing"
@ -33,11 +32,11 @@ func newTestConn(t *testing.T) *grpc.ClientConn {
 		KeysAndBundle: emptyKeysAndBundle,
 		TrustDomain:   trustDomain,
 	})
-	client.dialContext = func(_ context.Context, addr string, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
+	client.dialOpts = []grpc.DialOption{
 		// make a normal grpc dial but without any of the provided options that may cause it to fail
-		return grpc.NewClient(addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	}
-	conn, err := client.dial(context.Background())
+	conn, err := client.newServerGRPCClient()
 	require.NoError(t, err)
 	return conn
 }
@ -64,7 +63,7 @@ func TestNewNodeMany(t *testing.T) {
 	firstRelease := false

 	go func() {
-		for i := 0; i < 100; i++ {
+		for range 100 {
 			nodeConn.AddRef()
 			if !firstRelease {
 				nodeConn.Release()
@ -75,7 +74,7 @@ func TestNewNodeMany(t *testing.T) {
 	}()

 	go func() {
-		for i := 0; i < 100; i++ {
+		for range 100 {
 			nodeConn.Release()
 		}
 		close(waitForReleases)
--- a/pkg/agent/client/util.go
+++ b/pkg/agent/client/util.go
@ -34,7 +34,7 @@ func slicedEntryFromProto(e *types.Entry) (*common.RegistrationEntry, error) {
 	}

 	if e.Id == "" {
-		return nil, fmt.Errorf("missing entry ID")
+		return nil, errors.New("missing entry ID")
 	}

 	spiffeID, err := spiffeIDFromProto(e.SpiffeId)
@ -81,5 +81,6 @@ func slicedEntryFromProto(e *types.Entry) (*common.RegistrationEntry, error) {
 		Admin:          e.Admin,
 		Downstream:     e.Downstream,
 		Hint:           e.Hint,
+		CreatedAt:      e.CreatedAt,
 	}, nil
 }
--- a/pkg/agent/common/cgroups/cgroups.go
+++ b/pkg/agent/common/cgroups/cgroups.go
@ -43,7 +43,7 @@ func GetCgroups(pid int32, fs FileSystem) ([]Cgroup, error) {
 		token := scanner.Text()
 		substrings := strings.SplitN(token, ":", 3)
 		if len(substrings) < 3 {
-			return nil, fmt.Errorf("cgroup entry contains %v colons, but expected at least 2 colons: %q", len(substrings), token)
+			return nil, fmt.Errorf("invalid cgroup entry, contains %v colon separated fields but expected at least 3: %q", len(substrings), token)
 		}
 		cgroups = append(cgroups, Cgroup{
 			HierarchyID:    substrings[0],
--- a/pkg/agent/common/cgroups/cgroups_test.go
+++ b/pkg/agent/common/cgroups/cgroups_test.go
@ -23,9 +23,21 @@ const (
 2:blkio:/user.slice
 1:name=systemd:/user.slice/user-1000.slice/session-2.scope
 `
-	// cgBadFormat is a malformed set of cgroup entries (no slash separator)
+	// cgBadFormat is a malformed set of cgroup entries (missing cgroup-path)
 	cgBadFormat = `11:hugetlb
 `
+	// cgUnified is a good set of cgroup entries including unified
+	cgUnified = `10:devices:/user.slice
+9:net_cls,net_prio:/
+8:blkio:/
+7:freezer:/
+6:perf_event:/
+5:cpuset:/
+4:memory:/user.slice
+3:pids:/user.slice/user-1000.slice/user@1000.service
+2:cpu,cpuacct:/
+1:name=systemd:/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
+0::/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service`
 )

 var (
@ -42,6 +54,20 @@ var (
 		{"2", "blkio", "/user.slice"},
 		{"1", "name=systemd", "/user.slice/user-1000.slice/session-2.scope"},
 	}
+
+	expectUnifiedCgroup = []Cgroup{
+		{"10", "devices", "/user.slice"},
+		{"9", "net_cls,net_prio", "/"},
+		{"8", "blkio", "/"},
+		{"7", "freezer", "/"},
+		{"6", "perf_event", "/"},
+		{"5", "cpuset", "/"},
+		{"4", "memory", "/user.slice"},
+		{"3", "pids", "/user.slice/user-1000.slice/user@1000.service"},
+		{"2", "cpu,cpuacct", "/"},
+		{"1", "name=systemd", "/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service"},
+		{"0", "", "/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service"},
+	}
 )

 func TestCgroups(t *testing.T) {
@ -67,10 +93,21 @@ func TestCgroupsBadFormat(t *testing.T) {
 			"/proc/123/cgroup": cgBadFormat,
 		},
 	})
-	require.EqualError(t, err, `cgroup entry contains 2 colons, but expected at least 2 colons: "11:hugetlb"`)
+	require.EqualError(t, err, `invalid cgroup entry, contains 2 colon separated fields but expected at least 3: "11:hugetlb"`)
 	require.Nil(t, cgroups)
 }

+func TestUnifiedCgroups(t *testing.T) {
+	cgroups, err := GetCgroups(1234, FakeFileSystem{
+		Files: map[string]string{
+			"/proc/1234/cgroup": cgUnified,
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, cgroups, 11)
+	require.Equal(t, expectUnifiedCgroup, cgroups)
+}
+
 type FakeFileSystem struct {
 	Files map[string]string
 }
--- a/pkg/agent/common/sigstore/sigstore_test.go
+++ b/pkg/agent/common/sigstore/sigstore_test.go
@ -15,7 +15,6 @@ import (
 	"time"

 	"github.com/google/go-containerregistry/pkg/name"
-	_ "github.com/google/go-containerregistry/pkg/v1"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/hashicorp/go-hclog"
@ -35,7 +34,6 @@ func TestNewVerifier(t *testing.T) {
 	config.IgnoreSCT = true
 	config.IgnoreTlog = true
 	config.IgnoreAttestations = true
-	config.RekorURL = "https://rekor.test.com"
 	config.RegistryCredentials = map[string]*RegistryCredential{
 		"docker.io": {
 			Username: "testuser",
@ -45,6 +43,15 @@ func TestNewVerifier(t *testing.T) {
 			Username: "testuser",
 			Password: "testpassword",
 		},
+		"nopassword.io": { // should warn and ignore
+			Username: "testuser",
+			Password: "",
+		},
+		"nousername.io": { // should warn and ignore
+			Username: "",
+			Password: "testpassword",
+		},
+		"nil.io": nil, // should ignore
 	}

 	config.SkippedImages = map[string]struct{}{
@ -58,6 +65,8 @@ func TestNewVerifier(t *testing.T) {

 	verifier := NewVerifier(config)
 	require.NotNil(t, verifier)
+	require.NotNil(t, verifier.config.Logger)
+	require.Equal(t, verifier.config.RekorURL, publicRekorURL) // verify default public RekorURL

 	identityPlainValues := cosign.Identity{
 		Issuer:  "test-issuer",
@ -70,7 +79,11 @@ func TestNewVerifier(t *testing.T) {
 	expectedIdentites := []cosign.Identity{identityPlainValues, identityRegExp}

 	assert.Equal(t, config, verifier.config)
-	assert.Equal(t, len(config.RegistryCredentials), len(verifier.authOptions))
+	assert.NotNil(t, verifier.authOptions["docker.io"])
+	assert.NotNil(t, verifier.authOptions["other.io"])
+	assert.Nil(t, verifier.authOptions["nopassword.io"])
+	assert.Nil(t, verifier.authOptions["nousername.io"])
+	assert.Nil(t, verifier.authOptions["nil.io"])
 	assert.ElementsMatch(t, expectedIdentites, verifier.allowedIdentities)
 	assert.NotNil(t, verifier.sigstoreFunctions.verifyImageSignatures)
 	assert.NotNil(t, verifier.sigstoreFunctions.verifyImageAttestations)
@ -378,10 +391,110 @@ func TestVerify(t *testing.T) {
 			expectedVerifyCallCount:       0,
 			expectedAttestationsCallCount: 0,
 		},
+		{
+			name: "fails to extract details from signatures missing cert",
+			configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
+				signature := &fakeSignature{
+					payload:         createFakePayload(),
+					base64Signature: "base64signature",
+					bundle:          createFakeBundle(),
+				}
+
+				signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+				attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+			},
+			expectedSelectors:             nil,
+			expectedError:                 true,
+			expectedVerifyCallCount:       1,
+			expectedAttestationsCallCount: 1,
+		},
+		{
+			name: "fails to extract details from signatures missing cert subject",
+			configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
+				signature := &fakeSignature{
+					payload:         createFakePayload(),
+					base64Signature: "base64signature",
+					cert:            createSubjectlessTestCert(),
+					bundle:          createFakeBundle(),
+				}
+
+				signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+				attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+			},
+			expectedSelectors:             nil,
+			expectedError:                 true,
+			expectedVerifyCallCount:       1,
+			expectedAttestationsCallCount: 1,
+		},
+		{
+			name: "fails to extract details from signatures empty names cert subject",
+			configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
+				signature := &fakeSignature{
+					payload:         createFakePayload(),
+					base64Signature: "base64signature",
+					cert:            createEmptynamesTestCert(),
+					bundle:          createFakeBundle(),
+				}
+
+				signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+				attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
+					Signatures     []oci.Signature
+					BundleVerified bool
+					Err            error
+				}{
+					Signatures:     []oci.Signature{signature},
+					BundleVerified: true,
+					Err:            nil,
+				})
+			},
+			expectedSelectors:             nil,
+			expectedError:                 true,
+			expectedVerifyCallCount:       1,
+			expectedAttestationsCallCount: 1,
+		},
 	}

 	for _, tt := range tests {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()

@ -709,9 +822,35 @@ func createTestCert() *x509.Certificate {
 	}
 }

+func createSubjectlessTestCert() *x509.Certificate {
+	return &x509.Certificate{
+		Extensions: []pkix.Extension{
+			{
+				Id:    []int{1, 3, 6, 1, 4, 1, 57264, 1, 1}, // OIDC issuer OID
+				Value: []byte("test-issuer"),
+			},
+		},
+	}
+}
+
+func createEmptynamesTestCert() *x509.Certificate {
+	return &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "",
+		},
+		DNSNames: []string{""},
+		Extensions: []pkix.Extension{
+			{
+				Id:    []int{1, 3, 6, 1, 4, 1, 57264, 1, 1}, // OIDC issuer OID
+				Value: []byte("test-issuer"),
+			},
+		},
+	}
+}
+
 func createFakePayload() []byte {
 	signaturePayload := payload.SimpleContainerImage{
-		Optional: map[string]interface{}{
+		Optional: map[string]any{
 			"subject": "test-subject",
 		},
 	}
--- a/pkg/agent/config.go
+++ b/pkg/agent/config.go
@ -2,12 +2,12 @@ package agent

 import (
 	"context"
-	"crypto/x509"
 	"net"
 	"time"

 	"github.com/sirupsen/logrus"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/health"
@ -37,9 +37,6 @@ type Config struct {
 	// The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
 	DefaultSVIDName string

-	// If true, the agent will bootstrap insecurely with the server
-	InsecureBootstrap bool
-
 	// If true, the agent retries bootstrap with backoff
 	RetryBootstrap bool

@ -75,7 +72,9 @@ type Config struct {

 	// Trust domain and associated CA bundle
 	TrustDomain spiffeid.TrustDomain
-	TrustBundle []*x509.Certificate
+
+	// Sources for getting Trust Bundles
+	TrustBundleSources *trustbundlesources.Bundle

 	// Join token to use for attestation, if needed
 	JoinToken string
--- a/pkg/agent/endpoints/endpoints_posix_test.go
+++ b/pkg/agent/endpoints/endpoints_posix_test.go
@ -3,7 +3,6 @@
 package endpoints

 import (
-	"context"
 	"net"
 	"path/filepath"
 	"testing"
@ -18,6 +17,6 @@ func getTestAddr(t *testing.T) net.Addr {
 	}
 }

-func testRemoteCaller(context.Context, *testing.T, string) {
+func testRemoteCaller(*testing.T, string) {
 	// No testing for UDS endpoints
 }
--- a/pkg/agent/endpoints/endpoints_test.go
+++ b/pkg/agent/endpoints/endpoints_test.go
@ -163,7 +163,6 @@ func TestEndpoints(t *testing.T) {
 			},
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			log, hook := test.NewNullLogger()
 			metrics := fakemetrics.New()
@ -229,11 +228,11 @@ func TestEndpoints(t *testing.T) {
 			require.NoError(t, err)

 			if tt.fromRemote {
-				testRemoteCaller(ctx, t, target)
+				testRemoteCaller(t, target)
 				return
 			}

-			conn, err := util.GRPCDialContext(ctx, target, grpc.WithBlock()) //nolint: staticcheck // It is going to be resolved on #5152
+			conn, err := util.NewGRPCClient(target)
 			require.NoError(t, err)
 			defer conn.Close()

--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .23.2
 .24.4