Deprecate retry_bootstrap (#6050 )

* Deprecate retry_bootstrap Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Wait for server to come up before using it (#6174 )
2025-07-10 10:06:38 -03:00 · 2025-07-09 07:19:04 +01:00 · 2025-07-08 22:41:56 +01:00 · 2025-07-08 21:43:37 +01:00 · 2025-07-07 20:21:53 +01:00 · 2025-07-04 16:14:29 -03:00
1585 changed files with 109426 additions and 38575 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -3,3 +3,9 @@
 .cache
 releases/
 artifacts/
+.githooks/
+script/
+doc/
+examples/
+oci/
+*-image.tar
--- a/.envrc.example
+++ b/.envrc.example
@ -0,0 +1,8 @@
+toplevel="$(git rev-parse --show-toplevel)"
+
+# build and use the managed go sdk
+unset GOROOT
+make -C "$toplevel" go-check
+PATH="$(make --no-print-directory -C "$toplevel" go-bin-path)"
+
+# add custom direnv initialization below here
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@ -1,26 +0,0 @@
-#!/bin/sh
-# Copyright 2012 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# git gofmt pre-commit hook
-#
-# To use, store as .git/hooks/pre-commit inside your repository and make sure
-# it has execute permissions.
-#
-# This script does not handle file names that contain spaces.
-
-gofiles=$(git diff --cached --name-only --diff-filter=ACM | grep '\.go$')
-[ -z "$gofiles" ] && exit 0
-
-unformatted=$(gofmt -l $gofiles)
-[ -z "$unformatted" ] && exit 0
-
-# Some files are not gofmt'd. Print message and fail.
-
-echo >&2 "Go files must be formatted with gofmt. Please run:"
-for fn in $unformatted; do
-	echo >&2 "  gofmt -w $PWD/$fn"
-done
-
-exit 1
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -6,6 +6,25 @@ updates:
    interval: "daily"
    time: "09:00"
    timezone: "America/Los_Angeles"
+  groups:
+    actions:
+      patterns:
+        - "github.com/actions/*"
+    aws-sdk:
+      patterns:
+        - "github.com/aws/aws-sdk-go-v2/*"
+    azure-sdk:
+      patterns:
+        - "github.com/Azure/azure-sdk-for-go/*"
+    google-cloud-sdk:
+      patterns:
+        - "cloud.google.com/go/*"
+    k8s.io:
+      patterns:
+        - "k8s.io/*"
+    sigs.k8s.io:
+      patterns:
+        - "sig.k8s.io/*"
  ignore:
  - dependency-name: "github.com/spiffe/spire-api-sdk"
  - dependency-name: "github.com/spiffe/spire-plugin-sdk"
@ -14,6 +33,8 @@ updates:
    versions: ["2.x"]
  - dependency-name: "github.com/aws/aws-sdk-go-v2*"
    update-types: ["version-update:semver-patch"]
+  - dependency-name: "cloud.google.com/go/*"
+    update-types: ["version-update:semver-patch"]
  open-pull-requests-limit: 5
 - package-ecosystem: "github-actions"
  directory: "/"
--- a/.github/workflows/dco.yaml
+++ b/.github/workflows/dco.yaml
@ -0,0 +1,23 @@
+name: DCO
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  merge_group:
+    types:
+      - checks_requested
+jobs:
+  check-dco:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Python 3.x
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: '3.x'
+      - name: Check DCO
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip3 install -U dco-check
+          dco-check --exclude-pattern 'dependabot\[bot\]@users\.noreply\.github\.com'
--- a/.github/workflows/depsreview.yaml
+++ b/.github/workflows/depsreview.yaml
@ -1,14 +1,15 @@
 name: 'Dependency Review'
 on: [pull_request]

-permissions:
-  contents: read
-
 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v2
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -4,31 +4,35 @@ on:
    # Random minute number to avoid GH scheduler stampede
    - cron: '37 21 * * *'
  workflow_dispatch: {}
-permissions:
-  contents: read
-  packages: write
+
+env:
+  NIGHTLY: true

 jobs:
  build-and-publish-images:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Build images
-        run: make images scratch-images
-      - name: Log in to GCR
-        uses: docker/login-action@v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
-          registry: gcr.io
-          username: _json_key
-          password: ${{ secrets.GCR_JSON_KEY }}
-      - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh nightly
+          cosign-release: v2.2.3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Build images
+        run: make images
      - name: Log in to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push images
-        run: ./.github/workflows/scripts/push-scratch-images.sh nightly
+        run: ./.github/workflows/scripts/push-images.sh nightly
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -2,24 +2,30 @@ name: PR Build
 on:
  pull_request: {}
  workflow_dispatch: {}
-env:
-  GO_VERSION: 1.19.1
+  merge_group:
+    types:
+      - checks_requested
 permissions:
  contents: read

 jobs:
  cache-deps:
    name: cache-deps (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -28,27 +34,30 @@ jobs:

  lint:
    name: lint (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Lint
        run: make lint
      - name: Tidy check
@ -61,18 +70,23 @@ jobs:
  unit-test:
    strategy:
      matrix:
-        OS: [ubuntu-18.04, macos-latest]
+        OS: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.OS }}
    needs: cache-deps
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -81,17 +95,22 @@ jobs:

  unit-test-race-detector:
    name: unit-test (linux with race detection)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -100,64 +119,74 @@ jobs:

  artifacts:
    name: artifacts (linux)
-    runs-on: ubuntu-18.04
-    needs: [cache-deps]
+    runs-on: ubuntu-22.04
+    needs: [cache-deps, images]
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          name: images
+          path: .
+      - name: Expand archived images
+        run: |
+          tar xvf images.tar.gz
      - name: Build artifacts
-        run: ./.github/workflows/scripts/build_artifacts.sh
+        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/

  images:
    name: images (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: [cache-deps]
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build images
-        run: make images
+        run: make images-no-load
      - name: Export images
-        run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -165,15 +194,20 @@ jobs:
  images-windows:
    name: images (windows)
    runs-on: windows-2022
-    needs: artifact-windows
+    needs: artifacts-windows
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Load cached executables
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -181,55 +215,53 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz

-  scratch-images:
-    runs-on: ubuntu-18.04
+  build-matrix:
+    name: Build matrix
+    runs-on: ubuntu-22.04
    needs: [cache-deps]
+    permissions:
+      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
-      - name: Build scratch images
-        run: make scratch-images
-      - name: Export scratch images
-        run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz
-      - name: Archive scratch images
-        uses: actions/upload-artifact@v3
-        with:
-          name: scratch-images
-          path: scratch-images.tar.gz
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - id: set-matrix
+        name: Collect versions
+        run: |
+          json_array=$(bash ./.github/workflows/scripts/find_k8s.sh)
+          echo "test=$json_array" >> $GITHUB_OUTPUT
+          echo "Collected tests: $json_array"

+    outputs:
+      test: ${{ steps.set-matrix.outputs.test }}
+  
  integration:
-    name: integration (linux)
-    runs-on: ubuntu-18.04
-    needs: [cache-deps, images, scratch-images]
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -237,84 +269,154 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Download archived images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
      - name: Load archived images
-        run: zcat images.tar.gz | docker load
-      - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
      - name: Run integration tests
        env:
          NUM_RUNNERS: ${{ matrix.num_runners }}
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

+  integration-k8s:
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images, build-matrix]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # The "upgrade" integration test needs the history to ensure
+          # that the version number in the source code has been bumped as
+          # expected. This action does not fetch tags unless we supply a
+          # fetch depth of zero.
+          fetch-depth: 0
+      - name: Setup go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Load cached deps
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+      - name: Load cached build tools
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: .build
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: images
+          path: .
+      - name: Load archived images
+        run: |
+          tar xvf images.tar.gz
+          make load-images
+      - name: Run k8s integration
+        env:
+          NUM_RUNNERS: ${{ matrix.num_runners }}
+          THIS_RUNNER: ${{ matrix.runner_id }}
+          KUBECTLVERSION: ${{ matrix.test[0] }}
+          K8SIMAGE: ${{ matrix.test[1] }}
+          KINDVERSION: ${{ matrix.test[2] }}
+          TERM: dumb
+          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+        run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh
+
+
  integration-windows:
    name: integration (windows)
    runs-on: windows-2022
    needs: images-windows
-    strategy:
-      fail-fast: false
+    timeout-minutes: 45
+
+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          path-type: inherit
          install: >-
-            git
-            base-devel
-            mingw-w64-x86_64-toolchain
-            unzip
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Download archived images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images-windows
          path: .
@ -327,15 +429,26 @@ jobs:
  cache-deps-windows:
    name: cache-deps (windows)
    runs-on: windows-2022
+    timeout-minutes: 45
+
+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Setup dep cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -346,40 +459,46 @@ jobs:
    name: lint (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+    timeout-minutes: 45
+
+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            unzip 
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Lint
-        run: make lint
+        run: make lint-code
      - name: Tidy check
        run: make tidy-check
      - name: Generate check
@ -389,80 +508,105 @@ jobs:
    name: unit-test (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+    timeout-minutes: 45
+
+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            unzip 
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Run unit tests
        run: ./.github/workflows/scripts/run_unit_tests.sh
-          
-  artifact-windows:
-    name: artifact (windows)
+
+  artifacts-windows:
+    name: artifacts (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+    timeout-minutes: 45
+
+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            zip
-            unzip 
-      - name: Build artifacts
-        run: ./.github/workflows/scripts/build_artifacts.sh
-      - name: Archive binaries
-        uses: actions/upload-artifact@v3
+            git base-devel mingw-w64-x86_64-toolchain zip unzip
+      - name: Build binaries
+        run: make build
+      - name: Setup executables cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
+      - name: Build artifacts
+        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-windows
          path: ./artifacts/
+
+  success:
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    steps:
+      - name: Declare victory!
+        run: echo "# Successful" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -3,21 +3,23 @@ on:
  push:
    tags:
      - 'v[0-9].[0-9]+.[0-9]+'
-env:
-  GO_VERSION: 1.19.1
 jobs:
  cache-deps:
    name: cache-deps (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -26,27 +28,29 @@ jobs:

  lint:
    name: lint (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Lint
        run: make lint
      - name: Tidy check
@ -59,18 +63,22 @@ jobs:
  unit-test:
    strategy:
      matrix:
-        OS: [ubuntu-18.04, macos-latest]
+        OS: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.OS }}
    needs: cache-deps
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -79,17 +87,21 @@ jobs:

  unit-test-race-detector:
    name: unit-test (linux with race detection)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -98,64 +110,69 @@ jobs:

  artifacts:
    name: artifacts (linux)
-    runs-on: ubuntu-18.04
-    needs: [cache-deps]
+    runs-on: ubuntu-22.04
+    needs: [cache-deps, images]
+    timeout-minutes: 30
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          name: images
+          path: .
+      - name: Expand archived images
+        run: |
+          tar xvf images.tar.gz
      - name: Build artifacts
-        run: ./.github/workflows/scripts/build_artifacts.sh
+        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/

  images:
    name: images (linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
    needs: [cache-deps]
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Build images
-        run: make images
+        run: TAG=${GITHUB_REF##refs/tags/v} make images-no-load
      - name: Export images
-        run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz
+        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -163,15 +180,19 @@ jobs:
  images-windows:
    name: images (windows)
    runs-on: windows-2022
-    needs: artifact-windows
+    needs: artifacts-windows
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Load cached executables
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -179,55 +200,53 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz

-  scratch-images:
-    runs-on: ubuntu-18.04
+  build-matrix:
+    name: Build matrix
+    runs-on: ubuntu-22.04
    needs: [cache-deps]
+    permissions:
+      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@v3
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
-      - name: Build scratch images
-        run: make scratch-images
-      - name: Export scratch images
-        run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz
-      - name: Archive scratch images
-        uses: actions/upload-artifact@v3
-        with:
-          name: scratch-images
-          path: scratch-images.tar.gz
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - id: set-matrix
+        name: Collect versions
+        run: |
+          json_array=$(bash ./.github/workflows/scripts/find_k8s.sh)
+          echo "test=$json_array" >> $GITHUB_OUTPUT
+          echo "Collected tests: $json_array"
+
+    outputs:
+      test: ${{ steps.set-matrix.outputs.test }}

  integration:
-    name: integration (linux)
-    runs-on: ubuntu-18.04
-    needs: [cache-deps, images, scratch-images]
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -244,86 +263,148 @@ jobs:
      - name: Fix tag annotations
        run: git fetch --tags --force
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Download archived images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
      - name: Load archived images
-        run: zcat images.tar.gz | docker load
-      - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
+        run: |
+          tar xvf images.tar.gz
+          make load-images
      - name: Run integration tests
        env:
          NUM_RUNNERS: ${{ matrix.num_runners }}
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
          # We don't need to specify CICD_TARGET_BRANCH since the upgrade
          # integration test will detect the annotated tag for version checking.
          # CICD_TARGET_BRANCH:
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

+  integration-k8s:
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images, build-matrix]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # The "upgrade" integration test needs the history to ensure
+          # that the version number in the source code has been bumped as
+          # expected. This action does not fetch tags unless we supply a
+          # fetch depth of zero.
+          fetch-depth: 0
+      - name: Setup go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Load cached deps
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+      - name: Load cached build tools
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: .build
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: images
+          path: .
+      - name: Load archived images
+        run: |
+          tar xvf images.tar.gz
+          make load-images
+      - name: Run k8s integration
+        env:
+          NUM_RUNNERS: ${{ matrix.num_runners }}
+          THIS_RUNNER: ${{ matrix.runner_id }}
+          KUBECTLVERSION: ${{ matrix.test[0] }}
+          K8SIMAGE: ${{ matrix.test[1] }}
+          KINDVERSION: ${{ matrix.test[2] }}
+          TERM: dumb
+          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+        run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh
+
  integration-windows:
    name: integration (windows)
    runs-on: windows-2022
    needs: images-windows
-    strategy:
-      fail-fast: false
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          path-type: inherit
          install: >-
-            git
-            base-devel
-            mingw-w64-x86_64-toolchain
-            unzip
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Download archived images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images-windows
          path: .
@ -336,15 +417,19 @@ jobs:
  cache-deps-windows:
    name: cache-deps (windows)
    runs-on: windows-2022
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -355,40 +440,39 @@ jobs:
    name: lint (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            unzip 
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Lint
-        run: make lint
+        run: make lint-code
      - name: Tidy check
        run: make tidy-check
      - name: Generate check
@ -398,143 +482,146 @@ jobs:
    name: unit-test (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            unzip 
+            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Run unit tests
        run: ./.github/workflows/scripts/run_unit_tests.sh
-          
-  artifact-windows:
-    name: artifact (windows)
+
+  artifacts-windows:
+    name: artifacts (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@v3
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
-          key: ${{ runner.os }}-tools-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
-            git
-            base-devel 
-            mingw-w64-x86_64-toolchain 
-            zip
-            unzip 
+            git base-devel mingw-w64-x86_64-toolchain zip unzip
+      - name: Build binaries
+        run: make build
      - name: Build artifacts
-        run: ./.github/workflows/scripts/build_artifacts.sh
-      - name: Archive binaries
-        uses: actions/upload-artifact@v3
+        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
+      - name: Setup executables cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-windows
          path: ./artifacts/

  publish-artifacts:
-    runs-on: ubuntu-18.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration,
-            lint-windows, unit-test-windows, artifact-windows, integration-windows]
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    permissions:
+      contents: write
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Download archived artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Download archived Linux artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/
+      - name: Download archived Windows artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: binaries-windows
+          path: ./artifacts/
+
      - name: Create Release
        env:
          # GH_REPO is required for older releases of `gh`. Until we're
-          # reasonably confident that that the gh release is new enough,
+          # reasonably confident that the gh release is new enough,
          # set GH_REPO to the repository to create the release in.
          #
          # See https://github.com/cli/cli/issues/3556
-          GH_REPO: ${{ github.repository }} 
+          GH_REPO: ${{ github.repository }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Create the release using the version number as the title
        run: gh release create "${GITHUB_REF#refs/tags/}" ./artifacts/*.zip ./artifacts/*.tar.gz ./artifacts/*.txt --title "${GITHUB_REF#refs/tags/}"

  publish-images:
-    runs-on: ubuntu-18.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration]
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        with:
+          cosign-release: v2.2.3
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
-      - name: Download archived scratch images
-        uses: actions/download-artifact@v3
-        with:
-          name: scratch-images
-          path: .
-      - name: Load archived images
-        run: zcat images.tar.gz | docker load
-      - name: Load archived scratch images
-        run: zcat scratch-images.tar.gz | docker load
-      - name: Log in to GCR
-        uses: docker/login-action@v2
-        with:
-          registry: gcr.io
-          username: _json_key
-          password: ${{ secrets.GCR_JSON_KEY }}
-      # Push the images to GCR using the version number (without the "v" prefix).
-      - name: Push images
-        run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF#refs/tags/v}"
      - name: Log in to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      # Push the images to GHCR using the version number (without the "v" prefix).
      - name: Push images
-        run: ./.github/workflows/scripts/push-scratch-images.sh "${GITHUB_REF#refs/tags/v}"
+        run: |
+          tar xzvf images.tar.gz
+          ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}"
--- a/.github/workflows/scripts/build_artifacts.sh
+++ b/.github/workflows/scripts/build_artifacts.sh
@ -1,14 +1,36 @@
 #!/bin/bash
+# Builds all SPIRE artifacts for all supported architectures for the provided operating system.
+# Usage: build_artifacts.sh <Linux|Windows|macOS>

 set -e

+usage() {
+    echo "usage: ${BASH_SOURCE[0]} <Linux|Windows>"
+    exit 1
+}
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
 export TAG=
 if [[ "$GITHUB_REF" =~ ^refs/tags/v[0-9.]+$ ]]; then
-        # Strip off the leading "v" from the release tag. Release artifacts are
-        # named just with the version number (e.g. v0.9.3 tag produces
-        # spire-0.9.3-linux-x64.tar.gz).
-        TAG="${GITHUB_REF##refs/tags/v}"
+    # Strip off the leading "v" from the release tag. Release artifacts are
+    # named just with the version number (e.g. v0.9.3 tag produces
+    # spire-0.9.3-linux-x64.tar.gz).
+    TAG="${GITHUB_REF##refs/tags/v}"
 fi

-# Make references the $TAG environment variable set above
-make artifact
+[[ $# -eq 1 ]] || usage
+
+os="$1"
+case "${os}" in
+    Linux)
+        "${SCRIPTDIR}"/build_linux_artifacts.sh
+        ;;
+    Windows)
+        "${SCRIPTDIR}"/build_windows_artifacts.sh
+        ;;
+    *)
+        echo "Only artifacts for Linux and Windows are supported" 1>&2
+        usage
+        ;;
+esac
--- a/.github/workflows/scripts/build_linux_artifacts.sh
+++ b/.github/workflows/scripts/build_linux_artifacts.sh
@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+TAROPTS=("--owner=root" "--group=root")
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+    rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+copy_binary_from_multiarch_tar() {
+    local arch=$1
+    local binary=$2
+    local destdir=$3
+
+    local srcpath="/opt/spire/bin/${binary}"
+    local destpath="${destdir}/${binary}"
+    local ocidir="ocidir://${TMPDIR}/${arch}/oci/${binary}"
+    local imagetar="${REPODIR}/${binary}-image.tar"
+    local platform="linux/${arch}"
+
+    echo "Importing multiarch image ${imagetar}..."
+    regctl image import "${ocidir}" "${imagetar}"
+
+    echo "Copying ${srcpath} for platform ${platform}..."
+    regctl image get-file "${ocidir}" "${srcpath}" "${destpath}" -p "${platform}"
+
+    # file does not retain permission bits, so fix up the executable bit.
+    chmod +x "${destpath}"
+}
+
+build_artifact() {
+    local arch="$1"
+
+    local artifact="${OUTDIR}/spire-${TAG}-linux-${arch}-musl.tar.gz"
+    local checksum="${OUTDIR}/spire-${TAG}-linux-${arch}-musl_sha256sum.txt"
+
+    local extras_artifact="${OUTDIR}/spire-extras-${TAG}-linux-${arch}-musl.tar.gz"
+    local extras_checksum="${OUTDIR}/spire-extras-${TAG}-linux-${arch}-musl_sha256sum.txt"
+
+    local tardir="${TMPDIR}/${arch}/tar" 
+    local staging="${tardir}"/spire/spire-${TAG}
+    local extras_staging="${tardir}"/spire-extras/spire-extras-${TAG}
+
+    mkdir -p "${staging}"/bin 
+    mkdir -p "${extras_staging}"/bin
+    mkdir -p "${OUTDIR}"
+
+    echo "Creating \"${artifact}\" and \"${extras_artifact}\""
+
+    # Copy in the contents under release/
+    cp -r "${REPODIR}"/release/posix/spire/* "${staging}"
+    cp -r "${REPODIR}"/release/posix/spire-extras/* "${extras_staging}"
+
+    # Copy in the LICENSE
+    cp "${REPODIR}"/LICENSE "${staging}"
+    cp "${REPODIR}"/LICENSE "${extras_staging}"
+
+    # Copy in the SPIRE binaries from the docker images:
+    # 1. import the image from the multiarch tarball into the OCI directory
+    copy_binary_from_multiarch_tar "$arch" "spire-server" "${staging}/bin"
+    copy_binary_from_multiarch_tar "$arch" "spire-agent" "${staging}/bin"
+    copy_binary_from_multiarch_tar "$arch" "oidc-discovery-provider" "${extras_staging}/bin"
+
+    # Create the tarballs and checksums
+    (cd "${tardir}/spire"; tar -cvzf "${artifact}" "${TAROPTS[@]}" -- *)
+    (cd "${tardir}/spire-extras"; tar -cvzf "${extras_artifact}" "${TAROPTS[@]}" -- *)
+
+    (cd "$(dirname "${artifact}")"; shasum -a 256 "$(basename "${artifact}")" > "${checksum}" )
+    (cd "$(dirname "${extras_artifact}")"; shasum -a 256 "$(basename "${extras_artifact}")" > "${extras_checksum}" )
+}
+
+command -v regctl >/dev/null 2>&1 || { echo -e "The regctl cli is required to run this script." >&2 ; exit 1; }
+
+build_artifact amd64
+build_artifact arm64
--- a/.github/workflows/scripts/build_windows_artifacts.sh
+++ b/.github/workflows/scripts/build_windows_artifacts.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+BINDIR="${REPODIR}/bin"
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+ARCH=amd64
+
+ARTIFACT="${OUTDIR}/spire-${TAG}-windows-${ARCH}.zip"
+CHECKSUM="${OUTDIR}/spire-${TAG}-windows-${ARCH}_sha256sum.txt"
+
+EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}.zip"
+EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}_sha256sum.txt"
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+    rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+STAGING="${TMPDIR}"/spire/spire-${TAG}
+EXTRAS_STAGING="${TMPDIR}"/spire-extras/spire-extras-${TAG}
+mkdir -p "${STAGING}" "${EXTRAS_STAGING}"
+
+echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\""
+
+# Copy in the contents under release/
+cp -r "${REPODIR}"/release/windows/spire/* "${STAGING}"
+cp -r "${REPODIR}"/release/windows/spire-extras/* "${EXTRAS_STAGING}"
+
+# Copy in the LICENSE
+cp "${REPODIR}"/LICENSE "${STAGING}"
+cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}"
+
+# Copy in the SPIRE binaries
+mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin
+cp "${BINDIR}"/spire-server.exe "${STAGING}"/bin
+cp "${BINDIR}"/spire-agent.exe "${STAGING}"/bin
+cp "${BINDIR}"/oidc-discovery-provider.exe "${EXTRAS_STAGING}"/bin
+
+mkdir -p "${OUTDIR}"
+
+(cd "${TMPDIR}/spire"; zip -rv "${ARTIFACT}" -- *)
+(cd "${TMPDIR}/spire-extras"; zip -rv "${EXTRAS_ARTIFACT}" -- *)
+
+(cd "$(dirname "${ARTIFACT}")"; CertUtil -hashfile "$(basename "${ARTIFACT}")" SHA256 > "${CHECKSUM}")
+(cd "$(dirname "${EXTRAS_ARTIFACT}")"; CertUtil -hashfile "$(basename "${EXTRAS_ARTIFACT}")" SHA256 > "${EXTRAS_CHECKSUM}")
--- a/.github/workflows/scripts/find_k8s.sh
+++ b/.github/workflows/scripts/find_k8s.sh
@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+          kind_release_info=$(curl -s https://api.github.com/repos/kubernetes-sigs/kind/releases/latest)
+          kind_version=$(echo "$kind_release_info" | jq -r '.tag_name')
+          
+          all_tags=()
+          # Currently we're taking the first 5 pages of the URL
+            for ((page=1; page<=5; page++)); do
+                # Fetch tags for the current page using curl and jq
+                tags=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags?page=$page" | jq -r '.results[].name')
+
+                # Check if the tags variable is empty
+                if [[ -z "$tags" ]]; then
+                    break
+                fi
+
+                # Append the current page tags to the all_tags array
+                all_tags+=( "$tags" )
+            done
+          
+          readarray -t tags_sorted < <(printf '%s\n' "${all_tags[@]}" | sort -V)
+
+          lowest_target_version=$(cat ./test/integration/suites/k8s/integration_k8s_min_version.txt)
+          
+          declare -A tags_map
+          for element in "${tags_sorted[@]}"; do
+            # Skip 1.32.1 until either a new version of kind is released the problem
+            # with the kindest/node:1.32.1 image is fixed. See upstream kind issue:
+            # https://github.com/kubernetes-sigs/kind/issues/3853
+            if [[ "$element" == "v1.32.1" ]]; then
+              continue
+            fi
+
+            # Element is in this form: "X.XX.YY"
+            # If not, continue
+            num_dots=$(echo "$element" | grep -o '\.' | wc -l)
+
+            # Continue to the next iteration if the number of dots is not equal to 2
+            if [[ "$num_dots" -ne 2 ]]; then
+                continue
+            fi
+
+            # Extract the "X.XX" part as the key for the map
+            key="${element%.*}"
+            key="${key//\"}"
+            # Check if the key is greater than or equal to "1.21"
+            if [[ $(printf "%s\n$lowest_target_version" "$key" | sort -V | head -n1) == "$lowest_target_version" ]]; then
+                # Extract the "YY" part as the value for the map
+                value="${element##*.}"
+                tags_map["$key"]=$value
+            fi
+           done
+
+          # Read the content of the array.txt file
+          # Currently we just have one row as example, add more if we need to test a specific version
+          # Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+          IFS= readarray -t matrix_lines < ./test/integration/suites/k8s/integration_k8s_versions.txt
+
+          # Convert each line of the file into a JSON array element
+          json_array="["
+          for line in "${matrix_lines[@]}"; do
+            json_array+="$line,"
+          done
+
+          # Add every version from tags_map
+          for key in "${!tags_map[@]}"; do
+              value="${tags_map[$key]}"
+              k8s_image="kindest/node:$key.$value"
+              new_version_row="[\"$key.$value\",\"$k8s_image\",\"$kind_version\"]"
+              json_array+="$new_version_row,"
+          done
+
+          json_array="${json_array%,}]"
+
+echo "${json_array}"
--- a/.github/workflows/scripts/load-oci-archives.sh
+++ b/.github/workflows/scripts/load-oci-archives.sh
@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+##
+## USAGE: __PROG__
+##
+## "__PROG__" loads oci tarballs created with xbuild into docker.
+##
+## Usage example(s):
+##   ./__PROG__
+##   PLATFORM=linux/arm64 ./__PROG__
+##
+## Commands
+## - ./__PROG__ loads the oci tarball into Docker.
+
+function usage {
+  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
+}
+
+function normalize_path {
+    # Remove all /./ sequences.
+    local path=${1//\/.\//\/}
+    local npath
+    # Remove first dir/.. sequence.
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+    # Remove remaining dir/.. sequence.
+    while [[ $npath != "$path" ]] ; do
+        path=$npath
+        npath="${path//[^\/][^\/]*\/\.\.\//}"
+    done
+    echo "$path"
+}
+
+me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
+
+command -v regctl >/dev/null 2>&1 || { usage; echo -e "\n * The regctl cli is required to run this script." >&2 ; exit 1; }
+command -v docker >/dev/null 2>&1 || { usage; echo -e "\n * The docker cli is required to run this script." >&2 ; exit 1; }
+
+# Takes the current platform architecture or plaftorm as defined externally in a platform variable.
+# e.g.:
+# linux/amd64
+# linux/arm64
+# linux/arm64/v7
+PLATFORM="${PLATFORM:-local}"
+OCI_IMAGES=(
+    spire-server spire-agent oidc-discovery-provider
+)
+
+echo "Importing ${OCI_IMAGES[*]} into docker".
+for img in "${OCI_IMAGES[@]}"; do
+    oci_dir="ocidir://${ROOTDIR}oci/${img}"
+    platform_tar="${img}-${PLATFORM}-image.tar"
+    
+    # regclient works with directories rather than tars, so import the OCI tar to a directory
+    regctl image import "$oci_dir" "${img}-image.tar"
+    dig="$(regctl image digest --platform "$PLATFORM" "$oci_dir")"
+    # export the single platform image using the digest
+    regctl image export "$oci_dir@${dig}" "${platform_tar}"
+    
+    docker load < "${platform_tar}"
+    docker image tag "localhost/oci/${img}:latest" "${img}:latest-local"
+    docker image rm "localhost/oci/${img}:latest"
+done
--- a/.github/workflows/scripts/push-images.sh
+++ b/.github/workflows/scripts/push-images.sh
@ -1,20 +1,72 @@
-#!/bin/bash
+#!/usr/bin/env bash
+# shellcheck shell=bash
+##
+## USAGE: __PROG__
+##
+## "__PROG__" publishes images to a registry.
+##
+## Usage example(s):
+##   ./__PROG__ 1.5.2
+##   ./__PROG__ v1.5.2
+##   ./__PROG__ refs/tags/v1.5.2
+##
+## Commands
+## - ./__PROG__ <version> pushes images to the registry using given version.

 set -e

-IMAGETAG="$1"
-if [ -z "$IMAGETAG" ]; then
-    echo "IMAGETAG not provided!" 1>&2
-    echo "Usage: push-images.sh IMAGETAG" 1>&2
-    exit 1
+function usage {
+  grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2
+}
+
+function normalize_path {
+  # Remove all /./ sequences.
+  local path=${1//\/.\//\/}
+  local npath
+  # Remove first dir/.. sequence.
+  npath="${path//[^\/][^\/]*\/\.\.\//}"
+  # Remove remaining dir/.. sequence.
+  while [[ $npath != "$path" ]] ; do
+    path=$npath
+    npath="${path//[^\/][^\/]*\/\.\.\//}"
+  done
+  echo "$path"
+}
+
+me=$(basename "$0")
+BASEDIR=$(dirname "$0")
+ROOTDIR="$(normalize_path "$BASEDIR/../../../")"
+
+version="$1"
+if [ -z "${version}" ]; then
+  usage
+  echo -e "\n Errors:\n * the version must be provided." >&2
+  exit 1
 fi

-echo "Pushing images tagged as $IMAGETAG..."
+# remove the git tag prefix
+# Push the images using the version tag (without the "v" prefix).
+# Also strips the refs/tags part if the GITHUB_REF variable is used.
+version="${version#refs/tags/v}"
+version="${version#v}"

-for img in spire-server spire-agent k8s-workload-registrar oidc-discovery-provider; do
-    gcrimg=gcr.io/spiffe-io/"$img":"${IMAGETAG}"
-    echo "Executing: docker tag $img:latest-local $gcrimg"
-    docker tag "$img":latest-local "$gcrimg"
-    echo "Executing: docker push $gcrimg"
-    docker push "$gcrimg"
+OCI_IMAGES=(
+  spire-server spire-agent oidc-discovery-provider
+)
+
+org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
+org_name="${org_name:-spiffe}" # default to spiffe in case ran on local
+registry=ghcr.io/${org_name}
+
+echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}".
+for img in "${OCI_IMAGES[@]}"; do
+  oci_dir="ocidir://${ROOTDIR}oci/${img}"
+  image_to_push="${registry}/${img}:${version}"
+  
+  regctl image import "${oci_dir}" "${img}-image.tar"
+  regctl image copy "${oci_dir}" "${image_to_push}"
+
+  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${img}/index.json")"
+
+  cosign sign -y "${registry}/${img}@${image_digest}"
 done
--- a/.github/workflows/scripts/push-scratch-images.sh
+++ b/.github/workflows/scripts/push-scratch-images.sh
@ -1,32 +0,0 @@
-#!/bin/bash
-
-set -e
-
-IMAGETAG="$1"
-if [ -z "$IMAGETAG" ]; then
-    echo "IMAGETAG not provided!" 1>&2
-    echo "Usage: push-images.sh IMAGETAG" 1>&2
-    exit 1
-fi
-
-# Extracting org name rather than hardcoding allows this
-# action to be portable across forks
-ORGNAME=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n")
-
-echo "Pushing images tagged as $IMAGETAG..."
-
-for img in spire-server spire-agent oidc-discovery-provider; do
-    ghcrimg="ghcr.io/${ORGNAME}/${img}:${IMAGETAG}"
-
-    # Detect the oidc image and give it a different name for GHCR
-    # TODO: Remove this hack and fully rename the image once we move
-    # off of GCR.
-    if [ "$img" == "oidc-discovery-provider" ]; then
-            ghcrimg="ghcr.io/${ORGNAME}/spire-oidc-provider:${IMAGETAG}"
-    fi
-
-    echo "Executing: docker tag $img-scratch:latest-local $ghcrimg"
-    docker tag "$img"-scratch:latest-local "$ghcrimg"
-    echo "Executing: docker push $ghcrimg"
-    docker push "$ghcrimg"
-done
--- a/.github/workflows/scripts/run_unit_tests.sh
+++ b/.github/workflows/scripts/run_unit_tests.sh
@ -14,3 +14,7 @@ if [ -n "${COVERALLS_TOKEN}" ]; then
    "$(go env GOPATH)"/bin/goveralls -coverprofile="${COVERPROFILE}" \
            -service=github
 fi
+
+# This ensures that running the tests didn't modify the source files, for
+# example by generating test keys that should have been checked in with the PR.
+make git-clean-check
--- a/.github/workflows/scripts/run_unit_tests_under_race_detector.sh
+++ b/.github/workflows/scripts/run_unit_tests_under_race_detector.sh
@ -8,9 +8,13 @@ if [ -n "${COVERALLS_TOKEN}" ]; then
    go install github.com/mattn/goveralls@v0.0.7
 fi

-COVERPROFILE="${COVERPROFILE}" make ci-race-test
+COVERPROFILE="${COVERPROFILE}" make race-test

 if [ -n "${COVERALLS_TOKEN}" ]; then
    "$(go env GOPATH)"/bin/goveralls -coverprofile="${COVERPROFILE}" \
            -service=github
 fi
+
+# This ensures that running the tests didn't modify the source files, for
+# example by generating test keys that should have been checked in with the PR.
+make git-clean-check
--- a/.github/workflows/scripts/split.sh
+++ b/.github/workflows/scripts/split.sh
@ -18,7 +18,7 @@ for FILE in test/integration/suites/*; do
        job_set[$current_runner]+="${FILE##test/integration/} "

        ((current_runner++))
-        if [ $current_runner -gt "$NUM_RUNNERS" ]; then
+        if [ "$current_runner" -gt "$NUM_RUNNERS" ]; then
                current_runner=1
        fi
 done
--- a/.github/workflows/scripts/split_k8s.sh
+++ b/.github/workflows/scripts/split_k8s.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+if [ -z "$NUM_RUNNERS" ]; then
+        echo "split.sh: NUM_RUNNERS environment variable must be set"
+        exit 1
+fi
+
+if [ -z "$THIS_RUNNER" ]; then
+        echo "split.sh: THIS_RUNNER environment variable must be set"
+        exit 1
+fi
+
+declare -a job_set
+current_runner=1
+for FILE in test/integration/suites/k8s*; do
+        job_set[$current_runner]+="${FILE##test/integration/} "
+
+        ((current_runner++))
+        if [ "$current_runner" -gt "$NUM_RUNNERS" ]; then
+                current_runner=1
+        fi
+done
+
+echo "${job_set[$THIS_RUNNER]}"
--- a/.github/workflows/stalebot.yaml
+++ b/.github/workflows/stalebot.yaml
@ -0,0 +1,39 @@
+name: stalebot
+on:
+  schedule:
+  # Random minute number to avoid GH scheduler stampede
+  - cron: '39 22 * * *'
+
+jobs:
+  process-stale-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+      with:
+        days-before-issue-stale: 365 # 1 year
+        days-before-issue-close: 30
+        stale-issue-label: "stale"
+        exempt-issue-labels: "blocked" # Ignore blocked issues
+        stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
+        close-issue-message: "This issue was closed because it has been inactive for 30 days since being marked as stale."
+        days-before-pr-stale: -1 # Don't handle PRs
+        days-before-pr-close: -1 # Don't handle PRs
+
+  process-stale-blocked-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+      with:
+        only-labels: "blocked"
+        days-before-issue-stale: 30
+        days-before-issue-close: -1 # Don't close blocked issues
+        stale-issue-label: "stale"
+        stale-issue-message: "This issue has been in the blocked state for 30 days, marking as stale so the blocking issue is re-checked."
+        days-before-pr-stale: -1 # Don't handle PRs
+        days-before-pr-close: -1 # Don't handle PRs
--- a/.gitignore
+++ b/.gitignore
@ -1,8 +1,10 @@
-.build*
+.build
 .cache
 .data
+.envrc
 .glide
 .tmp
+.DS_Store
 *.swp
 *.log
 /bin
@ -18,14 +20,24 @@ svid.*.pem
 # within the respective main packages.
 /spire-server
 /spire-agent
-/k8s-workload-registrar
 /oidc-discovery-provider
 cmd/spire-server/spire-server
 cmd/spire-agent/spire-agent
-support/k8s/k8s-workload-registrar/k8s-workload-registrar
 support/oidc-discovery-provider/oidc-discovery-provider
 tools/spire-plugingen/spire-plugingen

 # Editor specific configuration
 .idea
 .vscode
+
+# Runtime version manager specific configuration
+# asdf config file
+.tool-versions
+
+# oci artifacts
+*-image.tar
+oci/
+
+# Go workspace files
+go.work
+go.work.sum
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.19.1
+1.24.4
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,34 +1,87 @@
+version: "2"
 run:
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 12m
-
-  skip-dirs:
-    - testdata$
-    - test/mock
-
-  skip-files:
-    - ".*\\.pb\\.go"
-    - support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_types.go
-
 linters:
  enable:
    - bodyclose
-    - depguard
+    - copyloopvar
    - durationcheck
    - errorlint
-    - goimports
-    - revive
+    - exptostd
+    - gocritic
    - gosec
+    - intrange
+    - mirror
    - misspell
    - nakedret
+    - nilnesserr
+    - nolintlint
+    - predeclared
+    - reassign
+    - revive
    - unconvert
    - unparam
+    - wastedassign
    - whitespace
-    - gocritic
-    # nolintlint can be re-enabled after the rest of the linters have gained
-    # support for go1.18.
-    # - nolintlint
-linters-settings:
-  revive:
-    # minimal confidence for issues, default is 0.8
-    confidence: 0.0
+  settings:
+    govet:
+      enable:
+        - sortslice
+        - unusedwrite
+    revive:
+      confidence: 0
+      rules:
+        - name: atomic
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: datarace
+        - name: error-naming
+        - name: error-return
+        - name: errorf
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: optimize-operands-order
+        - name: range
+        - name: receiver-naming
+        - name: redundant-import-alias
+        - name: redundant-test-main-exit
+        - name: string-of-int
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unnecessary-stmt
+        - name: unreachable-code
+        - name: use-any
+        - name: use-errors-new
+        - name: useless-break
+        - name: var-declaration
+        - name: waitgroup-by-value
+    staticcheck:
+      checks:
+        - all
+        - -ST1003
+        - -QF1001
+        - -QF1008
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - gosec
+        path: (.*_test\.go$)|(^test/.*)
+        text: integer overflow conversion
+      - linters:
+          - revive
+        text: Import alias "v1" is redundant
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -0,0 +1,7 @@
+MD013: false
+# We are not interested on requesting output when using "$" on shell documentation
+MD014: false
+MD024:
+  siblings_only: true
+# we use emphasis on all node attestors
+MD036: false
--- a/.spire-tool-versions
+++ b/.spire-tool-versions
@ -0,0 +1,3 @@
+golangci-lint v2.1.6
+markdown_lint v0.37.0
+protoc 29.4
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@ -1,34 +1,38 @@
+# Adopters
+
 ## End users

-Known end users with notable contributions to the advancement of the project include: 
+Known end users with notable contributions to the advancement of the project include:

 * Anthem
-* Bloomberg 
-* ByteDance 
+* Bloomberg
+* ByteDance
 * Duke Energy
 * GitHub
 * Netflix
 * Niantic
-* Pinterest 
+* Pinterest
 * Square
-* Twilio 
+* Twilio
 * Uber
+* Unity Technologies
 * Z Lab Corporation

-SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to: 
+SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:

+* AccuKnox
 * Amazon
 * Arm
-* Cisco 
-* Decipher Technology Studios 
-* F5 Networks 
-* HashiCorp 
+* Cisco
+* Decipher Technology Studios
+* F5 Networks
+* HashiCorp
 * Hewlett Packard Enterprise
-* Intel 
-* Google 
-* IBM 
+* Intel
+* Google
+* IBM
 * SAP
-* Tigera 
+* Tigera
 * TestifySec
 * Transferwise
 * VMware
@ -37,70 +41,69 @@ SPIFFE and SPIRE are being used by numerous other companies, both large and smal

 SPIFFE and SPIRE have integrations available with a number of open-source projects. The list includes but is not limited to:

-* [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s)		
+* [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s)  
 * [Athenz](https://github.com/yahoo/athenz)
-* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe)		
-* [Consul](https://github.com/hashicorp/consul)		
-* [Dapr](https://github.com/dapr)		
-* [Docker](https://github.com/containerd/containerd)		
-* [Emissary](https://github.com/github/emissary)		
-* [Envoy](https://github.com/envoyproxy/envoy)		
-* [Ghostunnel](https://github.com/square/ghostunnel)		
-* [gRPC](https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/examples/spiffe-grpc) 
-* [Hamlet](https://github.com/vmware/hamlet)		
-* [Istio](https://github.com/istio/istio)		
-* [Knox](https://github.com/pinterest/knox)		
-* [Kubernetes](https://github.com/kubernetes/kubernetes)		
-* [NGINX](http://hg.nginx.org/nginx/)		
-* [Parsec](https://github.com/parallaxsecond/parsec)		
-* [Sigstore](https://github.com/sigstore/fulcio)		
-* [Tekton](https://github.com/tektoncd/chains)		
-* [Tornjak](https://github.com/spiffe/tornjak)		
-
+* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe)
+* [Consul](https://github.com/hashicorp/consul)
+* [Dapr](https://github.com/dapr)
+* [Docker](https://github.com/containerd/containerd)
+* [Emissary](https://github.com/github/emissary)
+* [Envoy](https://github.com/envoyproxy/envoy)
+* [Ghostunnel](https://github.com/square/ghostunnel)
+* [gRPC](https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/examples/spiffe-grpc)
+* [Hamlet](https://github.com/vmware/hamlet)
+* [Istio](https://github.com/istio/istio)
+* [Knox](https://github.com/pinterest/knox)
+* [Kubernetes](https://github.com/kubernetes/kubernetes)
+* [Linkerd](https://github.com/linkerd/linkerd2)
+* [NGINX](http://hg.nginx.org/nginx/)
+* [Parsec](https://github.com/parallaxsecond/parsec)
+* [Sigstore](https://github.com/sigstore/fulcio)
+* [Tekton](https://github.com/tektoncd/chains)
+* [Tornjak](https://github.com/spiffe/tornjak)
+* [Traefik](https://github.com/traefik/traefik)

 ## Case Studies/User Stories

-* Amazon Web Services blogs about using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS
-https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh-on-eks/
+* Amazon Web Services blogs about using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS:
+<https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh-on-eks/>

 * Anthem writes about developing a zero trust framework at Anthem Using SPIFFE and SPIRE:
-https://upshotstories.com/stories/developing-a-zero-trust-framework-at-anthem-using-spiffe-and-spire
+<https://upshotstories.com/stories/developing-a-zero-trust-framework-at-anthem-using-spiffe-and-spire>

-* ARM and VMware showcase hardware backed security for multitenancy at the Edge with SPIFFE & PARSEC
-https://www.youtube.com/watch?v=-I_rCKMyY7Y
+* ARM and VMware showcase hardware backed security for multi-tenancy at the Edge with SPIFFE & PARSEC:
+<https://www.youtube.com/watch?v=-I_rCKMyY7Y>

 * Bloomberg talks about TPM node attestation with SPIRE:
-https://youtu.be/30S0sKRxzjM
+<https://youtu.be/30S0sKRxzjM>

 * Coinbase details Container Technologies part of their stack:
-https://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c
+<https://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c>

-* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs 
-https://www.distributech.com/distributech-international-2022-conference-sessions/achieving-the-promise-of-grid-security-with-openfmb-and-cybersecurity-zero-trust-best-practices 
+* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs:
+<https://www.distributech.com/distributech-international-2022-conference-sessions/achieving-the-promise-of-grid-security-with-openfmb-and-cybersecurity-zero-trust-best-practices>

-* NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE
-https://youtu.be/plRkDK5xFpM
+* Google announces standardization on SPIFFE across Google Cloud as the unified workload identity platform offered as a managed service:
+<https://www.youtube.com/watch?v=aaPvEUCXvvw>

-* Styra demonstrates fortifying microservices with SPIRE and OPA
-https://www.youtube.com/watch?v=iQ5ctLQswUc
+* NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE:
+<https://youtu.be/plRkDK5xFpM>
+
+* Styra demonstrates fortifying microservices with SPIRE and OPA:
+<https://www.youtube.com/watch?v=iQ5ctLQswUc>

 * Square talks about how Square uses SPIFFE and SPIRE to secure communications across hybrid infrastructure services:
-https://youtu.be/H5IlmYmEDKk?t=2585
+<https://youtu.be/H5IlmYmEDKk?t=2585>

-* Square describes how they provide mTLS identities to Lambdas using SPIFFE and SPIRE
-https://developer.squareup.com/blog/providing-mtls-identities-to-lambdas/
+* Square describes how they provide mTLS identities to Lambdas using SPIFFE and SPIRE:
+<https://developer.squareup.com/blog/providing-mtls-identities-to-lambdas/>

 * Tigera demonstrates how Calico, Envoy and SPIRE are used to deliver unified Layer 4 and Layer 7 authorization policies:
-https://youtu.be/H5IlmYmEDKk?t=7812
-
-* Uber talks about integrating SPIRE with workload schedulers: 
-https://youtu.be/H5IlmYmEDKk?t=4703
-
-
+<https://youtu.be/H5IlmYmEDKk?t=7812>

+* Uber talks about integrating SPIRE with workload schedulers:
+<https://youtu.be/H5IlmYmEDKk?t=4703>

 ## Adding a name

-If you would like to add your name to this file, submit a pull request with your change. 
-
-
+If you would like to add your name to this file, submit a pull request with your change.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@ -1,8 +1,10 @@
-### Contributor Code of Conduct
+# Code of Conduct
+
+## Contributor Code of Conduct

 We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [SPIFFE Code of Conduct](https://github.com/spiffe/spiffe/blob/main/CODE-OF-CONDUCT.md):

-### Community Guidelines
+## Community Guidelines

 - Our goal is to foster an inclusive and diverse community of technology enthusiasts.

@ -14,6 +16,6 @@ We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundat

 - We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense.

-### Moderation
+## Moderation

 - If you feel any of SPIFFE's Slack channels require moderation, please e-mail [SPIFFE's Technical Steering Committee (TSC)](mailto:tsc@spiffe.io). The TSC will issue a warning to users who don't follow this code of conduct. A second offense results in a temporary ban. A third offense warrants a permanent ban. It is at the moderator's discretion to un-ban offending users, or to immediately ban a toxic user without warning.
--- a/14
+++ b/14
@ -1,27 +1,27 @@
-* @evan2645 @amartinezfayo @azdagron @MarcosDY @rturner3
+* @evan2645 @amartinezfayo @sorindumitru @MarcosDY @rturner3

 ##########################################
 # Maintainers
 ##########################################

 # Evan Gilman
-# VMware, Inc
+# SPIRL, Inc.
 # @evan2645

 # Agustin Martínez Fayó
 # Hewlett-Packard Enterprise	
 # @amartinezfayo

-# Andrew Harding
-# VMware, Inc
-# @azdagron
+# Sorin Dumitru
+# Bloomberg L.P.
+# @sorindumitru

 # Marcos Yacob
 # Hewlett-Packard Enterprise
 # @MarcosDY

 # Ryan Turner
-# Uber Technologies, Inc
+# Cielara AI
 # @rturner3

 ##########################################
@ -29,5 +29,5 @@
 ##########################################

 # Umair Khan
-# Hewlett-Packard Enterprise
+# Stacklet, Inc.
 # @umairmkhan
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,4 +1,6 @@
-# Contributor guidelines and Governance
+# Contributing
+
+## Contributor guidelines and Governance

 Please see
 [CONTRIBUTING](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md)
@ -6,20 +8,23 @@ and
 [GOVERNANCE](https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md)
 from the SPIFFE project.

-# Prerequisites
+As a general guideline, it is suggested to first create an issue summarizing the changes you would like to see to the project.
+The project maintainers regularly triage open issues to clarify the request, refine the scope, and determine the direction for the issue.
+Contributions that are tied to a triaged issue are more likely to be successfully merged into the project.
+
+## Prerequisites

 For basic development you will need:

-* **Go 1.11** or higher (https://golang.org/dl/)
+* **Go 1.11** or higher (<https://golang.org/dl/>)

 For development that requires changes to the gRPC interfaces you will need:

-* The protobuf compiler (https://github.com/google/protobuf)
-* The protobuf documentation generator (https://github.com/pseudomuto/protoc-gen-doc)
+* The protobuf compiler (<https://github.com/google/protobuf>)
+* The protobuf documentation generator (<https://github.com/pseudomuto/protoc-gen-doc>)
 * protoc-gen-go and protoc-gen-spireplugin (`make utils`)

-
-#  Building
+## Building

 Since go modules are used, this repository can live in any folder on your local disk (it is not required to be in GOPATH).

@ -38,20 +43,20 @@ The Makefile takes care of installing the required toolchain as needed. The
 toolchain and other build related files are cached under the `.build` folder
 (ignored by git).

-## Development in Docker
+### Development in Docker

-You can either build SPIRE on your host or in a Ubuntu docker container. In
+You can either build SPIRE on your host or in an Ubuntu docker container. In
 both cases you will use the same Makefile commands.

 To build SPIRE within a container, first build the development image:

-```
+```shell
 $ make dev-image
 ```

 Then launch a shell inside of development container:

-```
+```shell
 $ make dev-shell
 ```

@ -59,17 +64,17 @@ Because the docker container shares the `.build` cache and `$GOPATH/pkg/mod`
 you will not have to re-install the toolchain or go dependencies every time you
 run the container.

-# Conventions
+## Conventions

 In addition to the conventions covered in the SPIFFE project's
 [CONTRIBUTING](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md), the following
 conventions apply to the SPIRE repository:

-## SQL Plugin Changes
+### SQL Plugin Changes

 Datastore changes must be present in at least one full minor release cycle prior to introducing code changes that depend on them.

-## Directory layout
+### Directory layout

 `/cmd/{spire-server,spire-agent}/`

@ -94,30 +99,30 @@ gRPC .proto files, their generated .pb.go, and README_pb.md.
 The protobuf package names should be `spire.{server,agent,api,common}.<name>` and the go package name
 should be specified with `option go_package = "<name>";`

-## Interfaces
+### Interfaces

 Packages should be exported through interfaces. Interaction with packages must be done through these
 interfaces

 Interfaces should be defined in their own file, named (in lowercase) after the name of the
-interface. eg. `foodata.go` implements `type FooData interface{}`
+interface. e.g. `foodata.go` implements `type FooData any`

-## Metrics
+### Metrics

 As much as possible, label names should be constants defined in the `telemetry` package. Additionally,
 specific metrics should be centrally defined in the `telemetry` package or its subpackages. Functions
 desiring metrics should delegate counter, gauge, timer, etc. creation to such packages.
-The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry.md) and should be kept up to date.
+The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry/telemetry.md) and should be kept up to date.

 In addition, metrics should be unit-tested where reasonable.

-### Count in Aggregate
+#### Count in Aggregate

 Event count metrics should aggregate where possible to reduce burden on metric sinks, infrastructure,
 and consumers.
 That is, instead of:

-```
+```go
 for ... {
  if ... {
    foo.Bar = X
@ -130,7 +135,7 @@ for ... {

 Change to this instead:

-```
+```go
 updateCount := 0
 notUpdatedCount := 0
 for ... {
@ -149,16 +154,18 @@ telemetry.FooNotUpdatedCount(notUpdatedCount)

 Labels added to metrics must be singular only; that is:

- the value of a metrics label must not be an array or slice, and a label of some name must only be added
+* the value of a metrics label must not be an array or slice, and a label of some name must only be added
 once. Failure to follow this will make metrics less usable for non-tagging metrics libraries such as `statsd`.
 As counter examples, DO NOT do the following:
-```
+
+```go
 []telemetry.Label{
  {Name: "someName", "val1"},
  {Name: "someName", "val2"},
 }
 ```
-```
+
+```go
 var callCounter telemetry.CallCounter
 ...
 callCounter.AddLabel("someName", "val1")
@ -166,12 +173,13 @@ callCounter.AddLabel("someName", "val1")
 callCounter.AddLabel("someName", "val2")
 ```

- the existence of a metrics label is constant for all instances of a given metric. For some given metric A with
+* the existence of a metrics label is constant for all instances of a given metric. For some given metric A with
 label X, label X must appear in every instance of metric A rather than conditionally. Failure to follow this will
 make metrics less usable for non-tagging metrics libraries such as `statsd`, and potentially break aggregation for
 tagging metrics libraries.
 As a counter example, DO NOT do the following:
-```
+
+```go
 var callCounter telemetry.CallCounter
 ...
 if caller != "" {
@ -182,8 +190,10 @@ if x > 5000 {
  callCounter.AddLabel("big_load", "true")
 }
 ```
+
 Instead, the following would be more acceptable:
-```
+
+```go
 var callCounter telemetry.CallCounter
 ...
 if caller != "" {
@ -199,7 +209,7 @@ if x > 5000 {
 }
 ```

-## Logs and Errors
+### Logs and Errors

 Errors should start with lower case, and logged messages should follow standard casing.

@ -209,7 +219,7 @@ look for and hinders aggregation.

 Log messages and error messages should not end with periods.

-## Mocks v.s. Fakes
+### Mocks v.s. Fakes

 Unit tests should avoid mocks (e.g. those generated via go-mock) and instead
 prefer fake implementations. Mocks tend to be brittle as they encode specific
@ -223,13 +233,21 @@ implementation can easily serve the needs for an entire suite of tests and
 the behavior is in a centralized location when it needs to be updated. Fakes
 are also less inclined to be impacted by changes to usage patterns.

-# Git hooks
+## Example [direnv][direnv_link] .envrc

-We have checked in a pre-commit hook which enforces `go fmt` styling. Please install it
-before sending a pull request. From the project root:
+We have committed a basic `.envrc.example`. If you use [direnv][direnv_link],
+copy it into `.envrc`, edit as desired, and enable it with `direnv allow`. The
+`.envrc` is `.gitignored`. Be aware that [source_env][source_env] is insecure
+so keep your customizations in `.envrc`.

-```
-ln -s .githooks/pre-commit .git/hooks/pre-commit
-```
-# Reporting security vulnerabilities
-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+[direnv_link]: https://direnv.net/
+[source_env]: https://direnv.net/man/direnv-stdlib.1.html#codesourceenv-ltfileordirpathgtcode
+
+## Project Tool Versions
+
+This project uses a `.spire-tool-versions` file to centralize the versions of various tools used for
+development, linting, and other tasks.
+
+## Reporting security vulnerabilities
+
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
--- a/102
+++ b/102
@ -1,43 +1,85 @@
+# syntax = docker/dockerfile:1.6.0@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
+
 # Build stage
 ARG goversion
-FROM golang:${goversion}-alpine as builder
-RUN apk add build-base git mercurial
-ADD go.mod /spire/go.mod
-RUN cd /spire && go mod download
-ADD . /spire
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.22 as base
 WORKDIR /spire
-RUN make build
+RUN apk --no-cache --update add file bash clang lld pkgconfig git make
+COPY go.* ./
+# https://go.dev/ref/mod#module-cache
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
+COPY . .

-# Common base
-FROM alpine AS spire-base
-RUN apk --no-cache add dumb-init
-RUN apk --no-cache add ca-certificates
-RUN mkdir -p /opt/spire/bin
+# xx is a helper for cross-compilation
+# when bumping to a new version analyze the new version for security issues
+# then use crane to lookup the digest of that version so we are immutable
+# crane digest tonistiigi/xx:1.3.0
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx
+
+FROM --platform=${BUILDPLATFORM} base as builder
+ARG TAG
+ARG TARGETPLATFORM
+ARG TARGETARCH
+COPY --link --from=xx / /
+
+RUN xx-go --wrap
+RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev
+ENV CGO_ENABLED=1
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    if [ "$TARGETARCH" = "arm64" ]; then CC=aarch64-alpine-linux-musl; elif [ "$TARGETARCH" = "s390x" ]; then CC=s390x-alpine-linux-musl; fi && \
+    make build-static git_tag=$TAG git_dirty="" && \
+    for f in $(find bin -executable -type f); do xx-verify --static $f; done
+
+FROM --platform=${BUILDPLATFORM} scratch AS spire-base
+COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+WORKDIR /opt/spire
+
+# Preparation environment for setting up directories
+FROM alpine as prep-spire-server
+RUN mkdir -p /spireroot/opt/spire/bin \
+    /spireroot/etc/spire/server \
+    /spireroot/run/spire/server/private \
+    /spireroot/tmp/spire-server/private \
+    /spireroot/var/lib/spire/server
+
+FROM alpine as prep-spire-agent
+RUN mkdir -p /spireroot/opt/spire/bin \
+    /spireroot/etc/spire/agent \
+    /spireroot/run/spire/agent/public \
+    /spireroot/tmp/spire-agent/public \
+    /spireroot/var/lib/spire/agent
+
+# For users that wish to run SPIRE containers with a specific uid and gid, the
+# spireuid and spiregid arguments are provided. The default paths that SPIRE
+# will try to read from, write to, and create at runtime are given the
+# corresponding file ownership/permissions at build time.
+# A default non-root user is defined for SPIRE Server and the OIDC Discovery
+# Provider. The SPIRE Agent image runs as root by default to facilitate the
+# sharing of the agent socket in Kubernetes environments.

 # SPIRE Server
 FROM spire-base AS spire-server
-COPY --from=builder /spire/bin/spire-server /opt/spire/bin/spire-server
-WORKDIR /opt/spire
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-server", "run"]
-CMD []
+ARG spireuid=1000
+ARG spiregid=1000
+USER ${spireuid}:${spiregid}
+ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
+COPY --link --from=prep-spire-server --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/

 # SPIRE Agent
 FROM spire-base AS spire-agent
-COPY --from=builder /spire/bin/spire-agent /opt/spire/bin/spire-agent
-WORKDIR /opt/spire
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"]
-CMD []
-
-# K8S Workload Registrar
-FROM spire-base AS k8s-workload-registrar
-COPY --from=builder /spire/bin/k8s-workload-registrar /opt/spire/bin/k8s-workload-registrar
-WORKDIR /opt/spire
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/k8s-workload-registrar"]
-CMD []
+ARG spireuid=0
+ARG spiregid=0
+USER ${spireuid}:${spiregid}
+ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
+COPY --link --from=prep-spire-agent --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/

 # OIDC Discovery Provider
 FROM spire-base AS oidc-discovery-provider
-COPY --from=builder /spire/bin/oidc-discovery-provider /opt/spire/bin/oidc-discovery-provider
-WORKDIR /opt/spire
-ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/oidc-discovery-provider"]
-CMD []
+ARG spireuid=1000
+ARG spiregid=1000
+USER ${spireuid}:${spiregid}
+ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"]
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider /opt/spire/bin/
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,6 +1,4 @@
-FROM ubuntu:xenial
-
+FROM ubuntu:24.04
+WORKDIR /spire
 RUN apt-get update && apt-get -y install \
    curl unzip git build-essential ca-certificates libssl-dev
-
-WORKDIR /spire
--- a/Dockerfile.scratch
+++ b/Dockerfile.scratch
@ -1,42 +0,0 @@
-# Build stage
-ARG goversion
-FROM golang:${goversion}-alpine as builder
-RUN apk add build-base git mercurial ca-certificates
-RUN apk add --update gcc musl-dev
-ADD go.mod /spire/go.mod
-RUN cd /spire && go mod download
-ADD . /spire
-WORKDIR /spire
-RUN make build-static
-
-# SPIRE Server
-FROM scratch AS spire-server-scratch
-COPY --from=builder /spire/bin/spire-server-static /opt/spire/bin/spire-server
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
-ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
-CMD []
-
-FROM scratch  AS spire-agent-scratch
-COPY --from=builder /spire/bin/spire-agent-static /opt/spire/bin/spire-agent
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
-EXPOSE 8080 8443
-ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
-CMD []
-
-# K8S Workload Registrar
-FROM scratch AS k8s-workload-registrar-scratch
-COPY --from=builder /spire/bin/k8s-workload-registrar-static /opt/spire/bin/k8s-workload-registrar
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
-ENTRYPOINT ["/opt/spire/bin/k8s-workload-registrar"]
-CMD []
-
-# OIDC Discovery Provider
-FROM scratch AS oidc-discovery-provider-scratch
-COPY --from=builder /spire/bin/oidc-discovery-provider-static /opt/spire/bin/oidc-discovery-provider
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
-ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"]
-CMD []
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@ -4,32 +4,20 @@
 FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS spire-base-windows
 RUN mkdir c:\\spire\\bin
 RUN mkdir c:\\spire\\data
+WORKDIR C:/spire
+CMD []

 # SPIRE Server
 FROM spire-base-windows AS spire-server-windows
-COPY bin/spire-server.exe C:/spire/bin/spire-server.exe
-WORKDIR C:/spire
 ENTRYPOINT ["c:/spire/bin/spire-server.exe", "run"]
-CMD []
+COPY bin/spire-server.exe C:/spire/bin/spire-server.exe

 # SPIRE Agent
 FROM spire-base-windows AS spire-agent-windows
-COPY ./bin/spire-agent.exe C:/spire/bin/spire-agent.exe
-WORKDIR C:/spire
 ENTRYPOINT ["c:/spire/bin/spire-agent.exe", "run"]
-CMD []
-
-# K8S Workload Registrar
-FROM spire-base-windows AS k8s-workload-registrar-windows
-COPY ./bin/k8s-workload-registrar.exe C:/spire/bin/k8s-workload-registrar.exe
-WORKDIR c:/spire
-ENTRYPOINT ["c:/spire/bin/k8s-workload-registrar.exe"]
-CMD []
+COPY ./bin/spire-agent.exe C:/spire/bin/spire-agent.exe

 # OIDC Discovery Provider
 FROM spire-base-windows AS oidc-discovery-provider-windows
-COPY ./bin/oidc-discovery-provider.exe c:/spire/bin/oidc-discovery-provider.exe
-WORKDIR c:/spire
 ENTRYPOINT ["c:/spire/bin/oidc-discovery-provider.exe"]
-CMD []
-
+COPY ./bin/oidc-discovery-provider.exe c:/spire/bin/oidc-discovery-provider.exe
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -1,4 +1,5 @@
 # SPIRE Maintainership Guidelines and Processes
+
 This document captures the values, guidelines, and processes that the SPIRE project and its maintainers adhere to. All SPIRE maintainers, in their independent and individual capacity, agree to uphold and abide by the text contained herein.

 This process can be changed, either permanently or as a one-time exception, through an 80% supermajority maintainer vote.
@ -6,18 +7,22 @@ This process can be changed, either permanently or as a one-time exception, thro
 For a list of active SPIRE maintainers, please see the [CODEOWNERS](CODEOWNERS) file.

 ## General Governance
+
 The SPIRE project abides by the same [governance procedures][1] as the SPIFFE project, and ultimately reports to the SPIFFE TSC the same way that the SPIFFE project and associated maintainers do.

 TSC members do not track day-to-day activity in the SPIFFE/SPIRE projects, and this should be considered when deciding to raise issues to them. While the SPIFFE TSC has the ultimate say, in practice they are only engaged upon serious maintainer disagreement. To say that this would be unprecedented is an understatement.

 ### Maintainer Responsibility
+
 SPIRE maintainers adhere to the [requirements and responsibilities][2] set forth in the SPIFFE governance document. They further pledge the following:
+
 * To act in the best interest of the project at all times.
 * To ensure that project development and direction is a function of community needs.
 * To never take any action while hesitant that it is the right action to take.
 * To fulfill the responsibilities outlined in this document and its dependents.

 ### Number of Maintainers
+
 The SPIRE project keeps a total of five maintainer seats. This number was chosen because 1) it results in a healthy distribution of responsibility/load given the current volume of project activity, and 2) an odd number is highly desirable for dispute resolution.

 We strive to keep the number of maintainers as low as is reasonably possible, given the fact that maintainers carry powerful privileges.
@ -25,18 +30,21 @@ We strive to keep the number of maintainers as low as is reasonably possible, gi
 This section of the document can and should be updated as the above considerations fluctuate. Changes to this section of the document fall under the same requirements as other sections. When changing this section, maintainers must re-review and agree with the document in its entirety, as other guidelines (e.g. voting requirements) will likely change as a result.

 ### Changes in Maintainership
-SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated.

-Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period.
+SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote except the unseated.
+
+Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine-month period.

 The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk.

 #### Onboarding a New Maintainer
+
 New SPIRE maintainers participate in an onboarding period during which they fulfill all code review and issue management responsibilities that are required for their role. The length of this onboarding period is variable, and is considered complete once both the existing maintainers and the candidate maintainer are comfortable with the candidate's competency in the responsibilities of maintainership. This process MUST be completed prior to the candidate being named an official SPIRE maintainer.

 The onboarding period is intended to ensure that the to-be-appointed maintainer is able/willing to take on the time requirements, familiar with SPIRE core logic and concepts, understands the overall system architecture and interactions that comprise it, and is able to work well with both the existing maintainers and the community.

 ## Change Review and Disagreements
+
 The SPIRE project abides by the same [change review process][3] as the SPIFFE project, unless otherwise specified.

 The exact definition/difference between "major" and "minor" changes is left to maintainer's discretion. Changes to particularly sensitive areas like the agent's cache manager, or the server's CA, are always good candidates for additional review. If in doubt, always ask for another review.
@ -44,6 +52,7 @@ The exact definition/difference between "major" and "minor" changes is left to m
 If there is a disagreement amongst maintainers over a contribution or proposal, a vote may be called in which a simple majority wins. If any maintainer feels that the result of this vote critically endangers the project or its users, they have the right to raise the matter to the SPIFFE TSC. If this occurs, the contribution or proposal in question MUST be frozen until the SPIFFE TSC has made a decision. Do not take this route lightly (see [General Governance](#general-governance)).

 ### Security and Usability
+
 SPIRE solves a complicated problem, and is developed and maintained by people with deep expertise. SPIRE maintainers must ensure that new features, log and error messages, documentation and naming choices, are all easily accessible by those who may not be very familiar with SPIFFE or authentication systems in general.

 Decisions should favor "secure by default" and "it just works" anywhere possible, and in that order. The number of configurables should be minimized as much as possible, especially in cases where it's believed that many users would need to invoke it, or when their values (and extremes) could significantly affect SPIRE performance, reliability, or security.
@ -51,9 +60,11 @@ Decisions should favor "secure by default" and "it just works" anywhere possible
 A good measure is the "beginner" measure. A beginner should be able to easily and quickly understand the configurable/feature, and its potential uses/impacts. They should also be able to easily and quickly troubleshoot a problem when something important goes wrong - and not to mention, be clearly informed of such a condition!

 ### Review Guidelines
+
 The SPIFFE [governance document][1], its section on [review process][3], and the SPIRE [contribution guidelines][4], must all be applied for any SPIRE review.

 While reviewing, SPIRE maintainers should ask questions similar to the following:
+
 * Do I clearly understand the use case that this change is addressing?
 * Does the proposed change break any current user's expectations of behavior (i.e. regression)?
 * Is it possible for this change to be misconfigured? If it is, what is the impact?
@ -65,76 +76,23 @@ While reviewing, SPIRE maintainers should ask questions similar to the following
 The above list is advisory, and is meant only to get the mind going.

 ## Release and Branch Management
-The SPIRE project maintains active support for both the current and the previous major versions. All active development occurs in the `main` branch. Version branches are used for minor releases of the previous major version when necessary.

-### Version Branches
-When a bug is discovered in the latest release that also affects releases of the prior major version, it is necessary to backport the fix.
-
-If it is the first time that the prior major version is receiving a backported patch, then a version branch is created to track it. The version branch is named `vX.Y` where X and Y are the two most significant digits in the semantic version number. Its base is the last tag present in main for the release in question. For example, if SPIRE is on version 0.9.3, and the last 0.8 release was 0.8.4, then a `v0.8` branch is created with its base being the main commit tagged with `v0.8.4`.
-
-Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.
-
-Releases for the previous major version are made directly from its version branch. Ensure that the CHANGELOG is updated in both the main and the version branch to reflect the new release.
-
-### Releasing
-The SPIRE release machinery is tag-driven. When the maintainers are ready to release, a tag is pushed referencing the release commit. While the CI/CD pipeline takes care of the rest, it is important to keep an eye on its progress. If an error is encountered during this process, the release is aborted.
-
-The first two releases that a new maintainer performs must be performed under the supervision of maintainer that has already satisfied this requirement.
-
-SPIRE releases are authorized by its maintainers. When doing so, they should carefully consider the proposed release commit. Is there confidence that the changes included do not represent a compatibility concern? Have the affected codepaths been sufficiently exercised, be it by automated test suite or manual testing? Is the maintainer free of general hesitation in releasing this commit, particularly with regards to safety and security? If the answer to any of these questions is "no", then do not release.
-
-A simple majority vote is required to authorize a SPIRE release at a specific commit hash. If any maintainer feels that the result of this vote critically endangers the project or its users, they have the right to raise the matter to the SPIFFE TSC. If this occurs, the release in question MUST be frozen until the SPIFFE TSC has made a decision. Do not take this route lightly (see [General Governance](#general-governance)).
-
-#### Checklist
-This section summarizes the steps necessary to execute a SPIRE release. Unless explicitly stated, the below steps must be executed in order.
-
-The following steps must be completed one week prior to release:
-* Ensure all changes intended to be included in the release are fully merged.
-* Identify a specific commit as the release candidate.
-* Create a draft pull request against the main branch with the updates to the CHANGELOG following [these guidelines](doc/changelog_guidelines.md). This allows those tracking the project to have early visibility into what will be included in the upcoming release and an opportunity to provide feedback. The release date can be set as "TBD" while it is a draft.
-* Raise an issue "Release SPIRE X.Y.Z", and include the release candidate commit hash. Reference the pull request with the updates to the CHANGELOG.
-* If the current state of the main branch has diverged from the candidate commit due to other changes than the ones from the CHANGELOG:
-  * If there is not a version branch for this release, create a branch following the guidelines described in [Version branches](#version-branches).
-  * Create a GitHub project named `Release vX.X.X` to identify the PRs that will be cherry-picked. The project should have two statuses to track the progress: one to identify the PRs to be cherry-picked and one for those that have been merged in the version branch.
-  * Make sure that the [version in the branch](pkg/common/version/version.go) has been bumped to the version that is being released and that the [upgrade integration test is updated](test/integration/suites/upgrade/README.md#maintenance).
-  * Cherry-pick into the version branch the commits for all the changes that must be included in the release.
-
-**If this is a major release**, the following steps must be completed before releasing:
-* Review and exercise all examples in spiffe.io and spire-examples repo against the release candidate hash.
-* Raise a PR for every example that updates included text and configuration to reflect current state and best practice.
-  * Do not merge this PR yet. It will be updated later to use the real version pin rather than the commit hash.
-  * If anything unusual is encountered during this process, a comment MUST be left on the release issue describing what was observed.
-
-The following steps must be completed to perform a release:
-* Mark the pull request to update the CHANGELOG as "Ready for review". Make sure that it is updated with the final release date. **At least two approvals from maintainers are required in order to be able to merge it**. If a version branch was created for the realease, cherry-pick the final CHANGELOG changes into the version branch once they are merged.
-* If releasing from main and the current state of the main branch has diverged from the candidate commit due to just the CHANGELOG changes, the candidate commit is now the one that includes the updated CHANGELOG. If releasing from a version branch, the candidate commit is now the one that has the CHANGELOG changes cherry-picked in the branch.
-* Cut an annotated tag against the release candidate named `vX.X.X`, where `X.X.X` is the semantic version number of SPIRE.
-  * The first line of the annotation should be `vX.X.X` followed by the CHANGELOG. **There should be a newline between the version and the CHANGELOG**.
-* Push the annotated tag to SPIRE, and watch the build to completion.
-  * If the build fails, or anything unusual is encountered, abort the release.
-    * Ensure that the GitHub release, container images, and release artifacts are deleted/rolled back if necessary.
-* Visit the releases page on GitHub, copy the release notes, click edit and paste them back in. This works around a GitHub rendering bug that you will notice before completing this task.
-* Close the GitHub project created to track the release process.
-* Open and merge a PR to bump the SPIRE version to the next projected version and [update the upgrade integration test](test/integration/suites/upgrade/README.md#maintenance).
-  * For example, after releasing 0.10.0, update the version to 0.10.1, since it is more likely to be released before 0.11.0.
-  * Ideally, this is the first commit merged following the release.
-
-**If this is a major release**, the following steps must be completed no later than one week after the release:
-* PRs to update spiffe.io and spire-examples repo to the latest major version must be merged.
-  * Ensure that the PRs have been updated to use the version tag instead of the commit sha.
-* Broadcast news of release to the community via available means: SPIFFE Slack, Twitter, etc.
+See [RELEASING.md](RELEASING.md).

 ## Community Interaction and Presence
+
 Maintainers represent the front line of SPIFFE and SPIRE community engagement. They are the ones interacting with end users on issues, and with contributors on their PRs.

 SPIRE maintainers must make themselves available to the community. It is critical that maintainers engage in this capacity - for understanding user needs and pains, for ensuring success in project adoption and deployment, and to close feedback loops on recently-introduced changes or features... to name a few.

 PR and Issue management/response is a critical responsibility for all SPIRE maintainers. In addition, maintainers should, whenever possible:
+
 * Be generally available on the SPIFFE Slack, and engage in questions/conversations raised in the #help and #spire channels.
 * Attend SPIFFE/SPIRE community events (physically or virtually).
 * Present SPIFFE/SPIRE at meetups and industry conferences.

 ### Communication Values
+
 SPIRE maintainers always engage in a respectful and constructive manner, and always follow the [SPIFFE Code of Conduct][6].

 It is very important for maintainers to understand that contributions are generally acts of generosity, whether it be creating an issue or sending a pull request. It takes time to do these things. In the vast majority of cases, the motivating factor for taking the time to do this is either to improve the quality of the project for others, or to enable the project to (more easily?) solve a problem that it could not previously. Both of these factors are positive.
@ -145,7 +103,7 @@ This is a very important aspect of SPIRE maintainership. Adoption and contributi

 ## Product Management and Roadmap Curation

-In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field testing to better inform maintainers, and communicating project development information to the community.
+In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field-testing to better inform maintainers, and communicating project development information to the community.

 Maintainers are expected to have heavy participation in the community, but it may be impractical to dedicate themselves to gathering and analyzing community feedback and end-user pain points. Based on data collection, the role of the product manager is intended to aid maintainers to validate the desirability, feasibility, and viability of efforts to help drive project direction and priorities in long term planning.

@ -165,17 +123,16 @@ The product manager must:

 The product manager makes the same pledge as maintainers do to act in the best interest at all times and its seat follows the same change guidelines as maintainer seats as described in the governance document. Unseating a product manager against their will requires a unanimous vote by the maintainers.

-
 ## Community Facilitation and Outreach

-The project designates a community chair to work with the product manager seat to focus on growing awareness of the project and increasing community engagement. In this role, the community chair is responsible for community outreach and outbound communication. 
+The project designates a community chair to work with the product manager seat to focus on growing awareness of the project and increasing community engagement. In this role, the community chair is responsible for community outreach and outbound communication.

 The responsibilities of the community chair are as follows:

 * Maintain, share with the community and execute a plan for proposed marketing and community outreach activities every release cycle.
 * Coordinate and facilitate community events (online and in-person).
 * Maintain and manage the spiffe.io website, ensuring that it stays available and up-to-date.
-* Coordinate social media communications. 
+* Coordinate social media communications.
 * Ensure that all community events and meetings are recorded, and make the recordings available and discoverable on YouTube.
 * Ensure that all community meeting notes, discussions, and designs are easily discoverable on Google Docs.
 * Encourage use of project official channels for all technical and non-technical discussions.
@ -183,8 +140,6 @@ The responsibilities of the community chair are as follows:
 * Protect the privacy and confidentiality of non-public community information, including personal contact information such as email addresses and phone numbers.
 * Onboard contributors and welcome them into the community.

-
-
 [1]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md
 [2]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md#maintainers
 [3]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md#change-review-process
--- a/278
+++ b/278
@ -26,38 +26,36 @@ help:
 	@echo
 	@echo "$(bold)Build:$(reset)"
 	@echo "  $(cyan)build$(reset)                                 - build all SPIRE binaries (default)"
-	@echo "  $(cyan)artifact$(reset)                              - build SPIRE tarball artifact"
 	@echo
 	@echo "$(bold)Test:$(reset)"
 	@echo "  $(cyan)test$(reset)                                  - run unit tests"
 	@echo "  $(cyan)race-test$(reset)                             - run unit tests with race detection"
 	@echo "  $(cyan)integration$(reset)                           - run integration tests (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
+	@echo "                                          and 'IGNORE_SUITES' variable for ignoring tests"
 	@echo "                                          e.g. SUITES='suites/join-token suites/k8s' make integration"
 	@echo "  $(cyan)integration-windows$(reset)                   - run integration tests for windows (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
 	@echo "                                          e.g. SUITES='windows-suites/windows-workload-attestor' make integration-windows"
 	@echo
-	@echo "$(bold)Build and test:$(reset)"
-	@echo "  $(cyan)all$(reset)                                   - build all SPIRE binaries, lint the code, and run unit tests"
+	@echo "$(bold)Lint:$(reset)"
+	@echo "  $(cyan)lint$(reset)                                  - lint the code and markdown files"
+	@echo "  $(cyan)lint-code$(reset)                             - lint the code"
+	@echo "  $(cyan)lint-md$(reset)                               - lint markdown files"
+	@echo
+	@echo "$(bold)Build, lint and test:$(reset)"
+	@echo "  $(cyan)all$(reset)                                   - build all SPIRE binaries, run linters and unit tests"
 	@echo
 	@echo "$(bold)Docker image:$(reset)"
 	@echo "  $(cyan)images$(reset)                                - build all SPIRE Docker images"
+	@echo "  $(cyan)images-no-load$(reset)                        - build all SPIRE Docker images but don't load them into the local docker registry"
 	@echo "  $(cyan)spire-server-image$(reset)                    - build SPIRE server Docker image"
 	@echo "  $(cyan)spire-agent-image$(reset)                     - build SPIRE agent Docker image"
-	@echo "  $(cyan)k8s-workload-registrar-image$(reset)          - build Kubernetes Workload Registrar Docker image"
 	@echo "  $(cyan)oidc-discovery-provider-image$(reset)         - build OIDC Discovery Provider Docker image"
-	@echo "$(bold)Docker from scratch image:$(reset)"
-	@echo "  $(cyan)scratch-images$(reset)                        - build all SPIRE Docker from scratch images"
-	@echo "  $(cyan)spire-server-scratch-image$(reset)            - build SPIRE server Docker scratch image"
-	@echo "  $(cyan)spire-agent-scratch-image$(reset)             - build SPIRE agent Docker scratch image"
-	@echo "  $(cyan)k8s-workload-registrar-scratch-image$(reset)  - build Kubernetes Workload Registrar Docker scratch image"
-	@echo "  $(cyan)oidc-discovery-provider-scratch-image$(reset) - build OIDC Discovery Provider Docker image"
 	@echo "$(bold)Windows docker image:$(reset)"
 	@echo "  $(cyan)images-windows$(reset)                        - build all SPIRE Docker images for windows"
 	@echo "  $(cyan)spire-server-image-windows$(reset)            - build SPIRE server Docker image for windows"
 	@echo "  $(cyan)spire-agent-image-windows$(reset)             - build SPIRE agent Docker image for windows"
-	@echo "  $(cyan)k8s-workload-registrar-image-windows$(reset)  - build Kubernetes Workload Registrar Docker image for windows"
 	@echo "  $(cyan)oidc-discovery-provider-image-windows$(reset) - build OIDC Discovery Provider Docker image for windows"
 	@echo "$(bold)Developer support:$(reset)"
 	@echo "  $(cyan)dev-image$(reset)                             - build the development Docker image"
@ -98,42 +96,65 @@ else ifeq ($(arch1),aarch64)
 arch2=arm64
 else ifeq ($(arch1),arm64)
 arch2=arm64
+else ifeq ($(arch1),s390x)
+arch2=s390x
+else ifeq ($(arch1),ppc64le)
+arch2=ppc64le
 else
 $(error unsupported ARCH: $(arch1))
 endif

+ignore_suites := $(IGNORE_SUITES)
+
+############################################################################
+# Docker TLS detection for buildx
+############################################################################
+dockertls=
+ifeq ($(DOCKER_TLS_VERIFY), 1)
+dockertls=spire-buildx-tls
+endif
+
 ############################################################################
 # Vars
 ############################################################################

+PLATFORMS ?= linux/amd64,linux/arm64
+
+binaries := spire-server spire-agent oidc-discovery-provider
+
 build_dir := $(DIR)/.build/$(os1)-$(arch1)

-go_version_full := $(shell cat .go-version)
-go_version := $(go_version_full:.0=)
+go_version := $(shell cat .go-version)
 go_dir := $(build_dir)/go/$(go_version)

 ifeq ($(os1),windows)
 	go_bin_dir = $(go_dir)/go/bin
-	go_url = https://storage.googleapis.com/golang/go$(go_version).$(os1)-$(arch2).zip
+	go_url = https://go.dev/dl/go$(go_version).$(os1)-$(arch2).zip
 	exe=".exe"
 else
 	go_bin_dir = $(go_dir)/bin
-	go_url = https://storage.googleapis.com/golang/go$(go_version).$(os1)-$(arch2).tar.gz
+	go_url = https://go.dev/dl/go$(go_version).$(os1)-$(arch2).tar.gz
 	exe=
 endif

 go_path := PATH="$(go_bin_dir):$(PATH)"

-golangci_lint_version = v1.49.0
+golangci_lint_version := $(shell awk '/golangci-lint/{print $$2}' .spire-tool-versions)
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
-golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache

-protoc_version = 3.20.1
+markdown_lint_version := $(shell awk '/markdown_lint/{print $$2}' .spire-tool-versions)
+markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version)
+
+protoc_version := $(shell awk '/protoc/{print $$2}' .spire-tool-versions)
 ifeq ($(os1),windows)
 protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-win64.zip
 else ifeq ($(arch2),arm64)
 protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-$(os2)-aarch_64.zip
+else ifeq ($(arch2),s390x)
+protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-$(os2)-s390_64.zip
+else ifeq ($(arch2),ppc64le)
+protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-$(os2)-ppcle_64.zip
 else
 protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-$(os2)-$(arch1).zip
 endif
@ -145,7 +166,7 @@ protoc_gen_go_base_dir := $(build_dir)/protoc-gen-go
 protoc_gen_go_dir := $(protoc_gen_go_base_dir)/$(protoc_gen_go_version)-go$(go_version)
 protoc_gen_go_bin := $(protoc_gen_go_dir)/protoc-gen-go

-protoc_gen_go_grpc_version := v1.1.0
+protoc_gen_go_grpc_version := v1.3.0
 protoc_gen_go_grpc_base_dir := $(build_dir)/protoc-gen-go-grpc
 protoc_gen_go_grpc_dir := $(protoc_gen_go_grpc_base_dir)/$(protoc_gen_go_grpc_version)-go$(go_version)
 protoc_gen_go_grpc_bin := $(protoc_gen_go_grpc_dir)/protoc-gen-go-grpc
@ -168,7 +189,7 @@ protos := \
 api-protos := \

 plugin-protos := \
-	proto/spire/common/plugin/plugin.proto 
+	proto/spire/common/plugin/plugin.proto

 service-protos := \

@ -201,7 +222,11 @@ endif
 ############################################################################

 # Flags passed to all invocations of go test
-go_test_flags := -timeout=60s
+go_test_flags :=
+ifeq ($(NIGHTLY),)
+	# Cap unit-test timout to 90s unless we're running nightlies.
+	go_test_flags += -timeout=90s
+endif

 go_flags :=
 ifneq ($(GOPARALLEL),)
@ -226,54 +251,42 @@ ifeq ($(git_dirty),)
 		go_ldflags += -X github.com/spiffe/spire/pkg/common/version.githash=$(git_hash)
 	endif
 endif
-go_ldflags := '${go_ldflags}'

 #############################################################################
 # Build Targets
 #############################################################################

 .PHONY: build
+build: tidy $(addprefix bin/,$(binaries))

-build: tidy bin/spire-server bin/spire-agent bin/k8s-workload-registrar bin/oidc-discovery-provider
+go_build := $(go_path) go build $(go_flags) -ldflags '$(go_ldflags)' -o

-define binary_rule
-.PHONY: $1
-$1: | go-check bin/
-	@echo Building $1...
-	$(E)$(go_path) go build $$(go_flags) -ldflags $$(go_ldflags) -o $1$(exe) $2
-endef
+bin/%: cmd/% FORCE | go-check
+	@echo Building $@…
+	$(E)$(go_build) $@$(exe) ./$<

-# main SPIRE binaries
-$(eval $(call binary_rule,bin/spire-server,./cmd/spire-server))
-$(eval $(call binary_rule,bin/spire-agent,./cmd/spire-agent))
-$(eval $(call binary_rule,bin/k8s-workload-registrar,./support/k8s/k8s-workload-registrar))
-$(eval $(call binary_rule,bin/oidc-discovery-provider,./support/oidc-discovery-provider))
-
-bin/:
-	@mkdir -p $@
+bin/%: support/% FORCE | go-check
+	@echo Building $@…
+	$(E)$(go_build) $@$(exe) ./$<

 #############################################################################
-# Build Static binaries for scratch docker images
+# Build static binaries for docker images
 #############################################################################

 .PHONY: build-static
-
-build-static: tidy bin/spire-server-static bin/spire-agent-static bin/k8s-workload-registrar-static bin/oidc-discovery-provider-static
-
+# The build-static is intended to statically link to musl libc.
+# There are possibilities of unexpected errors when statically link to GLIBC.
 # https://7thzero.com/blog/golang-w-sqlite3-docker-scratch-image
-define binary_rule_static
-.PHONY: $1
-$1: | go-check bin/
-	@echo Building $1...
-	$(E)$(go_path) CGO_ENABLED=1 go build $$(go_flags) -ldflags '-s -w -linkmode external -extldflags "-static"' -o $1$(exe) $2
+build-static: tidy $(addprefix bin/static/,$(binaries))

-endef
+go_build_static := $(go_path) go build $(go_flags) -ldflags '$(go_ldflags) -linkmode external -extldflags "-static"' -o

-# static builds
-$(eval $(call binary_rule_static,bin/spire-server-static,./cmd/spire-server))
-$(eval $(call binary_rule_static,bin/spire-agent-static,./cmd/spire-agent))
-$(eval $(call binary_rule_static,bin/k8s-workload-registrar-static,./support/k8s/k8s-workload-registrar))
-$(eval $(call binary_rule_static,bin/oidc-discovery-provider-static,./support/oidc-discovery-provider))
+bin/static/%: cmd/% FORCE | go-check
+	@echo Building $@…
+	$(E)$(go_build_static) $@$(exe) ./$<
+
+bin/static/%: support/% FORCE | go-check
+	$(E)$(go_build_static) $@$(exe) ./$<

 #############################################################################
 # Test Targets
@ -295,112 +308,81 @@ else
 	$(E)$(go_path) go test $(go_flags) $(go_test_flags) -race ./...
 endif

-ci-race-test: | go-check
-ifneq ($(COVERPROFILE),)
-	$(E)SKIP_FLAKY_TESTS_UNDER_RACE_DETECTOR=1 $(go_path) go test $(go_flags) $(go_test_flags) -race -count=1 -coverprofile="$(COVERPROFILE)" ./...
-else
-	$(E)SKIP_FLAKY_TESTS_UNDER_RACE_DETECTOR=1 $(go_path) go test $(go_flags) $(go_test_flags) -race -count=1 ./...
-endif
-
 integration:
 ifeq ($(os1), windows)
 	$(error Integration tests are not supported on windows)
 else
-	$(E)./test/integration/test.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test.sh $(SUITES)
 endif

 integration-windows:
-	$(E)./test/integration/test-windows.sh $(SUITES)
-
-#############################################################################
-# Build Artifact
-#############################################################################
-
-.PHONY: artifact
-
-artifact: build
-	$(E)OUTDIR="$(OUTDIR)" TAG="$(TAG)" ./script/build-artifact.sh
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test-windows.sh $(SUITES)

 #############################################################################
 # Docker Images
 #############################################################################

+.PHONY: spire-buildx-tls
+spire-buildx-tls:
+	$(E)docker context rm -f "$(dockertls)" > /dev/null
+	$(E)docker context create $(dockertls) --description "$(dockertls)" --docker "host=$(DOCKER_HOST),ca=$(DOCKER_CERT_PATH)/ca.pem,cert=$(DOCKER_CERT_PATH)/cert.pem,key=$(DOCKER_CERT_PATH)/key.pem" > /dev/null
+
+.PHONY: container-builder
+container-builder: $(dockertls)
+	$(E)docker buildx create $(dockertls) --platform $(PLATFORMS) --name container-builder --node container-builder0 --use
+
+define image_rule
+.PHONY: $1
+$1: $3 container-builder
+	@echo Building docker image $2 $(PLATFORM)…
+	$(E)docker buildx build \
+		--platform $(PLATFORMS) \
+		--build-arg goversion=$(go_version) \
+		--build-arg TAG=$(TAG) \
+		--target $2 \
+		-o type=oci,dest=$2-image.tar \
+		-f $3 \
+		.
+
+endef
+
+$(eval $(call image_rule,spire-server-image,spire-server,Dockerfile))
+$(eval $(call image_rule,spire-agent-image,spire-agent,Dockerfile))
+$(eval $(call image_rule,oidc-discovery-provider-image,oidc-discovery-provider,Dockerfile))
+
+.PHONY: images-no-load
+images-no-load: $(addsuffix -image,$(binaries))
+
 .PHONY: images
-images: spire-server-image spire-agent-image k8s-workload-registrar-image oidc-discovery-provider-image
+images: images-no-load
+	.github/workflows/scripts/load-oci-archives.sh

-.PHONY: spire-server-image
-spire-server-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target spire-server -t spire-server .
-	docker tag spire-server:latest spire-server:latest-local
-
-.PHONY: spire-agent-image
-spire-agent-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target spire-agent -t spire-agent .
-	docker tag spire-agent:latest spire-agent:latest-local
-
-.PHONY: k8s-workload-registrar-image
-k8s-workload-registrar-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target k8s-workload-registrar -t k8s-workload-registrar .
-	docker tag k8s-workload-registrar:latest k8s-workload-registrar:latest-local
-
-.PHONY: oidc-discovery-provider-image
-oidc-discovery-provider-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target oidc-discovery-provider -t oidc-discovery-provider .
-	docker tag oidc-discovery-provider:latest oidc-discovery-provider:latest-local
+.PHONY: load-images
+load-images:
+	.github/workflows/scripts/load-oci-archives.sh

 #############################################################################
-# Docker Images FROM scratch
+# Windows Docker Images
 #############################################################################
+define windows_image_rule
+.PHONY: $1
+$1: $3
+	@echo Building docker image $2…
+	$(E)docker build \
+		--build-arg goversion=$(go_version) \
+		--target $2 \
+		-t $2 -t $2:latest-local \
+		-f $3 \
+		.

-.PHONY: scratch-images
-scratch-images: spire-server-scratch-image spire-agent-scratch-image k8s-workload-registrar-scratch-image oidc-discovery-provider-scratch-image
-
-.PHONY: spire-server-scratch-image
-spire-server-scratch-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target spire-server-scratch -t spire-server-scratch -f Dockerfile.scratch .
-	docker tag spire-server-scratch:latest spire-server-scratch:latest-local
-
-.PHONY: spire-agent-scratch-image
-spire-agent-scratch-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target spire-agent-scratch -t spire-agent-scratch -f Dockerfile.scratch .
-	docker tag spire-agent-scratch:latest spire-agent-scratch:latest-local
-
-.PHONY: k8s-workload-registrar-scratch-image
-k8s-workload-registrar-scratch-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target k8s-workload-registrar-scratch -t k8s-workload-registrar-scratch -f Dockerfile.scratch .
-	docker tag k8s-workload-registrar-scratch:latest k8s-workload-registrar-scratch:latest-local
-
-.PHONY: oidc-discovery-provider-scratch-image
-oidc-discovery-provider-scratch-image: Dockerfile
-	docker build --build-arg goversion=$(go_version_full) --target oidc-discovery-provider-scratch -t oidc-discovery-provider-scratch -f Dockerfile.scratch .
-	docker tag oidc-discovery-provider-scratch:latest oidc-discovery-provider-scratch:latest-local
-
-#############################################################################
-# Docker Images
-#############################################################################
+endef

 .PHONY: images-windows
-images-windows: spire-server-image-windows spire-agent-image-windows oidc-discovery-provider-image-windows
+images-windows: $(addsuffix -windows-image,$(binaries))

-.PHONY: spire-server-image-windows
-spire-server-image-windows: Dockerfile
-	docker build -f Dockerfile.windows --target spire-server-windows -t spire-server-windows .
-	docker tag spire-server-windows:latest spire-server-windows:latest-local
-
-.PHONY: spire-agent-image-windows
-spire-agent-image-windows: Dockerfile
-	docker build -f Dockerfile.windows --target spire-agent-windows -t spire-agent-windows .
-	docker tag spire-agent-windows:latest spire-agent-windows:latest-local
-
-.PHONY: k8s-workload-registrar-image-windows
-k8s-workload-registrar-image-windows: Dockerfile
-	docker build -f Dockerfile.windows --target k8s-workload-registrar-windows -t k8s-workload-registrar-windows .
-	docker tag k8s-workload-registrar-windows:latest k8s-workload-registrar-windows:latest-local
-
-.PHONY: oidc-discovery-provider-image-windows
-oidc-discovery-provider-image-windows: Dockerfile
-	docker build -f Dockerfile.windows --target oidc-discovery-provider-windows -t oidc-discovery-provider-windows .
-	docker tag oidc-discovery-provider-windows:latest oidc-discovery-provider-windows:latest-local
+$(eval $(call windows_image_rule,spire-server-windows-image,spire-server-windows,Dockerfile.windows))
+$(eval $(call windows_image_rule,spire-agent-windows-image,spire-agent-windows,Dockerfile.windows))
+$(eval $(call windows_image_rule,oidc-discovery-provider-windows-image,oidc-discovery-provider-windows,Dockerfile.windows))

 #############################################################################
 # Code cleanliness
@ -420,11 +402,16 @@ endif
 	@echo "Ensuring git repository is clean..."
 	$(E)$(MAKE) git-clean-check

-lint: lint-code
+lint: lint-code lint-md

-lint-code: $(golangci_lint_bin)
-	$(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
+lint-code: | go-check
+	$(E)mkdir -p $(golangci_lint_cache)
+	$(E)$(go_path) GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" \
+		go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(golangci_lint_version) \
+		run --max-issues-per-linter=0 --max-same-issues=0 ./...

+lint-md:
+	$(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md"

 #############################################################################
 # Code Generation
@ -525,7 +512,7 @@ endif
 go-bin-path: go-check
 	@echo "$(go_bin_dir):${PATH}"

-install-toolchain: install-protoc install-golangci-lint install-protoc-gen-go install-protoc-gen-doc | go-check
+install-toolchain: install-protoc install-protoc-gen-go | go-check

 install-protoc: $(protoc_bin)

@ -535,15 +522,6 @@ $(protoc_bin):
 	$(E)mkdir -p $(protoc_dir)
 	$(E)curl -sSfL $(protoc_url) -o $(build_dir)/tmp.zip; unzip -q -d $(protoc_dir) $(build_dir)/tmp.zip; rm $(build_dir)/tmp.zip

-install-golangci-lint: $(golangci_lint_bin)
-
-$(golangci_lint_bin): | go-check
-	@echo "Installing golangci-lint $(golangci_lint_version)..."
-	$(E)rm -rf $(dir $(golangci_lint_dir))
-	$(E)mkdir -p $(golangci_lint_dir)
-	$(E)mkdir -p $(golangci_lint_cache)
-	$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
-
 install-protoc-gen-go: $(protoc_gen_go_bin)

 $(protoc_gen_go_bin): | go-check
--- a/README.md
+++ b/README.md
@ -3,12 +3,10 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3303/badge)](https://bestpractices.coreinfrastructure.org/projects/3303)
 [![Build Status](https://github.com/spiffe/spire/actions/workflows/pr_build.yaml/badge.svg)](https://github.com/spiffe/spire/actions/workflows/pr_build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/spiffe/spire)](https://goreportcard.com/report/github.com/spiffe/spire)
-[![Slack Status](https://slack.spiffe.io/badge.svg)](https://slack.spiffe.io)
 [![Production Phase](https://img.shields.io/badge/SPIFFE-Prod-green.svg?logoWidth=18&logo=data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHJvbGU9ImltZyIgdmlld0JveD0iMC4xMSAxLjg2IDM1OC4yOCAzNTguMjgiPjxzdHlsZT5zdmcge2VuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzYwIDM2MH08L3N0eWxlPjxzdHlsZT4uc3QyLC5zdDN7ZmlsbC1ydWxlOmV2ZW5vZGQ7Y2xpcC1ydWxlOmV2ZW5vZGQ7ZmlsbDojYmNkOTE4fS5zdDN7ZmlsbDojMDRiZGQ5fTwvc3R5bGU+PGcgaWQ9IkxPR08iPjxwYXRoIGQ9Ik0xMi4xIDguOWgyOC4zYzIuNyAwIDUgMi4yIDUgNXYyOC4zYzAgMi43LTIuMiA1LTUgNUgxMi4xYy0yLjcgMC01LTIuMi01LTVWMTMuOWMuMS0yLjcgMi4zLTUgNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik04OC43IDguOWgyNThjMi43IDAgNSAyLjIgNSA1djI4LjNjMCAyLjctMi4yIDUtNSA1aC0yNThjLTIuNyAwLTUtMi4yLTUtNVYxMy45YzAtMi43IDIuMi01IDUtNXoiIGNsYXNzPSJzdDMiLz48cGF0aCBkPSJNMzQ2LjcgODUuNWgtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01VjkwLjVjMC0yLjgtMi4zLTUtNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0xOTMuNiA4NS41SDEyLjFjLTIuNyAwLTUgMi4zLTUgNXYyOC4zYzAgMi43IDIuMiA1IDUgNWgxODEuNWMyLjcgMCA1LTIuMiA1LTVWOTAuNWMwLTIuOC0yLjItNS01LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTI3MC4yIDg1LjVoLTI4LjNjLTIuNyAwLTUgMi4yLTUgNXYyOC4zYzAgMi44IDIuMiA1IDUgNWgyOC4zYzIuNyAwIDUtMi4yIDUtNVY5MC41Yy0uMS0yLjgtMi4zLTUtNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0yNzAuMiAxNjJIODguN2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjcgMi4yIDUgNSA1aDE4MS41YzIuNyAwIDUtMi4yIDUtNVYxNjdjLS4xLTIuOC0yLjMtNS01LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTM0Ni43IDE2MmgtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01VjE2N2MwLTIuOC0yLjMtNS01LTV6bS0zMDYuMyAwSDEyLjFjLTIuNyAwLTUgMi4yLTUgNXYyOC4zYzAgMi44IDIuMiA1IDUgNWgyOC4zYzIuNyAwIDUtMi4yIDUtNVYxNjdjMC0yLjgtMi4yLTUtNS01em0tMjguMyA3Ni41aDI4LjNjMi43IDAgNSAyLjIgNSA1djI4LjNjMCAyLjctMi4yIDUtNSA1SDEyLjFjLTIuNyAwLTUtMi4yLTUtNXYtMjguM2MuMS0yLjcgMi4zLTUgNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0xNjUuMiAyMzguNWgxODEuNWMyLjcgMCA1IDIuMiA1IDV2MjguM2MwIDIuNy0yLjIgNS01IDVIMTY1LjJjLTIuNyAwLTUtMi4yLTUtNXYtMjguM2MwLTIuNyAyLjItNSA1LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTg4LjcgMjM4LjVIMTE3YzIuNyAwIDUgMi4yIDUgNXYyOC4zYzAgMi43LTIuMiA1LTUgNUg4OC43Yy0yLjcgMC01LTIuMi01LTV2LTI4LjNjMC0yLjcgMi4yLTUgNS01em0yNTggNzYuN2gtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01di0yOC4zYzAtMi44LTIuMy01LTUtNXoiIGNsYXNzPSJzdDIiLz48cGF0aCBkPSJNMjcwLjIgMzE1LjJoLTI1OGMtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjcgMi4yIDUgNSA1aDI1OGMyLjcgMCA1LTIuMiA1LTV2LTI4LjNjLS4xLTIuOC0yLjMtNS01LTV6IiBjbGFzcz0ic3QzIi8+PC9nPjwvc3ZnPg==)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#production)

 SPIRE (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. SPIRE exposes the [SPIFFE Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto), which can attest running software systems and issue [SPIFFE IDs](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md) and [SVID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md)s to them.  This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. SPIRE can also enable workloads to securely authenticate to a secret store, a database, or a cloud provider service.

-
 - [Get SPIRE](#get-spire)
 - [Learn about SPIRE](#learn-about-spire)
 - [Integrate with SPIRE](#integrate-with-spire)
@ -16,13 +14,12 @@ SPIRE (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a
 - [Further Reading](#further-reading)
 - [Security](#security)

-
-
 SPIRE is a [graduated](https://www.cncf.io/projects/spire/) project of the [Cloud Native Computing Foundation](https://cncf.io) (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF.

 ## Get SPIRE

 - Pre-built releases of SPIRE can be found at [https://github.com/spiffe/spire/releases](https://github.com/spiffe/spire/releases). These releases contain both SPIRE Server and SPIRE Agent binaries.
+- Container images are published for [spire-server](https://ghcr.io/spiffe/spire-server), [spire-agent](https://ghcr.io/spiffe/spire-agent), and [oidc-discovery-provider](https://ghcr.io/spiffe/oidc-discovery-provider).
 - Alternatively, you can [build SPIRE from source](/CONTRIBUTING.md).

 ## Learn about SPIRE
@ -46,7 +43,7 @@ For supported integration versions, see [Supported Integrations](/doc/supported_
 ## Contribute to SPIRE

 The SPIFFE community maintains the SPIRE project. Information on the various SIGs and relevant standards can be found in
-https://github.com/spiffe/spiffe.
+<https://github.com/spiffe/spiffe>.

 - See [CONTRIBUTING](https://github.com/spiffe/spire/blob/main/CONTRIBUTING.md) to get started.
 - Use [GitHub Issues](https://github.com/spiffe/spire/issues) to request features or file bugs.
@ -64,10 +61,12 @@ https://github.com/spiffe/spiffe.
 A third party security firm ([Cure53](https://cure53.de/)) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the [CNCF Technical Advisory Group for Security](https://github.com/cncf/tag-security) conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

 - [Cure53 Security Audit Report](doc/cure53-report.pdf)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/assessments/projects/spiffe-spire/self-assessment.md)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/community/assessments/projects/spiffe-spire)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/community/assessments/projects/spiffe-spire/self-assessment.md)
 - [Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security](https://blog.spiffe.io/scrutinizing-spire-security-9c82ba542019)

 ### Reporting Security Vulnerabilities

-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+
+<!-- markdownlint-configure-file { "MD041": false } -->
--- a/RELEASING.md
+++ b/RELEASING.md
@ -0,0 +1,101 @@
+# Release and Branch Management
+
+The SPIRE project maintains active support for both the current and the previous minor versions. All active development occurs in the `main` branch. Version branches are used for patch releases of the previous minor version when necessary.
+
+## Version Branches
+
+Each release must have its own release branch following the naming convention `release/vX.Y.Z` where `X` is the major version, `Y` is the minor version, and `Z` is patch version.
+
+The base commit of the release branch is based on the type of release being generated:
+
+* Patch release for older minor release series. In this case, the new release branch is based off of the previous patch release branch for the same minor release series. Example: the latest release is v1.5.z, and the release being prepared is v1.4.5. The base commit should be the `release/v1.4.4` branch.
+* Security release for current minor release series. In this case, the new release branch should be based off of the previous release branch for the same minor release series. Example: the latest release is v1.5.0, and the release being prepared is v1.5.1. The base commit should be the `release/v1.5.0` branch.
+* Scheduled patch release for current minor release series OR scheduled minor release. In this case, the new release branch should be based off of a commit on the `main` branch. Example: the latest release is v1.5.0, and the release being prepared is v1.5.1. The base commit should be the candidate commit selected from the `main` branch.
+
+When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix.
+
+Once the version branch is created, the patch is either cherry-picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.
+
+Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release.
+
+## Releasing
+
+The SPIRE release machinery is tag-driven. When the maintainers are ready to release, a tag is pushed referencing the release commit. While the CI/CD pipeline takes care of the rest, it is important to keep an eye on its progress. If an error is encountered during this process, the release is aborted.
+
+The first two releases that a new maintainer performs must be performed under the supervision of maintainer that has already satisfied this requirement.
+
+SPIRE releases are authorized by its maintainers. When doing so, they should carefully consider the proposed release commit. Is there confidence that the changes included do not represent a compatibility concern? Have the affected codepaths been sufficiently exercised, be it by automated test suite or manual testing? Is the maintainer free of general hesitation in releasing this commit, particularly with regards to safety and security? If the answer to any of these questions is "no", then do not release.
+
+A simple majority vote is required to authorize a SPIRE release at a specific commit hash. If any maintainer feels that the result of this vote critically endangers the project or its users, they have the right to raise the matter to the SPIFFE TSC. If this occurs, the release in question MUST be frozen until the SPIFFE TSC has made a decision. Do not take this route lightly (see [General Governance](MAINTAINERS.md#general-governance)).
+
+### Checklist
+
+This section summarizes the steps necessary to execute a SPIRE release. Unless explicitly stated, the below steps must be executed in order.
+
+The following steps must be completed by the primary on-call maintainer one week prior to release:
+
+* Ensure all changes intended to be included in the release are fully merged. For the spire-api-sdk and spire-plugin-sdk repositories, ensure that all changes intended for the upcoming release are merged into the main branch from the next branch.
+* Identify a specific commit as the release candidate.
+* Raise an issue "Release SPIRE X.Y.Z", and include the release candidate commit hash.
+* Create the release branch following the guidelines described in [Version branches](#version-branches).
+* If the current state of the main branch has diverged from the candidate commit due to other changes than the ones from the CHANGELOG:
+  * Make sure that the [version in the branch](pkg/common/version/version.go) has been bumped to the version that is being released and that the [upgrade integration test is updated](test/integration/suites/upgrade/README.md#maintenance).
+  * Cherry-pick into the version branch the commits for all the changes that must be included in the release. Ensure the PRs for these commits all target the release milestone in GitHub.
+* Create a draft pull request against the release branch with the updates to the CHANGELOG following [these guidelines](doc/changelog_guidelines.md). This allows those tracking the project to have early visibility into what will be included in the upcoming release and an opportunity to provide feedback. The release date can be set as "TBD" while it is a draft.
+
+**If this is a major or minor release**, the following steps must be completed by the secondary on-call maintainer at least one day before releasing:
+
+* Review and exercise all examples in spiffe.io and spire-examples repo against the release candidate hash.
+* Raise a PR for every example that updates included text and configuration to reflect current state and best practice.
+  * Do not merge this PR yet. It will be updated later to use the real version pin rather than the commit hash.
+  * If anything unusual is encountered during this process, a comment MUST be left on the release issue describing what was observed.
+
+The following steps must be completed by the primary on-call maintainer to perform a release:
+
+* Mark the pull request to update the CHANGELOG as "Ready for review". Make sure that it is updated with the final release date. **At least two approvals from maintainers are required in order to be able to merge it**.
+* Cut an annotated tag against the release candidate named `vX.Y.Z`, where `X.Y.Z` is the semantic version number of SPIRE.
+  * The first line of the annotation should be `vX.Y.Z` followed by the CHANGELOG. **There should be a newline between the version and the CHANGELOG**. The tag should not contain the Markdown header formatting because the "#" symbol is interpreted as a comment by Git.
+* Push the annotated tag to SPIRE, and watch the build to completion.
+  * If the build fails, or anything unusual is encountered, abort the release.
+    * Ensure that the GitHub release, container images, and release artifacts are deleted/rolled back if necessary.
+* Visit the releases page on GitHub, copy the release notes, click edit and paste them back in. This works around a GitHub Markdown rendering bug that you will notice before completing this task.
+* Cut new SDK releases (see [SDK Releases](#sdk-releases)).
+* Open a PR targeted for the main branch with the following changes:
+  * Cherry-pick of the changelog commit from the latest release so that the changelog on the main branch contains all the release notes.
+  * Bump the SPIRE version to the next projected version. As for determining the next projected version, the project generally releases three patch releases per minor release cycle (e.g. `vX.Y.[0-3]`), not including dedicated security releases. The version needs to be updated in the following places:
+    * Next projected version goes in [version.go](pkg/common/version/version.go)
+    * Previous version should be added to upgrade integration test, following additional guidelines described in test [README.md](test/integration/suites/upgrade/README.md#maintenance)
+    * Previous version should be added to [SQL Datastore migration comments](pkg/server/datastore/sqlstore/migration.go), if not already present
+  * This needs to be the first commit merged following the release because the upgrade integration test will start failing on CI for all PRs until the test is brought up to date.
+* Close the GitHub issue created to track the release process.
+* Broadcast news of release to the community via available means: SPIFFE Slack, Twitter, etc.
+* Create a new GitHub milestone for the next release, if not already created.
+
+**If this is a major or minor release**, the following steps must be completed by the secondary on-call maintainer no later than one week after the release:
+
+* PRs to update spiffe.io and spire-examples repo to the latest major version must be merged.
+  * Ensure that the PRs have been updated to use the version tag instead of the commit sha.
+
+### SDK Releases
+
+SPIRE has two SDK repositories:
+
+* [API SDK](https://github.com/spiffe/spire-api-sdk)
+* [Plugin SDK](https://github.com/spiffe/spire-plugin-sdk)
+
+SPIRE consumes these SDKs using pseudo-versions from the `next` branch in each SDK repository. This allows unreleased changes to be reviewed, merged, and consumed by SPIRE.
+
+These SDKs need to be released with each SPIRE release.
+
+SDK releases take place using tagged commits from the `main` branch in each repository. When cutting a new release, the `main` branch needs to be prepared with any previously unreleased changes that are part of the new release.
+
+To create a release for an SDK, perform the following steps:
+
+1. Review the diff between `next` and `main`.
+1. Determine the commits in `next` that are missing from `main`, in other words, commits containing features that were under development that are now publicly available through the new SPIRE release (e.g. API or plugin interface additions).
+1. Cherry-pick those commits, if any, into `main`.
+1. Create a git tag (not annotated) with the name `vX.Y.Z`, corresponding to the SPIRE release version, for the `HEAD` commit of the main branch.
+1. Push the `vX.Y.Z` tag to Github.
+
+> [!WARNING]  
+> Extra care should be taken to ensure that the tagged commit is correct before pushing. Once it has been pushed, anyone running `go get <SDK module>@latest` will cause the repository to be pulled into the Go module cache at that cache. Changing it afterwards is not without consequence.
--- a/ROADMAP.md
+++ b/ROADMAP.md
@ -1,25 +1,28 @@
-**Recently completed**
-* Use SPIRE on workloads [running on platforms where installing an agent is not possible](https://github.com/spiffe/spire/projects/9) (New!)
-* Provide an [API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) on SPIRE Server to allow programmatic configuration of federation relationships (New!)
-* [API](https://github.com/spiffe/spire-api-sdk) and [Plugin](https://github.com/spiffe/spire-plugin-sdk) SDKs for Integration authors
-* Expand [support of TPM node attestation](https://github.com/spiffe/spire/pull/2111) to provide first-class verification and identification of TPM metadata (New!)
-* Support for using [Cert-Manager as an upstream authority](https://github.com/spiffe/spire/pull/2274) to SPIRE (New!)
-* AWS Support: Support for using [AWS KMS to store signing keys](https://github.com/spiffe/spire/pull/2066), [Support for internet-restricted environments](https://github.com/spiffe/spire/pull/2119)
-* Support for using [GCP Certificate Authority Service as an upstream authority](https://github.com/spiffe/spire/pull/2172)
+# Roadmap

-**Near-Term and Medium-Term**
+## Recently completed
+
+* [Support for using Google Cloud Key Management Service to create, maintain, and rotate server key pairs](https://github.com/spiffe/spire/pull/3410)
+* [Ability to have separate X.509-SVID and JWT-SVID TTLs, which can be configured both at the entry-level and server default level](https://github.com/spiffe/spire/pull/3445)
+* [Experimental support for limiting the number of SVIDs in the agent's cache](https://github.com/spiffe/spire/pull/3181)
+* [Experimental Windows support](https://github.com/spiffe/spire/projects/12)
+
+## Near-Term and Medium-Term
+
+* [Key Revocation and Forced Rotation (In Progress)](https://github.com/spiffe/spire/issues/1934)
 * Provide a turn-key Kubernetes experience that adheres to security best practices  (In Progress)
-* Provide a privileged API on SPIRE Agent to delegate SVID management to platform integrators (In Progress)
+* [Deprecate the Notifier plugin interface in favor of a BundlePublisher interface, implementing plugins that push bundles to remote locations (In Progress)](https://github.com/spiffe/spire/issues/2909)
 * Support for supply chain provenance attestation by verification of binary signing (e.g. TUF/notary/in-toto metadata validation)
 * Secretless authentication to Google Compute Platform by expanding OIDC Federation integration support

-**Long-Term**
-* Key Revocation and Forced Rotation
+## Long-Term
+
+* [Re-evaluate SPIRE Server API authorization](https://github.com/spiffe/spire/issues/3620)
 * Ensure error messages are indicative of a direction towards resolution
-* Improve health-check subsystem
 * Secretless authentication to Microsoft Azure by expanding OIDC Federation integration support

 ***
-   
-**Credits**  
-Thank you to [@anjaltelang](https://github.com/anjaltelang) for helping the SPIRE team keep this roadmap accurate and up-to-date 🎉 
+
+## Credits
+
+Thank you to [@anjaltelang](https://github.com/anjaltelang) for helping the SPIRE team keep this roadmap accurate and up-to-date 🎉
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,15 +2,8 @@

 ## Supported Versions

-Versions of the project that are currently being supported with security updates:
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.2.x      | :white_check_mark: |
-| 1.1.x      | :white_check_mark: |
-| <=1.0.x    | :x: |
-
+The project supports security releases for the current minor release series and the previous minor release series, i.e. v1.X and v1.X-1. Example: if the current release series is v1.5, security fixes will be supported for both the v1.4 and v1.5 series.

 ## Reporting a Vulnerability

-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
--- a/cmd/spire-agent/cli/api/api_posix_test.go
+++ b/cmd/spire-agent/cli/api/api_posix_test.go
@ -0,0 +1,44 @@
+//go:build !windows
+
+package api
+
+const (
+	fetchJWTUsage = `Usage of fetch jwt:
+  -audience value
+    	comma separated list of audience values
+  -format value
+    	deprecated; use -output
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Agent API Unix domain socket (default "/tmp/spire-agent/public/api.sock")
+  -spiffeID string
+    	SPIFFE ID subject (optional)
+  -timeout value
+    	Time to wait for a response (default 5s)
+`
+	fetchX509Usage = `Usage of fetch x509:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -silent
+    	Suppress stdout
+  -socketPath string
+    	Path to the SPIRE Agent API Unix domain socket (default "/tmp/spire-agent/public/api.sock")
+  -timeout value
+    	Time to wait for a response (default 5s)
+  -write string
+    	Write SVID data to the specified path (optional; only available for pretty output format)
+`
+	validateJWTUsage = `Usage of validate jwt:
+  -audience string
+    	expected audience value
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Agent API Unix domain socket (default "/tmp/spire-agent/public/api.sock")
+  -svid string
+    	JWT SVID
+  -timeout value
+    	Time to wait for a response (default 5s)
+`
+)
--- a/cmd/spire-agent/cli/api/api_test.go
+++ b/cmd/spire-agent/cli/api/api_test.go
@ -0,0 +1,568 @@
+package api
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/mitchellh/cli"
+	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/x509util"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/spiffe/spire/test/fakes/fakeworkloadapi"
+	"github.com/spiffe/spire/test/spiretest"
+	"github.com/spiffe/spire/test/testca"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+var availableFormats = []string{"pretty", "json"}
+
+func TestFetchJWTCommandHelp(t *testing.T) {
+	test := setupTest(t, newFetchJWTCommandWithEnv)
+	test.cmd.Help()
+	require.Equal(t, fetchJWTUsage, test.stderr.String())
+}
+
+func TestFetchJWTCommandSynopsis(t *testing.T) {
+	test := setupTest(t, newFetchJWTCommandWithEnv)
+	require.Equal(t, "Fetches a JWT SVID from the Workload API", test.cmd.Synopsis())
+}
+
+func TestFetchJWTCommand(t *testing.T) {
+	td := spiffeid.RequireTrustDomainFromString("example.org")
+	ca := testca.New(t, td)
+	encodedSvid1 := ca.CreateJWTSVID(spiffeid.RequireFromString("spiffe://domain1.test"), []string{"foo"}).Marshal()
+	encodedSvid2 := ca.CreateJWTSVID(spiffeid.RequireFromString("spiffe://domain2.test"), []string{"foo"}).Marshal()
+	bundleJWKSBytes, err := ca.JWTBundle().Marshal()
+	require.NoError(t, err)
+
+	tests := []struct {
+		name                 string
+		args                 []string
+		fakeRequests         []*fakeworkloadapi.FakeRequest
+		expectedStderr       string
+		expectedStdoutPretty []string
+		expectedStdoutJSON   string
+	}{
+		{
+			name: "success fetching jwt with bundles",
+			args: []string{"-audience", "foo", "-spiffeID", "spiffe://domain1.test"},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.JWTBundlesRequest{},
+					Resp: &workload.JWTBundlesResponse{
+						Bundles: map[string][]byte{
+							"spiffe://domain1.test": bundleJWKSBytes,
+							"spiffe://domain2.test": bundleJWKSBytes,
+						},
+					},
+				},
+				{
+					Req: &workload.JWTSVIDRequest{
+						Audience: []string{"foo"},
+						SpiffeId: "spiffe://domain1.test",
+					},
+					Resp: &workload.JWTSVIDResponse{
+						Svids: []*workload.JWTSVID{
+							{
+								SpiffeId: "spiffe://domain1.test",
+								Svid:     encodedSvid1,
+								Hint:     "external",
+							},
+							{
+								SpiffeId: "spiffe://domain2.test",
+								Svid:     encodedSvid2,
+							},
+						},
+					},
+				},
+			},
+			expectedStdoutPretty: []string{
+				fmt.Sprintf("token(spiffe://domain1.test):\n\t%s", encodedSvid1),
+				fmt.Sprintf("hint(spiffe://domain1.test):\n\t%s", "external"),
+				fmt.Sprintf("token(spiffe://domain2.test):\n\t%s", encodedSvid2),
+				fmt.Sprintf("bundle(spiffe://domain1.test):\n\t%s", bundleJWKSBytes),
+				fmt.Sprintf("bundle(spiffe://domain2.test):\n\t%s", bundleJWKSBytes),
+			},
+			expectedStdoutJSON: fmt.Sprintf(`[
+  {
+    "svids": [
+      {
+        "hint": "external",
+        "spiffe_id": "spiffe://domain1.test",
+        "svid": "%s"
+      },
+      {
+        "hint": "",
+        "spiffe_id": "spiffe://domain2.test",
+        "svid": "%s"
+      }
+    ]
+  },
+  {
+    "bundles": {
+      "spiffe://domain1.test": "%s",
+      "spiffe://domain2.test": "%s"
+    }
+  }
+]`, encodedSvid1, encodedSvid2, base64.StdEncoding.EncodeToString(bundleJWKSBytes), base64.StdEncoding.EncodeToString(bundleJWKSBytes)),
+		},
+		{
+			name: "fail with error fetching bundles",
+			args: []string{"-audience", "foo", "-spiffeID", "spiffe://domain1.test"},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req:  &workload.JWTBundlesRequest{},
+					Resp: &workload.JWTBundlesResponse{},
+					Err:  errors.New("error fetching bundles"),
+				},
+			},
+			expectedStderr: "rpc error: code = Unknown desc = error fetching bundles\n",
+		},
+		{
+			name: "fail with error fetching svid",
+			args: []string{"-audience", "foo", "-spiffeID", "spiffe://domain1.test"},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.JWTBundlesRequest{},
+					Resp: &workload.JWTBundlesResponse{
+						Bundles: map[string][]byte{
+							"spiffe://domain1.test": bundleJWKSBytes,
+						},
+					},
+				},
+				{
+					Req: &workload.JWTSVIDRequest{
+						Audience: []string{"foo"},
+						SpiffeId: "spiffe://domain1.test",
+					},
+					Resp: &workload.JWTSVIDResponse{},
+					Err:  errors.New("error fetching svid"),
+				},
+			},
+			expectedStderr: "rpc error: code = Unknown desc = error fetching svid\n",
+		},
+		{
+			name:           "fail when audience is not provided",
+			expectedStderr: "audience must be specified\n",
+		},
+	}
+
+	for _, tt := range tests {
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newFetchJWTCommandWithEnv, tt.fakeRequests...)
+				args := tt.args
+				args = append(args, "-output", format)
+
+				rc := test.cmd.Run(test.args(args...))
+
+				if tt.expectedStderr != "" {
+					assert.Equal(t, 1, rc)
+					assert.Equal(t, tt.expectedStderr, test.stderr.String())
+					return
+				}
+
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutJSON, tt.expectedStdoutPretty...)
+				assert.Empty(t, test.stderr.String())
+				assert.Equal(t, 0, rc)
+			})
+		}
+	}
+}
+
+func TestFetchX509CommandHelp(t *testing.T) {
+	test := setupTest(t, newFetchX509Command)
+	test.cmd.Help()
+	require.Equal(t, fetchX509Usage, test.stderr.String())
+}
+
+func TestFetchX509CommandSynopsis(t *testing.T) {
+	test := setupTest(t, newFetchX509Command)
+	require.Equal(t, "Fetches X509 SVIDs from the Workload API", test.cmd.Synopsis())
+}
+
+func TestFetchX509Command(t *testing.T) {
+	testDir := t.TempDir()
+	td := spiffeid.RequireTrustDomainFromString("example.org")
+	ca := testca.New(t, td)
+	svid := ca.CreateX509SVID(spiffeid.RequireFromString("spiffe://example.org/foo"))
+
+	tests := []struct {
+		name                 string
+		args                 []string
+		fakeRequests         []*fakeworkloadapi.FakeRequest
+		expectedStderr       string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedFileResult   bool
+	}{
+		{
+			name: "success fetching x509 svid",
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.X509SVIDRequest{},
+					Resp: &workload.X509SVIDResponse{
+						Svids: []*workload.X509SVID{
+							{
+								SpiffeId:    svid.ID.String(),
+								X509Svid:    x509util.DERFromCertificates(svid.Certificates),
+								X509SvidKey: pkcs8FromSigner(t, svid.PrivateKey),
+								Bundle:      x509util.DERFromCertificates(ca.Bundle().X509Authorities()),
+								Hint:        "external",
+							},
+						},
+						Crl:              [][]byte{},
+						FederatedBundles: map[string][]byte{},
+					},
+				},
+			},
+			expectedStdoutPretty: fmt.Sprintf(`
+SPIFFE ID:		spiffe://example.org/foo
+Hint:			external
+SVID Valid After:	%v
+SVID Valid Until:	%v
+CA #1 Valid After:	%v
+CA #1 Valid Until:	%v
+`,
+				svid.Certificates[0].NotBefore,
+				svid.Certificates[0].NotAfter,
+				ca.Bundle().X509Authorities()[0].NotBefore,
+				ca.Bundle().X509Authorities()[0].NotAfter,
+			),
+			expectedStdoutJSON: fmt.Sprintf(`{
+  "crl": [],
+  "federated_bundles": {},
+  "svids": [
+    {
+      "bundle": "%s",
+      "hint": "external",
+      "spiffe_id": "spiffe://example.org/foo",
+      "x509_svid": "%s",
+      "x509_svid_key": "%s"
+    }
+  ]
+}`,
+				base64.StdEncoding.EncodeToString(x509util.DERFromCertificates(ca.Bundle().X509Authorities())),
+				base64.StdEncoding.EncodeToString(x509util.DERFromCertificates(svid.Certificates)),
+				base64.StdEncoding.EncodeToString(pkcs8FromSigner(t, svid.PrivateKey)),
+			),
+		},
+		{
+			name: "success fetching x509 and writing to file",
+			args: []string{"-write", testDir},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.X509SVIDRequest{},
+					Resp: &workload.X509SVIDResponse{
+						Svids: []*workload.X509SVID{
+							{
+								SpiffeId:    svid.ID.String(),
+								X509Svid:    x509util.DERFromCertificates(svid.Certificates),
+								X509SvidKey: pkcs8FromSigner(t, svid.PrivateKey),
+								Bundle:      x509util.DERFromCertificates(ca.Bundle().X509Authorities()),
+							},
+						},
+						Crl:              [][]byte{},
+						FederatedBundles: map[string][]byte{},
+					},
+				},
+			},
+			expectedStdoutPretty: fmt.Sprintf(`
+SPIFFE ID:		spiffe://example.org/foo
+SVID Valid After:	%v
+SVID Valid Until:	%v
+CA #1 Valid After:	%v
+CA #1 Valid Until:	%v
+
+Writing SVID #0 to file %s
+Writing key #0 to file %s
+Writing bundle #0 to file %s
+`,
+				svid.Certificates[0].NotBefore,
+				svid.Certificates[0].NotAfter,
+				ca.Bundle().X509Authorities()[0].NotBefore,
+				ca.Bundle().X509Authorities()[0].NotAfter,
+				fmt.Sprintf("%s/svid.0.pem.", testDir),
+				fmt.Sprintf("%s/svid.0.key.", testDir),
+				fmt.Sprintf("%s/bundle.0.pem.", testDir),
+			),
+			expectedStdoutJSON: fmt.Sprintf(`{
+  "crl": [],
+  "federated_bundles": {},
+  "svids": [
+    {
+      "bundle": "%s",
+      "hint": "",
+      "spiffe_id": "spiffe://example.org/foo",
+      "x509_svid": "%s",
+      "x509_svid_key": "%s"
+    }
+  ]
+}`,
+				base64.StdEncoding.EncodeToString(x509util.DERFromCertificates(ca.Bundle().X509Authorities())),
+				base64.StdEncoding.EncodeToString(x509util.DERFromCertificates(svid.Certificates)),
+				base64.StdEncoding.EncodeToString(pkcs8FromSigner(t, svid.PrivateKey)),
+			),
+			expectedFileResult: true,
+		},
+		{
+			name: "fails fetching svid",
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req:  &workload.X509SVIDRequest{},
+					Resp: &workload.X509SVIDResponse{},
+					Err:  errors.New("error fetching svid"),
+				},
+			},
+			expectedStderr: "rpc error: code = Unknown desc = error fetching svid\n",
+		},
+	}
+	for _, tt := range tests {
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newFetchX509Command, tt.fakeRequests...)
+				args := tt.args
+				args = append(args, "-output", format)
+
+				rc := test.cmd.Run(test.args(args...))
+
+				if tt.expectedStderr != "" {
+					assert.Equal(t, 1, rc)
+					assert.Equal(t, tt.expectedStderr, test.stderr.String())
+					return
+				}
+
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutJSON, tt.expectedStdoutPretty)
+				assert.Empty(t, test.stderr.String())
+				assert.Equal(t, 0, rc)
+
+				if tt.expectedFileResult && format == "pretty" {
+					content, err := os.ReadFile(filepath.Join(testDir, "svid.0.pem"))
+					assert.NoError(t, err)
+					assert.Equal(t, pem.EncodeToMemory(&pem.Block{
+						Type:  "CERTIFICATE",
+						Bytes: svid.Certificates[0].Raw,
+					}), content)
+
+					content, err = os.ReadFile(filepath.Join(testDir, "svid.0.key"))
+					assert.NoError(t, err)
+					assert.Equal(t, string(pem.EncodeToMemory(&pem.Block{
+						Type:  "PRIVATE KEY",
+						Bytes: pkcs8FromSigner(t, svid.PrivateKey),
+					})), string(content))
+
+					content, err = os.ReadFile(filepath.Join(testDir, "bundle.0.pem"))
+					assert.NoError(t, err)
+					assert.Equal(t, pem.EncodeToMemory(&pem.Block{
+						Type:  "CERTIFICATE",
+						Bytes: ca.Bundle().X509Authorities()[0].Raw,
+					}), content)
+				}
+			})
+		}
+	}
+}
+
+func TestValidateJWTCommandHelp(t *testing.T) {
+	test := setupTest(t, newValidateJWTCommand)
+	test.cmd.Help()
+	require.Equal(t, validateJWTUsage, test.stderr.String())
+}
+
+func TestValidateJWTCommandSynopsis(t *testing.T) {
+	test := setupTest(t, newValidateJWTCommand)
+	require.Equal(t, "Validates a JWT SVID", test.cmd.Synopsis())
+}
+
+func TestValidateJWTCommand(t *testing.T) {
+	td := spiffeid.RequireTrustDomainFromString("example.org")
+	ca := testca.New(t, td)
+	encodedSvid := ca.CreateJWTSVID(spiffeid.RequireFromString("spiffe://domain1.test"), []string{"foo"}).Marshal()
+
+	tests := []struct {
+		name                 string
+		args                 []string
+		fakeRequests         []*fakeworkloadapi.FakeRequest
+		expectedStderr       string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+	}{
+		{
+			name: "valid svid",
+			args: []string{"-audience", "foo", "-svid", encodedSvid},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.ValidateJWTSVIDRequest{
+						Audience: "foo",
+						Svid:     encodedSvid,
+					},
+					Resp: &workload.ValidateJWTSVIDResponse{
+						SpiffeId: "spiffe://example.org/foo",
+						Claims: &structpb.Struct{
+							Fields: map[string]*structpb.Value{
+								"aud": {
+									Kind: &structpb.Value_ListValue{
+										ListValue: &structpb.ListValue{
+											Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedStdoutPretty: `SVID is valid.
+SPIFFE ID : spiffe://example.org/foo
+Claims    : {"aud":["foo"]}`,
+			expectedStdoutJSON: `{
+  "claims": {
+    "aud": [
+      "foo"
+    ]
+  },
+  "spiffe_id": "spiffe://example.org/foo"
+}`,
+		},
+		{
+			name: "invalid svid",
+			args: []string{"-audience", "invalid", "-svid", "invalid"},
+			fakeRequests: []*fakeworkloadapi.FakeRequest{
+				{
+					Req: &workload.ValidateJWTSVIDRequest{
+						Audience: "foo",
+						Svid:     encodedSvid,
+					},
+					Resp: &workload.ValidateJWTSVIDResponse{},
+					Err:  status.Error(codes.InvalidArgument, "invalid svid"),
+				},
+			},
+			expectedStderr: "SVID is not valid: invalid svid\n",
+		},
+		{
+			name:           "fail when audience is not provided",
+			expectedStderr: "audience must be specified\n",
+		},
+		{
+			name:           "fail when svid is not provided",
+			args:           []string{"-audience", "foo"},
+			expectedStderr: "svid must be specified\n",
+		},
+	}
+	for _, tt := range tests {
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newValidateJWTCommand, tt.fakeRequests...)
+				args := tt.args
+				args = append(args, "-output", format)
+
+				rc := test.cmd.Run(test.args(args...))
+
+				if tt.expectedStderr != "" {
+					assert.Equal(t, 1, rc)
+					assert.Equal(t, tt.expectedStderr, test.stderr.String())
+					return
+				}
+
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutJSON, tt.expectedStdoutPretty)
+				assert.Empty(t, test.stderr.String())
+				assert.Equal(t, 0, rc)
+			})
+		}
+	}
+}
+
+func setupTest(t *testing.T, newCmd func(env *commoncli.Env, clientMaker workloadClientMaker) cli.Command, requests ...*fakeworkloadapi.FakeRequest) *apiTest {
+	workloadAPIServer := fakeworkloadapi.New(t, requests...)
+
+	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
+		workload.RegisterSpiffeWorkloadAPIServer(s, workloadAPIServer)
+	})
+
+	stdin := new(bytes.Buffer)
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+
+	cmd := newCmd(&commoncli.Env{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	}, newWorkloadClient)
+
+	test := &apiTest{
+		addr:        clitest.GetAddr(addr),
+		stdin:       stdin,
+		stdout:      stdout,
+		stderr:      stderr,
+		workloadAPI: workloadAPIServer,
+		cmd:         cmd,
+	}
+
+	t.Cleanup(func() {
+		test.afterTest(t)
+	})
+
+	return test
+}
+
+type apiTest struct {
+	stdin  *bytes.Buffer
+	stdout *bytes.Buffer
+	stderr *bytes.Buffer
+
+	addr        string
+	workloadAPI *fakeworkloadapi.WorkloadAPI
+
+	cmd cli.Command
+}
+
+func (s *apiTest) afterTest(t *testing.T) {
+	t.Logf("TEST:%s", t.Name())
+	t.Logf("STDOUT:\n%s", s.stdout.String())
+	t.Logf("STDIN:\n%s", s.stdin.String())
+	t.Logf("STDERR:\n%s", s.stderr.String())
+}
+
+func (s *apiTest) args(extra ...string) []string {
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
+}
+
+func assertOutputBasedOnFormat(t *testing.T, format, stdoutString, expectedStdoutJSON string, expectedStdoutPretty ...string) {
+	switch format {
+	case "pretty":
+		if len(expectedStdoutPretty) > 0 {
+			for _, expected := range expectedStdoutPretty {
+				require.Contains(t, stdoutString, expected)
+			}
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
+
+func pkcs8FromSigner(t *testing.T, key crypto.Signer) []byte {
+	keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	require.NoError(t, err)
+	return keyBytes
+}
--- a/cmd/spire-agent/cli/api/api_windows_test.go
+++ b/cmd/spire-agent/cli/api/api_windows_test.go
@ -0,0 +1,44 @@
+//go:build windows
+
+package api
+
+const (
+	fetchJWTUsage = `Usage of fetch jwt:
+  -audience value
+    	comma separated list of audience values
+  -format value
+    	deprecated; use -output
+  -namedPipeName string
+    	Pipe name of the SPIRE Agent API named pipe (default "\\spire-agent\\public\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -spiffeID string
+    	SPIFFE ID subject (optional)
+  -timeout value
+    	Time to wait for a response (default 5s)
+`
+	fetchX509Usage = `Usage of fetch x509:
+  -namedPipeName string
+    	Pipe name of the SPIRE Agent API named pipe (default "\\spire-agent\\public\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -silent
+    	Suppress stdout
+  -timeout value
+    	Time to wait for a response (default 5s)
+  -write string
+    	Write SVID data to the specified path (optional; only available for pretty output format)
+`
+	validateJWTUsage = `Usage of validate jwt:
+  -audience string
+    	expected audience value
+  -namedPipeName string
+    	Pipe name of the SPIRE Agent API named pipe (default "\\spire-agent\\public\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -svid string
+    	JWT SVID
+  -timeout value
+    	Time to wait for a response (default 5s)
+`
+)
--- a/cmd/spire-agent/cli/api/common.go
+++ b/cmd/spire-agent/cli/api/common.go
@ -28,7 +28,7 @@ func newWorkloadClient(ctx context.Context, addr net.Addr, timeout time.Duration
 	if err != nil {
 		return nil, err
 	}
-	conn, err := util.GRPCDialContext(ctx, target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/spire-agent/cli/api/fetch_jwt.go
+++ b/cmd/spire-agent/cli/api/fetch_jwt.go
@ -8,22 +8,23 @@ import (

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 )

 func NewFetchJWTCommand() cli.Command {
-	return newFetchJWTCommand(common_cli.DefaultEnv, newWorkloadClient)
+	return newFetchJWTCommandWithEnv(commoncli.DefaultEnv, newWorkloadClient)
 }

-func newFetchJWTCommand(env *common_cli.Env, clientMaker workloadClientMaker) cli.Command {
-	return adaptCommand(env, clientMaker, new(fetchJWTCommand))
+func newFetchJWTCommandWithEnv(env *commoncli.Env, clientMaker workloadClientMaker) cli.Command {
+	return adaptCommand(env, clientMaker, &fetchJWTCommand{env: env})
 }

 type fetchJWTCommand struct {
-	audience common_cli.CommaStringsFlag
+	audience commoncli.CommaStringsFlag
 	spiffeID string
 	printer  cliprinter.Printer
+	env      *commoncli.Env
 }

 func (c *fetchJWTCommand) name() string {
@ -34,7 +35,7 @@ func (c *fetchJWTCommand) synopsis() string {
 	return "Fetches a JWT SVID from the Workload API"
 }

-func (c *fetchJWTCommand) run(ctx context.Context, env *common_cli.Env, client *workloadClient) error {
+func (c *fetchJWTCommand) run(ctx context.Context, _ *commoncli.Env, client *workloadClient) error {
 	if len(c.audience) == 0 {
 		return errors.New("audience must be specified")
 	}
@ -48,15 +49,14 @@ func (c *fetchJWTCommand) run(ctx context.Context, env *common_cli.Env, client *
 		return err
 	}

-	c.printer.MustPrintProto(svidResp, bundlesResp)
-	return nil
+	return c.printer.PrintProto(svidResp, bundlesResp)
 }

 func (c *fetchJWTCommand) appendFlags(fs *flag.FlagSet) {
 	fs.Var(&c.audience, "audience", "comma separated list of audience values")
 	fs.StringVar(&c.spiffeID, "spiffeID", "", "SPIFFE ID subject (optional)")
-
-	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, printPrettyResult)
+	outputValue := cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, printPrettyResult)
+	fs.Var(outputValue, "format", "deprecated; use -output")
 }

 func (c *fetchJWTCommand) fetchJWTSVID(ctx context.Context, client *workloadClient) (*workload.JWTSVIDResponse, error) {
@ -78,27 +78,28 @@ func (c *fetchJWTCommand) fetchJWTBundles(ctx context.Context, client *workloadC
 	return stream.Recv()
 }

-func printPrettyResult(results ...interface{}) error {
-	errMsg := "internal error: cli printer; please report this bug"
-
+func printPrettyResult(env *commoncli.Env, results ...any) error {
 	svidResp, ok := results[0].(*workload.JWTSVIDResponse)
 	if !ok {
-		fmt.Println(errMsg)
-		return errors.New(errMsg)
+		env.Println(cliprinter.ErrInternalCustomPrettyFunc.Error())
+		return cliprinter.ErrInternalCustomPrettyFunc
 	}

 	bundlesResp, ok := results[1].(*workload.JWTBundlesResponse)
 	if !ok {
-		fmt.Println(errMsg)
-		return errors.New(errMsg)
+		env.Println(cliprinter.ErrInternalCustomPrettyFunc.Error())
+		return cliprinter.ErrInternalCustomPrettyFunc
 	}

 	for _, svid := range svidResp.Svids {
-		fmt.Printf("token(%s):\n\t%s\n", svid.SpiffeId, svid.Svid)
+		env.Printf("token(%s):\n\t%s\n", svid.SpiffeId, svid.Svid)
+		if svid.Hint != "" {
+			env.Printf("hint(%s):\n\t%s\n", svid.SpiffeId, svid.Hint)
+		}
 	}

 	for trustDomainID, jwksJSON := range bundlesResp.Bundles {
-		fmt.Printf("bundle(%s):\n\t%s\n", trustDomainID, string(jwksJSON))
+		env.Printf("bundle(%s):\n\t%s\n", trustDomainID, string(jwksJSON))
 	}

 	return nil
--- a/cmd/spire-agent/cli/api/fetch_x509.go
+++ b/cmd/spire-agent/cli/api/fetch_x509.go
@ -8,7 +8,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"os"
 	"path"
 	"time"

@ -17,20 +16,25 @@ import (
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/diskutil"
 )

 func NewFetchX509Command() cli.Command {
-	return newFetchX509Command(common_cli.DefaultEnv, newWorkloadClient)
+	return newFetchX509Command(commoncli.DefaultEnv, newWorkloadClient)
 }

-func newFetchX509Command(env *common_cli.Env, clientMaker workloadClientMaker) cli.Command {
-	return adaptCommand(env, clientMaker, new(fetchX509Command))
+func newFetchX509Command(env *commoncli.Env, clientMaker workloadClientMaker) cli.Command {
+	return adaptCommand(env, clientMaker, &fetchX509Command{env: env})
 }

 type fetchX509Command struct {
 	silent    bool
 	writePath string
+	env       *commoncli.Env
+	printer   cliprinter.Printer
+	respTime  time.Duration
 }

 func (*fetchX509Command) name() string {
@ -41,35 +45,21 @@ func (*fetchX509Command) synopsis() string {
 	return "Fetches X509 SVIDs from the Workload API"
 }

-func (c *fetchX509Command) run(ctx context.Context, env *common_cli.Env, client *workloadClient) error {
+func (c *fetchX509Command) run(ctx context.Context, _ *commoncli.Env, client *workloadClient) error {
 	start := time.Now()
 	resp, err := c.fetchX509SVID(ctx, client)
-	respTime := time.Since(start)
+	c.respTime = time.Since(start)
 	if err != nil {
 		return err
 	}

-	svids, err := parseAndValidateX509SVIDResponse(resp)
-	if err != nil {
-		return err
-	}
-
-	if !c.silent {
-		printX509SVIDResponse(svids, respTime)
-	}
-
-	if c.writePath != "" {
-		if err := c.writeResponse(svids); err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return c.printer.PrintProto(resp)
 }

 func (c *fetchX509Command) appendFlags(fs *flag.FlagSet) {
 	fs.BoolVar(&c.silent, "silent", false, "Suppress stdout")
-	fs.StringVar(&c.writePath, "write", "", "Write SVID data to the specified path (optional)")
+	fs.StringVar(&c.writePath, "write", "", "Write SVID data to the specified path (optional; only available for pretty output format)")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintFetchX509)
 }

 func (c *fetchX509Command) fetchX509SVID(ctx context.Context, client *workloadClient) (*workload.X509SVIDResponse, error) {
@ -90,19 +80,19 @@ func (c *fetchX509Command) writeResponse(svids []*X509SVID) error {
 		keyPath := path.Join(c.writePath, fmt.Sprintf("svid.%v.key", i))
 		bundlePath := path.Join(c.writePath, fmt.Sprintf("bundle.%v.pem", i))

-		fmt.Printf("Writing SVID #%d to file %s.\n", i, svidPath)
+		c.env.Printf("Writing SVID #%d to file %s.\n", i, svidPath)
 		err := c.writeCerts(svidPath, svid.Certificates)
 		if err != nil {
 			return err
 		}

-		fmt.Printf("Writing key #%d to file %s.\n", i, keyPath)
+		c.env.Printf("Writing key #%d to file %s.\n", i, keyPath)
 		err = c.writeKey(keyPath, svid.PrivateKey)
 		if err != nil {
 			return err
 		}

-		fmt.Printf("Writing bundle #%d to file %s.\n", i, bundlePath)
+		c.env.Printf("Writing bundle #%d to file %s.\n", i, bundlePath)
 		err = c.writeCerts(bundlePath, svid.Bundle)
 		if err != nil {
 			return err
@ -116,7 +106,7 @@ func (c *fetchX509Command) writeResponse(svids []*X509SVID) error {

 		for j, trustDomain := range federatedDomains {
 			bundlePath := path.Join(c.writePath, fmt.Sprintf("federated_bundle.%d.%d.pem", i, j))
-			fmt.Printf("Writing federated bundle #%d for trust domain %s to file %s.\n", j, trustDomain, bundlePath)
+			c.env.Printf("Writing federated bundle #%d for trust domain %s to file %s.\n", j, trustDomain, bundlePath)
 			err = c.writeCerts(bundlePath, svid.FederatedBundles[trustDomain])
 			if err != nil {
 				return err
@ -153,16 +143,41 @@ func (c *fetchX509Command) writeKey(filename string, privateKey crypto.PrivateKe
 		Bytes: data,
 	}

-	return os.WriteFile(filename, pem.EncodeToMemory(b), 0600)
+	return diskutil.WritePrivateFile(filename, pem.EncodeToMemory(b))
 }

 // writeFile creates or truncates filename, and writes data to it
 func (c *fetchX509Command) writeFile(filename string, data []byte) error {
-	return os.WriteFile(filename, data, 0644) // nolint: gosec // expected permission for certificates
+	return diskutil.WritePubliclyReadableFile(filename, data)
+}
+
+func (c *fetchX509Command) prettyPrintFetchX509(env *commoncli.Env, results ...any) error {
+	resp, ok := results[0].(*workload.X509SVIDResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+
+	svids, err := parseAndValidateX509SVIDResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if !c.silent {
+		printX509SVIDResponse(env, svids, c.respTime)
+	}
+
+	if c.writePath != "" {
+		if err := c.writeResponse(svids); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 type X509SVID struct {
 	SPIFFEID         string
+	Hint             string
 	Certificates     []*x509.Certificate
 	PrivateKey       crypto.Signer
 	Bundle           []*x509.Certificate
@ -201,7 +216,7 @@ func parseX509SVIDResponse(resp *workload.X509SVIDResponse) ([]*X509SVID, error)
 	for i, respSVID := range resp.Svids {
 		svid, err := parseX509SVID(respSVID, federatedBundles)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse svid entry %d for spiffe id %q: %w", i, svid.SPIFFEID, err)
+			return nil, fmt.Errorf("failed to parse svid entry %d for spiffe id %q: %w", i, respSVID.SpiffeId, err)
 		}
 		svids = append(svids, svid)
 	}
@ -239,6 +254,7 @@ func parseX509SVID(svid *workload.X509SVID, federatedBundles map[string][]*x509.
 		Certificates:     certificates,
 		Bundle:           bundle,
 		FederatedBundles: federatedBundles,
+		Hint:             svid.Hint,
 	}, nil
 }

--- a/cmd/spire-agent/cli/api/printer.go
+++ b/cmd/spire-agent/cli/api/printer.go
@ -4,50 +4,55 @@ import (
 	"crypto/x509"
 	"fmt"
 	"time"
+
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
 )

-func printX509SVIDResponse(svids []*X509SVID, respTime time.Duration) {
+func printX509SVIDResponse(env *commoncli.Env, svids []*X509SVID, respTime time.Duration) {
 	lenMsg := fmt.Sprintf("Received %d svid", len(svids))
 	if len(svids) != 1 {
 		lenMsg += "s"
 	}
 	lenMsg += fmt.Sprintf(" after %s", respTime)

-	fmt.Println(lenMsg)
+	env.Println(lenMsg)
 	for _, svid := range svids {
-		fmt.Println()
-		printX509SVID(svid)
+		env.Println()
+		printX509SVID(env, svid)
 		for trustDomain, bundle := range svid.FederatedBundles {
-			printX509FederatedBundle(trustDomain, bundle)
+			printX509FederatedBundle(env, trustDomain, bundle)
 		}
 	}

-	fmt.Println()
+	env.Println()
 }

-func printX509SVID(svid *X509SVID) {
+func printX509SVID(env *commoncli.Env, svid *X509SVID) {
 	// Print SPIFFE ID first so if we run into a problem, we
 	// get to know which record it was
-	fmt.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID)
+	env.Printf("SPIFFE ID:\t\t%s\n", svid.SPIFFEID)
+	if svid.Hint != "" {
+		env.Printf("Hint:\t\t\t%s\n", svid.Hint)
+	}

-	fmt.Printf("SVID Valid After:\t%v\n", svid.Certificates[0].NotBefore)
-	fmt.Printf("SVID Valid Until:\t%v\n", svid.Certificates[0].NotAfter)
+	env.Printf("SVID Valid After:\t%v\n", svid.Certificates[0].NotBefore)
+	env.Printf("SVID Valid Until:\t%v\n", svid.Certificates[0].NotAfter)
 	for i, intermediate := range svid.Certificates[1:] {
 		num := i + 1
-		fmt.Printf("Intermediate #%v Valid After:\t%v\n", num, intermediate.NotBefore)
-		fmt.Printf("Intermediate #%v Valid Until:\t%v\n", num, intermediate.NotAfter)
+		env.Printf("Intermediate #%v Valid After:\t%v\n", num, intermediate.NotBefore)
+		env.Printf("Intermediate #%v Valid Until:\t%v\n", num, intermediate.NotAfter)
 	}
 	for i, ca := range svid.Bundle {
 		num := i + 1
-		fmt.Printf("CA #%v Valid After:\t%v\n", num, ca.NotBefore)
-		fmt.Printf("CA #%v Valid Until:\t%v\n", num, ca.NotAfter)
+		env.Printf("CA #%v Valid After:\t%v\n", num, ca.NotBefore)
+		env.Printf("CA #%v Valid Until:\t%v\n", num, ca.NotAfter)
 	}
 }

-func printX509FederatedBundle(trustDomain string, bundle []*x509.Certificate) {
+func printX509FederatedBundle(env *commoncli.Env, trustDomain string, bundle []*x509.Certificate) {
 	for i, ca := range bundle {
 		num := i + 1
-		fmt.Printf("[%s] CA #%v Valid After:\t%v\n", trustDomain, num, ca.NotBefore)
-		fmt.Printf("[%s] CA #%v Valid Until:\t%v\n", trustDomain, num, ca.NotAfter)
+		env.Printf("[%s] CA #%v Valid After:\t%v\n", trustDomain, num, ca.NotBefore)
+		env.Printf("[%s] CA #%v Valid Until:\t%v\n", trustDomain, num, ca.NotAfter)
 	}
 }
--- a/cmd/spire-agent/cli/api/validate_jwt.go
+++ b/cmd/spire-agent/cli/api/validate_jwt.go
@ -8,23 +8,26 @@ import (

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 )

 func NewValidateJWTCommand() cli.Command {
-	return newValidateJWTCommand(common_cli.DefaultEnv, newWorkloadClient)
+	return newValidateJWTCommand(commoncli.DefaultEnv, newWorkloadClient)
 }

-func newValidateJWTCommand(env *common_cli.Env, clientMaker workloadClientMaker) cli.Command {
-	return adaptCommand(env, clientMaker, new(validateJWTCommand))
+func newValidateJWTCommand(env *commoncli.Env, clientMaker workloadClientMaker) cli.Command {
+	return adaptCommand(env, clientMaker, &validateJWTCommand{env: env})
 }

 type validateJWTCommand struct {
 	audience string
 	svid     string
+	env      *commoncli.Env
+	printer  cliprinter.Printer
 }

 func (*validateJWTCommand) name() string {
@ -38,9 +41,10 @@ func (*validateJWTCommand) synopsis() string {
 func (c *validateJWTCommand) appendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.audience, "audience", "", "expected audience value")
 	fs.StringVar(&c.svid, "svid", "", "JWT SVID")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintValidate)
 }

-func (c *validateJWTCommand) run(ctx context.Context, env *common_cli.Env, client *workloadClient) error {
+func (c *validateJWTCommand) run(ctx context.Context, _ *commoncli.Env, client *workloadClient) error {
 	if c.audience == "" {
 		return errors.New("audience must be specified")
 	}
@ -53,17 +57,7 @@ func (c *validateJWTCommand) run(ctx context.Context, env *common_cli.Env, clien
 		return err
 	}

-	if err := env.Println("SVID is valid."); err != nil {
-		return err
-	}
-	if err := env.Println("SPIFFE ID :", resp.SpiffeId); err != nil {
-		return err
-	}
-	claims, err := protojson.Marshal(resp.Claims)
-	if err != nil {
-		return fmt.Errorf("unable to unmarshal claims: %w", err)
-	}
-	return env.Println("Claims    :", string(claims))
+	return c.printer.PrintProto(resp)
 }

 func (c *validateJWTCommand) validateJWTSVID(ctx context.Context, client *workloadClient) (*workload.ValidateJWTSVIDResponse, error) {
@ -81,3 +75,21 @@ func (c *validateJWTCommand) validateJWTSVID(ctx context.Context, client *worklo
 	}
 	return resp, nil
 }
+
+func prettyPrintValidate(env *commoncli.Env, results ...any) error {
+	resp, ok := results[0].(*workload.ValidateJWTSVIDResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	if err := env.Println("SVID is valid."); err != nil {
+		return err
+	}
+	if err := env.Println("SPIFFE ID :", resp.SpiffeId); err != nil {
+		return err
+	}
+	claims, err := protojson.Marshal(resp.Claims)
+	if err != nil {
+		return fmt.Errorf("unable to unmarshal claims: %w", err)
+	}
+	return env.Println("Claims    :", string(claims))
+}
--- a/cmd/spire-agent/cli/api/watch.go
+++ b/cmd/spire-agent/cli/api/watch.go
@ -11,6 +11,7 @@ import (

 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/spiffe/spire/cmd/spire-agent/cli/common"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/util"
 )

@ -86,7 +87,7 @@ func (w *watcher) OnX509ContextUpdate(x509Context *workloadapi.X509Context) {
 			if candidateBundle.TrustDomain() == svid.ID.TrustDomain() {
 				bundle = candidateBundle.X509Authorities()
 			} else {
-				federatedBundles[candidateBundle.TrustDomain().String()] = candidateBundle.X509Authorities()
+				federatedBundles[candidateBundle.TrustDomain().Name()] = candidateBundle.X509Authorities()
 			}
 		}

@ -98,7 +99,7 @@ func (w *watcher) OnX509ContextUpdate(x509Context *workloadapi.X509Context) {
 			FederatedBundles: federatedBundles,
 		})
 	}
-	printX509SVIDResponse(svids, time.Since(w.updateTime))
+	printX509SVIDResponse(commoncli.DefaultEnv, svids, time.Since(w.updateTime))
 	w.updateTime = time.Now()
 }

--- a/cmd/spire-agent/cli/cli.go
+++ b/cmd/spire-agent/cli/cli.go
@ -1,6 +1,7 @@
 package cli

 import (
+	"context"
 	stdlog "log"

 	"github.com/mitchellh/cli"
@ -17,7 +18,7 @@ type CLI struct {
 	AllowUnknownConfig bool
 }

-func (cc *CLI) Run(args []string) int {
+func (cc *CLI) Run(ctx context.Context, args []string) int {
 	c := cli.NewCLI("spire-agent", version.Version())
 	c.Args = args
 	c.Commands = map[string]cli.CommandFactory{
@ -37,7 +38,7 @@ func (cc *CLI) Run(args []string) int {
 			return &api.WatchCLI{}, nil
 		},
 		"run": func() (cli.Command, error) {
-			return run.NewRunCommand(cc.LogOptions, cc.AllowUnknownConfig), nil
+			return run.NewRunCommand(ctx, cc.LogOptions, cc.AllowUnknownConfig), nil
 		},
 		"healthcheck": func() (cli.Command, error) {
 			return healthcheck.NewHealthCheckCommand(), nil
--- a/cmd/spire-agent/cli/common/config_posix.go
+++ b/cmd/spire-agent/cli/common/config_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package common

--- a/cmd/spire-agent/cli/common/config_windows.go
+++ b/cmd/spire-agent/cli/common/config_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package common

--- a/cmd/spire-agent/cli/common/defaults_posix.go
+++ b/cmd/spire-agent/cli/common/defaults_posix.go
@ -1,9 +1,10 @@
 //go:build !windows
-// +build !windows

 package common

 const (
 	// DefaultSocketPath is the SPIRE agent's default socket path
 	DefaultSocketPath = "/tmp/spire-agent/public/api.sock"
+	// DefaultAdminSocketPath is the SPIRE agent's default admin socket path
+	DefaultAdminSocketPath = "/tmp/spire-agent/private/admin.sock"
 )
--- a/cmd/spire-agent/cli/common/defaults_windows.go
+++ b/cmd/spire-agent/cli/common/defaults_windows.go
@ -1,9 +1,10 @@
 //go:build windows
-// +build windows

 package common

 const (
 	// DefaultNamedPipeName is the SPIRE agent's default named pipe name
 	DefaultNamedPipeName = "\\spire-agent\\public\\api"
+	// DefaultAdminNamedPipeName is the SPIRE agent's default admin named pipe name
+	DefaultAdminNamedPipeName = "\\spire-agent\\private\\admin"
 )
--- a/cmd/spire-agent/cli/healthcheck/healthcheck.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck.go
@ -79,7 +79,7 @@ func (c *healthCheckCommand) run() error {
 	if err != nil {
 		return err
 	}
-	conn, err := util.GRPCDialContext(context.Background(), target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return err
 	}
--- a/cmd/spire-agent/cli/healthcheck/healthcheck_posix.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package healthcheck

--- a/cmd/spire-agent/cli/healthcheck/healthcheck_posix_test.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package healthcheck

@ -21,7 +20,7 @@ var (
 `
 	socketAddrArg         = "-socketPath"
 	socketAddrUnavailable = "/tmp/doesnotexist.sock"
-	unavailableErr        = "Failed to check health: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial unix /tmp/doesnotexist.sock: connect: no such file or directory\"\nAgent is unhealthy: unable to determine health\n"
+	unavailableErr        = "Failed to check health: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: dial unix /tmp/doesnotexist.sock: connect: no such file or directory\"\nAgent is unhealthy: unable to determine health\n"
 )

 func startGRPCSocketServer(t *testing.T, registerFn func(srv *grpc.Server)) string {
--- a/cmd/spire-agent/cli/healthcheck/healthcheck_windows.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package healthcheck

--- a/cmd/spire-agent/cli/healthcheck/healthcheck_windows_test.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package healthcheck

@ -22,7 +21,7 @@ var (
 `
 	socketAddrArg         = "-namedPipeName"
 	socketAddrUnavailable = "doesnotexist"
-	unavailableErr        = "Failed to check health: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing open \\\\\\\\.\\\\pipe\\\\doesnotexist: The system cannot find the file specified.\"\nAgent is unhealthy: unable to determine health\n"
+	unavailableErr        = "Failed to check health: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: open \\\\\\\\.\\\\pipe\\\\doesnotexist: The system cannot find the file specified.\"\nAgent is unhealthy: unable to determine health\n"
 )

 func startGRPCSocketServer(t *testing.T, registerFn func(srv *grpc.Server)) string {
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@ -2,17 +2,16 @@ package run

 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
+	"sort"
 	"strconv"
 	"strings"
 	"syscall"
@ -20,19 +19,23 @@ import (

 	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/hcl"
+	"github.com/hashicorp/hcl/hcl/ast"
+	"github.com/hashicorp/hcl/hcl/token"
 	"github.com/imdario/mergo"
 	"github.com/mitchellh/cli"
 	"github.com/sirupsen/logrus"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/common/tlspolicy"
 )

 const (
@ -47,35 +50,44 @@ const (
 	defaultDefaultBundleName           = "ROOTCA"
 	defaultDefaultAllBundlesName       = "ALL"
 	defaultDisableSPIFFECertValidation = false
+
+	minimumAvailabilityTarget = 24 * time.Hour
 )

 // Config contains all available configurables, arranged by section
 type Config struct {
-	Agent        *agentConfig                `hcl:"agent"`
-	Plugins      *catalog.HCLPluginConfigMap `hcl:"plugins"`
-	Telemetry    telemetry.FileConfig        `hcl:"telemetry"`
-	HealthChecks health.Config               `hcl:"health_checks"`
-	UnusedKeys   []string                    `hcl:",unusedKeys"`
+	Agent              *agentConfig           `hcl:"agent"`
+	Plugins            ast.Node               `hcl:"plugins"`
+	Telemetry          telemetry.FileConfig   `hcl:"telemetry"`
+	HealthChecks       health.Config          `hcl:"health_checks"`
+	UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
 }

 type agentConfig struct {
 	DataDir                       string    `hcl:"data_dir"`
 	AdminSocketPath               string    `hcl:"admin_socket_path"`
 	InsecureBootstrap             bool      `hcl:"insecure_bootstrap"`
+	RetryBootstrap                *bool     `hcl:"retry_bootstrap"`
 	JoinToken                     string    `hcl:"join_token"`
 	LogFile                       string    `hcl:"log_file"`
 	LogFormat                     string    `hcl:"log_format"`
 	LogLevel                      string    `hcl:"log_level"`
+	LogSourceLocation             bool      `hcl:"log_source_location"`
 	SDS                           sdsConfig `hcl:"sds"`
 	ServerAddress                 string    `hcl:"server_address"`
 	ServerPort                    int       `hcl:"server_port"`
 	SocketPath                    string    `hcl:"socket_path"`
 	WorkloadX509SVIDKeyType       string    `hcl:"workload_x509_svid_key_type"`
+	TrustBundleFormat             string    `hcl:"trust_bundle_format"`
 	TrustBundlePath               string    `hcl:"trust_bundle_path"`
+	TrustBundleUnixSocket         string    `hcl:"trust_bundle_unix_socket"`
 	TrustBundleURL                string    `hcl:"trust_bundle_url"`
 	TrustDomain                   string    `hcl:"trust_domain"`
 	AllowUnauthenticatedVerifiers bool      `hcl:"allow_unauthenticated_verifiers"`
 	AllowedForeignJWTClaims       []string  `hcl:"allowed_foreign_jwt_claims"`
+	AvailabilityTarget            string    `hcl:"availability_target"`
+	X509SVIDCacheMaxSize          int       `hcl:"x509_svid_cache_max_size"`
+	JWTSVIDCacheMaxSize           int       `hcl:"jwt_svid_cache_max_size"`

 	AuthorizedDelegates []string `hcl:"authorized_delegates"`

@ -89,7 +101,7 @@ type agentConfig struct {
 	ProfilingNames   []string           `hcl:"profiling_names"`
 	Experimental     experimentalConfig `hcl:"experimental"`

-	UnusedKeys []string `hcl:",unusedKeys"`
+	UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
 }

 type sdsConfig struct {
@ -100,28 +112,29 @@ type sdsConfig struct {
 }

 type experimentalConfig struct {
-	SyncInterval       string `hcl:"sync_interval"`
-	NamedPipeName      string `hcl:"named_pipe_name"`
-	AdminNamedPipeName string `hcl:"admin_named_pipe_name"`
+	SyncInterval             string `hcl:"sync_interval"`
+	NamedPipeName            string `hcl:"named_pipe_name"`
+	AdminNamedPipeName       string `hcl:"admin_named_pipe_name"`
+	UseSyncAuthorizedEntries *bool  `hcl:"use_sync_authorized_entries"`
+	RequirePQKEM             bool   `hcl:"require_pq_kem"`

 	Flags fflag.RawConfig `hcl:"feature_flags"`
-
-	UnusedKeys           []string `hcl:",unusedKeys"`
-	X509SVIDCacheMaxSize int      `hcl:"x509_svid_cache_max_size"`
 }

 type Command struct {
+	ctx                context.Context
 	logOptions         []log.Option
 	env                *common_cli.Env
 	allowUnknownConfig bool
 }

-func NewRunCommand(logOptions []log.Option, allowUnknownConfig bool) cli.Command {
-	return newRunCommand(common_cli.DefaultEnv, logOptions, allowUnknownConfig)
+func NewRunCommand(ctx context.Context, logOptions []log.Option, allowUnknownConfig bool) cli.Command {
+	return newRunCommand(ctx, common_cli.DefaultEnv, logOptions, allowUnknownConfig)
 }

-func newRunCommand(env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command {
+func newRunCommand(ctx context.Context, env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command {
 	return &Command{
+		ctx:                ctx,
 		env:                env,
 		logOptions:         logOptions,
 		allowUnknownConfig: allowUnknownConfig,
@ -183,7 +196,11 @@ func (cmd *Command) Run(args []string) int {

 	a := agent.New(c)

-	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	ctx := cmd.ctx
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	ctx, stop := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
 	defer stop()

 	err = a.Run(ctx)
@ -217,11 +234,21 @@ func (c *agentConfig) validate() error {
 		return errors.New("trust_domain must be configured")
 	}

+	// If insecure_bootstrap is set, trust_bundle_path or trust_bundle_url cannot be set
 	// If trust_bundle_url is set, download the trust bundle using HTTP and parse it from memory
 	// If trust_bundle_path is set, parse the trust bundle file on disk
 	// Both cannot be set
 	// The trust bundle URL must start with HTTPS
-	if c.TrustBundlePath == "" && c.TrustBundleURL == "" && !c.InsecureBootstrap {
+	if c.InsecureBootstrap {
+		switch {
+		case c.TrustBundleURL != "" && c.TrustBundlePath != "":
+			return errors.New("only one of insecure_bootstrap, trust_bundle_url, or trust_bundle_path can be specified, not the three options")
+		case c.TrustBundleURL != "":
+			return errors.New("only one of insecure_bootstrap or trust_bundle_url can be specified, not both")
+		case c.TrustBundlePath != "":
+			return errors.New("only one of insecure_bootstrap or trust_bundle_path can be specified, not both")
+		}
+	} else if c.TrustBundlePath == "" && c.TrustBundleURL == "" {
 		return errors.New("trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set")
 	}

@ -229,12 +256,32 @@ func (c *agentConfig) validate() error {
 		return errors.New("only one of trust_bundle_url or trust_bundle_path can be specified, not both")
 	}

+	if c.TrustBundleFormat != trustbundlesources.BundleFormatPEM && c.TrustBundleFormat != trustbundlesources.BundleFormatSPIFFE {
+		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE)
+	}
+
+	if c.TrustBundleUnixSocket != "" && c.TrustBundleURL == "" {
+		return errors.New("if trust_bundle_unix_socket is specified, so must be trust_bundle_url")
+	}
 	if c.TrustBundleURL != "" {
 		u, err := url.Parse(c.TrustBundleURL)
 		if err != nil {
 			return fmt.Errorf("unable to parse trust bundle URL: %w", err)
 		}
-		if u.Scheme != "https" {
+		if c.TrustBundleUnixSocket != "" {
+			if u.Scheme != "http" {
+				return errors.New("trust bundle URL must start with http:// when used with trust bundle unix socket")
+			}
+			params := u.Query()
+			for key := range params {
+				if strings.HasPrefix(key, "spiffe-") {
+					return errors.New("trust_bundle_url query params can not start with spiffe-")
+				}
+				if strings.HasPrefix(key, "spire-") {
+					return errors.New("trust_bundle_url query params can not start with spire-")
+				}
+			}
+		} else if u.Scheme != "https" {
 			return errors.New("trust bundle URL must start with https://")
 		}
 	}
@ -268,7 +315,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {

 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}

 	if err := hcl.Decode(&c, data); err != nil {
@ -282,6 +329,7 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags := flag.NewFlagSet(name, flag.ContinueOnError)
 	flags.SetOutput(output)
 	c := &agentConfig{}
+	retryBootstrap := false

 	flags.StringVar(&c.ConfigPath, "config", defaultConfigPath, "Path to a SPIRE config file")
 	flags.StringVar(&c.DataDir, "dataDir", "", "A directory the agent can use for its runtime data")
@ -289,13 +337,16 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags.StringVar(&c.LogFile, "logFile", "", "File to write logs to")
 	flags.StringVar(&c.LogFormat, "logFormat", "", "'text' or 'json'")
 	flags.StringVar(&c.LogLevel, "logLevel", "", "'debug', 'info', 'warn', or 'error'")
+	flags.BoolVar(&c.LogSourceLocation, "logSourceLocation", false, "Include source file, line number and function name in log lines")
 	flags.StringVar(&c.ServerAddress, "serverAddress", "", "IP address or DNS name of the SPIRE server")
 	flags.IntVar(&c.ServerPort, "serverPort", 0, "Port number of the SPIRE server")
 	flags.StringVar(&c.TrustDomain, "trustDomain", "", "The trust domain that this agent belongs to")
 	flags.StringVar(&c.TrustBundlePath, "trustBundle", "", "Path to the SPIRE server CA bundle")
 	flags.StringVar(&c.TrustBundleURL, "trustBundleUrl", "", "URL to download the SPIRE server CA bundle")
+	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE))
 	flags.BoolVar(&c.AllowUnauthenticatedVerifiers, "allowUnauthenticatedVerifiers", false, "If true, the agent permits the retrieval of X509 certificate bundles by unregistered clients")
 	flags.BoolVar(&c.InsecureBootstrap, "insecureBootstrap", false, "If true, the agent bootstraps without verifying the server's identity")
+	flags.BoolVar(&retryBootstrap, "retryBootstrap", true, "If true, the agent retries bootstrap with backoff")
 	flags.BoolVar(&c.ExpandEnv, "expandEnv", false, "Expand environment variables in SPIRE config file")

 	c.addOSFlags(flags)
@ -305,6 +356,12 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 		return nil, err
 	}

+	flags.Visit(func(f *flag.Flag) {
+		if f.Name == "retryBootstrap" {
+			c.RetryBootstrap = &retryBootstrap
+		}
+	})
+
 	return c, nil
 }

@ -330,56 +387,6 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
 	return c, nil
 }

-func downloadTrustBundle(trustBundleURL string) ([]*x509.Certificate, error) {
-	// Download the trust bundle URL from the user specified URL
-	// We use gosec -- the annotation below will disable a security check that URLs are not tainted
-	/* #nosec G107 */
-	resp, err := http.Get(trustBundleURL)
-	if err != nil {
-		return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
-	}
-	pemBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	bundle, err := pemutil.ParseCertificates(pemBytes)
-	if err != nil {
-		return nil, err
-	}
-
-	return bundle, nil
-}
-
-func setupTrustBundle(ac *agent.Config, c *Config) error {
-	// Either download the turst bundle if TrustBundleURL is set, or read it
-	// from disk if TrustBundlePath is set
-	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
-
-	switch {
-	case c.Agent.TrustBundleURL != "":
-		bundle, err := downloadTrustBundle(c.Agent.TrustBundleURL)
-		if err != nil {
-			return err
-		}
-		ac.TrustBundle = bundle
-	case c.Agent.TrustBundlePath != "":
-		bundle, err := parseTrustBundle(c.Agent.TrustBundlePath)
-		if err != nil {
-			return fmt.Errorf("could not parse trust bundle: %w", err)
-		}
-		ac.TrustBundle = bundle
-	}
-
-	return nil
-}
-
 func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
 	ac := &agent.Config{}

@ -395,11 +402,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		}
 	}

-	if c.Agent.Experimental.X509SVIDCacheMaxSize < 0 {
-		return nil, errors.New("x509_svid_cache_max_size should not be negative")
-	}
-	ac.X509SVIDCacheMaxSize = c.Agent.Experimental.X509SVIDCacheMaxSize
-
 	serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
 	ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)

@ -407,9 +409,13 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		log.WithLevel(c.Agent.LogLevel),
 		log.WithFormat(c.Agent.LogFormat),
 	)
+	if c.Agent.LogSourceLocation {
+		logOptions = append(logOptions, log.WithSourceLocation())
+	}
 	var reopenableFile *log.ReopenableFile
 	if c.Agent.LogFile != "" {
-		reopenableFile, err := log.NewReopenableFile(c.Agent.LogFile)
+		var err error
+		reopenableFile, err = log.NewReopenableFile(c.Agent.LogFile)
 		if err != nil {
 			return nil, err
 		}
@ -425,6 +431,28 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		ac.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
 	}

+	ac.RetryBootstrap = true
+	if c.Agent.RetryBootstrap != nil {
+		ac.Log.Warn("The 'retry_bootstrap' configuration is deprecated. It will be removed in SPIRE 1.14. Please test without the flag before upgrading.")
+		ac.RetryBootstrap = *c.Agent.RetryBootstrap
+	}
+
+	ac.UseSyncAuthorizedEntries = true
+	if c.Agent.Experimental.UseSyncAuthorizedEntries != nil {
+		ac.Log.Warn("The 'use_sync_authorized_entries' configuration is deprecated. The option to disable it will be removed in SPIRE 1.13.")
+		ac.UseSyncAuthorizedEntries = *c.Agent.Experimental.UseSyncAuthorizedEntries
+	}
+
+	if c.Agent.X509SVIDCacheMaxSize < 0 {
+		return nil, errors.New("x509_svid_cache_max_size should not be negative")
+	}
+	ac.X509SVIDCacheMaxSize = c.Agent.X509SVIDCacheMaxSize
+
+	if c.Agent.JWTSVIDCacheMaxSize < 0 {
+		return nil, errors.New("jwt_svid_cache_max_size should not be negative")
+	}
+	ac.JWTSVIDCacheMaxSize = c.Agent.JWTSVIDCacheMaxSize
+
 	td, err := common_cli.ParseTrustDomain(c.Agent.TrustDomain, logger)
 	if err != nil {
 		return nil, err
@ -454,11 +482,16 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation

-	err = setupTrustBundle(ac, c)
-	if err != nil {
-		return nil, err
+	ts := &trustbundlesources.Config{
+		InsecureBootstrap:     c.Agent.InsecureBootstrap,
+		TrustBundleFormat:     c.Agent.TrustBundleFormat,
+		TrustBundlePath:       c.Agent.TrustBundlePath,
+		TrustBundleURL:        c.Agent.TrustBundleURL,
+		TrustBundleUnixSocket: c.Agent.TrustBundleUnixSocket,
 	}

+	ac.TrustBundleSources = trustbundlesources.New(ts, ac.Log.WithField("Logger", "TrustBundleSources"))
+
 	ac.WorkloadKeyType = workloadkey.ECP256
 	if c.Agent.WorkloadX509SVIDKeyType != "" {
 		ac.WorkloadKeyType, err = workloadkey.KeyTypeFromString(c.Agent.WorkloadX509SVIDKeyType)
@ -474,7 +507,11 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)

 	ac.AllowedForeignJWTClaims = c.Agent.AllowedForeignJWTClaims

-	ac.PluginConfigs = *c.Plugins
+	ac.PluginConfigs, err = catalog.PluginConfigsFromHCLNode(c.Plugins)
+	if err != nil {
+		return nil, err
+	}
+
 	ac.Telemetry = c.Telemetry
 	ac.HealthChecks = c.HealthChecks

@ -494,6 +531,23 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)

 	ac.AuthorizedDelegates = c.Agent.AuthorizedDelegates

+	if c.Agent.AvailabilityTarget != "" {
+		t, err := time.ParseDuration(c.Agent.AvailabilityTarget)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse availability_target: %w", err)
+		}
+		if t < minimumAvailabilityTarget {
+			return nil, fmt.Errorf("availability_target must be at least %s", minimumAvailabilityTarget.String())
+		}
+		ac.AvailabilityTarget = t
+	}
+
+	ac.TLSPolicy = tlspolicy.Policy{
+		RequirePQKEM: c.Agent.Experimental.RequirePQKEM,
+	}
+
+	tlspolicy.LogPolicy(ac.TLSPolicy, log.NewHCLogAdapter(logger, "tlspolicy"))
+
 	if cmp.Diff(experimentalConfig{}, c.Agent.Experimental) != "" {
 		logger.Warn("Experimental features have been enabled. Please see doc/upgrading.md for upgrade and compatibility considerations for experimental features.")
 	}
@ -510,15 +564,17 @@ func validateConfig(c *Config) error {
 		return errors.New("plugins section must be configured")
 	}

-	if err := c.Agent.validate(); err != nil {
-		return err
-	}
-
-	return nil
+	return c.Agent.validate()
 }

 func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) {
-	detectedUnknown := func(section string, keys []string) {
+	detectedUnknown := func(section string, keyPositions map[string][]token.Pos) {
+		var keys []string
+		for k := range keyPositions {
+			keys = append(keys, k)
+		}
+
+		sort.Strings(keys)
 		l.WithFields(logrus.Fields{
 			"section": section,
 			"keys":    strings.Join(keys, ","),
@ -526,49 +582,49 @@ func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) {
 		err = errors.New("unknown configuration detected")
 	}

-	if len(c.UnusedKeys) != 0 {
-		detectedUnknown("top-level", c.UnusedKeys)
+	if len(c.UnusedKeyPositions) != 0 {
+		detectedUnknown("top-level", c.UnusedKeyPositions)
 	}

-	if a := c.Agent; a != nil && len(a.UnusedKeys) != 0 {
-		detectedUnknown("agent", a.UnusedKeys)
+	if a := c.Agent; a != nil && len(a.UnusedKeyPositions) != 0 {
+		detectedUnknown("agent", a.UnusedKeyPositions)
 	}

 	// TODO: Re-enable unused key detection for telemetry. See
 	// https://github.com/spiffe/spire/issues/1101 for more information
 	//
-	// if len(c.Telemetry.UnusedKeys) != 0 {
-	//	detectedUnknown("telemetry", c.Telemetry.UnusedKeys)
+	// if len(c.Telemetry.UnusedKeyPositions) != 0 {
+	//	detectedUnknown("telemetry", c.Telemetry.UnusedKeyPositions)
 	// }

-	if p := c.Telemetry.Prometheus; p != nil && len(p.UnusedKeys) != 0 {
-		detectedUnknown("Prometheus", p.UnusedKeys)
+	if p := c.Telemetry.Prometheus; p != nil && len(p.UnusedKeyPositions) != 0 {
+		detectedUnknown("Prometheus", p.UnusedKeyPositions)
 	}

 	for _, v := range c.Telemetry.DogStatsd {
-		if len(v.UnusedKeys) != 0 {
-			detectedUnknown("DogStatsd", v.UnusedKeys)
+		if len(v.UnusedKeyPositions) != 0 {
+			detectedUnknown("DogStatsd", v.UnusedKeyPositions)
 		}
 	}

 	for _, v := range c.Telemetry.Statsd {
-		if len(v.UnusedKeys) != 0 {
-			detectedUnknown("Statsd", v.UnusedKeys)
+		if len(v.UnusedKeyPositions) != 0 {
+			detectedUnknown("Statsd", v.UnusedKeyPositions)
 		}
 	}

 	for _, v := range c.Telemetry.M3 {
-		if len(v.UnusedKeys) != 0 {
-			detectedUnknown("M3", v.UnusedKeys)
+		if len(v.UnusedKeyPositions) != 0 {
+			detectedUnknown("M3", v.UnusedKeyPositions)
 		}
 	}

-	if p := c.Telemetry.InMem; p != nil && len(p.UnusedKeys) != 0 {
-		detectedUnknown("InMem", p.UnusedKeys)
+	if p := c.Telemetry.InMem; p != nil && len(p.UnusedKeyPositions) != 0 {
+		detectedUnknown("InMem", p.UnusedKeyPositions)
 	}

-	if len(c.HealthChecks.UnusedKeys) != 0 {
-		detectedUnknown("health check", c.HealthChecks.UnusedKeys)
+	if len(c.HealthChecks.UnusedKeyPositions) != 0 {
+		detectedUnknown("health check", c.HealthChecks.UnusedKeyPositions)
 	}

 	return err
@ -577,9 +633,10 @@ func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) {
 func defaultConfig() *Config {
 	c := &Config{
 		Agent: &agentConfig{
-			DataDir:   defaultDataDir,
-			LogLevel:  defaultLogLevel,
-			LogFormat: log.DefaultFormat,
+			DataDir:           defaultDataDir,
+			LogLevel:          defaultLogLevel,
+			LogFormat:         log.DefaultFormat,
+			TrustBundleFormat: trustbundlesources.BundleFormatPEM,
 			SDS: sdsConfig{
 				DefaultBundleName:           defaultDefaultBundleName,
 				DefaultSVIDName:             defaultDefaultSVIDName,
@ -592,16 +649,3 @@ func defaultConfig() *Config {

 	return c
 }
-
-func parseTrustBundle(path string) ([]*x509.Certificate, error) {
-	bundle, err := pemutil.LoadCertificates(path)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(bundle) == 0 {
-		return nil, errors.New("no certificates found in trust bundle")
-	}
-
-	return bundle, nil
-}
--- a/cmd/spire-agent/cli/run/run_posix.go
+++ b/cmd/spire-agent/cli/run/run_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package run

--- a/cmd/spire-agent/cli/run/run_posix_test.go
+++ b/cmd/spire-agent/cli/run/run_posix_test.go
@ -1,19 +1,149 @@
 //go:build !windows
-// +build !windows

 package run

 import (
 	"bytes"
+	"fmt"
 	"os"
+	"path"
 	"testing"

-	"github.com/hashicorp/hcl/hcl/printer"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/common/catalog"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/fflag"
+	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/unix"
 )

+func TestCommand_Run(t *testing.T) {
+	testTempDir := t.TempDir()
+	testDataDir := fmt.Sprintf("%s/data", testTempDir)
+	testAgentSocketDir := fmt.Sprintf("%s/spire-agent", testTempDir)
+
+	type fields struct {
+		logOptions         []log.Option
+		env                *commoncli.Env
+		allowUnknownConfig bool
+	}
+	type args struct {
+		args []string
+	}
+	type want struct {
+		code               int
+		dataDirCreated     bool
+		agentUdsDirCreated bool
+		stderrContent      string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   want
+	}{
+		{
+			name: "don't create any dir when error loading nonexistent config",
+			args: args{
+				args: []string{},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:               1,
+				agentUdsDirCreated: false,
+				dataDirCreated:     false,
+				stderrContent:      "could not find config file",
+			},
+		},
+		{
+			name: "don't create any dir when error loading invalid config",
+			args: args{
+				args: []string{
+					"-config", "../../../../test/fixture/config/agent_run_posix.conf",
+					"-namedPipeName", "\\spire-agent\\public\\api",
+				},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:               1,
+				agentUdsDirCreated: false,
+				dataDirCreated:     false,
+				stderrContent:      "flag provided but not defined: -namedPipeName",
+			},
+		},
+		{
+			name: "creates spire-agent uds and data dirs",
+			args: args{
+				args: []string{
+					"-config", "../../../../test/fixture/config/agent_run_posix.conf",
+					"-trustBundle", "../../../../conf/agent/dummy_root_ca.crt",
+					"-dataDir", testDataDir,
+					"-socketPath", fmt.Sprintf("%s/spire-agent/api.sock", testTempDir),
+				},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:               1,
+				agentUdsDirCreated: true,
+				dataDirCreated:     true,
+			},
+		},
+	}
+	for _, testCase := range tests {
+		t.Run(testCase.name, func(t *testing.T) {
+			_ = fflag.Unload()
+			os.RemoveAll(testDataDir)
+
+			cmd := &Command{
+				logOptions:         testCase.fields.logOptions,
+				env:                testCase.fields.env,
+				allowUnknownConfig: testCase.fields.allowUnknownConfig,
+			}
+
+			code := cmd.Run(testCase.args.args)
+
+			assert.Equal(t, testCase.want.code, code)
+			if testCase.want.stderrContent == "" {
+				assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String())
+			} else {
+				assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent)
+			}
+			if testCase.want.agentUdsDirCreated {
+				assert.DirExistsf(t, testAgentSocketDir, "spire-agent uds dir should be created")
+				currentUmask := unix.Umask(0)
+				assert.Equalf(t, currentUmask, 0o027, "spire-agent process should be created with 0027 umask")
+			} else {
+				assert.NoDirExistsf(t, testAgentSocketDir, "spire-agent uds dir should not be created")
+			}
+			if testCase.want.dataDirCreated {
+				assert.DirExistsf(t, testDataDir, "expected data directory to be created")
+			} else {
+				assert.NoDirExistsf(t, testDataDir, "expected data directory to not be created")
+			}
+		})
+	}
+}
+
 func TestParseFlagsGood(t *testing.T) {
 	c, err := parseFlags("run", []string{
 		"-dataDir=.",
@ -51,38 +181,40 @@ func TestParseConfigGood(t *testing.T) {
 	assert.Equal(t, true, c.Agent.AllowUnauthenticatedVerifiers)
 	assert.Equal(t, []string{"c1", "c2", "c3"}, c.Agent.AllowedForeignJWTClaims)

+	// Parse/reprint cycle trims outer whitespace
+	const data = `join_token = "PLUGIN-AGENT-NOT-A-SECRET"`
+
 	// Check for plugins configurations
-	pluginConfigs := *c.Plugins
-	expectedData := "join_token = \"PLUGIN-AGENT-NOT-A-SECRET\""
-	var data bytes.Buffer
-	err = printer.DefaultConfig.Fprint(&data, pluginConfigs["plugin_type_agent"]["plugin_name_agent"].PluginData)
-	assert.NoError(t, err)
+	expectedPluginConfigs := catalog.PluginConfigs{
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_name_agent",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   false,
+		},
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_disabled",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   true,
+		},
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_enabled",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FileData("plugin.conf"),
+			Disabled:   false,
+		},
+	}

-	assert.Len(t, pluginConfigs, 1)
-	assert.Len(t, pluginConfigs["plugin_type_agent"], 3)
-
-	pluginConfig := pluginConfigs["plugin_type_agent"]["plugin_name_agent"]
-	assert.Nil(t, pluginConfig.Enabled)
-	assert.Equal(t, true, pluginConfig.IsEnabled())
-	assert.Equal(t, "pluginAgentChecksum", pluginConfig.PluginChecksum)
-	assert.Equal(t, "./pluginAgentCmd", pluginConfig.PluginCmd)
-	assert.Equal(t, data.String(), expectedData)
-
-	// Disabled plugin
-	pluginConfig = pluginConfigs["plugin_type_agent"]["plugin_disabled"]
-	assert.NotNil(t, pluginConfig.Enabled)
-	assert.Equal(t, false, pluginConfig.IsEnabled())
-	assert.Equal(t, "pluginAgentChecksum", pluginConfig.PluginChecksum)
-	assert.Equal(t, "./pluginAgentCmd", pluginConfig.PluginCmd)
-	assert.Equal(t, data.String(), expectedData)
-
-	// Enabled plugin
-	pluginConfig = pluginConfigs["plugin_type_agent"]["plugin_enabled"]
-	assert.NotNil(t, pluginConfig.Enabled)
-	assert.Equal(t, true, pluginConfig.IsEnabled())
-	assert.Equal(t, "pluginAgentChecksum", pluginConfig.PluginChecksum)
-	assert.Equal(t, "./pluginAgentCmd", pluginConfig.PluginCmd)
-	assert.Equal(t, data.String(), expectedData)
+	pluginConfigs, err := catalog.PluginConfigsFromHCLNode(c.Plugins)
+	require.NoError(t, err)
+	require.Equal(t, expectedPluginConfigs, pluginConfigs)
 }

 func mergeInputCasesOS() []mergeInputCase {
@ -106,7 +238,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "socket_path should be configuable by CLI flag",
+			msg:       "socket_path should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.SocketPath = "foo"
@ -140,7 +272,9 @@ func mergeInputCasesOS() []mergeInputCase {
 	}
 }

-func newAgentConfigCasesOS() []newAgentConfigCase {
+func newAgentConfigCasesOS(t *testing.T) []newAgentConfigCase {
+	testDir := t.TempDir()
+
 	return []newAgentConfigCase{
 		{
 			msg: "socket_path should be correctly configured",
@ -163,7 +297,7 @@ func newAgentConfigCasesOS() []newAgentConfigCase {
 			},
 		},
 		{
-			msg: "admin_socket_path configured with similar folther that socket_path",
+			msg: "admin_socket_path configured with similar folder that socket_path",
 			input: func(c *Config) {
 				c.Agent.SocketPath = "/tmp/workload/workload.sock"
 				c.Agent.AdminSocketPath = "/tmp/workload-admin/admin.sock"
@ -228,5 +362,15 @@ func newAgentConfigCasesOS() []newAgentConfigCase {
 				require.Nil(t, c.AdminBindAddress)
 			},
 		},
+		{
+			msg: "log_file allows to reopen",
+			input: func(c *Config) {
+				c.Agent.LogFile = path.Join(testDir, "foo")
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.NotNil(t, c.Log)
+				require.NotNil(t, c.LogReopener)
+			},
+		},
 	}
 }
--- a/cmd/spire-agent/cli/run/run_test.go
+++ b/cmd/spire-agent/cli/run/run_test.go
@ -2,19 +2,18 @@ package run

 import (
 	"io"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"

+	"github.com/hashicorp/hcl/hcl/ast"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/spiffe/spire/pkg/agent"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
-	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/util"
@ -30,74 +29,12 @@ type mergeInputCase struct {
 }

 type newAgentConfigCase struct {
-	msg         string
-	expectError bool
-	input       func(*Config)
-	logOptions  func(t *testing.T) []log.Option
-	test        func(*testing.T, *agent.Config)
-}
-
-func TestDownloadTrustBundle(t *testing.T) {
-	testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
-	cases := []struct {
-		msg          string
-		status       int
-		fileContents string
-		expectError  bool
-	}{
-		{
-			msg:          "if URL is not found, should be an error",
-			status:       http.StatusNotFound,
-			fileContents: "",
-			expectError:  true,
-		},
-		{
-			msg:          "if URL returns error 500, should be an error",
-			status:       http.StatusInternalServerError,
-			fileContents: "",
-			expectError:  true,
-		},
-		{
-			msg:          "if file is not parseable, should be an error",
-			status:       http.StatusOK,
-			fileContents: "NON PEM PARSEABLE TEXT HERE",
-			expectError:  true,
-		},
-		{
-			msg:          "if file is empty, should be error",
-			status:       http.StatusOK,
-			fileContents: "",
-			expectError:  true,
-		},
-		{
-			msg:          "if file is valid, should be error",
-			status:       http.StatusOK,
-			fileContents: string(testTB),
-			expectError:  false,
-		},
-	}
-
-	for _, testCase := range cases {
-		testCase := testCase
-
-		t.Run(testCase.msg, func(t *testing.T) {
-			testServer := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
-					w.WriteHeader(testCase.status)
-					_, _ = io.WriteString(w, testCase.fileContents)
-					// if err != nil {
-					// 	return
-					// }
-				}))
-			defer testServer.Close()
-			_, err := downloadTrustBundle(testServer.URL)
-			if testCase.expectError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
+	msg                string
+	expectError        bool
+	requireErrorPrefix string
+	input              func(*Config)
+	logOptions         func(t *testing.T) []log.Option
+	test               func(*testing.T, *agent.Config)
 }

 func TestMergeInput(t *testing.T) {
@ -368,6 +305,46 @@ func TestMergeInput(t *testing.T) {
 				require.Equal(t, "DEBUG", c.Agent.LogLevel)
 			},
 		},
+		{
+			msg:       "log_source_location should default to false if not set",
+			fileInput: func(c *Config) {},
+			cliInput:  func(c *agentConfig) {},
+			test: func(t *testing.T, c *Config) {
+				require.False(t, c.Agent.LogSourceLocation)
+			},
+		},
+		{
+			msg: "log_source_location should be configurable by file",
+			fileInput: func(c *Config) {
+				c.Agent.LogSourceLocation = true
+			},
+			cliInput: func(c *agentConfig) {},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.LogSourceLocation)
+			},
+		},
+		{
+			msg:       "log_source_location should be configurable by CLI flag",
+			fileInput: func(c *Config) {},
+			cliInput: func(c *agentConfig) {
+				c.LogSourceLocation = true
+			},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.LogSourceLocation)
+			},
+		},
+		{
+			msg: "log_source_location specified by CLI flag should take precedence over file",
+			fileInput: func(c *Config) {
+				c.Agent.LogSourceLocation = false
+			},
+			cliInput: func(c *agentConfig) {
+				c.LogSourceLocation = true
+			},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.LogSourceLocation)
+			},
+		},
 		{
 			msg:       "server_address should not have a default value",
 			fileInput: func(c *Config) {},
@ -523,12 +500,20 @@ func TestMergeInput(t *testing.T) {
 				require.Equal(t, "bar", c.Agent.TrustDomain)
 			},
 		},
+		{
+			msg: "require_pq_kem should be configurable by file",
+			fileInput: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			cliInput: func(c *agentConfig) {},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.Experimental.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, mergeInputCasesOS()...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Agent: &agentConfig{}}
 		cliInput := &agentConfig{}

@ -581,16 +566,39 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.False(t, c.InsecureBootstrap)
+				require.False(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
 			msg: "insecure_bootstrap should be correctly set to true",
 			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				// because trust_bundle_path and insecure_bootstrap cannot be set at the same time
+				c.Agent.TrustBundlePath = ""
 				c.Agent.InsecureBootstrap = true
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.True(t, c.InsecureBootstrap)
+				require.True(t, c.TrustBundleSources.GetInsecureBootstrap())
+			},
+		},
+		{
+			msg: "retry_bootstrap should be correctly set to false",
+			input: func(c *Config) {
+				rb := false
+				c.Agent.RetryBootstrap = &rb
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.False(t, c.RetryBootstrap)
+			},
+		},
+		{
+			msg: "retry_bootstrap should be correctly set to true",
+			input: func(c *Config) {
+				rb := true
+				c.Agent.RetryBootstrap = &rb
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.True(t, c.RetryBootstrap)
 			},
 		},
 		{
@ -640,8 +648,9 @@ func TestNewAgentConfig(t *testing.T) {
 			},
 		},
 		{
-			msg:         "trust_bundle_path and trust_bundle_url cannot both be set",
-			expectError: true,
+			msg:                "trust_bundle_path and trust_bundle_url cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of trust_bundle_url or trust_bundle_path can be specified, not both",
 			input: func(c *Config) {
 				c.Agent.TrustBundlePath = "foo"
 				c.Agent.TrustBundleURL = "foo2"
@ -651,10 +660,111 @@ func TestNewAgentConfig(t *testing.T) {
 			},
 		},
 		{
-			msg:         "insecure_bootstrap and trust_bundle_url cannot both be set",
-			expectError: true,
+			msg:                "insecure_bootstrap and trust_bundle_path cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap or trust_bundle_path can be specified, not both",
 			input: func(c *Config) {
+				c.Agent.TrustBundlePath = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "insecure_bootstrap and trust_bundle_url cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap or trust_bundle_url can be specified, not both",
+			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
 				c.Agent.TrustBundleURL = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "insecure_bootstrap, trust_bundle_url, trust_bundle_path cannot be set at the same time",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap, trust_bundle_url, or trust_bundle_path can be specified, not the three options",
+			input: func(c *Config) {
+				c.Agent.TrustBundlePath = "bar"
+				c.Agent.TrustBundleURL = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set",
+			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = ""
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url must start with https://",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with https://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url must start with http:// when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with http://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spiffe- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spiffe-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spiffe-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spire- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spire-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spire-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
@ -730,7 +840,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is set",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 100
+				c.Agent.X509SVIDCacheMaxSize = 100
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 100, c.X509SVIDCacheMaxSize)
@ -747,7 +857,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is zero",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 0
+				c.Agent.X509SVIDCacheMaxSize = 0
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 0, c.X509SVIDCacheMaxSize)
@ -757,7 +867,7 @@ func TestNewAgentConfig(t *testing.T) {
 			msg:         "x509_svid_cache_max_size is negative",
 			expectError: true,
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = -10
+				c.Agent.X509SVIDCacheMaxSize = -10
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.Nil(t, c)
@ -808,7 +918,7 @@ func TestNewAgentConfig(t *testing.T) {
 						t.Cleanup(func() {
 							spiretest.AssertLogsContainEntries(t, hook.AllEntries(), []spiretest.LogEntry{
 								{
-									Data:  map[string]interface{}{"trust_domain": strings.Repeat("a", 256)},
+									Data:  map[string]any{"trust_domain": strings.Repeat("a", 256)},
 									Level: logrus.WarnLevel,
 									Message: "Configured trust domain name should be less than 255 characters to be " +
 										"SPIFFE compliant; a longer trust domain name may impact interoperability",
@ -823,11 +933,45 @@ func TestNewAgentConfig(t *testing.T) {
 				assert.NotNil(t, c)
 			},
 		},
-	}
-	cases = append(cases, newAgentConfigCasesOS()...)
-	for _, testCase := range cases {
-		testCase := testCase
+		{
+			msg: "availability_target parses a duration",
+			input: func(c *Config) {
+				c.Agent.AvailabilityTarget = "24h"
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.EqualValues(t, 24*time.Hour, c.AvailabilityTarget)
+			},
+		},
+		{
+			msg:         "availability_target is too short",
+			expectError: true,
+			input: func(c *Config) {
+				c.Agent.AvailabilityTarget = "1h"
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},

+		{
+			msg:   "require PQ KEM is disabled (default)",
+			input: func(c *Config) {},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, false, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+		{
+			msg: "require PQ KEM is enabled",
+			input: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, true, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+	}
+	cases = append(cases, newAgentConfigCasesOS(t)...)
+	for _, testCase := range cases {
 		input := defaultValidConfig()

 		testCase.input(input)
@ -841,6 +985,9 @@ func TestNewAgentConfig(t *testing.T) {
 			ac, err := NewAgentConfig(input, logOpts, false)
 			if testCase.expectError {
 				require.Error(t, err)
+				if testCase.requireErrorPrefix != "" {
+					spiretest.RequireErrorPrefix(t, err, testCase.requireErrorPrefix)
+				}
 			} else {
 				require.NoError(t, err)
 			}
@ -861,7 +1008,7 @@ func defaultValidConfig() *Config {
 	c.Agent.TrustBundlePath = path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt")
 	c.Agent.TrustDomain = "example.org"

-	c.Plugins = &catalog.HCLPluginConfigMap{}
+	c.Plugins = &ast.ObjectList{}

 	return c
 }
@ -987,8 +1134,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

--- a/cmd/spire-agent/cli/run/run_windows.go
+++ b/cmd/spire-agent/cli/run/run_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package run

@ -44,7 +43,7 @@ func (c *agentConfig) validateOS() error {
 	return nil
 }

-func prepareEndpoints(c *agent.Config) error {
+func prepareEndpoints(*agent.Config) error {
 	// Nothing to do in this platform
 	return nil
 }
--- a/cmd/spire-agent/cli/run/run_windows_test.go
+++ b/cmd/spire-agent/cli/run/run_windows_test.go
@ -1,20 +1,135 @@
 //go:build windows
-// +build windows

 package run

 import (
 	"bytes"
+	"fmt"
 	"os"
 	"testing"

-	"github.com/hashicorp/hcl/hcl/printer"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/common/catalog"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/fflag"
+	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/spiffe/spire/pkg/common/namedpipe"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

+func TestCommand_Run(t *testing.T) {
+	testTempDir := t.TempDir()
+	testDataDir := fmt.Sprintf("%s/data", testTempDir)
+
+	type fields struct {
+		logOptions         []log.Option
+		env                *commoncli.Env
+		allowUnknownConfig bool
+	}
+	type args struct {
+		args []string
+	}
+	type want struct {
+		code           int
+		stderrContent  string
+		dataDirCreated bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   want
+	}{
+		{
+			name: "don't create any dir when error loading nonexistent config",
+			args: args{
+				args: []string{},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:           1,
+				dataDirCreated: false,
+				stderrContent:  "could not find config file",
+			},
+		},
+		{
+			name: "don't create any dir when error loading invalid config",
+			args: args{
+				args: []string{
+					"-config", "../../../../test/fixture/config/agent_run_windows.conf",
+					"-socketPath", "unix:///tmp/agent.sock",
+				},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:           1,
+				dataDirCreated: false,
+				stderrContent:  "flag provided but not defined: -socketPath",
+			},
+		},
+		{
+			name: "create data dir and uses named pipe",
+			args: args{
+				args: []string{
+					"-config", "../../../../test/fixture/config/agent_run_windows.conf",
+					"-dataDir", testDataDir,
+					"-namedPipeName", "\\spire-agent\\public\\api",
+				},
+			},
+			fields: fields{
+				logOptions: []log.Option{},
+				env: &commoncli.Env{
+					Stderr: new(bytes.Buffer),
+				},
+				allowUnknownConfig: false,
+			},
+			want: want{
+				code:           1,
+				dataDirCreated: true,
+			},
+		},
+	}
+	for _, testCase := range tests {
+		t.Run(testCase.name, func(t *testing.T) {
+			_ = fflag.Unload()
+			os.RemoveAll(testTempDir)
+
+			cmd := &Command{
+				logOptions:         testCase.fields.logOptions,
+				env:                testCase.fields.env,
+				allowUnknownConfig: testCase.fields.allowUnknownConfig,
+			}
+
+			result := cmd.Run(testCase.args.args)
+
+			assert.Equal(t, testCase.want.code, result)
+			if testCase.want.stderrContent == "" {
+				assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String())
+			} else {
+				assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent)
+			}
+			if testCase.want.dataDirCreated {
+				assert.DirExistsf(t, testDataDir, "expected data directory to be created")
+			} else {
+				assert.NoDirExistsf(t, testDataDir, "expected data directory to not be created")
+			}
+		})
+	}
+}
+
 func TestParseFlagsGood(t *testing.T) {
 	c, err := parseFlags("run", []string{
 		"-dataDir=.",
@ -52,38 +167,40 @@ func TestParseConfigGood(t *testing.T) {
 	assert.Equal(t, true, c.Agent.AllowUnauthenticatedVerifiers)
 	assert.Equal(t, []string{"c1", "c2", "c3"}, c.Agent.AllowedForeignJWTClaims)

+	// Parse/reprint cycle trims outer whitespace
+	const data = `join_token = "PLUGIN-AGENT-NOT-A-SECRET"`
+
 	// Check for plugins configurations
-	pluginConfigs := *c.Plugins
-	expectedData := "join_token = \"PLUGIN-AGENT-NOT-A-SECRET\""
-	var data bytes.Buffer
-	err = printer.DefaultConfig.Fprint(&data, pluginConfigs["plugin_type_agent"]["plugin_name_agent"].PluginData)
-	assert.NoError(t, err)
+	expectedPluginConfigs := catalog.PluginConfigs{
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_name_agent",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   false,
+		},
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_disabled",
+			Path:       ".\\pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   true,
+		},
+		{
+			Type:       "plugin_type_agent",
+			Name:       "plugin_enabled",
+			Path:       "c:/temp/pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FileData("plugin.conf"),
+			Disabled:   false,
+		},
+	}

-	assert.Len(t, pluginConfigs, 1)
-	assert.Len(t, pluginConfigs["plugin_type_agent"], 3)
-
-	pluginConfig := pluginConfigs["plugin_type_agent"]["plugin_name_agent"]
-	assert.Nil(t, pluginConfig.Enabled)
-	assert.Equal(t, pluginConfig.IsEnabled(), true)
-	assert.Equal(t, pluginConfig.PluginChecksum, "pluginAgentChecksum")
-	assert.Equal(t, pluginConfig.PluginCmd, "./pluginAgentCmd")
-	assert.Equal(t, expectedData, data.String())
-
-	// Disabled plugin
-	pluginConfig = pluginConfigs["plugin_type_agent"]["plugin_disabled"]
-	assert.NotNil(t, pluginConfig.Enabled)
-	assert.Equal(t, pluginConfig.IsEnabled(), false)
-	assert.Equal(t, pluginConfig.PluginChecksum, "pluginAgentChecksum")
-	assert.Equal(t, pluginConfig.PluginCmd, ".\\pluginAgentCmd")
-	assert.Equal(t, expectedData, data.String())
-
-	// Enabled plugin
-	pluginConfig = pluginConfigs["plugin_type_agent"]["plugin_enabled"]
-	assert.NotNil(t, pluginConfig.Enabled)
-	assert.Equal(t, pluginConfig.IsEnabled(), true)
-	assert.Equal(t, pluginConfig.PluginChecksum, "pluginAgentChecksum")
-	assert.Equal(t, pluginConfig.PluginCmd, "c:/temp/pluginAgentCmd")
-	assert.Equal(t, expectedData, data.String())
+	pluginConfigs, err := catalog.PluginConfigsFromHCLNode(c.Plugins)
+	require.NoError(t, err)
+	require.Equal(t, expectedPluginConfigs, pluginConfigs)
 }

 func mergeInputCasesOS() []mergeInputCase {
@ -107,7 +224,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "named_pipe_name should be configuable by CLI flag",
+			msg:       "named_pipe_name should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.Experimental.NamedPipeName = "foo"
@ -141,7 +258,7 @@ func mergeInputCasesOS() []mergeInputCase {
 	}
 }

-func newAgentConfigCasesOS() []newAgentConfigCase {
+func newAgentConfigCasesOS(*testing.T) []newAgentConfigCase {
 	return []newAgentConfigCase{
 		{
 			msg: "named_pipe_name should be correctly configured",
--- a/cmd/spire-agent/main.go
+++ b/cmd/spire-agent/main.go
@ -4,8 +4,9 @@ import (
 	"os"

 	"github.com/spiffe/spire/cmd/spire-agent/cli"
+	"github.com/spiffe/spire/pkg/common/entrypoint"
 )

 func main() {
-	os.Exit(new(cli.CLI).Run(os.Args[1:]))
+	os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main())
 }
--- a/cmd/spire-server/cli/agent/agent_posix_test.go
+++ b/cmd/spire-server/cli/agent/agent_posix_test.go
@ -1,15 +1,76 @@
 //go:build !windows
-// +build !windows

 package agent_test

 var (
+	purgeUsage = `Usage of agent purge:
+  -dryRun
+    	Indicates that the command will not perform any action, but will print the agents that would be purged.
+  -expiredFor duration
+    	Amount of time that has passed since the agent's SVID has expired. It is used to determine which agents to purge. (default 720h0m0s)
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
 	listUsage = `Usage of agent list:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
  -matchSelectorsOn string
    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
  -selector value
    	A colon-delimited type:value selector. Can be used more than once
  -socketPath string
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	banUsage = `Usage of agent ban:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+  -spiffeID string
+    	The SPIFFE ID of the agent to ban (agent identity)
+`
+	evictUsage = `Usage of agent evict:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+  -spiffeID string
+    	The SPIFFE ID of the agent to evict (agent identity)
+`
+	countUsage = `Usage of agent count:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	showUsage = `Usage of agent show:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+  -spiffeID string
+    	The SPIFFE ID of the agent to show (agent identity)
 `
 )
--- a/cmd/spire-server/cli/agent/agent_test.go
+++ b/cmd/spire-server/cli/agent/agent_test.go
@ -3,26 +3,29 @@ package agent_test
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"testing"
-
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
+	"time"

 	"github.com/mitchellh/cli"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/cli/agent"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 var (
 	testAgents = []*types.Agent{
-		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent1"}},
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent1"}, CanReattest: true},
 	}
 	testAgentsWithBanned = []*types.Agent{
 		{
@ -40,16 +43,15 @@ var (
 			},
 		},
 	}
+	availableFormats = []string{"pretty", "json"}
 )

 type agentTest struct {
 	stdin  *bytes.Buffer
 	stdout *bytes.Buffer
 	stderr *bytes.Buffer
-
 	args   []string
 	server *fakeAgentServer
-
 	client cli.Command
 }

@ -64,26 +66,25 @@ func TestBanHelp(t *testing.T) {
 	test := setupTest(t, agent.NewBanCommandWithEnv)

 	test.client.Help()
-	require.Equal(t, `Usage of agent ban:`+common.AddrUsage+
-		`  -spiffeID string
-    	The SPIFFE ID of the agent to ban (agent identity)
-`, test.stderr.String())
+	require.Equal(t, banUsage, test.stderr.String())
 }

 func TestBan(t *testing.T) {
 	for _, tt := range []struct {
-		name             string
-		args             []string
-		expectReturnCode int
-		expectStdout     string
-		expectStderr     string
-		serverErr        error
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
 	}{
 		{
-			name:             "success",
-			args:             []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
-			expectReturnCode: 0,
-			expectStdout:     "Agent banned successfully\n",
+			name:               "success",
+			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
+			expectReturnCode:   0,
+			expectStdoutPretty: "Agent banned successfully\n",
+			expectStdoutJSON:   "{}",
 		},
 		{
 			name:             "no spiffe id",
@ -91,10 +92,13 @@ func TestBan(t *testing.T) {
 			expectStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -104,16 +108,20 @@ func TestBan(t *testing.T) {
 			expectStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, agent.NewBanCommandWithEnv)
-			test.server.err = tt.serverErr
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewBanCommandWithEnv)
+				test.server.err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)

-			returnCode := test.client.Run(append(test.args, tt.args...))
-			require.Equal(t, tt.expectStdout, test.stdout.String())
-			require.Equal(t, tt.expectStderr, test.stderr.String())
-			require.Equal(t, tt.expectReturnCode, returnCode)
-		})
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
 	}
 }

@ -121,26 +129,25 @@ func TestEvictHelp(t *testing.T) {
 	test := setupTest(t, agent.NewEvictCommandWithEnv)

 	test.client.Help()
-	require.Equal(t, `Usage of agent evict:`+common.AddrUsage+
-		`  -spiffeID string
-    	The SPIFFE ID of the agent to evict (agent identity)
-`, test.stderr.String())
+	require.Equal(t, evictUsage, test.stderr.String())
 }

 func TestEvict(t *testing.T) {
 	for _, tt := range []struct {
-		name               string
-		args               []string
-		expectedReturnCode int
-		expectedStdout     string
-		expectedStderr     string
-		serverErr          error
+		name                 string
+		args                 []string
+		expectedReturnCode   int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		serverErr            error
 	}{
 		{
-			name:               "success",
-			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
-			expectedReturnCode: 0,
-			expectedStdout:     "Agent evicted successfully\n",
+			name:                 "success",
+			args:                 []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
+			expectedReturnCode:   0,
+			expectedStdoutPretty: "Agent evicted successfully\n",
+			expectedStdoutJSON:   "{}",
 		},
 		{
 			name:               "no spiffe id",
@ -148,10 +155,13 @@ func TestEvict(t *testing.T) {
 			expectedStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "server error",
@ -161,16 +171,20 @@ func TestEvict(t *testing.T) {
 			expectedStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, agent.NewEvictCommandWithEnv)
-			test.server.err = tt.serverErr
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewEvictCommandWithEnv)
+				test.server.deleteErr = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)

-			returnCode := test.client.Run(append(test.args, tt.args...))
-			require.Equal(t, tt.expectedStdout, test.stdout.String())
-			require.Equal(t, tt.expectedStderr, test.stderr.String())
-			require.Equal(t, tt.expectedReturnCode, returnCode)
-		})
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, tt.expectedStderr, test.stderr.String())
+				require.Equal(t, tt.expectedReturnCode, returnCode)
+			})
+		}
 	}
 }

@ -178,29 +192,32 @@ func TestCountHelp(t *testing.T) {
 	test := setupTest(t, agent.NewCountCommandWithEnv)

 	test.client.Help()
-	require.Equal(t, `Usage of agent count:`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, countUsage, test.stderr.String())
 }

 func TestCount(t *testing.T) {
 	for _, tt := range []struct {
-		name               string
-		args               []string
-		expectedReturnCode int
-		expectedStdout     string
-		expectedStderr     string
-		existentAgents     []*types.Agent
-		serverErr          error
+		name                 string
+		args                 []string
+		expectedReturnCode   int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		existentAgents       []*types.Agent
+		serverErr            error
 	}{
 		{
-			name:               "0 agents",
-			expectedReturnCode: 0,
-			expectedStdout:     "0 attested agents",
+			name:                 "0 agents",
+			expectedReturnCode:   0,
+			expectedStdoutPretty: "0 attested agents",
+			expectedStdoutJSON:   `{"count":0}`,
 		},
 		{
-			name:               "count 1 agent",
-			expectedReturnCode: 0,
-			expectedStdout:     "1 attested agent",
-			existentAgents:     testAgents,
+			name:                 "count 1 agent",
+			expectedReturnCode:   0,
+			expectedStdoutPretty: "1 attested agent",
+			expectedStdoutJSON:   `{"count":1}`,
+			existentAgents:       testAgents,
 		},
 		{
 			name:               "server error",
@ -210,21 +227,32 @@ func TestCount(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
+		},
+		{
+			name:               "Count by expiresBefore: month out of range",
+			args:               []string{"-expiresBefore", "2001-13-05"},
+			expectedReturnCode: 1,
+			expectedStderr:     "Error: date is not valid: parsing time \"2001-13-05\": month out of range\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, agent.NewCountCommandWithEnv)
-			test.server.agents = tt.existentAgents
-			test.server.err = tt.serverErr
-			returnCode := test.client.Run(append(test.args, tt.args...))
-			require.Contains(t, test.stdout.String(), tt.expectedStdout)
-			require.Equal(t, tt.expectedStderr, test.stderr.String())
-			require.Equal(t, tt.expectedReturnCode, returnCode)
-		})
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewCountCommandWithEnv)
+				test.server.agents = tt.existentAgents
+				test.server.err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, tt.expectedStderr, test.stderr.String())
+				require.Equal(t, tt.expectedReturnCode, returnCode)
+			})
+		}
 	}
 }

@ -237,20 +265,23 @@ func TestListHelp(t *testing.T) {

 func TestList(t *testing.T) {
 	for _, tt := range []struct {
-		name               string
-		args               []string
-		expectedReturnCode int
-		expectedStdout     string
-		expectedStderr     string
-		expectReq          *agentv1.ListAgentsRequest
-		existentAgents     []*types.Agent
-		serverErr          error
+		name                 string
+		args                 []string
+		expectedReturnCode   int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		expectReq            *agentv1.ListAgentsRequest
+		existentAgents       []*types.Agent
+		expectedFormat       string
+		serverErr            error
 	}{
 		{
-			name:               "1 agent",
-			expectedReturnCode: 0,
-			existentAgents:     testAgents,
-			expectedStdout:     "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			name:                 "1 agent",
+			expectedReturnCode:   0,
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 			expectReq: &agentv1.ListAgentsRequest{
 				Filter:   &agentv1.ListAgentsRequest_Filter{},
 				PageSize: 1000,
@ -259,6 +290,7 @@ func TestList(t *testing.T) {
 		{
 			name:               "no agents",
 			expectedReturnCode: 0,
+			expectedStdoutJSON: `{"agents":[],"next_page_token":""}`,
 			expectReq: &agentv1.ListAgentsRequest{
 				Filter:   &agentv1.ListAgentsRequest_Filter{},
 				PageSize: 1000,
@ -289,8 +321,9 @@ func TestList(t *testing.T) {
 				},
 				PageSize: 1000,
 			},
-			existentAgents: testAgents,
-			expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
 		{
 			name: "by selector: any matcher",
@ -307,8 +340,9 @@ func TestList(t *testing.T) {
 				},
 				PageSize: 1000,
 			},
-			existentAgents: testAgents,
-			expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
 		{
 			name: "by selector: exact matcher",
@ -325,8 +359,9 @@ func TestList(t *testing.T) {
 				},
 				PageSize: 1000,
 			},
-			existentAgents: testAgents,
-			expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
 		{
 			name: "by selector: superset matcher",
@ -343,8 +378,9 @@ func TestList(t *testing.T) {
 				},
 				PageSize: 1000,
 			},
-			existentAgents: testAgents,
-			expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
 		{
 			name: "by selector: subset matcher",
@ -361,8 +397,48 @@ func TestList(t *testing.T) {
 				},
 				PageSize: 1000,
 			},
-			existentAgents: testAgents,
-			expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
+		},
+		{
+			name: "by expiresBefore",
+			args: []string{"-expiresBefore", "2000-01-01 15:04:05 -0700 -07"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByExpiresBefore: "2000-01-01 15:04:05 -0700 -07",
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
+		},
+		{
+			name: "by banned",
+			args: []string{"-banned", "true"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByBanned: wrapperspb.Bool(true),
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgentsWithBanned,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/banned",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/banned"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":true,"can_reattest":false}],"next_page_token":""}`,
+		},
+		{
+			name: "by canReattest",
+			args: []string{"-canReattest", "true"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByCanReattest: wrapperspb.Bool(true),
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
 		{
 			name:               "List by selectors: Invalid matcher",
@ -378,23 +454,255 @@ func TestList(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
+		},
+		{
+			name:               "List by expiresBefore: month out of range",
+			args:               []string{"-expiresBefore", "2001-13-05"},
+			expectedReturnCode: 1,
+			expectedStderr:     "Error: date is not valid: parsing time \"2001-13-05\": month out of range\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, agent.NewListCommandWithEnv)
-			test.server.agents = tt.existentAgents
-			test.server.err = tt.serverErr
-			returnCode := test.client.Run(append(test.args, tt.args...))
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewListCommandWithEnv)
+				test.server.agents = tt.existentAgents
+				test.server.err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)

-			spiretest.RequireProtoEqual(t, tt.expectReq, test.server.gotListAgentRequest)
-			require.Contains(t, test.stdout.String(), tt.expectedStdout)
-			require.Equal(t, tt.expectedStderr, test.stderr.String())
-			require.Equal(t, tt.expectedReturnCode, returnCode)
-		})
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				spiretest.RequireProtoEqual(t, tt.expectReq, test.server.gotListAgentRequest)
+				require.Equal(t, tt.expectedStderr, test.stderr.String())
+				require.Equal(t, tt.expectedReturnCode, returnCode)
+			})
+		}
+	}
+}
+
+func TestPurgeHelp(t *testing.T) {
+	test := setupTest(t, agent.NewPurgeCommandWithEnv)
+
+	test.client.Help()
+	require.Equal(t, purgeUsage, test.stderr.String())
+}
+
+func TestPurge(t *testing.T) {
+	now := time.Now()
+	td := spiffeid.RequireTrustDomainFromString("example.org")
+
+	expiredAgents := []*types.Agent{
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent1"}, CanReattest: true, X509SvidExpiresAt: now.Add(-time.Hour).Unix()},
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent2"}, CanReattest: true, X509SvidExpiresAt: now.Add(-24 * time.Hour).Unix()},
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent3"}, CanReattest: true, X509SvidExpiresAt: now.Add(-720 * time.Hour).Unix()},
+	}
+	activeAgents := []*types.Agent{
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent6"}, CanReattest: true, X509SvidExpiresAt: now.Add(time.Hour).Unix()},
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent7"}, CanReattest: true, X509SvidExpiresAt: now.Add(2 * time.Hour).Unix()},
+		{Id: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/agent8"}, CanReattest: true, X509SvidExpiresAt: now.Add(3 * time.Hour).Unix()},
+	}
+
+	for _, tt := range []struct {
+		name                 string
+		args                 []string
+		expectedReturnCode   int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		expectListReq        *agentv1.ListAgentsRequest
+		expectDeleteReqs     []*agentv1.DeleteAgentRequest
+		existentAgents       []*types.Agent
+		expectedFormat       string
+		serverErr            error
+		deleteErr            error
+	}{
+		{
+			name:           "error listing agents",
+			args:           []string{},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			serverErr:          status.Error(codes.Internal, "some error"),
+			expectedStderr:     "Error: failed to list agents: rpc error: code = Internal desc = some error\n",
+			expectedReturnCode: 1,
+		},
+		{
+			name:               "malformed expiredFor flag",
+			args:               []string{"-expiredFor", "5d"},
+			existentAgents:     append(activeAgents, expiredAgents...),
+			expectedStderr:     `invalid value "5d" for flag -expiredFor: parse error`,
+			expectedReturnCode: 1,
+		},
+		{
+			name:           "error deleting expired agents",
+			args:           []string{"-expiredFor", "24h"},
+			existentAgents: append(activeAgents, expiredAgents...),
+			deleteErr:      status.Error(codes.Internal, "some error when deleting agent"),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectDeleteReqs: []*agentv1.DeleteAgentRequest{
+				{Id: expiredAgents[1].Id},
+				{Id: expiredAgents[2].Id},
+			},
+			expectedStdoutPretty: `Found 2 expired agents
+
+Agents not purged:
+SPIFFE ID         : spiffe://example.org/spire/agent/agent2
+Error             : rpc error: code = Internal desc = some error when deleting agent
+SPIFFE ID         : spiffe://example.org/spire/agent/agent3
+Error             : rpc error: code = Internal desc = some error when deleting agent
+`,
+			expectedStdoutJSON: fmt.Sprintf(
+				`[{"expired_agents":[
+{"agent_id":"%s","deleted":false,"error":"rpc error: code = Internal desc = some error when deleting agent"},
+{"agent_id":"%s","deleted":false,"error":"rpc error: code = Internal desc = some error when deleting agent"}
+]}]`,
+				spiffeid.RequireFromPath(td, expiredAgents[1].Id.Path).String(),
+				spiffeid.RequireFromPath(td, expiredAgents[2].Id.Path).String(),
+			),
+		},
+		{
+			name:           "no args using default expiration for purging agents that expired for one month",
+			args:           []string{},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectDeleteReqs: []*agentv1.DeleteAgentRequest{
+				{Id: expiredAgents[2].Id},
+			},
+			expectedStdoutPretty: `Found 1 expired agent
+
+Agents purged:
+SPIFFE ID         : spiffe://example.org/spire/agent/agent3
+`,
+			expectedStdoutJSON: fmt.Sprintf(
+				`[{"expired_agents":[{"agent_id":"%s","deleted":true}]}]`,
+				spiffeid.RequireFromPath(td, expiredAgents[2].Id.Path).String(),
+			),
+		},
+		{
+			name:           "providing expiration time for purging agents that has expired for 1 hour",
+			args:           []string{"-expiredFor", "1h"},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectDeleteReqs: []*agentv1.DeleteAgentRequest{
+				{Id: expiredAgents[0].Id},
+				{Id: expiredAgents[1].Id},
+				{Id: expiredAgents[2].Id},
+			},
+			expectedStdoutPretty: `Found 3 expired agents
+
+Agents purged:
+SPIFFE ID         : spiffe://example.org/spire/agent/agent1
+SPIFFE ID         : spiffe://example.org/spire/agent/agent2
+SPIFFE ID         : spiffe://example.org/spire/agent/agent3
+`,
+			expectedStdoutJSON: fmt.Sprintf(
+				`[{"expired_agents":[{"agent_id":"%s","deleted":true},{"agent_id":"%s","deleted":true},{"agent_id":"%s","deleted":true}]}]`,
+				spiffeid.RequireFromPath(td, expiredAgents[0].Id.Path).String(),
+				spiffeid.RequireFromPath(td, expiredAgents[1].Id.Path).String(),
+				spiffeid.RequireFromPath(td, expiredAgents[2].Id.Path).String(),
+			),
+		},
+		{
+			name:           "providing expiration time for purging agents that has expired for 2 hours",
+			args:           []string{"-expiredFor", "2h30m30s"},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectDeleteReqs: []*agentv1.DeleteAgentRequest{
+				{Id: expiredAgents[1].Id},
+				{Id: expiredAgents[2].Id},
+			},
+			expectedStdoutPretty: `Found 2 expired agents
+
+Agents purged:
+SPIFFE ID         : spiffe://example.org/spire/agent/agent2
+SPIFFE ID         : spiffe://example.org/spire/agent/agent3
+`,
+			expectedStdoutJSON: fmt.Sprintf(
+				`[{"expired_agents":[{"agent_id":"%s","deleted":true},{"agent_id":"%s","deleted":true}]}]`,
+				spiffeid.RequireFromPath(td, expiredAgents[1].Id.Path).String(),
+				spiffeid.RequireFromPath(td, expiredAgents[2].Id.Path).String(),
+			),
+		},
+		{
+			name:           "providing expiration time for purging agents that has expired for 2 months",
+			args:           []string{"-expiredFor", "1440h"},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectedStdoutPretty: `No agents to purge.`,
+			expectedStdoutJSON:   `[{"expired_agents":[]}]`,
+		},
+		{
+			name:           "using dry run",
+			args:           []string{"-dryRun", "-expiredFor", "24h"},
+			existentAgents: append(activeAgents, expiredAgents...),
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectedStdoutPretty: `Found 2 expired agents
+
+
+Agents that can be purged:
+SPIFFE ID         : spiffe://example.org/spire/agent/agent2
+SPIFFE ID         : spiffe://example.org/spire/agent/agent3
+`,
+			expectedStdoutJSON: fmt.Sprintf(
+				`[{"expired_agents":[{"agent_id":"%s","deleted":false},{"agent_id":"%s","deleted":false}]}]`,
+				spiffeid.RequireFromPath(td, expiredAgents[1].Id.Path).String(),
+				spiffeid.RequireFromPath(td, expiredAgents[2].Id.Path).String(),
+			),
+		},
+		{
+			name:           "no expired agent found",
+			args:           []string{},
+			existentAgents: activeAgents,
+			expectListReq: &agentv1.ListAgentsRequest{
+				Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+				OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+			},
+			expectedStdoutPretty: `No agents to purge.`,
+			expectedStdoutJSON:   `[{"expired_agents":[]}]`,
+		},
+	} {
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewPurgeCommandWithEnv)
+				test.server.agents = tt.existentAgents
+				test.server.err = tt.serverErr
+				test.server.deleteErr = tt.deleteErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				spiretest.RequireProtoEqual(t, tt.expectListReq, test.server.gotListAgentRequest)
+				spiretest.RequireProtoListEqual(t, tt.expectDeleteReqs, test.server.gotDeleteAgentRequests)
+				require.Contains(t, test.stderr.String(), tt.expectedStderr)
+				require.Equal(t, tt.expectedReturnCode, returnCode)
+			})
+		}
 	}
 }

@ -402,28 +710,27 @@ func TestShowHelp(t *testing.T) {
 	test := setupTest(t, agent.NewShowCommandWithEnv)

 	test.client.Help()
-	require.Equal(t, `Usage of agent show:`+common.AddrUsage+
-		`  -spiffeID string
-    	The SPIFFE ID of the agent to show (agent identity)
-`, test.stderr.String())
+	require.Equal(t, showUsage, test.stderr.String())
 }

 func TestShow(t *testing.T) {
 	for _, tt := range []struct {
-		name               string
-		args               []string
-		expectedReturnCode int
-		expectedStdout     string
-		expectedStderr     string
-		existentAgents     []*types.Agent
-		serverErr          error
+		name                 string
+		args                 []string
+		expectedReturnCode   int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		existentAgents       []*types.Agent
+		serverErr            error
 	}{
 		{
-			name:               "success",
-			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
-			expectedReturnCode: 0,
-			existentAgents:     testAgents,
-			expectedStdout:     "Found an attested agent given its SPIFFE ID\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			name:                 "success",
+			args:                 []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"},
+			expectedReturnCode:   0,
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found an attested agent given its SPIFFE ID\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}`,
 		},
 		{
 			name:               "no spiffe id",
@ -439,41 +746,50 @@ func TestShow(t *testing.T) {
 			expectedStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
-			name:               "show selectors",
-			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/agent2"},
-			existentAgents:     testAgentsWithSelectors,
-			expectedReturnCode: 0,
-			expectedStdout:     "Selectors         : k8s_psat:agent_ns:spire\nSelectors         : k8s_psat:agent_sa:spire-agent\nSelectors         : k8s_psat:cluster:demo-cluster",
+			name:                 "show selectors",
+			args:                 []string{"-spiffeID", "spiffe://example.org/spire/agent/agent2"},
+			existentAgents:       testAgentsWithSelectors,
+			expectedReturnCode:   0,
+			expectedStdoutPretty: "Selectors         : k8s_psat:agent_ns:spire\nSelectors         : k8s_psat:agent_sa:spire-agent\nSelectors         : k8s_psat:cluster:demo-cluster",
+			expectedStdoutJSON:   `{"id":{"trust_domain":"example.org","path":"/spire/agent/agent2"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[{"type":"k8s_psat","value":"agent_ns:spire"},{"type":"k8s_psat","value":"agent_sa:spire-agent"},{"type":"k8s_psat","value":"cluster:demo-cluster"}],"banned":false,"can_reattest":false}`,
 		},
 		{
-			name:               "show banned",
-			args:               []string{"-spiffeID", "spiffe://example.org/spire/agent/banned"},
-			existentAgents:     testAgentsWithBanned,
-			expectedReturnCode: 0,
-			expectedStdout:     "Banned            : true",
+			name:                 "show banned",
+			args:                 []string{"-spiffeID", "spiffe://example.org/spire/agent/banned"},
+			existentAgents:       testAgentsWithBanned,
+			expectedReturnCode:   0,
+			expectedStdoutPretty: "Banned            : true",
+			expectedStdoutJSON:   `{"id":{"trust_domain":"example.org","path":"/spire/agent/banned"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":true,"can_reattest":false}`,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, agent.NewShowCommandWithEnv)
-			test.server.err = tt.serverErr
-			test.server.agents = tt.existentAgents
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, agent.NewShowCommandWithEnv)
+				test.server.err = tt.serverErr
+				test.server.agents = tt.existentAgents
+				args := tt.args
+				args = append(args, "-output", format)

-			returnCode := test.client.Run(append(test.args, tt.args...))
-			require.Contains(t, test.stdout.String(), tt.expectedStdout)
-			require.Equal(t, tt.expectedStderr, test.stderr.String())
-			require.Equal(t, tt.expectedReturnCode, returnCode)
-		})
+				returnCode := test.client.Run(append(test.args, args...))
+
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, tt.expectedStderr, test.stderr.String())
+				require.Equal(t, tt.expectedReturnCode, returnCode)
+			})
+		}
 	}
 }

-func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agentTest {
+func setupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *agentTest {
 	server := &fakeAgentServer{}

 	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
@ -484,7 +800,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agent
 	stdout := new(bytes.Buffer)
 	stderr := new(bytes.Buffer)

-	client := newClient(&common_cli.Env{
+	client := newClient(&commoncli.Env{
 		Stdin:  stdin,
 		Stdout: stdout,
 		Stderr: stderr,
@ -494,7 +810,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agent
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
@ -509,36 +825,52 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agent
 type fakeAgentServer struct {
 	agentv1.UnimplementedAgentServer

-	agents              []*types.Agent
-	gotListAgentRequest *agentv1.ListAgentsRequest
-	err                 error
+	agents                 []*types.Agent
+	gotListAgentRequest    *agentv1.ListAgentsRequest
+	gotDeleteAgentRequests []*agentv1.DeleteAgentRequest
+	deleteErr              error
+	err                    error
 }

-func (s *fakeAgentServer) BanAgent(ctx context.Context, req *agentv1.BanAgentRequest) (*emptypb.Empty, error) {
+func (s *fakeAgentServer) BanAgent(context.Context, *agentv1.BanAgentRequest) (*emptypb.Empty, error) {
 	return &emptypb.Empty{}, s.err
 }

-func (s *fakeAgentServer) DeleteAgent(ctx context.Context, req *agentv1.DeleteAgentRequest) (*emptypb.Empty, error) {
-	return &emptypb.Empty{}, s.err
+func (s *fakeAgentServer) DeleteAgent(_ context.Context, req *agentv1.DeleteAgentRequest) (*emptypb.Empty, error) {
+	s.gotDeleteAgentRequests = append(s.gotDeleteAgentRequests, req)
+	return &emptypb.Empty{}, s.deleteErr
 }

-func (s *fakeAgentServer) CountAgents(ctx context.Context, req *agentv1.CountAgentsRequest) (*agentv1.CountAgentsResponse, error) {
+func (s *fakeAgentServer) CountAgents(context.Context, *agentv1.CountAgentsRequest) (*agentv1.CountAgentsResponse, error) {
 	return &agentv1.CountAgentsResponse{
 		Count: int32(len(s.agents)),
 	}, s.err
 }

-func (s *fakeAgentServer) ListAgents(ctx context.Context, req *agentv1.ListAgentsRequest) (*agentv1.ListAgentsResponse, error) {
+func (s *fakeAgentServer) ListAgents(_ context.Context, req *agentv1.ListAgentsRequest) (*agentv1.ListAgentsResponse, error) {
 	s.gotListAgentRequest = req
 	return &agentv1.ListAgentsResponse{
 		Agents: s.agents,
 	}, s.err
 }

-func (s *fakeAgentServer) GetAgent(ctx context.Context, req *agentv1.GetAgentRequest) (*types.Agent, error) {
+func (s *fakeAgentServer) GetAgent(context.Context, *agentv1.GetAgentRequest) (*types.Agent, error) {
 	if len(s.agents) > 0 {
 		return s.agents[0], s.err
 	}

 	return nil, s.err
 }
+
+func requireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
--- a/cmd/spire-server/cli/agent/agent_windows_test.go
+++ b/cmd/spire-server/cli/agent/agent_windows_test.go
@ -1,15 +1,76 @@
 //go:build windows
-// +build windows

 package agent_test

 var (
+	purgeUsage = `Usage of agent purge:
+  -dryRun
+    	Indicates that the command will not perform any action, but will print the agents that would be purged.
+  -expiredFor duration
+    	Amount of time that has passed since the agent's SVID has expired. It is used to determine which agents to purge. (default 720h0m0s)
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
 	listUsage = `Usage of agent list:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
  -matchSelectorsOn string
    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
  -selector value
    	A colon-delimited type:value selector. Can be used more than once
+`
+	banUsage = `Usage of agent ban:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -spiffeID string
+    	The SPIFFE ID of the agent to ban (agent identity)
+`
+	evictUsage = `Usage of agent evict:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -spiffeID string
+    	The SPIFFE ID of the agent to evict (agent identity)
+`
+	countUsage = `Usage of agent count:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
+`
+	showUsage = `Usage of agent show:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -spiffeID string
+    	The SPIFFE ID of the agent to show (agent identity)
 `
 )
--- a/cmd/spire-server/cli/agent/ban.go
+++ b/cmd/spire-server/cli/agent/ban.go
@ -9,24 +9,27 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/server/api"
 )

 type banCommand struct {
+	env *commoncli.Env
 	// SPIFFE ID of agent being banned
 	spiffeID string
+	printer  cliprinter.Printer
 }

 // NewBanCommand creates a new "ban" subcommand for "agent" command.
 func NewBanCommand() cli.Command {
-	return NewBanCommandWithEnv(common_cli.DefaultEnv)
+	return NewBanCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewBanCommandWithEnv creates a new "ban" subcommand for "agent" command
 // using the environment specified
-func NewBanCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(banCommand))
+func NewBanCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &banCommand{env: env})
 }

 func (*banCommand) Name() string {
@ -38,7 +41,7 @@ func (*banCommand) Synopsis() string {
 }

 // Run ban an agent given its SPIFFE ID
-func (c *banCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *banCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("a SPIFFE ID is required")
 	}
@ -49,15 +52,22 @@ func (c *banCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 	}

 	agentClient := serverClient.NewAgentClient()
-	if _, err := agentClient.BanAgent(ctx, &agentv1.BanAgentRequest{
+	banResponse, err := agentClient.BanAgent(ctx, &agentv1.BanAgentRequest{
 		Id: api.ProtoFromID(id),
-	}); err != nil {
+	})
+	if err != nil {
 		return err
 	}

-	return env.Println("Agent banned successfully")
+	return c.printer.PrintProto(banResponse)
 }

 func (c *banCommand) AppendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to ban (agent identity)")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintBanResult)
+}
+
+func prettyPrintBanResult(env *commoncli.Env, _ ...any) error {
+	env.Println("Agent banned successfully")
+	return nil
 }
--- a/cmd/spire-server/cli/agent/count.go
+++ b/cmd/spire-server/cli/agent/count.go
@ -1,54 +1,147 @@
 package agent

 import (
+	"context"
+	"errors"
 	"flag"
 	"fmt"
+	"time"

 	"github.com/mitchellh/cli"
-
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
-
-	"golang.org/x/net/context"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

-type countCommand struct{}
+type countCommand struct {
+	// Type and value are delimited by a colon (:)
+	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
+	selectors commoncli.StringsFlag
+
+	// Match used when filtering by selectors
+	matchSelectorsOn string
+
+	// Filters agents to those that are banned.
+	banned commoncli.BoolFlag
+
+	// Filters agents by those that expire before this value.
+	expiresBefore string
+
+	// Filters agents to those matching the attestation type.
+	attestationType string
+
+	// Filters agents that can re-attest.
+	canReattest commoncli.BoolFlag
+
+	env *commoncli.Env
+
+	printer cliprinter.Printer
+}

 // NewCountCommand creates a new "count" subcommand for "agent" command.
 func NewCountCommand() cli.Command {
-	return NewCountCommandWithEnv(common_cli.DefaultEnv)
+	return NewCountCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewCountCommandWithEnv creates a new "count" subcommand for "agent" command
 // using the environment specified.
-func NewCountCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(countCommand))
+func NewCountCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &countCommand{env: env})
 }

 func (*countCommand) Name() string {
 	return "agent count"
 }

-func (countCommand) Synopsis() string {
+func (*countCommand) Synopsis() string {
 	return "Count attested agents"
 }

 // Run counts attested agents
-func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	filter := &agentv1.CountAgentsRequest_Filter{}
+	if len(c.selectors) > 0 {
+		matchBehavior, err := parseToSelectorMatch(c.matchSelectorsOn)
+		if err != nil {
+			return err
+		}
+
+		selectors := make([]*types.Selector, len(c.selectors))
+		for i, sel := range c.selectors {
+			selector, err := util.ParseSelector(sel)
+			if err != nil {
+				return fmt.Errorf("error parsing selector %q: %w", sel, err)
+			}
+			selectors[i] = selector
+		}
+		filter.BySelectorMatch = &types.SelectorMatch{
+			Selectors: selectors,
+			Match:     matchBehavior,
+		}
+	}
+
+	if c.expiresBefore != "" {
+		// Parse the time string into a time.Time object
+		_, err := time.Parse("2006-01-02 15:04:05 -0700 -07", c.expiresBefore)
+		if err != nil {
+			return fmt.Errorf("date is not valid: %w", err)
+		}
+		filter.ByExpiresBefore = c.expiresBefore
+	}
+
+	if c.attestationType != "" {
+		filter.ByAttestationType = c.attestationType
+	}
+
+	// 0: all, 1: can't reattest, 2: can reattest
+	if c.canReattest == 1 {
+		filter.ByCanReattest = wrapperspb.Bool(false)
+	}
+	if c.canReattest == 2 {
+		filter.ByCanReattest = wrapperspb.Bool(true)
+	}
+
+	// 0: all, 1: no-banned, 2: banned
+	if c.banned == 1 {
+		filter.ByBanned = wrapperspb.Bool(false)
+	}
+	if c.banned == 2 {
+		filter.ByBanned = wrapperspb.Bool(true)
+	}
+
 	agentClient := serverClient.NewAgentClient()
-	countResponse, err := agentClient.CountAgents(ctx, &agentv1.CountAgentsRequest{})
+
+	countResponse, err := agentClient.CountAgents(ctx, &agentv1.CountAgentsRequest{
+		Filter: filter,
+	})
 	if err != nil {
 		return err
 	}

-	count := int(countResponse.Count)
-	msg := fmt.Sprintf("%d attested ", count)
-	msg = util.Pluralizer(msg, "agent", "agents", count)
-	_ = env.Println(msg)
-
-	return nil
+	return c.printer.PrintProto(countResponse)
 }

 func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.StringVar(&c.attestationType, "attestationType", "", "Filter by attestation type, like join_token or x509pop.")
+	fs.Var(&c.canReattest, "canReattest", "Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.")
+	fs.Var(&c.banned, "banned", "Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.")
+	fs.StringVar(&c.expiresBefore, "expiresBefore", "", "Filter by expiration time (format: \"2006-01-02 15:04:05 -0700 -07\")")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintCount)
+}
+
+func prettyPrintCount(env *commoncli.Env, results ...any) error {
+	countResp, ok := results[0].(*agentv1.CountAgentsResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+	count := int(countResp.Count)
+	msg := fmt.Sprintf("%d attested ", count)
+	msg = util.Pluralizer(msg, "agent", "agents", count)
+	env.Println(msg)
+	return nil
 }
--- a/cmd/spire-server/cli/agent/evict.go
+++ b/cmd/spire-server/cli/agent/evict.go
@ -1,46 +1,47 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/server/api"
-
-	"golang.org/x/net/context"
 )

 type evictCommand struct {
+	env *commoncli.Env
 	// SPIFFE ID of the agent being evicted
 	spiffeID string
+	printer  cliprinter.Printer
 }

 // NewEvictCommand creates a new "evict" subcommand for "agent" command.
 func NewEvictCommand() cli.Command {
-	return NewEvictCommandWithEnv(common_cli.DefaultEnv)
+	return NewEvictCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewEvictCommandWithEnv creates a new "evict" subcommand for "agent" command
 // using the environment specified
-func NewEvictCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(evictCommand))
+func NewEvictCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &evictCommand{env: env})
 }

 func (*evictCommand) Name() string {
 	return "agent evict"
 }

-func (evictCommand) Synopsis() string {
+func (*evictCommand) Synopsis() string {
 	return "Evicts an attested agent given its SPIFFE ID"
 }

 // Run evicts an agent given its SPIFFE ID
-func (c *evictCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *evictCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("a SPIFFE ID is required")
 	}
@ -51,14 +52,20 @@ func (c *evictCommand) Run(ctx context.Context, env *common_cli.Env, serverClien
 	}

 	agentClient := serverClient.NewAgentClient()
-	_, err = agentClient.DeleteAgent(ctx, &agentv1.DeleteAgentRequest{Id: api.ProtoFromID(id)})
+	delAgentResponse, err := agentClient.DeleteAgent(ctx, &agentv1.DeleteAgentRequest{Id: api.ProtoFromID(id)})
 	if err != nil {
 		return err
 	}

-	return env.Println("Agent evicted successfully")
+	return c.printer.PrintProto(delAgentResponse)
 }

 func (c *evictCommand) AppendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to evict (agent identity)")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintEvictResult)
+}
+
+func prettyPrintEvictResult(env *commoncli.Env, _ ...any) error {
+	env.Println("Agent evicted successfully")
+	return nil
 }
--- a/cmd/spire-server/cli/agent/list.go
+++ b/cmd/spire-server/cli/agent/list.go
@ -1,52 +1,68 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
 	"time"

 	"github.com/mitchellh/cli"
-
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
-
-	"golang.org/x/net/context"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 type listCommand struct {
 	// Type and value are delimited by a colon (:)
 	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
-	selectors common_cli.StringsFlag
+	selectors commoncli.StringsFlag

-	// Match used when filtering agents by selectors
+	// Match used when filtering by selectors
 	matchSelectorsOn string
+
+	// Filters agents to those that are banned.
+	banned commoncli.BoolFlag
+
+	// Filters agents by those that expire before this value.
+	expiresBefore string
+
+	// Filters agents to those matching the attestation type.
+	attestationType string
+
+	// Filters agents that can re-attest.
+	canReattest commoncli.BoolFlag
+
+	env *commoncli.Env
+
+	printer cliprinter.Printer
 }

 // NewListCommand creates a new "list" subcommand for "agent" command.
 func NewListCommand() cli.Command {
-	return NewListCommandWithEnv(common_cli.DefaultEnv)
+	return NewListCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewListCommandWithEnv creates a new "list" subcommand for "agent" command
 // using the environment specified
-func NewListCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(listCommand))
+func NewListCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &listCommand{env: env})
 }

 func (*listCommand) Name() string {
 	return "agent list"
 }

-func (listCommand) Synopsis() string {
+func (*listCommand) Synopsis() string {
 	return "Lists attested agents and their SPIFFE IDs"
 }

 // Run lists attested agents
-func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	filter := &agentv1.ListAgentsRequest_Filter{}
 	if len(c.selectors) > 0 {
 		matchBehavior, err := parseToSelectorMatch(c.matchSelectorsOn)
@ -68,10 +84,39 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		}
 	}

+	if c.expiresBefore != "" {
+		// Parse the time string into a time.Time object
+		_, err := time.Parse("2006-01-02 15:04:05 -0700 -07", c.expiresBefore)
+		if err != nil {
+			return fmt.Errorf("date is not valid: %w", err)
+		}
+		filter.ByExpiresBefore = c.expiresBefore
+	}
+
+	if c.attestationType != "" {
+		filter.ByAttestationType = c.attestationType
+	}
+
+	// 0: all, 1: can't reattest, 2: can reattest
+	if c.canReattest == 1 {
+		filter.ByCanReattest = wrapperspb.Bool(false)
+	}
+	if c.canReattest == 2 {
+		filter.ByCanReattest = wrapperspb.Bool(true)
+	}
+
+	// 0: all, 1: no-banned, 2: banned
+	if c.banned == 1 {
+		filter.ByBanned = wrapperspb.Bool(false)
+	}
+	if c.banned == 2 {
+		filter.ByBanned = wrapperspb.Bool(true)
+	}
+
 	agentClient := serverClient.NewAgentClient()

 	pageToken := ""
-	var agents []*types.Agent
+	response := new(agentv1.ListAgentsResponse)
 	for {
 		listResponse, err := agentClient.ListAgents(ctx, &agentv1.ListAgentsRequest{
 			PageSize:  1000, // comfortably under the (4 MB/theoretical maximum size of 1 agent in MB)
@ -81,29 +126,43 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		if err != nil {
 			return err
 		}
-		agents = append(agents, listResponse.Agents...)
+		response.Agents = append(response.Agents, listResponse.Agents...)
 		if pageToken = listResponse.NextPageToken; pageToken == "" {
 			break
 		}
 	}

+	return c.printer.PrintProto(response)
+}
+
+func (c *listCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.StringVar(&c.attestationType, "attestationType", "", "Filter by attestation type, like join_token or x509pop.")
+	fs.Var(&c.canReattest, "canReattest", "Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.")
+	fs.Var(&c.banned, "banned", "Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.")
+	fs.StringVar(&c.expiresBefore, "expiresBefore", "", "Filter by expiration time (format: \"2006-01-02 15:04:05 -0700 -07\")")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgents)
+}
+
+func prettyPrintAgents(env *commoncli.Env, results ...any) error {
+	listResp, ok := results[0].(*agentv1.ListAgentsResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+	agents := listResp.Agents
+
 	if len(agents) == 0 {
 		return env.Printf("No attested agents found\n")
 	}

 	msg := fmt.Sprintf("Found %d attested ", len(agents))
 	msg = util.Pluralizer(msg, "agent", "agents", len(agents))
-	env.Printf(msg + ":\n\n")
-
+	env.Printf("%s:\n\n", msg)
 	return printAgents(env, agents...)
 }

-func (c *listCommand) AppendFlags(fs *flag.FlagSet) {
-	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
-	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
-}
-
-func printAgents(env *common_cli.Env, agents ...*types.Agent) error {
+func printAgents(env *commoncli.Env, agents ...*types.Agent) error {
 	for _, agent := range agents {
 		id, err := idutil.IDFromProto(agent.Id)
 		if err != nil {
@ -129,6 +188,10 @@ func printAgents(env *common_cli.Env, agents ...*types.Agent) error {
 				return err
 			}
 		}
+		if err := env.Printf("Can re-attest     : %t\n", agent.CanReattest); err != nil {
+			return err
+		}
+
 		if err := env.Println(); err != nil {
 			return err
 		}
--- a/cmd/spire-server/cli/agent/purge.go
+++ b/cmd/spire-server/cli/agent/purge.go
@ -0,0 +1,154 @@
+package agent
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"time"
+
+	"github.com/mitchellh/cli"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/idutil"
+	"google.golang.org/protobuf/types/known/wrapperspb"
+)
+
+type purgeCommand struct {
+	env        *commoncli.Env
+	expiredFor time.Duration
+	dryRun     bool
+	printer    cliprinter.Printer
+}
+
+func NewPurgeCommand() cli.Command {
+	return NewPurgeCommandWithEnv(commoncli.DefaultEnv)
+}
+
+func NewPurgeCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &purgeCommand{env: env})
+}
+
+func (*purgeCommand) Name() string {
+	return "agent purge"
+}
+
+func (*purgeCommand) Synopsis() string {
+	return "Purge expired agents that were attested using a non-TOFU security model based on a given time"
+}
+
+func (c *purgeCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) (err error) {
+	agentClient := serverClient.NewAgentClient()
+	resp, err := agentClient.ListAgents(ctx, &agentv1.ListAgentsRequest{
+		Filter:     &agentv1.ListAgentsRequest_Filter{ByCanReattest: wrapperspb.Bool(true)},
+		OutputMask: &types.AgentMask{X509SvidExpiresAt: true},
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list agents: %w", err)
+	}
+
+	agents := resp.GetAgents()
+	expiredAgents := &expiredAgents{Agents: []*expiredAgent{}}
+
+	for _, agent := range agents {
+		id, err := idutil.IDFromProto(agent.Id)
+		if err != nil {
+			return err
+		}
+
+		expirationTime := time.Unix(agent.X509SvidExpiresAt, 0)
+
+		if time.Since(expirationTime) > c.expiredFor {
+			result := &expiredAgent{AgentID: id}
+
+			if !c.dryRun {
+				if _, err := agentClient.DeleteAgent(ctx, &agentv1.DeleteAgentRequest{Id: agent.Id}); err != nil {
+					result.Error = err.Error()
+				} else {
+					result.Deleted = true
+				}
+			}
+			expiredAgents.Agents = append(expiredAgents.Agents, result)
+		}
+	}
+
+	return c.printer.PrintStruct(expiredAgents)
+}
+
+func (c *purgeCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.DurationVar(&c.expiredFor, "expiredFor", 30*24*time.Hour, "Amount of time that has passed since the agent's SVID has expired. It is used to determine which agents to purge.")
+	fs.BoolVar(&c.dryRun, "dryRun", false, "Indicates that the command will not perform any action, but will print the agents that would be purged.")
+
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintPurgeResult)
+}
+
+type expiredAgents struct {
+	Agents []*expiredAgent `json:"expired_agents"`
+}
+
+type expiredAgent struct {
+	AgentID spiffeid.ID `json:"agent_id"`
+	Deleted bool        `json:"deleted"`
+	Error   string      `json:"error,omitempty"`
+}
+
+func (c *purgeCommand) prettyPrintPurgeResult(env *commoncli.Env, results ...any) error {
+	if expAgents, ok := results[0].([]any)[0].(*expiredAgents); ok {
+		if len(expAgents.Agents) == 0 {
+			env.Println("No agents to purge.")
+			return nil
+		}
+
+		msg := fmt.Sprintf("Found %d expired ", len(expAgents.Agents))
+		msg = util.Pluralizer(msg, "agent", "agents", len(expAgents.Agents))
+		env.Printf("%s\n\n", msg)
+
+		if c.dryRun {
+			env.Println("\nAgents that can be purged:")
+			for _, result := range expAgents.Agents {
+				env.Printf("SPIFFE ID         : %s\n", result.AgentID.String())
+			}
+			return nil
+		}
+
+		var agentsNotPurged []*expiredAgent
+		var agentsPurged []*expiredAgent
+
+		for _, result := range expAgents.Agents {
+			if result.Deleted {
+				agentsPurged = append(agentsPurged, result)
+			} else {
+				agentsNotPurged = append(agentsNotPurged, result)
+			}
+		}
+
+		if len(agentsPurged) > 0 {
+			c.printAgentsPurged(agentsPurged)
+		}
+
+		if len(agentsNotPurged) > 0 {
+			c.printAgentsNotPurged(agentsNotPurged)
+		}
+
+		return nil
+	}
+	return cliprinter.ErrInternalCustomPrettyFunc
+}
+
+func (c *purgeCommand) printAgentsNotPurged(agentsNotPurged []*expiredAgent) {
+	c.env.Println("Agents not purged:")
+	for _, result := range agentsNotPurged {
+		c.env.Printf("SPIFFE ID         : %s\n", result.AgentID.String())
+		c.env.Printf("Error             : %s\n", result.Error)
+	}
+}
+
+func (c *purgeCommand) printAgentsPurged(agentsPurged []*expiredAgent) {
+	c.env.Println("Agents purged:")
+	for _, result := range agentsPurged {
+		c.env.Printf("SPIFFE ID         : %s\n", result.AgentID.String())
+	}
+}
--- a/cmd/spire-server/cli/agent/show.go
+++ b/cmd/spire-server/cli/agent/show.go
@ -1,46 +1,48 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/server/api"
-
-	"golang.org/x/net/context"
 )

 type showCommand struct {
-	// SPIFFE ID of the agent being showed
+	env *commoncli.Env
+	// SPIFFE ID of the agent being shown
 	spiffeID string
+	printer  cliprinter.Printer
 }

 // NewShowCommand creates a new "show" subcommand for "agent" command.
 func NewShowCommand() cli.Command {
-	return NewShowCommandWithEnv(common_cli.DefaultEnv)
+	return NewShowCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewShowCommandWithEnv creates a new "show" subcommand for "agent" command
 // using the environment specified
-func NewShowCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(showCommand))
+func NewShowCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &showCommand{env: env})
 }

 func (*showCommand) Name() string {
 	return "agent show"
 }

-func (showCommand) Synopsis() string {
+func (*showCommand) Synopsis() string {
 	return "Shows the details of an attested agent given its SPIFFE ID"
 }

 // Run shows an agent given its SPIFFE ID
-func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *showCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("a SPIFFE ID is required")
 	}
@ -56,8 +58,21 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return err
 	}

-	env.Printf("Found an attested agent given its SPIFFE ID\n\n")
+	return c.printer.PrintProto(agent)
+}

+func (c *showCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to show (agent identity)")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgent)
+}
+
+func prettyPrintAgent(env *commoncli.Env, results ...any) error {
+	agent, ok := results[0].(*types.Agent)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Printf("Found an attested agent given its SPIFFE ID\n\n")
 	if err := printAgents(env, agent); err != nil {
 		return err
 	}
@ -67,7 +82,3 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 	}
 	return nil
 }
-
-func (c *showCommand) AppendFlags(fs *flag.FlagSet) {
-	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to show (agent identity)")
-}
--- a/cmd/spire-server/cli/authoritycommon/authoritycommon.go
+++ b/cmd/spire-server/cli/authoritycommon/authoritycommon.go
@ -0,0 +1,31 @@
+package authoritycommon
+
+import (
+	"time"
+
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+)
+
+func PrettyPrintJWTAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, false)
+}
+
+func PrettyPrintX509AuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, true)
+}
+
+func prettyPrintAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState, includeUpstreamAuthority bool) {
+	env.Printf("  Authority ID: %s\n", authorityState.AuthorityId)
+	env.Printf("  Expires at: %s\n", time.Unix(authorityState.ExpiresAt, 0).UTC())
+	if !includeUpstreamAuthority {
+		return
+	}
+
+	if authorityState.UpstreamAuthoritySubjectKeyId != "" {
+		env.Printf("  Upstream authority Subject Key ID: %s\n", authorityState.UpstreamAuthoritySubjectKeyId)
+		return
+	}
+
+	env.Println("  Upstream authority ID: No upstream authority")
+}
--- a/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
+++ b/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
@ -0,0 +1,174 @@
+package authoritycommontest
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/spiffe/spire/test/spiretest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+)
+
+var AvailableFormats = []string{"pretty", "json"}
+
+type localAuthorityTest struct {
+	Stdin  *bytes.Buffer
+	Stdout *bytes.Buffer
+	Stderr *bytes.Buffer
+	Args   []string
+	Server *fakeLocalAuthorityServer
+	Client cli.Command
+}
+
+func (s *localAuthorityTest) afterTest(t *testing.T) {
+	t.Logf("TEST:%s", t.Name())
+	t.Logf("STDOUT:\n%s", s.Stdout.String())
+	t.Logf("STDIN:\n%s", s.Stdin.String())
+	t.Logf("STDERR:\n%s", s.Stderr.String())
+}
+
+func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
+	server := &fakeLocalAuthorityServer{}
+
+	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
+		localauthorityv1.RegisterLocalAuthorityServer(s, server)
+	})
+
+	stdin := new(bytes.Buffer)
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+
+	client := newClient(&commoncli.Env{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	})
+
+	test := &localAuthorityTest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+		Args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
+		Server: server,
+		Client: client,
+	}
+
+	t.Cleanup(func() {
+		test.afterTest(t)
+	})
+
+	return test
+}
+
+type fakeLocalAuthorityServer struct {
+	localauthorityv1.UnsafeLocalAuthorityServer
+
+	ActiveJWT,
+	PreparedJWT,
+	OldJWT,
+	ActiveX509,
+	PreparedX509,
+	OldX509,
+	TaintedX509,
+	RevokedX509,
+	TaintedJWT,
+	RevokedJWT *localauthorityv1.AuthorityState
+
+	TaintedUpstreamAuthoritySubjectKeyId,
+	RevokedUpstreamAuthoritySubjectKeyId string
+	Err error
+}
+
+func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
+	return &localauthorityv1.GetJWTAuthorityStateResponse{
+		Active:   s.ActiveJWT,
+		Prepared: s.PreparedJWT,
+		Old:      s.OldJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
+	return &localauthorityv1.PrepareJWTAuthorityResponse{
+		PreparedAuthority: s.PreparedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
+	return &localauthorityv1.ActivateJWTAuthorityResponse{
+		ActivatedAuthority: s.ActiveJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
+	return &localauthorityv1.TaintJWTAuthorityResponse{
+		TaintedAuthority: s.TaintedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
+	return &localauthorityv1.RevokeJWTAuthorityResponse{
+		RevokedAuthority: s.RevokedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
+	return &localauthorityv1.GetX509AuthorityStateResponse{
+		Active:   s.ActiveX509,
+		Prepared: s.PreparedX509,
+		Old:      s.OldX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
+	return &localauthorityv1.PrepareX509AuthorityResponse{
+		PreparedAuthority: s.PreparedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
+	return &localauthorityv1.ActivateX509AuthorityResponse{
+		ActivatedAuthority: s.ActiveX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
+	return &localauthorityv1.TaintX509AuthorityResponse{
+		TaintedAuthority: s.TaintedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.TaintedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509AuthorityResponse{
+		RevokedAuthority: s.RevokedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.RevokedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
--- a/cmd/spire-server/cli/bundle/bundle_posix_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package bundle

@ -9,9 +8,45 @@ var (
    	The format of the bundle data. Either "pem" or "spiffe". (default "pem")
  -id string
    	SPIFFE ID of the trust domain
+  -output value
+    	Desired output format (pretty, json); default: pretty.
  -path string
    	Path to the bundle data
  -socketPath string
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	countUsage = `Usage of bundle count:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	deleteUsage = `Usage of bundle delete:
+  -id string
+    	SPIFFE ID of the trust domain
+  -mode string
+    	Deletion mode: one of restrict, delete, or dissociate (default "restrict")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	listUsage = `Usage of bundle list:
+  -format string
+    	The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -id string
+    	SPIFFE ID of the trust domain
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+	showUsage = `Usage of bundle show:
+  -format string
+    	The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 )
--- a/cmd/spire-server/cli/bundle/bundle_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_test.go
@ -10,7 +10,6 @@ import (

 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/test/spiretest"
@ -19,13 +18,13 @@ import (
 	"google.golang.org/grpc/status"
 )

+var availableFormats = []string{"pretty", "json"}
+
 func TestShowHelp(t *testing.T) {
 	test := setupTest(t, newShowCommand)
 	test.client.Help()

-	require.Equal(t, `Usage of bundle show:
-  -format string
-    	The format to show the bundle. Either "pem" or "spiffe". (default "pem")`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, showUsage, test.stderr.String())
 }

 func TestShowSynopsis(t *testing.T) {
@ -34,26 +33,42 @@ func TestShowSynopsis(t *testing.T) {
 }

 func TestShow(t *testing.T) {
+	expectedShowResultJSON := `{
+  "trust_domain": "spiffe://example.test",
+  "x509_authorities": [
+    {
+      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+      "tainted": false
+    }
+  ],
+  "jwt_authorities": [],
+  "refresh_hint": "60",
+  "sequence_number": "42"
+}`
 	for _, tt := range []struct {
-		name          string
-		args          []string
-		expectedOut   string
-		serverErr     error
-		expectedError string
+		name                 string
+		args                 []string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		serverErr            error
+		expectedError        string
 	}{
 		{
-			name:        "default",
-			expectedOut: cert1PEM,
+			name:                 "default",
+			expectedStdoutPretty: cert1PEM,
+			expectedStdoutJSON:   expectedShowResultJSON,
 		},
 		{
-			name:        "pem",
-			args:        []string{"-format", util.FormatPEM},
-			expectedOut: cert1PEM,
+			name:                 "pem",
+			args:                 []string{"-format", util.FormatPEM},
+			expectedStdoutPretty: cert1PEM,
+			expectedStdoutJSON:   expectedShowResultJSON,
 		},
 		{
-			name:        "spiffe",
-			args:        []string{"-format", util.FormatSPIFFE},
-			expectedOut: cert1JWKS,
+			name:                 "spiffe",
+			args:                 []string{"-format", util.FormatSPIFFE},
+			expectedStdoutPretty: cert1JWKS,
+			expectedStdoutJSON:   expectedShowResultJSON,
 		},
 		{
 			name:          "server fails",
@ -61,29 +76,32 @@ func TestShow(t *testing.T) {
 			expectedError: "Error: rpc error: code = Unknown desc = some error\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newShowCommand)
-			test.server.err = tt.serverErr
-			test.server.bundles = []*types.Bundle{{
-				TrustDomain: "spiffe://example.test",
-				X509Authorities: []*types.X509Certificate{
-					{Asn1: test.cert1.Raw},
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newShowCommand)
+				test.server.err = tt.serverErr
+				test.server.bundles = []*types.Bundle{{
+					TrustDomain: "spiffe://example.test",
+					X509Authorities: []*types.X509Certificate{
+						{Asn1: test.cert1.Raw},
+					},
+					RefreshHint:    60,
+					SequenceNumber: 42,
 				},
-				RefreshHint: 60,
-			},
-			}
+				}
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expectedError != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expectedError, test.stderr.String())
-				return
-			}
-
-			require.Equal(t, 0, rc)
-			require.Equal(t, test.stdout.String(), tt.expectedOut)
-		})
+				rc := test.client.Run(test.args(args...))
+				if tt.expectedError != "" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expectedError, test.stderr.String())
+					return
+				}
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, 0, rc)
+			})
+		}
 	}
 }

@ -95,10 +113,27 @@ func TestSetHelp(t *testing.T) {

 func TestSetSynopsis(t *testing.T) {
 	test := setupTest(t, newSetCommand)
-	require.Equal(t, "Creates or updates bundle data", test.client.Synopsis())
+	require.Equal(t, "Creates or updates federated bundle data", test.client.Synopsis())
 }

 func TestSet(t *testing.T) {
+	expectedSetResultJSON := `{
+  "results": [
+    {
+      "status": {
+        "code": 0,
+        "message": ""
+      },
+      "bundle": {
+        "trust_domain": "spiffe://otherdomain.test",
+        "x509_authorities": [],
+        "jwt_authorities": [],
+        "refresh_hint": "0",
+        "sequence_number": "0"
+      }
+    }
+  ]
+}`
 	cert1, err := pemutil.ParseCertificate([]byte(cert1PEM))
 	require.NoError(t, err)

@ -106,54 +141,64 @@ func TestSet(t *testing.T) {
 	require.NoError(t, err)

 	for _, tt := range []struct {
-		name           string
-		args           []string
-		expectedStderr string
-		stdin          string
-		fileData       string
-		serverErr      error
-		toSet          *types.Bundle
-		setResponse    *bundlev1.BatchSetFederatedBundleResponse
+		name                 string
+		args                 []string
+		expectedStderrPretty string
+		expectedStderrJSON   string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		stdin                string
+		fileData             string
+		serverErr            error
+		toSet                *types.Bundle
+		setResponse          *bundlev1.BatchSetFederatedBundleResponse
 	}{
 		{
-			name:           "no id",
-			expectedStderr: "Error: id flag is required\n",
+			name:                 "no id",
+			expectedStderrPretty: "Error: id flag is required\n",
+			expectedStderrJSON:   "Error: id flag is required\n",
 		},
 		{
-			name:           "invalid trust domain ID",
-			expectedStderr: "Error: unable to parse bundle data: no PEM blocks\n",
-			args:           []string{"-id", "spiffe://otherdomain.test"},
+			name:                 "invalid trust domain ID",
+			expectedStderrPretty: "Error: unable to parse bundle data: no PEM blocks\n",
+			expectedStderrJSON:   "Error: unable to parse bundle data: no PEM blocks\n",
+			args:                 []string{"-id", "spiffe://otherdomain.test"},
 		},
 		{
-			name:           "invalid output format",
-			stdin:          cert1PEM,
-			args:           []string{"-id", "spiffe://otherdomain.test", "-format", "invalidFormat"},
-			expectedStderr: "Error: invalid format: \"invalidformat\"\n",
+			name:                 "invalid output format",
+			stdin:                cert1PEM,
+			args:                 []string{"-id", "spiffe://otherdomain.test", "-format", "invalidFormat"},
+			expectedStderrPretty: "Error: invalid format: \"invalidformat\"\n",
+			expectedStderrJSON:   "Error: invalid format: \"invalidformat\"\n",
 		},
 		{
-			name:           "invalid bundle (pem)",
-			stdin:          "invalid bundle",
-			args:           []string{"-id", "spiffe://otherdomain.test"},
-			expectedStderr: "Error: unable to parse bundle data: no PEM blocks\n",
+			name:                 "invalid bundle (pem)",
+			stdin:                "invalid bundle",
+			args:                 []string{"-id", "spiffe://otherdomain.test"},
+			expectedStderrPretty: "Error: unable to parse bundle data: no PEM blocks\n",
+			expectedStderrJSON:   "Error: unable to parse bundle data: no PEM blocks\n",
 		},
 		{
-			name:           "invalid bundle (spiffe)",
-			stdin:          "invalid bundle",
-			args:           []string{"-id", "spiffe://otherdomain.test", "-format", util.FormatSPIFFE},
-			expectedStderr: "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n",
+			name:                 "invalid bundle (spiffe)",
+			stdin:                "invalid bundle",
+			args:                 []string{"-id", "spiffe://otherdomain.test", "-format", util.FormatSPIFFE},
+			expectedStderrPretty: "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n",
+			expectedStderrJSON:   "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n",
 		},
 		{
-			name:           "server fails",
-			stdin:          cert1PEM,
-			args:           []string{"-id", "spiffe://otherdomain.test"},
-			serverErr:      status.New(codes.Internal, "some error").Err(),
-			expectedStderr: "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n",
+			name:                 "server fails",
+			stdin:                cert1PEM,
+			args:                 []string{"-id", "spiffe://otherdomain.test"},
+			serverErr:            status.New(codes.Internal, "some error").Err(),
+			expectedStderrPretty: "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n",
+			expectedStderrJSON:   "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n",
 		},
 		{
-			name:           "failed to set",
-			stdin:          cert1PEM,
-			args:           []string{"-id", "spiffe://otherdomain.test"},
-			expectedStderr: "Error: failed to set federated bundle: failed to set\n",
+			name:                 "failed to set",
+			stdin:                cert1PEM,
+			args:                 []string{"-id", "spiffe://otherdomain.test"},
+			expectedStderrPretty: "Error: failed to set federated bundle: failed to set\n",
+			expectedStdoutJSON:   `{"results":[{"status":{"code":13,"message":"failed to set"}}]}`,
 			toSet: &types.Bundle{
 				TrustDomain: "spiffe://otherdomain.test",
 				X509Authorities: []*types.X509Certificate{
@ -192,6 +237,8 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 		{
 			name:  "set bundle (pem)",
@ -215,6 +262,8 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 		{
 			name:  "set bundle (jwks)",
@ -244,11 +293,14 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 		{
-			name:           "invalid file name",
-			expectedStderr: fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()),
-			args:           []string{"-id", "spiffe://otherdomain.test", "-path", "/not/a/real/path/to/a/bundle"},
+			name:                 "invalid file name",
+			expectedStderrPretty: fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()),
+			expectedStderrJSON:   fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()),
+			args:                 []string{"-id", "spiffe://otherdomain.test", "-path", "/not/a/real/path/to/a/bundle"},
 		},
 		{
 			name:     "set from file (default)",
@ -272,6 +324,8 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 		{
 			name:     "set from file (pem)",
@ -295,6 +349,8 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 		{
 			name:     "set from file (jwks)",
@ -324,36 +380,44 @@ func TestSet(t *testing.T) {
 					},
 				},
 			},
+			expectedStdoutPretty: "bundle set.",
+			expectedStdoutJSON:   expectedSetResultJSON,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newSetCommand)
-			test.server.expectedSetBundle = tt.toSet
-			test.server.setResponse = tt.setResponse
-			test.server.err = tt.serverErr
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newSetCommand)
+				test.server.expectedSetBundle = tt.toSet
+				test.server.setResponse = tt.setResponse
+				test.server.err = tt.serverErr
+				test.stdin.WriteString(tt.stdin)
+				var extraArgs []string
+				if tt.fileData != "" {
+					tmpDir := spiretest.TempDir(t)
+					bundlePath := filepath.Join(tmpDir, "bundle_data")
+					require.NoError(t, os.WriteFile(bundlePath, []byte(tt.fileData), 0600))
+					extraArgs = append(extraArgs, "-path", bundlePath)
+				}
+				args := tt.args
+				args = append(args, "-output", format)

-			test.stdin.WriteString(tt.stdin)
-			var extraArgs []string
-			if tt.fileData != "" {
-				tmpDir := spiretest.TempDir(t)
-				bundlePath := filepath.Join(tmpDir, "bundle_data")
-				require.NoError(t, os.WriteFile(bundlePath, []byte(tt.fileData), 0600))
-				extraArgs = append(extraArgs, "-path", bundlePath)
-			}
+				rc := test.client.Run(test.args(append(args, extraArgs...)...))

-			rc := test.client.Run(test.args(append(tt.args, extraArgs...)...))
-
-			if tt.expectedStderr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expectedStderr, test.stderr.String())
-				return
-			}
-
-			require.Empty(t, test.stderr.String())
-			require.Equal(t, 0, rc)
-			require.Equal(t, "bundle set.\n", test.stdout.String())
-		})
+				if tt.expectedStderrPretty != "" && format == "pretty" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expectedStderrPretty, test.stderr.String())
+					return
+				}
+				if tt.expectedStderrJSON != "" && format == "json" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expectedStderrJSON, test.stderr.String())
+					return
+				}
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Empty(t, test.stderr.String())
+				require.Equal(t, 0, rc)
+			})
+		}
 	}
 }

@ -361,7 +425,7 @@ func TestCountHelp(t *testing.T) {
 	test := setupTest(t, NewCountCommandWithEnv)
 	test.client.Help()

-	require.Equal(t, `Usage of bundle count:`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, countUsage, test.stderr.String())
 }

 func TestCountSynopsis(t *testing.T) {
@ -371,17 +435,19 @@ func TestCountSynopsis(t *testing.T) {

 func TestCount(t *testing.T) {
 	for _, tt := range []struct {
-		name           string
-		args           []string
-		count          int
-		expectedStdout string
-		expectedStderr string
-		serverErr      error
+		name                 string
+		args                 []string
+		count                int
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderr       string
+		serverErr            error
 	}{
 		{
-			name:           "all bundles",
-			count:          2,
-			expectedStdout: "2 bundles\n",
+			name:                 "all bundles",
+			count:                2,
+			expectedStdoutPretty: "2 bundles\n",
+			expectedStdoutJSON:   `{"count":2}`,
 		},
 		{
 			name:           "all bundles server fails",
@ -390,9 +456,10 @@ func TestCount(t *testing.T) {
 			serverErr:      status.Error(codes.Internal, "some error"),
 		},
 		{
-			name:           "one bundle",
-			count:          1,
-			expectedStdout: "1 bundle\n",
+			name:                 "one bundle",
+			count:                1,
+			expectedStdoutPretty: "1 bundle\n",
+			expectedStdoutJSON:   `{"count":1}`,
 		},
 		{
 			name:           "one bundle server fails",
@ -401,45 +468,49 @@ func TestCount(t *testing.T) {
 			serverErr:      status.Error(codes.Internal, "some error"),
 		},
 		{
-			name:           "no bundles",
-			count:          0,
-			expectedStdout: "0 bundles\n",
+			name:                 "no bundles",
+			count:                0,
+			expectedStdoutPretty: "0 bundles\n",
+			expectedStdoutJSON:   `{"count":0}`,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, NewCountCommandWithEnv)
-			test.server.err = tt.serverErr
-			bundles := []*types.Bundle{
-				{
-					TrustDomain: "spiffe://domain1.test",
-					X509Authorities: []*types.X509Certificate{
-						{Asn1: test.cert1.Raw},
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, NewCountCommandWithEnv)
+				test.server.err = tt.serverErr
+				bundles := []*types.Bundle{
+					{
+						TrustDomain: "spiffe://domain1.test",
+						X509Authorities: []*types.X509Certificate{
+							{Asn1: test.cert1.Raw},
+						},
+						JwtAuthorities: []*types.JWTKey{
+							{KeyId: "KID", PublicKey: test.key1Pkix},
+						},
 					},
-					JwtAuthorities: []*types.JWTKey{
-						{KeyId: "KID", PublicKey: test.key1Pkix},
+					{
+						TrustDomain: "spiffe://domain2.test",
+						X509Authorities: []*types.X509Certificate{
+							{Asn1: test.cert2.Raw},
+						},
 					},
-				},
-				{
-					TrustDomain: "spiffe://domain2.test",
-					X509Authorities: []*types.X509Certificate{
-						{Asn1: test.cert2.Raw},
-					},
-				},
-			}
+				}
+				test.server.bundles = bundles[0:tt.count]
+				args := tt.args
+				args = append(args, "-output", format)

-			test.server.bundles = bundles[0:tt.count]
-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expectedStderr != "" {
-				require.Equal(t, tt.expectedStderr, test.stderr.String())
-				require.Equal(t, 1, rc)
-				return
-			}
+				rc := test.client.Run(test.args(args...))

-			require.Equal(t, 0, rc)
-			require.Empty(t, test.stderr.String())
-			require.Equal(t, tt.expectedStdout, test.stdout.String())
-		})
+				if tt.expectedStderr != "" {
+					require.Equal(t, tt.expectedStderr, test.stderr.String())
+					require.Equal(t, 1, rc)
+					return
+				}
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, 0, rc)
+				require.Empty(t, test.stderr.String())
+			})
+		}
 	}
 }

@ -447,11 +518,7 @@ func TestListHelp(t *testing.T) {
 	test := setupTest(t, newListCommand)
 	test.client.Help()

-	require.Equal(t, `Usage of bundle list:
-  -format string
-    	The format to list federated bundles. Either "pem" or "spiffe". (default "pem")
-  -id string
-    	SPIFFE ID of the trust domain`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, listUsage, test.stderr.String())
 }

 func TestListSynopsis(t *testing.T) {
@ -460,131 +527,209 @@ func TestListSynopsis(t *testing.T) {
 }

 func TestList(t *testing.T) {
+	allBundlesResultJSON := `{
+  "bundles": [
+    {
+      "trust_domain": "spiffe://domain1.test",
+      "x509_authorities": [
+        {
+          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+	  "tainted": false
+        }
+      ],
+      "jwt_authorities": [
+        {
+          "public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfK+wKTnKL7KFLM27lqq5DC+bxrVaH6rDV+IcCSEOeL7Cr6DdNBbFiVXnVMI8fTfTJexHG+6MPiFRRohCteTgog==",
+	  "tainted": false,
+          "key_id": "KID",
+          "expires_at": "0"
+        }
+      ],
+      "refresh_hint": "0",
+      "sequence_number": "0"
+    },
+    {
+      "trust_domain": "spiffe://domain2.test",
+      "x509_authorities": [
+        {
+          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=",
+	  "tainted": false
+        }
+      ],
+      "jwt_authorities": [],
+      "refresh_hint": "0",
+      "sequence_number": "0"
+    }
+  ],
+  "next_page_token": ""
+}`
+	oneBundleResultJSON := `{
+  "trust_domain": "spiffe://domain2.test",
+  "x509_authorities": [
+    {
+      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=",
+       "tainted": false
+    }
+  ],
+  "jwt_authorities": [],
+  "refresh_hint": "0",
+  "sequence_number": "0"
+}`
 	for _, tt := range []struct {
-		name           string
-		args           []string
-		expectedStdout string
-		expectedStderr string
-		serverErr      error
+		name                 string
+		args                 []string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		expectedStderrPretty string
+		expectedStderrJSON   string
+		serverErr            error
 	}{
 		{
-			name:           "all bundles (default)",
-			expectedStdout: allBundlesPEM,
+			name:                 "all bundles (default)",
+			expectedStdoutPretty: allBundlesPEM,
+			expectedStdoutJSON:   allBundlesResultJSON,
 		},
 		{
-			name:           "all bundles server fails",
-			expectedStderr: "Error: rpc error: code = Internal desc = some error\n",
-			serverErr:      status.New(codes.Internal, "some error").Err(),
+			name:                 "all bundles server fails",
+			expectedStderrPretty: "Error: rpc error: code = Internal desc = some error\n",
+			expectedStderrJSON:   "Error: rpc error: code = Internal desc = some error\n",
+			serverErr:            status.New(codes.Internal, "some error").Err(),
 		},
 		{
-			name:           "all bundles invalid format",
-			args:           []string{"-format", "invalid"},
-			expectedStderr: "Error: invalid format: \"invalid\"\n",
+			name:                 "all bundles invalid bundle format",
+			args:                 []string{"-format", "invalid"},
+			expectedStderrPretty: "Error: invalid format: \"invalid\"\n",
+			expectedStdoutJSON:   allBundlesResultJSON,
 		},
 		{
-			name:           "all bundles (pem)",
-			args:           []string{"-format", util.FormatPEM},
-			expectedStdout: allBundlesPEM,
+			name:                 "all bundles (pem)",
+			args:                 []string{"-format", util.FormatPEM},
+			expectedStdoutPretty: allBundlesPEM,
+			expectedStdoutJSON:   allBundlesResultJSON,
 		},
 		{
-			name:           "all bundles (jwks)",
-			args:           []string{"-format", util.FormatSPIFFE},
-			expectedStdout: allBundlesJWKS,
+			name:                 "all bundles (jwks)",
+			args:                 []string{"-format", util.FormatSPIFFE},
+			expectedStdoutPretty: allBundlesJWKS,
+			expectedStdoutJSON:   allBundlesResultJSON,
 		},
 		{
-			name:           "one bundle (default)",
-			args:           []string{"-id", "spiffe://domain2.test"},
-			expectedStdout: cert2PEM,
+			name:                 "one bundle (default)",
+			args:                 []string{"-id", "spiffe://domain2.test"},
+			expectedStdoutPretty: cert2PEM,
+			expectedStdoutJSON:   oneBundleResultJSON,
 		},
 		{
-			name:           "one bundle server fails",
-			args:           []string{"-id", "spiffe://domain2.test"},
-			expectedStderr: "Error: rpc error: code = Internal desc = some error\n",
-			serverErr:      status.New(codes.Internal, "some error").Err(),
+			name:                 "one bundle server fails",
+			args:                 []string{"-id", "spiffe://domain2.test"},
+			expectedStderrPretty: "Error: rpc error: code = Internal desc = some error\n",
+			expectedStderrJSON:   "Error: rpc error: code = Internal desc = some error\n",
+			serverErr:            status.New(codes.Internal, "some error").Err(),
 		},
 		{
-			name:           "one bundle invalid format",
-			args:           []string{"-id", "spiffe://domain2.test", "-format", "invalid"},
-			expectedStderr: "Error: invalid format: \"invalid\"\n",
+			name:                 "one bundle invalid bundle format",
+			args:                 []string{"-id", "spiffe://domain2.test", "-format", "invalid"},
+			expectedStderrPretty: "Error: invalid format: \"invalid\"\n",
+			expectedStdoutJSON:   oneBundleResultJSON,
 		},
 		{
-			name:           "one bundle (pem)",
-			args:           []string{"-id", "spiffe://domain2.test", "-format", util.FormatPEM},
-			expectedStdout: cert2PEM,
+			name:                 "one bundle (pem)",
+			args:                 []string{"-id", "spiffe://domain2.test", "-format", util.FormatPEM},
+			expectedStdoutPretty: cert2PEM,
+			expectedStdoutJSON:   oneBundleResultJSON,
 		},
 		{
-			name:           "one bundle (jwks)",
-			args:           []string{"-id", "spiffe://domain2.test", "-format", util.FormatSPIFFE},
-			expectedStdout: cert2JWKS,
+			name:                 "one bundle (jwks)",
+			args:                 []string{"-id", "spiffe://domain2.test", "-format", util.FormatSPIFFE},
+			expectedStdoutPretty: cert2JWKS,
+			expectedStdoutJSON:   oneBundleResultJSON,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newListCommand)
-			test.server.err = tt.serverErr
-			test.server.bundles = []*types.Bundle{
-				{
-					TrustDomain: "spiffe://domain1.test",
-					X509Authorities: []*types.X509Certificate{
-						{Asn1: test.cert1.Raw},
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newListCommand)
+				test.server.err = tt.serverErr
+				test.server.bundles = []*types.Bundle{
+					{
+						TrustDomain: "spiffe://domain1.test",
+						X509Authorities: []*types.X509Certificate{
+							{Asn1: test.cert1.Raw},
+						},
+						JwtAuthorities: []*types.JWTKey{
+							{KeyId: "KID", PublicKey: test.key1Pkix},
+						},
 					},
-					JwtAuthorities: []*types.JWTKey{
-						{KeyId: "KID", PublicKey: test.key1Pkix},
+					{
+						TrustDomain: "spiffe://domain2.test",
+						X509Authorities: []*types.X509Certificate{
+							{Asn1: test.cert2.Raw},
+						},
 					},
-				},
-				{
-					TrustDomain: "spiffe://domain2.test",
-					X509Authorities: []*types.X509Certificate{
-						{Asn1: test.cert2.Raw},
-					},
-				},
-			}
+				}
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expectedStderr != "" {
-				require.Equal(t, tt.expectedStderr, test.stderr.String())
-				require.Equal(t, 1, rc)
-				return
-			}
+				rc := test.client.Run(test.args(args...))

-			require.Equal(t, 0, rc)
-			require.Empty(t, test.stderr.String())
-			require.Equal(t, tt.expectedStdout, test.stdout.String())
-		})
+				if tt.expectedStderrPretty != "" && format == "pretty" {
+					require.Equal(t, tt.expectedStderrPretty, test.stderr.String())
+					require.Equal(t, 1, rc)
+					return
+				}
+				if tt.expectedStderrJSON != "" && format == "json" {
+					require.Equal(t, tt.expectedStderrJSON, test.stderr.String())
+					require.Equal(t, 1, rc)
+					return
+				}
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Equal(t, 0, rc)
+				require.Empty(t, test.stderr.String())
+			})
+		}
 	}
 }

 func TestDeleteHelp(t *testing.T) {
 	test := setupTest(t, newDeleteCommand)
 	test.client.Help()
-	require.Equal(t, `Usage of bundle delete:
-  -id string
-    	SPIFFE ID of the trust domain
-  -mode string
-    	Deletion mode: one of restrict, delete, or dissociate (default "restrict")`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, deleteUsage, test.stderr.String())
 }

 func TestDeleteSynopsis(t *testing.T) {
 	test := setupTest(t, newDeleteCommand)
-	require.Equal(t, "Deletes bundle data", test.client.Synopsis())
+	require.Equal(t, "Deletes federated bundle data", test.client.Synopsis())
 }

 func TestDelete(t *testing.T) {
+	deleteResultJSON := `{
+  "results": [
+    {
+      "status": {
+        "code": 0,
+        "message": "ok"
+      },
+      "trust_domain": "domain1.test"
+    }
+  ]
+}`
 	for _, tt := range []struct {
-		name           string
-		args           []string
-		expectedStderr string
-		expectedStdout string
-		deleteResults  []*bundlev1.BatchDeleteFederatedBundleResponse_Result
-		mode           bundlev1.BatchDeleteFederatedBundleRequest_Mode
-		toDelete       []string
-		serverErr      error
+		name                 string
+		args                 []string
+		expectedStderrPretty string
+		expectedStderrJSON   string
+		expectedStdoutPretty string
+		expectedStdoutJSON   string
+		deleteResults        []*bundlev1.BatchDeleteFederatedBundleResponse_Result
+		mode                 bundlev1.BatchDeleteFederatedBundleRequest_Mode
+		toDelete             []string
+		serverErr            error
 	}{
 		{
-			name:           "success default mode",
-			args:           []string{"-id", "spiffe://domain1.test"},
-			expectedStdout: "bundle deleted.\n",
-			toDelete:       []string{"spiffe://domain1.test"},
+			name:                 "success default mode",
+			args:                 []string{"-id", "spiffe://domain1.test"},
+			expectedStdoutPretty: "bundle deleted.\n",
+			expectedStdoutJSON:   deleteResultJSON,
+			toDelete:             []string{"spiffe://domain1.test"},
 			deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{
 				{
 					Status: &types.Status{
@ -597,15 +742,17 @@ func TestDelete(t *testing.T) {
 			},
 		},
 		{
-			name:           "no id",
-			expectedStderr: "Error: id is required\n",
+			name:                 "no id",
+			expectedStderrPretty: "Error: id is required\n",
+			expectedStderrJSON:   "Error: id is required\n",
 		},
 		{
-			name:           "success RESTRICT mode",
-			args:           []string{"-id", "spiffe://domain1.test", "-mode", "restrict"},
-			expectedStdout: "bundle deleted.\n",
-			mode:           bundlev1.BatchDeleteFederatedBundleRequest_RESTRICT,
-			toDelete:       []string{"spiffe://domain1.test"},
+			name:                 "success RESTRICT mode",
+			args:                 []string{"-id", "spiffe://domain1.test", "-mode", "restrict"},
+			expectedStdoutPretty: "bundle deleted.\n",
+			expectedStdoutJSON:   deleteResultJSON,
+			mode:                 bundlev1.BatchDeleteFederatedBundleRequest_RESTRICT,
+			toDelete:             []string{"spiffe://domain1.test"},
 			deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{
 				{
 					Status: &types.Status{
@ -618,11 +765,12 @@ func TestDelete(t *testing.T) {
 			},
 		},
 		{
-			name:           "success DISSOCIATE mode",
-			args:           []string{"-id", "spiffe://domain1.test", "-mode", "dissociate"},
-			expectedStdout: "bundle deleted.\n",
-			mode:           bundlev1.BatchDeleteFederatedBundleRequest_DISSOCIATE,
-			toDelete:       []string{"spiffe://domain1.test"},
+			name:                 "success DISSOCIATE mode",
+			args:                 []string{"-id", "spiffe://domain1.test", "-mode", "dissociate"},
+			expectedStdoutPretty: "bundle deleted.\n",
+			expectedStdoutJSON:   deleteResultJSON,
+			mode:                 bundlev1.BatchDeleteFederatedBundleRequest_DISSOCIATE,
+			toDelete:             []string{"spiffe://domain1.test"},
 			deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{
 				{
 					Status: &types.Status{
@ -635,11 +783,12 @@ func TestDelete(t *testing.T) {
 			},
 		},
 		{
-			name:           "success DELETE mode",
-			args:           []string{"-id", "spiffe://domain1.test", "-mode", "delete"},
-			expectedStdout: "bundle deleted.\n",
-			mode:           bundlev1.BatchDeleteFederatedBundleRequest_DELETE,
-			toDelete:       []string{"spiffe://domain1.test"},
+			name:                 "success DELETE mode",
+			args:                 []string{"-id", "spiffe://domain1.test", "-mode", "delete"},
+			expectedStdoutPretty: "bundle deleted.\n",
+			expectedStdoutJSON:   deleteResultJSON,
+			mode:                 bundlev1.BatchDeleteFederatedBundleRequest_DELETE,
+			toDelete:             []string{"spiffe://domain1.test"},
 			deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{
 				{
 					Status: &types.Status{
@ -652,15 +801,17 @@ func TestDelete(t *testing.T) {
 			},
 		},
 		{
-			name:           "invalid mode",
-			args:           []string{"-id", "spiffe://domain1.test", "-mode", "invalid"},
-			expectedStderr: "Error: unsupported mode \"invalid\"\n",
+			name:                 "invalid mode",
+			args:                 []string{"-id", "spiffe://domain1.test", "-mode", "invalid"},
+			expectedStderrPretty: "Error: unsupported mode \"invalid\"\n",
+			expectedStderrJSON:   "Error: unsupported mode \"invalid\"\n",
 		},
 		{
-			name:           "server fails",
-			args:           []string{"-id", "spiffe://domain1.test"},
-			expectedStderr: "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n",
-			serverErr:      status.New(codes.Internal, "some error").Err(),
+			name:                 "server fails",
+			args:                 []string{"-id", "spiffe://domain1.test"},
+			expectedStderrPretty: "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n",
+			expectedStderrJSON:   "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n",
+			serverErr:            status.New(codes.Internal, "some error").Err(),
 		},
 		{
 			name:     "fails to delete",
@ -676,28 +827,51 @@ func TestDelete(t *testing.T) {
 					TrustDomain: "domain1.test",
 				},
 			},
-			expectedStderr: "Error: failed to delete federated bundle \"domain1.test\": some error\n",
+			expectedStderrPretty: "Error: failed to delete federated bundle \"domain1.test\": some error\n",
+			expectedStdoutJSON:   `{"results":[{"status":{"code":13,"message":"some error"},"trust_domain":"domain1.test"}]}`,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newDeleteCommand)
-			test.server.deleteResults = tt.deleteResults
-			test.server.err = tt.serverErr
-			test.server.mode = tt.mode
-			test.server.toDelete = tt.toDelete
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newDeleteCommand)
+				test.server.deleteResults = tt.deleteResults
+				test.server.err = tt.serverErr
+				test.server.mode = tt.mode
+				test.server.toDelete = tt.toDelete
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expectedStderr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expectedStderr, test.stderr.String())
+				rc := test.client.Run(test.args(args...))

-				return
-			}
+				if tt.expectedStderrPretty != "" && format == "pretty" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expectedStderrPretty, test.stderr.String())

-			require.Empty(t, test.stderr.String())
-			require.Equal(t, 0, rc)
-			require.Equal(t, tt.expectedStdout, test.stdout.String())
-		})
+					return
+				}
+				if tt.expectedStderrJSON != "" && format == "json" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expectedStderrJSON, test.stderr.String())
+
+					return
+				}
+				assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON)
+				require.Empty(t, test.stderr.String())
+				require.Equal(t, 0, rc)
+			})
+		}
+	}
+}
+
+func assertOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
 	}
 }
--- a/cmd/spire-server/cli/bundle/bundle_windows_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package bundle

@ -11,7 +10,43 @@ var (
    	SPIFFE ID of the trust domain
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
  -path string
    	Path to the bundle data
+`
+	showUsage = `Usage of bundle show:
+  -format string
+    	The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+	countUsage = `Usage of bundle count:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+	listUsage = `Usage of bundle list:
+  -format string
+    	The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -id string
+    	SPIFFE ID of the trust domain
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+	deleteUsage = `Usage of bundle delete:
+  -id string
+    	SPIFFE ID of the trust domain
+  -mode string
+    	Deletion mode: one of restrict, delete, or dissociate (default "restrict")
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
 `
 )
--- a/cmd/spire-server/cli/bundle/common.go
+++ b/cmd/spire-server/cli/bundle/common.go
@ -2,7 +2,6 @@ package bundle

 import (
 	"bytes"
-	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -17,7 +16,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
+	"github.com/spiffe/spire/pkg/common/jwtutil"
 )

 const (
@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {

 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}

 	var o bytes.Buffer
@ -86,11 +85,8 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 		return err
 	}

-	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
-	}
-
-	return nil
+	_, err = fmt.Fprintln(out, o.String())
+	return err
 }

 // bundleFromProto converts a bundle from the given *types.Bundle to *spiffebundle.Bundle
@ -103,7 +99,7 @@ func bundleFromProto(bundleProto *types.Bundle) (*spiffebundle.Bundle, error) {
 	if err != nil {
 		return nil, err
 	}
-	jwtAuthorities, err := jwtKeysFromProto(bundleProto.JwtAuthorities)
+	jwtAuthorities, err := jwtutil.JWTKeysFromProto(bundleProto.JwtAuthorities)
 	if err != nil {
 		return nil, err
 	}
@ -132,20 +128,6 @@ func x509CertificatesFromProto(proto []*types.X509Certificate) ([]*x509.Certific
 	return certs, nil
 }

-// jwtKeysFromProto converts JWT keys from the given []*types.JWTKey to map[string]crypto.PublicKey.
-// The key ID of the public key is used as the key in the returned map.
-func jwtKeysFromProto(proto []*types.JWTKey) (map[string]crypto.PublicKey, error) {
-	keys := make(map[string]crypto.PublicKey)
-	for i, publicKey := range proto {
-		jwtSigningKey, err := x509.ParsePKIXPublicKey(publicKey.PublicKey)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse JWT signing key %d: %w", i, err)
-		}
-		keys[publicKey.KeyId] = jwtSigningKey
-	}
-	return keys, nil
-}
-
 func printBundleWithFormat(out io.Writer, bundle *types.Bundle, format string, header bool) error {
 	if bundle == nil {
 		return errors.New("no bundle provided")
--- a/cmd/spire-server/cli/bundle/common_test.go
+++ b/cmd/spire-server/cli/bundle/common_test.go
@ -9,9 +9,9 @@ import (
 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -79,6 +79,7 @@ diIqWtxAqBLFrx8zNS4=
            ]
        }
    ],
+    "spiffe_sequence": 42,
    "spiffe_refresh_hint": 60
 }
 `
@ -202,7 +203,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *bundl
 		cert1:    cert1,
 		cert2:    cert2,
 		key1Pkix: key1Pkix,
-		addr:     common.GetAddr(addr),
+		addr:     clitest.GetAddr(addr),
 		stdin:    stdin,
 		stdout:   stdout,
 		stderr:   stderr,
@ -240,7 +241,7 @@ func (s *bundleTest) afterTest(t *testing.T) {
 }

 func (s *bundleTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 type fakeBundleServer struct {
@ -256,7 +257,7 @@ type fakeBundleServer struct {
 	toDelete          []string
 }

-func (f *fakeBundleServer) GetBundle(ctx context.Context, in *bundlev1.GetBundleRequest) (*types.Bundle, error) {
+func (f *fakeBundleServer) GetBundle(context.Context, *bundlev1.GetBundleRequest) (*types.Bundle, error) {
 	if f.err != nil {
 		return nil, f.err
 	}
@ -265,7 +266,7 @@ func (f *fakeBundleServer) GetBundle(ctx context.Context, in *bundlev1.GetBundle
 	return f.bundles[0], nil
 }

-func (f *fakeBundleServer) BatchSetFederatedBundle(ctx context.Context, req *bundlev1.BatchSetFederatedBundleRequest) (*bundlev1.BatchSetFederatedBundleResponse, error) {
+func (f *fakeBundleServer) BatchSetFederatedBundle(_ context.Context, req *bundlev1.BatchSetFederatedBundleRequest) (*bundlev1.BatchSetFederatedBundleResponse, error) {
 	if f.err != nil {
 		return nil, f.err
 	}
@ -292,7 +293,7 @@ func (f *fakeBundleServer) ListFederatedBundles(context.Context, *bundlev1.ListF
 	}, nil
 }

-func (f *fakeBundleServer) GetFederatedBundle(ctx context.Context, req *bundlev1.GetFederatedBundleRequest) (*types.Bundle, error) {
+func (f *fakeBundleServer) GetFederatedBundle(_ context.Context, req *bundlev1.GetFederatedBundleRequest) (*types.Bundle, error) {
 	if f.err != nil {
 		return nil, f.err
 	}
@ -306,7 +307,7 @@ func (f *fakeBundleServer) GetFederatedBundle(ctx context.Context, req *bundlev1
 	return nil, status.New(codes.NotFound, "not found").Err()
 }

-func (f *fakeBundleServer) BatchDeleteFederatedBundle(ctx context.Context, req *bundlev1.BatchDeleteFederatedBundleRequest) (*bundlev1.BatchDeleteFederatedBundleResponse, error) {
+func (f *fakeBundleServer) BatchDeleteFederatedBundle(_ context.Context, req *bundlev1.BatchDeleteFederatedBundleRequest) (*bundlev1.BatchDeleteFederatedBundleResponse, error) {
 	if f.err != nil {
 		return nil, f.err
 	}
--- a/cmd/spire-server/cli/bundle/count.go
+++ b/cmd/spire-server/cli/bundle/count.go
@ -1,54 +1,64 @@
 package bundle

 import (
+	"context"
 	"flag"
 	"fmt"

 	"github.com/mitchellh/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"

 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
-
-	"golang.org/x/net/context"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
 )

-type countCommand struct{}
+type countCommand struct {
+	env     *commoncli.Env
+	printer cliprinter.Printer
+}

 // NewCountCommand creates a new "count" subcommand for "bundle" command.
 func NewCountCommand() cli.Command {
-	return NewCountCommandWithEnv(common_cli.DefaultEnv)
+	return NewCountCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewCountCommandWithEnv creates a new "count" subcommand for "bundle" command
 // using the environment specified.
-func NewCountCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(countCommand))
+func NewCountCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &countCommand{env: env})
 }

 func (*countCommand) Name() string {
 	return "bundle count"
 }

-func (countCommand) Synopsis() string {
+func (*countCommand) Synopsis() string {
 	return "Count bundles"
 }

 // Run counts attested bundles
-func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	bundleClient := serverClient.NewBundleClient()
-	countResponse, err := bundleClient.CountBundles(ctx, &bundlev1.CountBundlesRequest{})
+	countResp, err := bundleClient.CountBundles(ctx, &bundlev1.CountBundlesRequest{})
 	if err != nil {
 		return err
 	}

-	count := int(countResponse.Count)
-	msg := fmt.Sprintf("%d ", count)
-	msg = util.Pluralizer(msg, "bundle", "bundles", count)
-	env.Println(msg)
-
-	return nil
+	return c.printer.PrintProto(countResp)
 }

 func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintCount)
+}
+
+func prettyPrintCount(env *commoncli.Env, results ...any) error {
+	countResp, ok := results[0].(*bundlev1.CountBundlesResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	count := int(countResp.Count)
+	msg := fmt.Sprintf("%d ", count)
+	msg = util.Pluralizer(msg, "bundle", "bundles", count)
+	return env.Println(msg)
 }
--- a/cmd/spire-server/cli/bundle/delete.go
+++ b/cmd/spire-server/cli/bundle/delete.go
@ -9,7 +9,8 @@ import (
 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"google.golang.org/grpc/codes"
 )

@ -21,19 +22,21 @@ const (

 // NewDeleteCommand creates a new "delete" subcommand for "bundle" command.
 func NewDeleteCommand() cli.Command {
-	return newDeleteCommand(common_cli.DefaultEnv)
+	return newDeleteCommand(commoncli.DefaultEnv)
 }

-func newDeleteCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(deleteCommand))
+func newDeleteCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &deleteCommand{env: env})
 }

 type deleteCommand struct {
+	env *commoncli.Env
 	// SPIFFE ID of the trust domain bundle
 	id string
-
 	// Deletion mode
 	mode string
+	// Command printer
+	printer cliprinter.Printer
 }

 func (c *deleteCommand) Name() string {
@ -41,15 +44,16 @@ func (c *deleteCommand) Name() string {
 }

 func (c *deleteCommand) Synopsis() string {
-	return "Deletes bundle data"
+	return "Deletes federated bundle data"
 }

 func (c *deleteCommand) AppendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain")
 	fs.StringVar(&c.mode, "mode", deleteBundleRestrict, fmt.Sprintf("Deletion mode: one of %s, %s, or %s", deleteBundleRestrict, deleteBundleDelete, deleteBundleDissociate))
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintDelete)
 }

-func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	if c.id == "" {
 		return errors.New("id is required")
 	}
@ -69,7 +73,16 @@ func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClie
 	if err != nil {
 		return fmt.Errorf("failed to delete federated bundle: %w", err)
 	}
-	result := resp.Results[0]
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintDelete(env *commoncli.Env, results ...any) error {
+	deleteResp, ok := results[0].(*bundlev1.BatchDeleteFederatedBundleResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	result := deleteResp.Results[0]
 	switch result.Status.Code {
 	case int32(codes.OK):
 		env.Println("bundle deleted.")
--- a/cmd/spire-server/cli/bundle/list.go
+++ b/cmd/spire-server/cli/bundle/list.go
@ -7,22 +7,26 @@ import (

 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 )

 // NewListCommand creates a new "list" subcommand for "bundle" command.
 func NewListCommand() cli.Command {
-	return newListCommand(common_cli.DefaultEnv)
+	return newListCommand(commoncli.DefaultEnv)
 }

-func newListCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(listCommand))
+func newListCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &listCommand{env: env})
 }

 type listCommand struct {
-	id     string // SPIFFE ID of the trust bundle
-	format string
+	env          *commoncli.Env
+	id           string // SPIFFE ID of the trust bundle
+	bundleFormat string
+	printer      cliprinter.Printer
 }

 func (c *listCommand) Name() string {
@ -35,10 +39,11 @@ func (c *listCommand) Synopsis() string {

 func (c *listCommand) AppendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain")
-	fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format to list federated bundles. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format to list federated bundles (only pretty output format supports this flag). Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintList)
 }

-func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	bundleClient := serverClient.NewBundleClient()
 	if c.id != "" {
 		resp, err := bundleClient.GetFederatedBundle(ctx, &bundlev1.GetFederatedBundleRequest{
@ -47,7 +52,7 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		if err != nil {
 			return err
 		}
-		return printBundleWithFormat(env.Stdout, resp, c.format, false)
+		return c.printer.PrintProto(resp)
 	}

 	resp, err := bundleClient.ListFederatedBundles(ctx, &bundlev1.ListFederatedBundlesRequest{})
@ -55,16 +60,27 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return err
 	}

-	for i, b := range resp.Bundles {
-		if i != 0 {
-			if err := env.Println(); err != nil {
+	return c.printer.PrintProto(resp)
+}
+
+func (c *listCommand) prettyPrintList(env *commoncli.Env, results ...any) error {
+	if listResp, ok := results[0].(*bundlev1.ListFederatedBundlesResponse); ok {
+		for i, bundle := range listResp.Bundles {
+			if i != 0 {
+				if err := env.Println(); err != nil {
+					return err
+				}
+			}
+
+			if err := printBundleWithFormat(env.Stdout, bundle, c.bundleFormat, true); err != nil {
 				return err
 			}
 		}
-
-		if err := printBundleWithFormat(env.Stdout, b, c.format, true); err != nil {
-			return err
-		}
+		return nil
 	}
-	return nil
+	if resp, ok := results[0].(*types.Bundle); ok {
+		return printBundleWithFormat(env.Stdout, resp, c.bundleFormat, false)
+	}
+
+	return cliprinter.ErrInternalCustomPrettyFunc
 }
--- a/cmd/spire-server/cli/bundle/set.go
+++ b/cmd/spire-server/cli/bundle/set.go
@ -11,6 +11,7 @@ import (
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"google.golang.org/grpc/codes"
 )

@ -20,17 +21,17 @@ func NewSetCommand() cli.Command {
 }

 func newSetCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(setCommand))
+	return util.AdaptCommand(env, &setCommand{env: env})
 }

 type setCommand struct {
+	env *common_cli.Env
 	// SPIFFE ID of the trust bundle
 	id string
-
 	// Path to the bundle on disk (optional). If empty, reads from stdin.
-	path string
-
-	format string
+	path         string
+	bundleFormat string
+	printer      cliprinter.Printer
 }

 func (c *setCommand) Name() string {
@ -38,13 +39,14 @@ func (c *setCommand) Name() string {
 }

 func (c *setCommand) Synopsis() string {
-	return "Creates or updates bundle data"
+	return "Creates or updates federated bundle data"
 }

 func (c *setCommand) AppendFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain")
 	fs.StringVar(&c.path, "path", "", "Path to the bundle data")
-	fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format of the bundle data. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format of the bundle data. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintSet)
 }

 func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
@ -52,7 +54,7 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return errors.New("id flag is required")
 	}

-	format, err := validateFormat(c.format)
+	bundleFormat, err := validateFormat(c.bundleFormat)
 	if err != nil {
 		return err
 	}
@ -62,7 +64,7 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return fmt.Errorf("unable to load bundle data: %w", err)
 	}

-	bundle, err := util.ParseBundle(bundleBytes, format, c.id)
+	bundle, err := util.ParseBundle(bundleBytes, bundleFormat, c.id)
 	if err != nil {
 		return err
 	}
@ -75,7 +77,15 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 		return fmt.Errorf("failed to set federated bundle: %w", err)
 	}

-	result := resp.Results[0]
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintSet(env *common_cli.Env, results ...any) error {
+	setResp, ok := results[0].(*bundlev1.BatchSetFederatedBundleResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	result := setResp.Results[0]
 	switch result.Status.Code {
 	case int32(codes.OK):
 		env.Println("bundle set.")
--- a/cmd/spire-server/cli/bundle/show.go
+++ b/cmd/spire-server/cli/bundle/show.go
@ -7,8 +7,10 @@ import (

 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 )

 // NewShowCommand creates a new "show" subcommand for "bundle" command.
@ -17,11 +19,13 @@ func NewShowCommand() cli.Command {
 }

 func newShowCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(showCommand))
+	return util.AdaptCommand(env, &showCommand{env: env})
 }

 type showCommand struct {
-	format string
+	env          *common_cli.Env
+	bundleFormat string
+	printer      cliprinter.Printer
 }

 func (c *showCommand) Name() string {
@ -33,15 +37,24 @@ func (c *showCommand) Synopsis() string {
 }

 func (c *showCommand) AppendFlags(fs *flag.FlagSet) {
-	fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format to show the bundle. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format to show the bundle (only pretty output format supports this flag). Either %q or %q.", util.FormatPEM, util.FormatSPIFFE))
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintBundle)
 }

-func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *showCommand) Run(ctx context.Context, _ *common_cli.Env, serverClient util.ServerClient) error {
 	bundleClient := serverClient.NewBundleClient()
 	resp, err := bundleClient.GetBundle(ctx, &bundlev1.GetBundleRequest{})
 	if err != nil {
 		return err
 	}

-	return printBundleWithFormat(env.Stdout, resp, c.format, false)
+	return c.printer.PrintProto(resp)
+}
+
+func (c *showCommand) prettyPrintBundle(env *common_cli.Env, results ...any) error {
+	showResp, ok := results[0].(*types.Bundle)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	return printBundleWithFormat(env.Stdout, showResp, c.bundleFormat, false)
 }
--- a/cmd/spire-server/cli/cli.go
+++ b/cmd/spire-server/cli/cli.go
@ -1,6 +1,7 @@
 package cli

 import (
+	"context"
 	stdlog "log"

 	"github.com/mitchellh/cli"
@ -10,8 +11,12 @@ import (
 	"github.com/spiffe/spire/cmd/spire-server/cli/federation"
 	"github.com/spiffe/spire/cmd/spire-server/cli/healthcheck"
 	"github.com/spiffe/spire/cmd/spire-server/cli/jwt"
+	localauthority_jwt "github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	localauthority_x509 "github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/cmd/spire-server/cli/logger"
 	"github.com/spiffe/spire/cmd/spire-server/cli/run"
 	"github.com/spiffe/spire/cmd/spire-server/cli/token"
+	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
 	"github.com/spiffe/spire/cmd/spire-server/cli/validate"
 	"github.com/spiffe/spire/cmd/spire-server/cli/x509"
 	"github.com/spiffe/spire/pkg/common/log"
@ -25,7 +30,7 @@ type CLI struct {
 }

 // Run configures the server CLI commands and subcommands.
-func (cc *CLI) Run(args []string) int {
+func (cc *CLI) Run(ctx context.Context, args []string) int {
 	c := cli.NewCLI("spire-server", version.Version())
 	c.Args = args
 	c.Commands = map[string]cli.CommandFactory{
@ -44,6 +49,9 @@ func (cc *CLI) Run(args []string) int {
 		"agent show": func() (cli.Command, error) {
 			return agent.NewShowCommand(), nil
 		},
+		"agent purge": func() (cli.Command, error) {
+			return agent.NewPurgeCommand(), nil
+		},
 		"bundle count": func() (cli.Command, error) {
 			return bundle.NewCountCommand(), nil
 		},
@ -92,8 +100,17 @@ func (cc *CLI) Run(args []string) int {
 		"federation update": func() (cli.Command, error) {
 			return federation.NewUpdateCommand(), nil
 		},
+		"logger get": func() (cli.Command, error) {
+			return logger.NewGetCommand(), nil
+		},
+		"logger set": func() (cli.Command, error) {
+			return logger.NewSetCommand(), nil
+		},
+		"logger reset": func() (cli.Command, error) {
+			return logger.NewResetCommand(), nil
+		},
 		"run": func() (cli.Command, error) {
-			return run.NewRunCommand(cc.LogOptions, cc.AllowUnknownConfig), nil
+			return run.NewRunCommand(ctx, cc.LogOptions, cc.AllowUnknownConfig), nil
 		},
 		"token generate": func() (cli.Command, error) {
 			return token.NewGenerateCommand(), nil
@ -110,6 +127,42 @@ func (cc *CLI) Run(args []string) int {
 		"validate": func() (cli.Command, error) {
 			return validate.NewValidateCommand(), nil
 		},
+		"localauthority x509 show": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ShowCommand(), nil
+		},
+		"localauthority x509 prepare": func() (cli.Command, error) {
+			return localauthority_x509.NewX509PrepareCommand(), nil
+		},
+		"localauthority x509 activate": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ActivateCommand(), nil
+		},
+		"localauthority x509 taint": func() (cli.Command, error) {
+			return localauthority_x509.NewX509TaintCommand(), nil
+		},
+		"localauthority x509 revoke": func() (cli.Command, error) {
+			return localauthority_x509.NewX509RevokeCommand(), nil
+		},
+		"localauthority jwt show": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTShowCommand(), nil
+		},
+		"localauthority jwt prepare": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTPrepareCommand(), nil
+		},
+		"localauthority jwt activate": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTActivateCommand(), nil
+		},
+		"localauthority jwt taint": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTTaintCommand(), nil
+		},
+		"localauthority jwt revoke": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTRevokeCommand(), nil
+		},
+		"upstreamauthority taint": func() (cli.Command, error) {
+			return upstreamauthority.NewTaintCommand(), nil
+		},
+		"upstreamauthority revoke": func() (cli.Command, error) {
+			return upstreamauthority.NewRevokeCommand(), nil
+		},
 	}

 	exitStatus, err := c.Run()
--- a/cmd/spire-server/cli/common/common_posix.go
+++ b/cmd/spire-server/cli/common/common_posix.go
@ -1,20 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package common
-
-import "net"
-
-var (
-	AddrArg   = "-socketPath"
-	AddrError = "Error: connection error: desc = \"transport: error while dialing: dial unix /does-not-exist.sock: connect: no such file or directory\"\n"
-	AddrUsage = `
-  -socketPath string
-    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
-`
-	AddrValue = "/does-not-exist.sock"
-)
-
-func GetAddr(addr net.Addr) string {
-	return addr.String()
-}
--- a/cmd/spire-server/cli/common/common_windows.go
+++ b/cmd/spire-server/cli/common/common_windows.go
@ -1,24 +0,0 @@
-//go:build windows
-// +build windows
-
-package common
-
-import (
-	"net"
-
-	"github.com/spiffe/spire/pkg/common/namedpipe"
-)
-
-var (
-	AddrArg   = "-namedPipeName"
-	AddrError = "Error: connection error: desc = \"transport: error while dialing: open \\\\\\\\.\\\\pipe\\\\does-not-exist: The system cannot find the file specified.\"\n"
-	AddrUsage = `
-  -namedPipeName string
-    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
-`
-	AddrValue = "\\does-not-exist"
-)
-
-func GetAddr(addr net.Addr) string {
-	return namedpipe.GetPipeName(addr.String())
-}
--- a/cmd/spire-server/cli/entry/count.go
+++ b/cmd/spire-server/cli/entry/count.go
@ -1,54 +1,160 @@
 package entry

 import (
+	"context"
 	"flag"
 	"fmt"

 	"github.com/mitchellh/cli"
-
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
-
-	"golang.org/x/net/context"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

-type countCommand struct{}
+type countCommand struct {
+	// Type and value are delimited by a colon (:)
+	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
+	selectors StringsFlag
+
+	// Workload parent spiffeID
+	parentID string
+
+	// Workload spiffeID
+	spiffeID string
+
+	// Entry hint
+	hint string
+
+	// List of SPIFFE IDs of trust domains the registration entry is federated with
+	federatesWith StringsFlag
+
+	// Whether the entry is for a downstream SPIRE server
+	downstream bool
+
+	// Match used when filtering by federates with
+	matchFederatesWithOn string
+
+	// Match used when filtering by selectors
+	matchSelectorsOn string
+
+	printer cliprinter.Printer
+	env     *commoncli.Env
+}

 // NewCountCommand creates a new "count" subcommand for "entry" command.
 func NewCountCommand() cli.Command {
-	return NewCountCommandWithEnv(common_cli.DefaultEnv)
+	return NewCountCommandWithEnv(commoncli.DefaultEnv)
 }

 // NewCountCommandWithEnv creates a new "count" subcommand for "entry" command
 // using the environment specified.
-func NewCountCommandWithEnv(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(countCommand))
+func NewCountCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &countCommand{env: env})
 }

 func (*countCommand) Name() string {
 	return "entry count"
 }

-func (countCommand) Synopsis() string {
+func (*countCommand) Synopsis() string {
 	return "Count registration entries"
 }

 // Run counts attested entries
-func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	entryClient := serverClient.NewEntryClient()
-	countResponse, err := entryClient.CountEntries(ctx, &entryv1.CountEntriesRequest{})
+
+	filter := &entryv1.CountEntriesRequest_Filter{}
+	if c.parentID != "" {
+		id, err := idStringToProto(c.parentID)
+		if err != nil {
+			return fmt.Errorf("error parsing parent ID %q: %w", c.parentID, err)
+		}
+		filter.ByParentId = id
+	}
+
+	if c.spiffeID != "" {
+		id, err := idStringToProto(c.spiffeID)
+		if err != nil {
+			return fmt.Errorf("error parsing SPIFFE ID %q: %w", c.spiffeID, err)
+		}
+		filter.BySpiffeId = id
+	}
+
+	if len(c.selectors) != 0 {
+		matchSelectorBehavior, err := parseToSelectorMatch(c.matchSelectorsOn)
+		if err != nil {
+			return err
+		}
+
+		selectors := make([]*types.Selector, len(c.selectors))
+		for i, sel := range c.selectors {
+			selector, err := util.ParseSelector(sel)
+			if err != nil {
+				return fmt.Errorf("error parsing selectors: %w", err)
+			}
+			selectors[i] = selector
+		}
+		filter.BySelectors = &types.SelectorMatch{
+			Selectors: selectors,
+			Match:     matchSelectorBehavior,
+		}
+	}
+
+	filter.ByDownstream = wrapperspb.Bool(c.downstream)
+
+	if len(c.federatesWith) > 0 {
+		matchFederatesWithBehavior, err := parseToFederatesWithMatch(c.matchFederatesWithOn)
+		if err != nil {
+			return err
+		}
+
+		filter.ByFederatesWith = &types.FederatesWithMatch{
+			TrustDomains: c.federatesWith,
+			Match:        matchFederatesWithBehavior,
+		}
+	}
+
+	if c.hint != "" {
+		filter.ByHint = wrapperspb.String(c.hint)
+	}
+
+	countResponse, err := entryClient.CountEntries(ctx, &entryv1.CountEntriesRequest{
+		Filter: filter,
+	})
+
 	if err != nil {
 		return err
 	}

-	count := int(countResponse.Count)
+	return c.printer.PrintProto(countResponse)
+}
+
+func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.StringVar(&c.parentID, "parentID", "", "The Parent ID of the records to count")
+	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the records to count")
+	fs.BoolVar(&c.downstream, "downstream", false, "A boolean value that, when set, indicates that the entry describes a downstream SPIRE server")
+	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain an entry is federate with. Can be used more than once")
+	fs.StringVar(&c.matchFederatesWithOn, "matchFederatesWithOn", "superset", "The match mode used when filtering by federates with. Options: exact, any, superset and subset")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
+	fs.StringVar(&c.hint, "hint", "", "The Hint of the records to count (optional)")
+
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintCount)
+}
+
+func (c *countCommand) prettyPrintCount(env *commoncli.Env, results ...any) error {
+	countResp, ok := results[0].(*entryv1.CountEntriesResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	count := int(countResp.Count)
 	msg := fmt.Sprintf("%d registration ", count)
 	msg = util.Pluralizer(msg, "entry", "entries", count)
 	env.Println(msg)

 	return nil
 }
-
-func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
-}
--- a/cmd/spire-server/cli/entry/count_test.go
+++ b/cmd/spire-server/cli/entry/count_test.go
@ -1,20 +1,22 @@
 package entry

 import (
+	"fmt"
 	"testing"

 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 func TestCountHelp(t *testing.T) {
 	test := setupTest(t, NewCountCommandWithEnv)
 	test.client.Help()

-	require.Equal(t, `Usage of entry count:`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, countUsage, test.stderr.String())
 }

 func TestCountSynopsis(t *testing.T) {
@ -31,30 +33,285 @@ func TestCount(t *testing.T) {
 	for _, tt := range []struct {
 		name          string
 		args          []string
+		expCountReq   *entryv1.CountEntriesRequest
 		fakeCountResp *entryv1.CountEntriesResponse
 		serverErr     error
-		expOut        string
+		expOutPretty  string
+		expOutJSON    string
 		expErr        string
 	}{
+		{
+			name: "Count all entries (empty filter)",
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp4,
+			expOutPretty:  "4 registration entries",
+			expOutJSON:    `{"count":4}`,
+		},
+		{
+			name: "Count by parentID",
+			args: []string{"-parentID", "spiffe://example.org/father"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByParentId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp2,
+			expOutPretty:  "2 registration entries",
+			expOutJSON:    `{"count":2}`,
+		},
+		{
+			name:   "Count by parent ID using invalid ID",
+			args:   []string{"-parentID", "invalid-id"},
+			expErr: "Error: error parsing parent ID \"invalid-id\": scheme is missing or invalid\n",
+		},
+		{
+			name: "Count by SPIFFE ID",
+			args: []string{"-spiffeID", "spiffe://example.org/daughter"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp2,
+			expOutPretty:  "2 registration entries",
+			expOutJSON:    `{"count":2}`,
+		},
+		{
+			name:   "Count by SPIFFE ID using invalid ID",
+			args:   []string{"-spiffeID", "invalid-id"},
+			expErr: "Error: error parsing SPIFFE ID \"invalid-id\": scheme is missing or invalid\n",
+		},
+		{
+			name: "Count by selectors: default matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: exact matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "exact"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_EXACT,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: superset matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "superset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: subset matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "subset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUBSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: Any matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "any"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_ANY,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name:   "Count by selectors: Invalid matcher",
+			args:   []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "NO-MATCHER"},
+			expErr: "Error: match behavior \"NO-MATCHER\" unknown\n",
+		},
+		{
+			name:   "Count by selector using invalid selector",
+			args:   []string{"-selector", "invalid-selector"},
+			expErr: "Error: error parsing selectors: selector \"invalid-selector\" must be formatted as type:value\n",
+		},
+		{
+			name: "Server error",
+			args: []string{"-spiffeID", "spiffe://example.org/daughter"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			serverErr: status.Error(codes.Internal, "internal server error"),
+			expErr:    "Error: rpc error: code = Internal desc = internal server error\n",
+		},
+		{
+			name: "Count by Federates With: default matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: exact matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "exact"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_EXACT,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: Any matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "any"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_ANY,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: superset matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "superset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: subset matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "subset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUBSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name:   "Count by Federates With: Invalid matcher",
+			args:   []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "NO-MATCHER"},
+			expErr: "Error: match behavior \"NO-MATCHER\" unknown\n",
+		},
 		{
 			name:          "4 entries",
 			fakeCountResp: fakeResp4,
-			expOut:        "4 registration entries\n",
+			expOutPretty:  "4 registration entries\n",
+			expOutJSON:    `{"count":4}`,
 		},
 		{
 			name:          "2 entries",
 			fakeCountResp: fakeResp2,
-			expOut:        "2 registration entries\n",
+			expOutPretty:  "2 registration entries\n",
+			expOutJSON:    `{"count":2}`,
 		},
 		{
 			name:          "1 entry",
 			fakeCountResp: fakeResp1,
-			expOut:        "1 registration entry\n",
+			expOutPretty:  "1 registration entry\n",
+			expOutJSON:    `{"count":1}`,
 		},
 		{
 			name:          "0 entries",
 			fakeCountResp: fakeResp0,
-			expOut:        "0 registration entries\n",
+			expOutPretty:  "0 registration entries\n",
+			expOutJSON:    `{"count":0}`,
 		},
 		{
 			name:      "Server error",
@ -62,21 +319,24 @@ func TestCount(t *testing.T) {
 			expErr:    "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, NewCountCommandWithEnv)
-			test.server.err = tt.serverErr
-			test.server.countEntriesResp = tt.fakeCountResp
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, NewCountCommandWithEnv)
+				test.server.err = tt.serverErr
+				test.server.countEntriesResp = tt.fakeCountResp

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expErr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expErr, test.stderr.String())
-				return
-			}
+				args := tt.args
+				args = append(args, "-output", format)

-			require.Equal(t, 0, rc)
-			require.Equal(t, tt.expOut, test.stdout.String())
-		})
+				rc := test.client.Run(test.args(args...))
+				if tt.expErr != "" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErr, test.stderr.String())
+					return
+				}
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)
+				require.Equal(t, 0, rc)
+			})
+		}
 	}
 }
--- a/cmd/spire-server/cli/entry/create.go
+++ b/cmd/spire-server/cli/entry/create.go
@ -1,27 +1,29 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewCreateCommand creates a new "create" subcommand for "entry" command.
 func NewCreateCommand() cli.Command {
-	return newCreateCommand(common_cli.DefaultEnv)
+	return newCreateCommand(commoncli.DefaultEnv)
 }

-func newCreateCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(createCommand))
+func newCreateCommand(env *commoncli.Env) cli.Command {
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -33,25 +35,34 @@ type createCommand struct {
 	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
 	selectors StringsFlag

+	// Registration entry ID
+	entryID string
+
 	// Workload parent spiffeID
 	parentID string

 	// Workload spiffeID
 	spiffeID string

-	// TTL for certificates issued to this workload
-	ttl int
+	// Entry hint, used to disambiguate entries with the same SPIFFE ID
+	hint string
+
+	// TTL for x509 SVIDs issued to this workload
+	x509SVIDTTL int
+
+	// TTL for JWT SVIDs issued to this workload
+	jwtSVIDTTL int

 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// Whether or not the entry represents a node or group of nodes
+	// whether the entry represents a node or group of nodes
 	node bool

 	// Expiry of entry
@ -62,6 +73,10 @@ type createCommand struct {

 	// storeSVID determines if the issued SVID must be stored through an SVIDStore plugin
 	storeSVID bool
+
+	printer cliprinter.Printer
+
+	env *commoncli.Env
 }

 func (*createCommand) Name() string {
@ -73,9 +88,11 @@ func (*createCommand) Synopsis() string {
 }

 func (c *createCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.entryID, "entryID", "", "A custom ID for this registration entry (optional). If not set, a new entry ID will be generated")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry")
+	f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -85,9 +102,11 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	f.BoolVar(&c.downstream, "downstream", false, "A boolean value that, when set, indicates that the entry describes a downstream SPIRE server")
 	f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned")
 	f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once")
+	f.StringVar(&c.hint, "hint", "", "The entry hint, used to disambiguate entries with the same SPIFFE ID")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -103,29 +122,12 @@ func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClie
 		return err
 	}

-	succeeded, failed, err := createEntries(ctx, serverClient.NewEntryClient(), entries)
+	resp, err := createEntries(ctx, serverClient.NewEntryClient(), entries)
 	if err != nil {
 		return err
 	}

-	// Print entries that succeeded to be created
-	for _, r := range succeeded {
-		printEntry(r.Entry, env.Printf)
-	}
-
-	// Print entries that failed to be created
-	for _, r := range failed {
-		env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
-			r.Status.Message)
-		printEntry(r.Entry, env.ErrPrintf)
-	}
-
-	if len(failed) > 0 {
-		return errors.New("failed to create one or more entries")
-	}
-
-	return nil
+	return c.printer.PrintProto(resp)
 }

 // validate performs basic validation, even on fields that we
@ -152,8 +154,12 @@ func (c *createCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
+	if c.x509SVIDTTL < 0 {
+		return errors.New("a positive x509-SVID TTL is required")
+	}
+
+	if c.jwtSVIDTTL < 0 {
+		return errors.New("a positive JWT-SVID TTL is required")
 	}

 	return nil
@ -171,19 +177,32 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
-		ParentId:   parentID,
-		SpiffeId:   spiffeID,
-		Ttl:        int32(c.ttl),
-		Downstream: c.downstream,
-		ExpiresAt:  c.entryExpiry,
-		DnsNames:   c.dnsNames,
-		StoreSvid:  c.storeSVID,
+		Id:          c.entryID,
+		ParentId:    parentID,
+		SpiffeId:    spiffeID,
+		Downstream:  c.downstream,
+		ExpiresAt:   c.entryExpiry,
+		DnsNames:    c.dnsNames,
+		StoreSvid:   c.storeSVID,
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
+		Hint:        c.hint,
 	}

 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -197,25 +216,21 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 	return []*types.Entry{e}, nil
 }

-func createEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (succeeded, failed []*entryv1.BatchCreateEntryResponse_Result, err error) {
-	resp, err := c.BatchCreateEntry(ctx, &entryv1.BatchCreateEntryRequest{Entries: entries})
+func createEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (resp *entryv1.BatchCreateEntryResponse, err error) {
+	resp, err = c.BatchCreateEntry(ctx, &entryv1.BatchCreateEntryRequest{Entries: entries})
 	if err != nil {
-		return nil, nil, err
+		return
 	}

 	for i, r := range resp.Results {
-		switch r.Status.Code {
-		case int32(codes.OK):
-			succeeded = append(succeeded, r)
-		default:
+		if r.Status.Code != int32(codes.OK) {
 			// The Entry API does not include in the results the entries that
 			// failed to be created, so we populate them from the request data.
 			r.Entry = entries[i]
-			failed = append(failed, r)
 		}
 	}

-	return succeeded, failed, nil
+	return
 }

 func getParentID(config *createCommand, td string) (*types.SPIFFEID, error) {
@ -228,3 +243,37 @@ func getParentID(config *createCommand, td string) (*types.SPIFFEID, error) {
 	}
 	return idStringToProto(config.parentID)
 }
+
+func prettyPrintCreate(env *commoncli.Env, results ...any) error {
+	var succeeded, failed []*entryv1.BatchCreateEntryResponse_Result
+	createResp, ok := results[0].(*entryv1.BatchCreateEntryResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+
+	for _, r := range createResp.Results {
+		switch r.Status.Code {
+		case int32(codes.OK):
+			succeeded = append(succeeded, r)
+		default:
+			failed = append(failed, r)
+		}
+	}
+
+	for _, r := range succeeded {
+		printEntry(r.Entry, env.Printf)
+	}
+
+	for _, r := range failed {
+		env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
+			util.MustCast[codes.Code](r.Status.Code),
+			r.Status.Message)
+		printEntry(r.Entry, env.ErrPrintf)
+	}
+
+	if len(failed) > 0 {
+		return errors.New("failed to create one or more entries")
+	}
+
+	return nil
+}
--- a/cmd/spire-server/cli/entry/create_test.go
+++ b/cmd/spire-server/cli/entry/create_test.go
@ -36,13 +36,43 @@ func TestCreate(t *testing.T) {
 						{Type: "zebra", Value: "zebra:2000"},
 						{Type: "alpha", Value: "alpha:2000"},
 					},
-					Ttl:           60,
+					X509SvidTtl:   60,
+					JwtSvidTtl:    30,
 					FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
 					Admin:         true,
 					ExpiresAt:     1552410266,
 					DnsNames:      []string{"unu1000", "ung1000"},
 					Downstream:    true,
 					StoreSvid:     true,
+					CreatedAt:     1547583197,
+				},
+				Status: &types.Status{
+					Code:    int32(codes.OK),
+					Message: "OK",
+				},
+			},
+		},
+	}
+
+	fakeRespOKFromCmdWithoutJwtTtl := &entryv1.BatchCreateEntryResponse{
+		Results: []*entryv1.BatchCreateEntryResponse_Result{
+			{
+				Entry: &types.Entry{
+					Id:       "entry-id",
+					SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
+					ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
+					Selectors: []*types.Selector{
+						{Type: "zebra", Value: "zebra:2000"},
+						{Type: "alpha", Value: "alpha:2000"},
+					},
+					X509SvidTtl:   60,
+					FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
+					Admin:         true,
+					ExpiresAt:     1552410266,
+					DnsNames:      []string{"unu1000", "ung1000"},
+					Downstream:    true,
+					StoreSvid:     true,
+					CreatedAt:     1547583197,
 				},
 				Status: &types.Status{
 					Code:    int32(codes.OK),
@ -56,12 +86,14 @@ func TestCreate(t *testing.T) {
 		Results: []*entryv1.BatchCreateEntryResponse_Result{
 			{
 				Entry: &types.Entry{
-					Id:        "entry-id-1",
-					SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"},
-					ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
-					Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
-					Ttl:       200,
-					Admin:     true,
+					Id:          "entry-id-1",
+					SpiffeId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"},
+					ParentId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
+					Selectors:   []*types.Selector{{Type: "unix", Value: "uid:1111"}},
+					X509SvidTtl: 200,
+					JwtSvidTtl:  30,
+					Admin:       true,
+					CreatedAt:   1547583197,
 				},
 				Status: &types.Status{
 					Code:    int32(codes.OK),
@ -70,11 +102,14 @@ func TestCreate(t *testing.T) {
 			},
 			{
 				Entry: &types.Entry{
-					Id:        "entry-id-2",
-					SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"},
-					ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"},
-					Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
-					Ttl:       200,
+					Id:          "entry-id-2",
+					SpiffeId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"},
+					ParentId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"},
+					Selectors:   []*types.Selector{{Type: "unix", Value: "uid:1111"}},
+					X509SvidTtl: 200,
+					JwtSvidTtl:  30,
+					Hint:        "internal",
+					CreatedAt:   1547583197,
 				},
 				Status: &types.Status{
 					Code:    int32(codes.OK),
@ -90,8 +125,10 @@ func TestCreate(t *testing.T) {
 						{Type: "type", Value: "key1:value"},
 						{Type: "type", Value: "key2:value"},
 					},
-					StoreSvid: true,
-					Ttl:       200,
+					StoreSvid:   true,
+					X509SvidTtl: 200,
+					JwtSvidTtl:  30,
+					CreatedAt:   1547583197,
 				},
 				Status: &types.Status{
 					Code:    int32(codes.OK),
@ -120,37 +157,51 @@ func TestCreate(t *testing.T) {
 		fakeResp  *entryv1.BatchCreateEntryResponse
 		serverErr error

-		expOut string
-		expErr string
+		expOutPretty string
+		expOutJSON   string
+		expErrJSON   string
+		expErrPretty string
 	}{
 		{
-			name:   "Missing selectors",
-			expErr: "Error: at least one selector is required\n",
+			name:         "Missing selectors",
+			expErrPretty: "Error: at least one selector is required\n",
+			expErrJSON:   "Error: at least one selector is required\n",
 		},
 		{
-			name:   "Missing parent SPIFFE ID",
-			args:   []string{"-selector", "unix:uid:1"},
-			expErr: "Error: a parent ID is required if the node flag is not set\n",
+			name:         "Missing parent SPIFFE ID",
+			args:         []string{"-selector", "unix:uid:1"},
+			expErrPretty: "Error: a parent ID is required if the node flag is not set\n",
+			expErrJSON:   "Error: a parent ID is required if the node flag is not set\n",
 		},
 		{
-			name:   "Missing SPIFFE ID",
-			args:   []string{"-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"},
-			expErr: "Error: a SPIFFE ID is required\n",
+			name:         "Missing SPIFFE ID",
+			args:         []string{"-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"},
+			expErrPretty: "Error: a SPIFFE ID is required\n",
+			expErrJSON:   "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:   "Wrong selectors",
-			args:   []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"},
-			expErr: "Error: selector \"unix\" must be formatted as type:value\n",
+			name:         "Wrong selectors",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"},
+			expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n",
+			expErrJSON:   "Error: selector \"unix\" must be formatted as type:value\n",
 		},
 		{
-			name:   "Negative TTL",
-			args:   []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
-			expErr: "Error: a positive TTL is required\n",
+			name:         "Negative X509SvidTtl",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-x509SVIDTTL", "-10"},
+			expErrPretty: "Error: a positive x509-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive x509-SVID TTL is required\n",
 		},
 		{
-			name:   "Federated node entries",
-			args:   []string{"-selector", "unix", "-spiffeID", "spiffe://example.org/workload", "-node", "-federatesWith", "spiffe://another.org"},
-			expErr: "Error: node entries can not federate\n",
+			name:         "Negative jwtSVIDTTL",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-jwtSVIDTTL", "-10"},
+			expErrPretty: "Error: a positive JWT-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive JWT-SVID TTL is required\n",
+		},
+		{
+			name:         "Federated node entries",
+			args:         []string{"-selector", "unix", "-spiffeID", "spiffe://example.org/workload", "-node", "-federatesWith", "spiffe://another.org"},
+			expErrPretty: "Error: node entries can not federate\n",
+			expErrJSON:   "Error: node entries can not federate\n",
 		},
 		{
 			name: "Server error",
@ -162,8 +213,9 @@ func TestCreate(t *testing.T) {
 					Selectors: []*types.Selector{{Type: "unix", Value: "uid:1"}},
 				},
 			}},
-			serverErr: errors.New("server-error"),
-			expErr:    "Error: rpc error: code = Unknown desc = server-error\n",
+			serverErr:    errors.New("server-error"),
+			expErrPretty: "Error: rpc error: code = Unknown desc = server-error\n",
+			expErrJSON:   "Error: rpc error: code = Unknown desc = server-error\n",
 		},
 		{
 			name: "Create succeeds using command line arguments",
@ -172,7 +224,117 @@ func TestCreate(t *testing.T) {
 				"-parentID", "spiffe://example.org/parent",
 				"-selector", "zebra:zebra:2000",
 				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
+				"-x509SVIDTTL", "60",
+				"-jwtSVIDTTL", "30",
+				"-federatesWith", "spiffe://domaina.test",
+				"-federatesWith", "spiffe://domainb.test",
+				"-admin",
+				"-entryExpiry", "1552410266",
+				"-dns", "unu1000",
+				"-dns", "ung1000",
+				"-downstream",
+				"-storeSVID",
+				"-hint", "internal",
+			},
+			expReq: &entryv1.BatchCreateEntryRequest{
+				Entries: []*types.Entry{
+					{
+						SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
+						ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
+						Selectors: []*types.Selector{
+							{Type: "zebra", Value: "zebra:2000"},
+							{Type: "alpha", Value: "alpha:2000"},
+						},
+						X509SvidTtl:   60,
+						JwtSvidTtl:    30,
+						FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
+						Admin:         true,
+						ExpiresAt:     1552410266,
+						DnsNames:      []string{"unu1000", "ung1000"},
+						Downstream:    true,
+						StoreSvid:     true,
+						Hint:          "internal",
+					},
+				},
+			},
+			fakeResp: fakeRespOKFromCmd,
+			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
+SPIFFE ID        : spiffe://example.org/workload
+Parent ID        : spiffe://example.org/parent
+Revision         : 0
+Downstream       : true
+X509-SVID TTL    : 60
+JWT-SVID TTL     : 30
+Expiration time  : %s
+Selector         : zebra:zebra:2000
+Selector         : alpha:alpha:2000
+FederatesWith    : spiffe://domaina.test
+FederatesWith    : spiffe://domainb.test
+DNS name         : unu1000
+DNS name         : ung1000
+Admin            : true
+StoreSvid        : true
+
+`, time.Unix(1552410266, 0).UTC()),
+			expOutJSON: `{
+  "results": [
+    {
+      "status": {
+        "code": 0,
+        "message": "OK"
+      },
+      "entry": {
+        "id": "entry-id",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/workload"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/parent"
+        },
+        "selectors": [
+          {
+            "type": "zebra",
+            "value": "zebra:2000"
+          },
+          {
+            "type": "alpha",
+            "value": "alpha:2000"
+          }
+        ],
+        "x509_svid_ttl": 60,
+        "federates_with": [
+          "spiffe://domaina.test",
+          "spiffe://domainb.test"
+        ],
+        "hint": "",
+        "admin": true,
+        "created_at": "1547583197",
+        "downstream": true,
+        "expires_at": "1552410266",
+        "dns_names": [
+          "unu1000",
+          "ung1000"
+        ],
+        "revision_number": "0",
+        "store_svid": true,
+        "jwt_svid_ttl": 30
+      }
+    }
+  ]
+}
+`,
+		},
+		{
+			name: "Create succeeds with custom entry ID",
+			args: []string{
+				"-entryID", "entry-id",
+				"-spiffeID", "spiffe://example.org/workload",
+				"-parentID", "spiffe://example.org/parent",
+				"-selector", "zebra:zebra:2000",
+				"-selector", "alpha:alpha:2000",
+				"-x509SVIDTTL", "60",
 				"-federatesWith", "spiffe://domaina.test",
 				"-federatesWith", "spiffe://domainb.test",
 				"-admin",
@ -185,13 +347,14 @@ func TestCreate(t *testing.T) {
 			expReq: &entryv1.BatchCreateEntryRequest{
 				Entries: []*types.Entry{
 					{
+						Id:       "entry-id",
 						SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
 						ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
 						Selectors: []*types.Selector{
 							{Type: "zebra", Value: "zebra:2000"},
 							{Type: "alpha", Value: "alpha:2000"},
 						},
-						Ttl:           60,
+						X509SvidTtl:   60,
 						FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
 						Admin:         true,
 						ExpiresAt:     1552410266,
@ -201,13 +364,14 @@ func TestCreate(t *testing.T) {
 					},
 				},
 			},
-			fakeResp: fakeRespOKFromCmd,
-			expOut: fmt.Sprintf(`Entry ID         : entry-id
+			fakeResp: fakeRespOKFromCmdWithoutJwtTtl,
+			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
 SPIFFE ID        : spiffe://example.org/workload
 Parent ID        : spiffe://example.org/parent
 Revision         : 0
 Downstream       : true
-TTL              : 60
+X509-SVID TTL    : 60
+JWT-SVID TTL     : default
 Expiration time  : %s
 Selector         : zebra:zebra:2000
 Selector         : alpha:alpha:2000
@ -219,6 +383,54 @@ Admin            : true
 StoreSvid        : true

 `, time.Unix(1552410266, 0).UTC()),
+			expOutJSON: `{
+  "results": [
+    {
+      "status": {
+        "code": 0,
+        "message": "OK"
+      },
+      "entry": {
+        "id": "entry-id",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/workload"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/parent"
+        },
+        "selectors": [
+          {
+            "type": "zebra",
+            "value": "zebra:2000"
+          },
+          {
+            "type": "alpha",
+            "value": "alpha:2000"
+          }
+        ],
+        "x509_svid_ttl": 60,
+        "federates_with": [
+          "spiffe://domaina.test",
+          "spiffe://domainb.test"
+        ],
+        "hint": "",
+        "admin": true,
+        "created_at": "1547583197",
+        "downstream": true,
+        "expires_at": "1552410266",
+        "dns_names": [
+          "unu1000",
+          "ung1000"
+        ],
+        "revision_number": "0",
+        "store_svid": true,
+        "jwt_svid_ttl": 0
+      }
+    }
+  ]
+}`,
 		},
 		{
 			name: "Create succeeds using data file",
@ -228,17 +440,20 @@ StoreSvid        : true
 			expReq: &entryv1.BatchCreateEntryRequest{
 				Entries: []*types.Entry{
 					{
-						SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"},
-						ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
-						Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
-						Ttl:       200,
-						Admin:     true,
+						SpiffeId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"},
+						ParentId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
+						Selectors:   []*types.Selector{{Type: "unix", Value: "uid:1111"}},
+						X509SvidTtl: 200,
+						JwtSvidTtl:  30,
+						Admin:       true,
 					},
 					{
-						SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"},
-						ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"},
-						Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
-						Ttl:       200,
+						SpiffeId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"},
+						ParentId:    &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"},
+						Selectors:   []*types.Selector{{Type: "unix", Value: "uid:1111"}},
+						X509SvidTtl: 200,
+						JwtSvidTtl:  30,
+						Hint:        "internal",
 					},
 					{
 						SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/storesvid"},
@ -247,17 +462,19 @@ StoreSvid        : true
 							{Type: "type", Value: "key1:value"},
 							{Type: "type", Value: "key2:value"},
 						},
-						Ttl:       200,
-						StoreSvid: true,
+						X509SvidTtl: 200,
+						JwtSvidTtl:  30,
+						StoreSvid:   true,
 					},
 				},
 			},
 			fakeResp: fakeRespOKFromFile,
-			expOut: `Entry ID         : entry-id-1
+			expOutPretty: `Entry ID         : entry-id-1
 SPIFFE ID        : spiffe://example.org/Blog
 Parent ID        : spiffe://example.org/spire/agent/join_token/TokenBlog
 Revision         : 0
-TTL              : 200
+X509-SVID TTL    : 200
+JWT-SVID TTL     : 30
 Selector         : unix:uid:1111
 Admin            : true

@ -265,19 +482,132 @@ Entry ID         : entry-id-2
 SPIFFE ID        : spiffe://example.org/Database
 Parent ID        : spiffe://example.org/spire/agent/join_token/TokenDatabase
 Revision         : 0
-TTL              : 200
+X509-SVID TTL    : 200
+JWT-SVID TTL     : 30
 Selector         : unix:uid:1111
+Hint             : internal

 Entry ID         : entry-id-3
 SPIFFE ID        : spiffe://example.org/storesvid
 Parent ID        : spiffe://example.org/spire/agent/join_token/TokenDatabase
 Revision         : 0
-TTL              : 200
+X509-SVID TTL    : 200
+JWT-SVID TTL     : 30
 Selector         : type:key1:value
 Selector         : type:key2:value
 StoreSvid        : true

 `,
+			expOutJSON: `{
+  "results": [
+    {
+      "status": {
+        "code": 0,
+        "message": "OK"
+      },
+      "entry": {
+        "id": "entry-id-1",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/Blog"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/spire/agent/join_token/TokenBlog"
+        },
+        "selectors": [
+          {
+            "type": "unix",
+            "value": "uid:1111"
+          }
+        ],
+        "x509_svid_ttl": 200,
+        "federates_with": [],
+        "hint": "",
+        "admin": true,
+        "created_at": "1547583197",
+        "downstream": false,
+        "expires_at": "0",
+        "dns_names": [],
+        "revision_number": "0",
+        "store_svid": false,
+        "jwt_svid_ttl": 30
+      }
+    },
+    {
+      "status": {
+        "code": 0,
+        "message": "OK"
+      },
+      "entry": {
+        "id": "entry-id-2",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/Database"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/spire/agent/join_token/TokenDatabase"
+        },
+        "selectors": [
+          {
+            "type": "unix",
+            "value": "uid:1111"
+          }
+        ],
+        "x509_svid_ttl": 200,
+        "federates_with": [],
+        "hint": "internal",
+        "admin": false,
+        "created_at": "1547583197",
+        "downstream": false,
+        "expires_at": "0",
+        "dns_names": [],
+        "revision_number": "0",
+        "store_svid": false,
+        "jwt_svid_ttl": 30
+      }
+    },
+    {
+      "status": {
+        "code": 0,
+        "message": "OK"
+      },
+      "entry": {
+        "id": "entry-id-3",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/storesvid"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/spire/agent/join_token/TokenDatabase"
+        },
+        "selectors": [
+          {
+            "type": "type",
+            "value": "key1:value"
+          },
+          {
+            "type": "type",
+            "value": "key2:value"
+          }
+        ],
+        "x509_svid_ttl": 200,
+        "federates_with": [],
+        "hint": "",
+        "admin": false,
+        "created_at": "1547583197",
+        "downstream": false,
+        "expires_at": "0",
+        "dns_names": [],
+        "revision_number": "0",
+        "store_svid": true,
+        "jwt_svid_ttl": 30
+      }
+    }
+  ]
+}`,
 		},
 		{
 			name: "Entry already exist",
@ -290,34 +620,81 @@ StoreSvid        : true
 				},
 			}},
 			fakeResp: fakeRespErr,
-			expErr: `Failed to create the following entry (code: AlreadyExists, msg: "similar entry already exists"):
+			expErrPretty: `Failed to create the following entry (code: AlreadyExists, msg: "similar entry already exists"):
 Entry ID         : (none)
 SPIFFE ID        : spiffe://example.org/already-exist
 Parent ID        : spiffe://example.org/spire/server
 Revision         : 0
-TTL              : default
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
 Selector         : unix:uid:1

 Error: failed to create one or more entries
 `,
+			expOutJSON: `{
+  "results": [
+    {
+      "status": {
+        "code": 6,
+        "message": "similar entry already exists"
+      },
+      "entry": {
+        "id": "",
+        "spiffe_id": {
+          "trust_domain": "example.org",
+          "path": "/already-exist"
+        },
+        "parent_id": {
+          "trust_domain": "example.org",
+          "path": "/spire/server"
+        },
+        "selectors": [
+          {
+            "type": "unix",
+            "value": "uid:1"
+          }
+        ],
+        "x509_svid_ttl": 0,
+        "federates_with": [],
+        "hint": "",
+        "admin": false,
+        "created_at": "0",
+        "downstream": false,
+        "expires_at": "0",
+        "dns_names": [],
+        "revision_number": "0",
+        "store_svid": false,
+        "jwt_svid_ttl": 0
+      }
+    }
+  ]
+}`,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newCreateCommand)
-			test.server.err = tt.serverErr
-			test.server.expBatchCreateEntryReq = tt.expReq
-			test.server.batchCreateEntryResp = tt.fakeResp
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newCreateCommand)
+				test.server.err = tt.serverErr
+				test.server.expBatchCreateEntryReq = tt.expReq
+				test.server.batchCreateEntryResp = tt.fakeResp
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expErr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expErr, test.stderr.String())
-				return
-			}
+				rc := test.client.Run(test.args(args...))

-			require.Equal(t, 0, rc)
-			require.Equal(t, tt.expOut, test.stdout.String())
-		})
+				if tt.expErrJSON != "" && format == "json" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErrJSON, test.stderr.String())
+					return
+				}
+				if tt.expErrPretty != "" && format == "pretty" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErrPretty, test.stderr.String())
+					return
+				}
+				require.Equal(t, 0, rc)
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)
+			})
+		}
 	}
 }
--- a/cmd/spire-server/cli/entry/delete.go
+++ b/cmd/spire-server/cli/entry/delete.go
@ -1,31 +1,37 @@
 package entry

 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"flag"
-	"fmt"
+	"io"
+	"os"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
-	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewDeleteCommand creates a new "delete" subcommand for "entry" command.
 func NewDeleteCommand() cli.Command {
-	return newDeleteCommand(common_cli.DefaultEnv)
+	return newDeleteCommand(commoncli.DefaultEnv)
 }

-func newDeleteCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(deleteCommand))
+func newDeleteCommand(env *commoncli.Env) cli.Command {
+	return serverutil.AdaptCommand(env, &deleteCommand{env: env})
 }

 type deleteCommand struct {
 	// ID of the record to delete
 	entryID string
+	file    string
+	env     *commoncli.Env
+	printer cliprinter.Printer
 }

 func (*deleteCommand) Name() string {
@ -37,35 +43,109 @@ func (*deleteCommand) Synopsis() string {
 }

 func (c *deleteCommand) AppendFlags(f *flag.FlagSet) {
-	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to delete")
+	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to delete.")
+	f.StringVar(&c.file, "file", "", "Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintDelete)
 }

-func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func parseEntryDeleteJSON(path string) ([]string, error) {
+	r := os.Stdin
+	if path != "-" {
+		f, err := os.Open(path)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		r = f
+	}
+
+	dat, err := io.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+
+	batchDeleteEntryRequest := &entryv1.BatchDeleteEntryRequest{}
+	if err := json.Unmarshal(dat, batchDeleteEntryRequest); err != nil {
+		return nil, err
+	}
+	return batchDeleteEntryRequest.Ids, nil
+}
+
+func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}

-	req := &entryv1.BatchDeleteEntryRequest{Ids: []string{c.entryID}}
+	var err error
+	entriesIDs := []string{}
+	if c.file != "" {
+		entriesIDs, err = parseEntryDeleteJSON(c.file)
+		if err != nil {
+			return err
+		}
+	} else {
+		entriesIDs = append(entriesIDs, c.entryID)
+	}
+
+	req := &entryv1.BatchDeleteEntryRequest{Ids: entriesIDs}
 	resp, err := serverClient.NewEntryClient().BatchDeleteEntry(ctx, req)
 	if err != nil {
 		return err
 	}

-	sts := resp.Results[0].Status
-	switch sts.Code {
-	case int32(codes.OK):
-		env.Printf("Deleted entry with ID: %s\n", c.entryID)
-		return nil
-	default:
-		return fmt.Errorf("failed to delete entry: %s", sts.Message)
-	}
+	return c.printer.PrintProto(resp)
 }

 // Perform basic validation.
 func (c *deleteCommand) validate() error {
+	if c.file != "" {
+		return nil
+	}
+
 	if c.entryID == "" {
 		return errors.New("an entry ID is required")
 	}

 	return nil
 }
+
+func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...any) error {
+	deleteResp, ok := results[0].(*entryv1.BatchDeleteEntryResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+
+	var failed, succeeded []*entryv1.BatchDeleteEntryResponse_Result
+	for _, result := range deleteResp.Results {
+		switch result.Status.Code {
+		case int32(codes.OK):
+			succeeded = append(succeeded, result)
+		default:
+			failed = append(failed, result)
+		}
+	}
+
+	for _, result := range succeeded {
+		env.Printf("Deleted entry with ID: %s\n", result.Id)
+	}
+
+	if len(succeeded) > 0 {
+		env.Printf("\n\n")
+	}
+
+	for _, result := range failed {
+		env.ErrPrintf("Failed to delete entry with ID %s (code: %s, msg: %q)\n",
+			result.Id,
+			util.MustCast[codes.Code](result.Status.Code),
+			result.Status.Message)
+	}
+
+	if len(failed) > 0 {
+		env.Printf("\n\n")
+		return errors.New("failed to delete one or more entries")
+	}
+
+	env.Printf("Deleted %d entries successfully, but failed to delete %d entries", len(succeeded), len(failed))
+
+	return nil
+}
--- a/cmd/spire-server/cli/entry/delete_test.go
+++ b/cmd/spire-server/cli/entry/delete_test.go
@ -2,11 +2,11 @@ package entry

 import (
 	"errors"
+	"fmt"
 	"testing"

 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )
@ -15,9 +15,7 @@ func TestDeleteHelp(t *testing.T) {
 	test := setupTest(t, newDeleteCommand)
 	test.client.Help()

-	require.Equal(t, `Usage of entry delete:
-  -entryID string
-    	The Registration Entry ID of the record to delete`+common.AddrUsage, test.stderr.String())
+	require.Equal(t, deleteUsage, test.stderr.String())
 }

 func TestDeleteSynopsis(t *testing.T) {
@ -26,18 +24,6 @@ func TestDeleteSynopsis(t *testing.T) {
 }

 func TestDelete(t *testing.T) {
-	fakeRespOK := &entryv1.BatchDeleteEntryResponse{
-		Results: []*entryv1.BatchDeleteEntryResponse_Result{
-			{
-				Id: "entry-id",
-				Status: &types.Status{
-					Code:    int32(codes.OK),
-					Message: "OK",
-				},
-			},
-		},
-	}
-
 	fakeRespErr := &entryv1.BatchDeleteEntryResponse{
 		Results: []*entryv1.BatchDeleteEntryResponse_Result{
 			{
@ -58,51 +44,167 @@ func TestDelete(t *testing.T) {
 		fakeResp  *entryv1.BatchDeleteEntryResponse
 		serverErr error

-		expOut string
-		expErr string
+		expOutPretty string
+		expOutJSON   string
+		expErrPretty string
+		expErrJSON   string
 	}{
 		{
-			name:   "Empty entry ID",
-			expErr: "Error: an entry ID is required\n",
+			name:         "Empty entry ID",
+			expErrPretty: "Error: an entry ID is required\n",
+			expErrJSON:   "Error: an entry ID is required\n",
 		},
 		{
 			name:     "Entry not found",
 			args:     []string{"-entryID", "entry-id"},
 			expReq:   &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
 			fakeResp: fakeRespErr,
-			expErr:   "Error: failed to delete entry: entry not found\n",
+			expErrPretty: "Failed to delete entry with ID entry-id (code: NotFound, msg: \"entry not found\")" +
+				"\nError: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[{"status":{"code":5,"message":"entry not found"},"id":"entry-id"}]}`,
 		},
 		{
-			name:      "Server error",
-			args:      []string{"-entryID", "entry-id"},
-			expReq:    &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
-			serverErr: errors.New("server-error"),
-			expErr:    "Error: rpc error: code = Unknown desc = server-error\n",
+			name:         "Server error",
+			args:         []string{"-entryID", "entry-id"},
+			expReq:       &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
+			serverErr:    errors.New("server-error"),
+			expErrPretty: "Error: rpc error: code = Unknown desc = server-error\n",
+			expErrJSON:   "Error: rpc error: code = Unknown desc = server-error\n",
 		},
 		{
-			name:     "Delete succeeds",
-			args:     []string{"-entryID", "entry-id"},
-			expReq:   &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
-			fakeResp: fakeRespOK,
-			expOut:   "Deleted entry with ID: entry-id\n",
+			name:   "Delete succeeded",
+			args:   []string{"-entryID", "entry-0"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-0\n",
+			expOutJSON:   `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-0"}]}`,
+		},
+		{
+			name:   "Delete succeeded using data file",
+			args:   []string{"-file", "../../../../test/fixture/registration/good-for-delete.json"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0", "entry-1"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+					{
+						Id: "entry-1",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-0\nDeleted entry with ID: entry-1\n",
+			expOutJSON:   `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-0"},{"status":{"code":0,"message":"OK"},"id":"entry-1"}]}`,
+		},
+		{
+			name:   "Delete partially succeeded",
+			args:   []string{"-file", "../../../../test/fixture/registration/partially-good-for-delete.json"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0", "entry-1", "entry-2", "entry-3"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+					{
+						Id: "entry-1",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+					{
+						Id: "entry-2",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+					{
+						Id: "entry-3",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-1\nDeleted entry with ID: entry-3\n",
+			expErrPretty: "Failed to delete entry with ID entry-0 (code: NotFound, msg: \"entry not found\")\n" +
+				"Failed to delete entry with ID entry-2 (code: NotFound, msg: \"entry not found\")\n" +
+				"Error: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-0"},` +
+				`{"status":{"code":0,"message":"OK"},"id":"entry-1"},` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-2"},` +
+				`{"status":{"code":0,"message":"OK"},"id":"entry-3"}]}`,
+		},
+		{
+			name:   "Delete failed",
+			args:   []string{"-entryID", "entry-0"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+				},
+			},
+			expErrPretty: "Failed to delete entry with ID entry-0 (code: NotFound, msg: \"entry not found\")\n" +
+				"Error: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-0"}]}`,
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newDeleteCommand)
-			test.server.err = tt.serverErr
-			test.server.expBatchDeleteEntryReq = tt.expReq
-			test.server.batchDeleteEntryResp = tt.fakeResp
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newDeleteCommand)
+				test.server.err = tt.serverErr
+				test.server.expBatchDeleteEntryReq = tt.expReq
+				test.server.batchDeleteEntryResp = tt.fakeResp
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expErr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expErr, test.stderr.String())
-				return
-			}
+				rc := test.client.Run(test.args(args...))

-			require.Equal(t, 0, rc)
-			require.Equal(t, tt.expOut, test.stdout.String())
-		})
+				if tt.expErrJSON != "" && format == "json" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErrJSON, test.stderr.String())
+					return
+				}
+				if tt.expErrPretty != "" && format == "pretty" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErrPretty, test.stderr.String())
+					return
+				}
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)
+				require.Equal(t, 0, rc)
+			})
+		}
 	}
 }
--- a/cmd/spire-server/cli/entry/show.go
+++ b/cmd/spire-server/cli/entry/show.go
@ -1,6 +1,7 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
@ -9,21 +10,21 @@ import (
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
 	commonutil "github.com/spiffe/spire/pkg/common/util"
-
-	"golang.org/x/net/context"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 const listEntriesRequestPageSize = 500

 // NewShowCommand creates a new "show" subcommand for "entry" command.
 func NewShowCommand() cli.Command {
-	return newShowCommand(common_cli.DefaultEnv)
+	return newShowCommand(commoncli.DefaultEnv)
 }

-func newShowCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(showCommand))
+func newShowCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &showCommand{env: env})
 }

 type showCommand struct {
@ -40,10 +41,13 @@ type showCommand struct {
 	// Workload spiffeID
 	spiffeID string

+	// Entry hint
+	hint string
+
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

 	// Match used when filtering by federates with
@ -51,6 +55,10 @@ type showCommand struct {

 	// Match used when filtering by selectors
 	matchSelectorsOn string
+
+	printer cliprinter.Printer
+
+	env *commoncli.Env
 }

 func (c *showCommand) Name() string {
@ -70,23 +78,24 @@ func (c *showCommand) AppendFlags(f *flag.FlagSet) {
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain an entry is federate with. Can be used more than once")
 	f.StringVar(&c.matchFederatesWithOn, "matchFederatesWithOn", "superset", "The match mode used when filtering by federates with. Options: exact, any, superset and subset")
 	f.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
+	f.StringVar(&c.hint, "hint", "", "The Hint of the records to show (optional)")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintShow)
 }

 // Run executes all logic associated with a single invocation of the
 // `spire-server entry show` CLI command
-func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *showCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}

-	entries, err := c.fetchEntries(ctx, serverClient.NewEntryClient())
+	resp, err := c.fetchEntries(ctx, serverClient.NewEntryClient())
 	if err != nil {
 		return err
 	}

-	commonutil.SortTypesEntries(entries)
-	printEntries(entries, env)
-	return nil
+	commonutil.SortTypesEntries(resp.Entries)
+	return c.printer.PrintProto(resp)
 }

 // validate ensures that the values in showCommand are valid
@ -101,14 +110,16 @@ func (c *showCommand) validate() error {
 	return nil
 }

-func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClient) ([]*types.Entry, error) {
+func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClient) (*entryv1.ListEntriesResponse, error) {
+	listResp := &entryv1.ListEntriesResponse{}
 	// If an Entry ID was specified, look it up directly
 	if c.entryID != "" {
 		entry, err := c.fetchByEntryID(ctx, c.entryID, client)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching entry ID %s: %w", c.entryID, err)
 		}
-		return []*types.Entry{entry}, nil
+		listResp.Entries = append(listResp.Entries, entry)
+		return listResp, nil
 	}

 	filter := &entryv1.ListEntriesRequest_Filter{}
@ -160,8 +171,13 @@ func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClie
 		}
 	}

+	if c.hint != "" {
+		filter.ByHint = wrapperspb.String(c.hint)
+	}
+
+	filter.ByDownstream = wrapperspb.Bool(c.downstream)
+
 	pageToken := ""
-	var entries []*types.Entry

 	for {
 		resp, err := client.ListEntries(ctx, &entryv1.ListEntriesRequest{
@ -172,13 +188,13 @@ func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClie
 		if err != nil {
 			return nil, fmt.Errorf("error fetching entries: %w", err)
 		}
-		entries = append(entries, resp.Entries...)
+		listResp.Entries = append(listResp.Entries, resp.Entries...)
 		if pageToken = resp.NextPageToken; pageToken == "" {
 			break
 		}
 	}

-	return entries, nil
+	return listResp, nil
 }

 // fetchByEntryID uses the configured EntryID to fetch the appropriate registration entry
@ -191,7 +207,7 @@ func (c *showCommand) fetchByEntryID(ctx context.Context, id string, client entr
 	return entry, nil
 }

-func printEntries(entries []*types.Entry, env *common_cli.Env) {
+func printEntries(entries []*types.Entry, env *commoncli.Env) {
 	msg := fmt.Sprintf("Found %v ", len(entries))
 	msg = util.Pluralizer(msg, "entry", "entries", len(entries))

@ -230,3 +246,12 @@ func parseToFederatesWithMatch(match string) (types.FederatesWithMatch_MatchBeha
 		return types.FederatesWithMatch_MATCH_SUPERSET, fmt.Errorf("match behavior %q unknown", match)
 	}
 }
+
+func prettyPrintShow(env *commoncli.Env, results ...any) error {
+	listResp, ok := results[0].(*entryv1.ListEntriesResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+	printEntries(listResp.Entries, env)
+	return nil
+}
--- a/cmd/spire-server/cli/entry/show_test.go
+++ b/cmd/spire-server/cli/entry/show_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 func TestShowHelp(t *testing.T) {
@ -53,29 +54,39 @@ func TestShow(t *testing.T) {

 		serverErr error

-		expOut string
-		expErr string
+		expOutPretty string
+		expOutJSON   string
+		expErr       string
 	}{
 		{
 			name: "List all entries (empty filter)",
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
-				Filter:   &entryv1.ListEntriesRequest_Filter{},
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByDownstream: wrapperspb.Bool(false),
+				},
 			},
 			fakeListResp: fakeRespAll,
-			expOut: fmt.Sprintf("Found 4 entries\n%s%s%s%s",
-				getPrintedEntry(1),
-				getPrintedEntry(2),
-				getPrintedEntry(0),
-				getPrintedEntry(3),
+			expOutPretty: fmt.Sprintf("Found 4 entries\n%s%s%s%s",
+				getPrettyPrintedEntry(1),
+				getPrettyPrintedEntry(2),
+				getPrettyPrintedEntry(0),
+				getPrettyPrintedEntry(3),
+			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s,%s,%s,%s],"next_page_token": ""}`,
+				getJSONPrintedEntry(1),
+				getJSONPrintedEntry(2),
+				getJSONPrintedEntry(0),
+				getJSONPrintedEntry(3),
 			),
 		},
 		{
-			name:        "List by entry ID",
-			args:        []string{"-entryID", getEntries(1)[0].Id},
-			expGetReq:   &entryv1.GetEntryRequest{Id: getEntries(1)[0].Id},
-			fakeGetResp: getEntries(1)[0],
-			expOut:      fmt.Sprintf("Found 1 entry\n%s", getPrintedEntry(0)),
+			name:         "List by entry ID",
+			args:         []string{"-entryID", getEntries(1)[0].Id},
+			expGetReq:    &entryv1.GetEntryRequest{Id: getEntries(1)[0].Id},
+			fakeGetResp:  getEntries(1)[0],
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s", getPrettyPrintedEntry(0)),
+			expOutJSON:   fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(0)),
 		},
 		{
 			name:      "List by entry ID not found",
@ -95,14 +106,16 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					ByParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByParentId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFather,
-			expOut: fmt.Sprintf("Found 2 entries\n%s%s",
-				getPrintedEntry(1),
-				getPrintedEntry(0),
+			expOutPretty: fmt.Sprintf("Found 2 entries\n%s%s",
+				getPrettyPrintedEntry(1),
+				getPrettyPrintedEntry(0),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s,%s],"next_page_token": ""}`, getJSONPrintedEntry(1), getJSONPrintedEntry(0)),
 		},
 		{
 			name:   "List by parent ID using invalid ID",
@ -115,14 +128,16 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					BySpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespDaughter,
-			expOut: fmt.Sprintf("Found 2 entries\n%s%s",
-				getPrintedEntry(1),
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 2 entries\n%s%s",
+				getPrettyPrintedEntry(1),
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s, %s],"next_page_token": ""}`, getJSONPrintedEntry(1), getJSONPrintedEntry(2)),
 		},
 		{
 			name:   "List by SPIFFE ID using invalid ID",
@ -142,12 +157,14 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(1),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(1),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)),
 		},
 		{
 			name: "List by selectors: exact matcher",
@ -162,12 +179,14 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_EXACT,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(1),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(1),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)),
 		},
 		{
 			name: "List by selectors: superset matcher",
@ -182,12 +201,14 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(1),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(1),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)),
 		},
 		{
 			name: "List by selectors: subset matcher",
@ -202,12 +223,14 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUBSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(1),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(1),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)),
 		},
 		{
 			name: "List by selectors: Any matcher",
@ -222,12 +245,14 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_ANY,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(1),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(1),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)),
 		},
 		{
 			name:   "List by selectors: Invalid matcher",
@ -245,7 +270,8 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					BySpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			serverErr: status.Error(codes.Internal, "internal server error"),
@ -261,12 +287,14 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)),
 		},
 		{
 			name: "List by Federates With: exact matcher",
@ -278,12 +306,14 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_EXACT,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)),
 		},
 		{
 			name: "List by Federates With: Any matcher",
@ -295,12 +325,14 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_ANY,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)),
 		},
 		{
 			name: "List by Federates With: superset matcher",
@ -312,12 +344,14 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)),
 		},
 		{
 			name: "List by Federates With: subset matcher",
@ -329,12 +363,14 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUBSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
-			expOut: fmt.Sprintf("Found 1 entry\n%s",
-				getPrintedEntry(2),
+			expOutPretty: fmt.Sprintf("Found 1 entry\n%s",
+				getPrettyPrintedEntry(2),
 			),
+			expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)),
 		},
 		{
 			name:   "List by Federates With: Invalid matcher",
@ -342,25 +378,27 @@ func TestShow(t *testing.T) {
 			expErr: "Error: match behavior \"NO-MATCHER\" unknown\n",
 		},
 	} {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			test := setupTest(t, newShowCommand)
-			test.server.err = tt.serverErr
-			test.server.expListEntriesReq = tt.expListReq
-			test.server.listEntriesResp = tt.fakeListResp
-			test.server.expGetEntryReq = tt.expGetReq
-			test.server.getEntryResp = tt.fakeGetResp
+		for _, format := range availableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := setupTest(t, newShowCommand)
+				test.server.err = tt.serverErr
+				test.server.expListEntriesReq = tt.expListReq
+				test.server.listEntriesResp = tt.fakeListResp
+				test.server.expGetEntryReq = tt.expGetReq
+				test.server.getEntryResp = tt.fakeGetResp
+				args := tt.args
+				args = append(args, "-output", format)

-			rc := test.client.Run(test.args(tt.args...))
-			if tt.expErr != "" {
-				require.Equal(t, 1, rc)
-				require.Equal(t, tt.expErr, test.stderr.String())
-				return
-			}
-
-			require.Equal(t, 0, rc)
-			require.Equal(t, tt.expOut, test.stdout.String())
-		})
+				rc := test.client.Run(test.args(args...))
+				if tt.expErr != "" {
+					require.Equal(t, 1, rc)
+					require.Equal(t, tt.expErr, test.stderr.String())
+					return
+				}
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)
+				require.Equal(t, 0, rc)
+			})
+		}
 	}
 }

@ -377,12 +415,16 @@ func getEntries(count int) []*types.Entry {
 			SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/son"},
 			Selectors: []*types.Selector{selectors[0]},
 			Id:        "00000000-0000-0000-0000-000000000000",
+			Hint:      "internal",
+			CreatedAt: 1547583197,
 		},
 		{
 			ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
 			SpiffeId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
 			Selectors: []*types.Selector{selectors[0], selectors[1]},
 			Id:        "00000000-0000-0000-0000-000000000001",
+			Hint:      "external",
+			CreatedAt: 1547583197,
 		},
 		{
 			ParentId:      &types.SPIFFEID{TrustDomain: "example.org", Path: "/mother"},
@ -390,6 +432,7 @@ func getEntries(count int) []*types.Entry {
 			Selectors:     []*types.Selector{selectors[1], selectors[2]},
 			Id:            "00000000-0000-0000-0000-000000000002",
 			FederatesWith: []string{"spiffe://domain.test"},
+			CreatedAt:     1547583197,
 		},
 		{
 			ParentId:  &types.SPIFFEID{TrustDomain: "example.org", Path: "/mother"},
@ -397,26 +440,29 @@ func getEntries(count int) []*types.Entry {
 			Selectors: []*types.Selector{selectors[2]},
 			ExpiresAt: 1552410266,
 			Id:        "00000000-0000-0000-0000-000000000003",
+			CreatedAt: 1547583197,
 		},
 	}

 	e := []*types.Entry{}
-	for i := 0; i < count; i++ {
+	for i := range count {
 		e = append(e, entries[i])
 	}

 	return e
 }

-func getPrintedEntry(idx int) string {
+func getPrettyPrintedEntry(idx int) string {
 	switch idx {
 	case 0:
 		return `Entry ID         : 00000000-0000-0000-0000-000000000000
 SPIFFE ID        : spiffe://example.org/son
 Parent ID        : spiffe://example.org/father
 Revision         : 0
-TTL              : default
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
 Selector         : foo:bar
+Hint             : internal

 `
 	case 1:
@ -424,9 +470,11 @@ Selector         : foo:bar
 SPIFFE ID        : spiffe://example.org/daughter
 Parent ID        : spiffe://example.org/father
 Revision         : 0
-TTL              : default
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
 Selector         : bar:baz
 Selector         : foo:bar
+Hint             : external

 `
 	case 2:
@ -434,7 +482,8 @@ Selector         : foo:bar
 SPIFFE ID        : spiffe://example.org/daughter
 Parent ID        : spiffe://example.org/mother
 Revision         : 0
-TTL              : default
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
 Selector         : bar:baz
 Selector         : baz:bat
 FederatesWith    : spiffe://domain.test
@ -445,7 +494,8 @@ FederatesWith    : spiffe://domain.test
 SPIFFE ID        : spiffe://example.org/son
 Parent ID        : spiffe://example.org/mother
 Revision         : 0
-TTL              : default
+X509-SVID TTL    : default
+JWT-SVID TTL     : default
 Expiration time  : %s
 Selector         : baz:bat

@ -454,3 +504,136 @@ Selector         : baz:bat
 		return "index should be lower than 4"
 	}
 }
+
+func getJSONPrintedEntry(idx int) string {
+	switch idx {
+	case 0:
+		return `{
+      "id": "00000000-0000-0000-0000-000000000000",
+      "spiffe_id": {
+        "trust_domain": "example.org",
+        "path": "/son"
+      },
+      "parent_id": {
+        "trust_domain": "example.org",
+        "path": "/father"
+      },
+      "selectors": [
+        {
+          "type": "foo",
+          "value": "bar"
+        }
+      ],
+      "x509_svid_ttl": 0,
+      "federates_with": [],
+      "hint": "internal",
+      "admin": false,
+      "created_at": "1547583197",
+      "downstream": false,
+      "expires_at": "0",
+      "dns_names": [],
+      "revision_number": "0",
+      "store_svid": false,
+      "jwt_svid_ttl": 0
+    }`
+	case 1:
+		return `{
+      "id": "00000000-0000-0000-0000-000000000001",
+      "spiffe_id": {
+        "trust_domain": "example.org",
+        "path": "/daughter"
+      },
+      "parent_id": {
+        "trust_domain": "example.org",
+        "path": "/father"
+      },
+      "selectors": [
+        {
+          "type": "bar",
+          "value": "baz"
+        },
+        {
+          "type": "foo",
+          "value": "bar"
+        }
+      ],
+      "x509_svid_ttl": 0,
+      "federates_with": [],
+      "hint": "external",
+      "admin": false,
+      "created_at": "1547583197",
+      "downstream": false,
+      "expires_at": "0",
+      "dns_names": [],
+      "revision_number": "0",
+      "store_svid": false,
+      "jwt_svid_ttl": 0
+    }`
+	case 2:
+		return `{
+      "id": "00000000-0000-0000-0000-000000000002",
+      "spiffe_id": {
+        "trust_domain": "example.org",
+        "path": "/daughter"
+      },
+      "parent_id": {
+        "trust_domain": "example.org",
+        "path": "/mother"
+      },
+      "selectors": [
+        {
+          "type": "bar",
+          "value": "baz"
+        },
+        {
+          "type": "baz",
+          "value": "bat"
+        }
+      ],
+      "x509_svid_ttl": 0,
+      "federates_with": [
+        "spiffe://domain.test"
+      ],
+      "hint": "",
+      "admin": false,
+      "created_at": "1547583197",
+      "downstream": false,
+      "expires_at": "0",
+      "dns_names": [],
+      "revision_number": "0",
+      "store_svid": false,
+      "jwt_svid_ttl": 0
+    }`
+	case 3:
+		return `{
+      "id": "00000000-0000-0000-0000-000000000003",
+      "spiffe_id": {
+        "trust_domain": "example.org",
+        "path": "/son"
+      },
+      "parent_id": {
+        "trust_domain": "example.org",
+        "path": "/mother"
+      },
+      "selectors": [
+        {
+          "type": "baz",
+          "value": "bat"
+        }
+      ],
+      "x509_svid_ttl": 0,
+      "federates_with": [],
+      "hint": "",
+      "admin": false,
+      "created_at": "1547583197",
+      "downstream": false,
+      "expires_at": "1552410266",
+      "dns_names": [],
+      "revision_number": "0",
+      "store_svid": false,
+      "jwt_svid_ttl": 0
+    }`
+	default:
+		return "index should be lower than 4"
+	}
+}
--- a/cmd/spire-server/cli/entry/update.go
+++ b/cmd/spire-server/cli/entry/update.go
@ -1,26 +1,28 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
-	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewUpdateCommand creates a new "update" subcommand for "entry" command.
 func NewUpdateCommand() cli.Command {
-	return newUpdateCommand(common_cli.DefaultEnv)
+	return newUpdateCommand(commoncli.DefaultEnv)
 }

-func newUpdateCommand(env *common_cli.Env) cli.Command {
-	return util.AdaptCommand(env, new(updateCommand))
+func newUpdateCommand(env *commoncli.Env) cli.Command {
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -41,16 +43,19 @@ type updateCommand struct {
 	// Workload spiffeID
 	spiffeID string

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// TTL for certificates issued to this workload
-	ttl int
+	// TTL for x509 SVIDs issued to this workload
+	x509SvidTTL int
+
+	// TTL for JWT SVIDs issued to this workload
+	jwtSvidTTL int

 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

 	// Expiry of entry
@ -61,6 +66,13 @@ type updateCommand struct {

 	// storeSVID determines if the issued SVID must be stored through an SVIDStore plugin
 	storeSVID bool
+
+	// Entry hint, used to disambiguate entries with the same SPIFFE ID
+	hint string
+
+	printer cliprinter.Printer
+
+	env *commoncli.Env
 }

 func (*updateCommand) Name() string {
@ -75,7 +87,8 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to update")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry")
+	f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -84,9 +97,11 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	f.BoolVar(&c.storeSVID, "storeSVID", false, "A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin")
 	f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned")
 	f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once")
+	f.StringVar(&c.hint, "hint", "", "The entry hint, used to disambiguate entries with the same SPIFFE ID")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -102,29 +117,12 @@ func (c *updateCommand) Run(ctx context.Context, env *common_cli.Env, serverClie
 		return err
 	}

-	succeeded, failed, err := updateEntries(ctx, serverClient.NewEntryClient(), entries)
+	resp, err := updateEntries(ctx, serverClient.NewEntryClient(), entries)
 	if err != nil {
 		return err
 	}

-	// Print entries that succeeded to be updated
-	for _, e := range succeeded {
-		printEntry(e.Entry, env.Printf)
-	}
-
-	// Print entries that failed to be updated
-	for _, r := range failed {
-		env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
-			r.Status.Message)
-		printEntry(r.Entry, env.ErrPrintf)
-	}
-
-	if len(failed) > 0 {
-		return errors.New("failed to update one or more entries")
-	}
-
-	return nil
+	return c.printer.PrintProto(resp)
 }

 // validate performs basic validation, even on fields that we
@ -151,8 +149,12 @@ func (c *updateCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
+	if c.x509SvidTTL < 0 {
+		return errors.New("a positive x509-SVID TTL is required")
+	}
+
+	if c.jwtSvidTTL < 0 {
+		return errors.New("a positive JWT-SVID TTL is required")
 	}

 	return nil
@ -169,19 +171,31 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
-		Id:         c.entryID,
-		ParentId:   parentID,
-		SpiffeId:   spiffeID,
-		Ttl:        int32(c.ttl),
-		Downstream: c.downstream,
-		ExpiresAt:  c.entryExpiry,
-		DnsNames:   c.dnsNames,
+		Id:          c.entryID,
+		ParentId:    parentID,
+		SpiffeId:    spiffeID,
+		Downstream:  c.downstream,
+		ExpiresAt:   c.entryExpiry,
+		DnsNames:    c.dnsNames,
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
+		Hint:        c.hint,
 	}

 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -196,25 +210,56 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 	return []*types.Entry{e}, nil
 }

-func updateEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (succeeded, failed []*entryv1.BatchUpdateEntryResponse_Result, err error) {
-	resp, err := c.BatchUpdateEntry(ctx, &entryv1.BatchUpdateEntryRequest{
+func updateEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (resp *entryv1.BatchUpdateEntryResponse, err error) {
+	resp, err = c.BatchUpdateEntry(ctx, &entryv1.BatchUpdateEntryRequest{
 		Entries: entries,
 	})
 	if err != nil {
-		return nil, nil, err
+		return
 	}

 	for i, r := range resp.Results {
+		if r.Status.Code != int32(codes.OK) {
+			// The Entry API does not include in the results the entries that
+			// failed to be updated, so we populate them from the request data.
+			r.Entry = entries[i]
+		}
+	}
+
+	return
+}
+
+func prettyPrintUpdate(env *commoncli.Env, results ...any) error {
+	var succeeded, failed []*entryv1.BatchUpdateEntryResponse_Result
+	updateResp, ok := results[0].(*entryv1.BatchUpdateEntryResponse)
+	if !ok {
+		return cliprinter.ErrInternalCustomPrettyFunc
+	}
+
+	for _, r := range updateResp.Results {
 		switch r.Status.Code {
 		case int32(codes.OK):
 			succeeded = append(succeeded, r)
 		default:
-			// The Entry API does not include in the results the entries that
-			// failed to be updated, so we populate them from the request data.
-			r.Entry = entries[i]
 			failed = append(failed, r)
 		}
 	}
+	// Print entries that succeeded to be updated
+	for _, e := range succeeded {
+		printEntry(e.Entry, env.Printf)
+	}

-	return succeeded, failed, nil
+	// Print entries that failed to be updated
+	for _, r := range failed {
+		env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
+			util.MustCast[codes.Code](r.Status.Code),
+			r.Status.Message)
+		printEntry(r.Entry, env.ErrPrintf)
+	}
+
+	if len(failed) > 0 {
+		return errors.New("failed to update one or more entries")
+	}
+
+	return nil
 }
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .19.1
 .24.4