Deprecate retry_bootstrap (#6050 )

* Deprecate retry_bootstrap Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Wait for server to come up before using it (#6174 )
2025-07-10 10:06:38 -03:00 · 2025-07-09 07:19:04 +01:00 · 2025-07-08 22:41:56 +01:00 · 2025-07-08 21:43:37 +01:00 · 2025-07-07 20:21:53 +01:00 · 2025-07-04 16:14:29 -03:00
1264 changed files with 69276 additions and 24022 deletions
--- a/.envrc.example
+++ b/.envrc.example
@ -0,0 +1,8 @@
+toplevel="$(git rev-parse --show-toplevel)"
+
+# build and use the managed go sdk
+unset GOROOT
+make -C "$toplevel" go-check
+PATH="$(make --no-print-directory -C "$toplevel" go-bin-path)"
+
+# add custom direnv initialization below here
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@ -1,26 +0,0 @@
-#!/bin/sh
-# Copyright 2012 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# git gofmt pre-commit hook
-#
-# To use, store as .git/hooks/pre-commit inside your repository and make sure
-# it has execute permissions.
-#
-# This script does not handle file names that contain spaces.
-
-gofiles=$(git diff --cached --name-only --diff-filter=ACM | grep '\.go$')
-[ -z "$gofiles" ] && exit 0
-
-unformatted=$(gofmt -l $gofiles)
-[ -z "$unformatted" ] && exit 0
-
-# Some files are not gofmt'd. Print message and fail.
-
-echo >&2 "Go files must be formatted with gofmt. Please run:"
-for fn in $unformatted; do
-	echo >&2 "  gofmt -w $PWD/$fn"
-done
-
-exit 1
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -6,6 +6,25 @@ updates:
    interval: "daily"
    time: "09:00"
    timezone: "America/Los_Angeles"
+  groups:
+    actions:
+      patterns:
+        - "github.com/actions/*"
+    aws-sdk:
+      patterns:
+        - "github.com/aws/aws-sdk-go-v2/*"
+    azure-sdk:
+      patterns:
+        - "github.com/Azure/azure-sdk-for-go/*"
+    google-cloud-sdk:
+      patterns:
+        - "cloud.google.com/go/*"
+    k8s.io:
+      patterns:
+        - "k8s.io/*"
+    sigs.k8s.io:
+      patterns:
+        - "sig.k8s.io/*"
  ignore:
  - dependency-name: "github.com/spiffe/spire-api-sdk"
  - dependency-name: "github.com/spiffe/spire-plugin-sdk"
--- a/.github/workflows/dco.yaml
+++ b/.github/workflows/dco.yaml
@ -0,0 +1,23 @@
+name: DCO
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  merge_group:
+    types:
+      - checks_requested
+jobs:
+  check-dco:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Python 3.x
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: '3.x'
+      - name: Check DCO
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip3 install -U dco-check
+          dco-check --exclude-pattern 'dependabot\[bot\]@users\.noreply\.github\.com'
--- a/.github/workflows/depsreview.yaml
+++ b/.github/workflows/depsreview.yaml
@ -10,6 +10,6 @@ jobs:

    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -10,29 +10,26 @@ env:

 jobs:
  build-and-publish-images:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04

    permissions:
      contents: read
      id-token: write
      packages: write

-    env:
-      COSIGN_EXPERIMENTAL: 1
-
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
-          cosign-release: v1.13.1
+          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Build images
        run: make images
      - name: Log in to GHCR
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -2,15 +2,16 @@ name: PR Build
 on:
  pull_request: {}
  workflow_dispatch: {}
-env:
-  GO_VERSION: 1.20.5
+  merge_group:
+    types:
+      - checks_requested
 permissions:
  contents: read

 jobs:
  cache-deps:
    name: cache-deps (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    timeout-minutes: 30

    permissions:
@ -18,13 +19,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -33,7 +34,7 @@ jobs:

  lint:
    name: lint (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
    timeout-minutes: 30

@ -42,18 +43,18 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -69,7 +70,7 @@ jobs:
  unit-test:
    strategy:
      matrix:
-        OS: [ubuntu-20.04, macos-latest]
+        OS: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.OS }}
    needs: cache-deps
    timeout-minutes: 30
@ -79,13 +80,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -94,7 +95,7 @@ jobs:

  unit-test-race-detector:
    name: unit-test (linux with race detection)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: cache-deps
    timeout-minutes: 30

@ -103,13 +104,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -118,8 +119,8 @@ jobs:

  artifacts:
    name: artifacts (linux)
-    runs-on: ubuntu-20.04
-    needs: [cache-deps]
+    runs-on: ubuntu-22.04
+    needs: [cache-deps, images]
    timeout-minutes: 30

    permissions:
@ -127,32 +128,32 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+          name: images
+          path: .
+      - name: Expand archived images
+        run: |
+          tar xvf images.tar.gz
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/

  images:
    name: images (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: [cache-deps]
    timeout-minutes: 30

@ -161,31 +162,31 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build images
        run: make images-no-load
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -193,7 +194,7 @@ jobs:
  images-windows:
    name: images (windows)
    runs-on: windows-2022
-    needs: artifact-windows
+    needs: artifacts-windows
    timeout-minutes: 45

    permissions:
@ -201,12 +202,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Download artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Load cached executables
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -214,14 +215,33 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz

+  build-matrix:
+    name: Build matrix
+    runs-on: ubuntu-22.04
+    needs: [cache-deps]
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - id: set-matrix
+        name: Collect versions
+        run: |
+          json_array=$(bash ./.github/workflows/scripts/find_k8s.sh)
+          echo "test=$json_array" >> $GITHUB_OUTPUT
+          echo "Collected tests: $json_array"
+
+    outputs:
+      test: ${{ steps.set-matrix.outputs.test }}
+  
  integration:
-    name: integration (linux)
-    runs-on: ubuntu-20.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
    timeout-minutes: 45

@ -231,11 +251,17 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -243,23 +269,23 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Download archived images
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
@ -273,14 +299,90 @@ jobs:
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

+  integration-k8s:
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images, build-matrix]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # The "upgrade" integration test needs the history to ensure
+          # that the version number in the source code has been bumped as
+          # expected. This action does not fetch tags unless we supply a
+          # fetch depth of zero.
+          fetch-depth: 0
+      - name: Setup go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Load cached deps
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+      - name: Load cached build tools
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: .build
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: images
+          path: .
+      - name: Load archived images
+        run: |
+          tar xvf images.tar.gz
+          make load-images
+      - name: Run k8s integration
+        env:
+          NUM_RUNNERS: ${{ matrix.num_runners }}
+          THIS_RUNNER: ${{ matrix.runner_id }}
+          KUBECTLVERSION: ${{ matrix.test[0] }}
+          K8SIMAGE: ${{ matrix.test[1] }}
+          KINDVERSION: ${{ matrix.test[2] }}
+          TERM: dumb
+          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+        run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh
+
+
  integration-windows:
    name: integration (windows)
    runs-on: windows-2022
    needs: images-windows
    timeout-minutes: 45

+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
    permissions:
      contents: read

@ -289,23 +391,24 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -313,7 +416,7 @@ jobs:
          install: >-
            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Download archived images
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images-windows
          path: .
@ -328,18 +431,24 @@ jobs:
    runs-on: windows-2022
    timeout-minutes: 45

+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
    permissions:
      contents: read

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Setup dep cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -352,6 +461,11 @@ jobs:
    needs: cache-deps-windows
    timeout-minutes: 45

+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
    permissions:
      contents: read

@ -360,23 +474,24 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -395,6 +510,11 @@ jobs:
    needs: cache-deps-windows
    timeout-minutes: 45

+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
    permissions:
      contents: read

@ -403,18 +523,19 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -423,12 +544,17 @@ jobs:
      - name: Run unit tests
        run: ./.github/workflows/scripts/run_unit_tests.sh

-  artifact-windows:
-    name: artifact (windows)
+  artifacts-windows:
+    name: artifacts (windows)
    runs-on: windows-2022
    needs: cache-deps-windows
    timeout-minutes: 45

+    env:
+      GOPATH: 'D:\golang\go'
+      GOCACHE: 'D:\golang\cache'
+      GOMODCACHE: 'D:\golang\modcache'
+
    permissions:
      contents: read

@ -437,44 +563,47 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
+          cache: true
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
            git base-devel mingw-w64-x86_64-toolchain zip unzip
+      - name: Build binaries
+        run: make build
+      - name: Setup executables cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
-      - name: Archive binaries
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
-        with:
-          name: bin-windows
-          path: ./bin/
      - name: Archive artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-windows
          path: ./artifacts/

  success:
-    runs-on: ubuntu-20.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows]
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    timeout-minutes: 30
    permissions:
      contents: read
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -3,25 +3,23 @@ on:
  push:
    tags:
      - 'v[0-9].[0-9]+.[0-9]+'
-env:
-  GO_VERSION: 1.20.5
 jobs:
  cache-deps:
    name: cache-deps (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04

    permissions:
      contents: read

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -30,7 +28,7 @@ jobs:

  lint:
    name: lint (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: cache-deps

    permissions:
@ -38,18 +36,18 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -65,7 +63,7 @@ jobs:
  unit-test:
    strategy:
      matrix:
-        OS: [ubuntu-20.04, macos-latest]
+        OS: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.OS }}
    needs: cache-deps

@ -74,13 +72,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -89,7 +87,7 @@ jobs:

  unit-test-race-detector:
    name: unit-test (linux with race detection)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: cache-deps

    permissions:
@ -97,13 +95,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -112,40 +110,41 @@ jobs:

  artifacts:
    name: artifacts (linux)
-    runs-on: ubuntu-20.04
-    needs: [cache-deps]
+    runs-on: ubuntu-22.04
+    needs: [cache-deps, images]
+    timeout-minutes: 30

    permissions:
      contents: read

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-        with:
-          path: .build
-          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+          name: images
+          path: .
+      - name: Expand archived images
+        run: |
+          tar xvf images.tar.gz
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/

  images:
    name: images (linux)
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: [cache-deps]

    permissions:
@ -153,27 +152,27 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Build images
-        run: make images-no-load
+        run: TAG=${GITHUB_REF##refs/tags/v} make images-no-load
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -181,19 +180,19 @@ jobs:
  images-windows:
    name: images (windows)
    runs-on: windows-2022
-    needs: artifact-windows
+    needs: artifacts-windows

    permissions:
      contents: read

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Download artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Load cached executables
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -201,15 +200,35 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz

+  build-matrix:
+    name: Build matrix
+    runs-on: ubuntu-22.04
+    needs: [cache-deps]
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - id: set-matrix
+        name: Collect versions
+        run: |
+          json_array=$(bash ./.github/workflows/scripts/find_k8s.sh)
+          echo "test=$json_array" >> $GITHUB_OUTPUT
+          echo "Collected tests: $json_array"
+
+    outputs:
+      test: ${{ steps.set-matrix.outputs.test }}
+
  integration:
-    name: integration (linux)
-    runs-on: ubuntu-20.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
+    timeout-minutes: 45

    permissions:
      contents: read
@ -217,11 +236,17 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -238,23 +263,23 @@ jobs:
      - name: Fix tag annotations
        run: git fetch --tags --force
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Download archived images
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
@ -267,11 +292,81 @@ jobs:
          NUM_RUNNERS: ${{ matrix.num_runners }}
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
          # We don't need to specify CICD_TARGET_BRANCH since the upgrade
          # integration test will detect the annotated tag for version checking.
          # CICD_TARGET_BRANCH:
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

+  integration-k8s:
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
+    needs: [cache-deps, images, build-matrix]
+    timeout-minutes: 45
+
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # The "upgrade" integration test needs the history to ensure
+          # that the version number in the source code has been bumped as
+          # expected. This action does not fetch tags unless we supply a
+          # fetch depth of zero.
+          fetch-depth: 0
+      - name: Setup go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
+      - name: Load cached deps
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+      - name: Load cached build tools
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: .build
+          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+      - name: Download archived images
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: images
+          path: .
+      - name: Load archived images
+        run: |
+          tar xvf images.tar.gz
+          make load-images
+      - name: Run k8s integration
+        env:
+          NUM_RUNNERS: ${{ matrix.num_runners }}
+          THIS_RUNNER: ${{ matrix.runner_id }}
+          KUBECTLVERSION: ${{ matrix.test[0] }}
+          K8SIMAGE: ${{ matrix.test[1] }}
+          KINDVERSION: ${{ matrix.test[2] }}
+          TERM: dumb
+          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+        run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh
+
  integration-windows:
    name: integration (windows)
    runs-on: windows-2022
@ -285,23 +380,23 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -309,7 +404,7 @@ jobs:
          install: >-
            git base-devel mingw-w64-x86_64-toolchain unzip
      - name: Download archived images
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images-windows
          path: .
@ -328,13 +423,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -354,23 +449,23 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -396,18 +491,18 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -416,8 +511,8 @@ jobs:
      - name: Run unit tests
        run: ./.github/workflows/scripts/run_unit_tests.sh

-  artifact-windows:
-    name: artifact (windows)
+  artifacts-windows:
+    name: artifacts (windows)
    runs-on: windows-2022
    needs: cache-deps-windows

@ -429,59 +524,67 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
          install: >-
            git base-devel mingw-w64-x86_64-toolchain zip unzip
+      - name: Build binaries
+        run: make build
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
-      - name: Archive binaries
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+      - name: Setup executables cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
-          name: bin-windows
          path: ./bin/
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
-          name: binaries
+          name: binaries-windows
          path: ./artifacts/

  publish-artifacts:
-    runs-on: ubuntu-20.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows]
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: write

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Download archived artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Download archived Linux artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          name: binaries
+          name: binaries-linux
          path: ./artifacts/
+      - name: Download archived Windows artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: binaries-windows
+          path: ./artifacts/
+
      - name: Create Release
        env:
          # GH_REPO is required for older releases of `gh`. Until we're
-          # reasonably confident that that the gh release is new enough,
+          # reasonably confident that the gh release is new enough,
          # set GH_REPO to the repository to create the release in.
          #
          # See https://github.com/cli/cli/issues/3556
@ -491,32 +594,29 @@ jobs:
        run: gh release create "${GITHUB_REF#refs/tags/}" ./artifacts/*.zip ./artifacts/*.tar.gz ./artifacts/*.txt --title "${GITHUB_REF#refs/tags/}"

  publish-images:
-    runs-on: ubuntu-20.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows]
+    runs-on: ubuntu-22.04
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: read
      id-token: write
      packages: write

-    env:
-      COSIGN_EXPERIMENTAL: 1
-
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
-          cosign-release: v1.13.1
+          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: images
          path: .
      - name: Log in to GHCR
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/scripts/build_artifacts.sh
+++ b/.github/workflows/scripts/build_artifacts.sh
@ -5,32 +5,32 @@
 set -e

 usage() {
-    echo "usage: ${BASH_SOURCE[0]} <Linux|Windows|macOS>"
+    echo "usage: ${BASH_SOURCE[0]} <Linux|Windows>"
    exit 1
 }

+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+export TAG=
+if [[ "$GITHUB_REF" =~ ^refs/tags/v[0-9.]+$ ]]; then
+    # Strip off the leading "v" from the release tag. Release artifacts are
+    # named just with the version number (e.g. v0.9.3 tag produces
+    # spire-0.9.3-linux-x64.tar.gz).
+    TAG="${GITHUB_REF##refs/tags/v}"
+fi
+
 [[ $# -eq 1 ]] || usage

 os="$1"
-declare -a supported_archs
-if [[ "${os}" == "Linux" ]] || [[ "${os}" == "macOS" ]]; then
-    supported_archs=(amd64 arm64)
-elif [[ "${os}" == "Windows" ]]; then
-    supported_archs=(amd64)
-else
-    echo "unrecognized OS: ${os}"
-    usage
-fi
-
-export TAG=
-if [[ "$GITHUB_REF" =~ ^refs/tags/v[0-9.]+$ ]]; then
-        # Strip off the leading "v" from the release tag. Release artifacts are
-        # named just with the version number (e.g. v0.9.3 tag produces
-        # spire-0.9.3-linux-x64.tar.gz).
-        TAG="${GITHUB_REF##refs/tags/v}"
-fi
-
-# Make references the $TAG environment variable set above
-for arch in "${supported_archs[@]}"; do
-    GOARCH=$arch make artifact
-done
+case "${os}" in
+    Linux)
+        "${SCRIPTDIR}"/build_linux_artifacts.sh
+        ;;
+    Windows)
+        "${SCRIPTDIR}"/build_windows_artifacts.sh
+        ;;
+    *)
+        echo "Only artifacts for Linux and Windows are supported" 1>&2
+        usage
+        ;;
+esac
--- a/.github/workflows/scripts/build_linux_artifacts.sh
+++ b/.github/workflows/scripts/build_linux_artifacts.sh
@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+TAROPTS=("--owner=root" "--group=root")
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+    rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+copy_binary_from_multiarch_tar() {
+    local arch=$1
+    local binary=$2
+    local destdir=$3
+
+    local srcpath="/opt/spire/bin/${binary}"
+    local destpath="${destdir}/${binary}"
+    local ocidir="ocidir://${TMPDIR}/${arch}/oci/${binary}"
+    local imagetar="${REPODIR}/${binary}-image.tar"
+    local platform="linux/${arch}"
+
+    echo "Importing multiarch image ${imagetar}..."
+    regctl image import "${ocidir}" "${imagetar}"
+
+    echo "Copying ${srcpath} for platform ${platform}..."
+    regctl image get-file "${ocidir}" "${srcpath}" "${destpath}" -p "${platform}"
+
+    # file does not retain permission bits, so fix up the executable bit.
+    chmod +x "${destpath}"
+}
+
+build_artifact() {
+    local arch="$1"
+
+    local artifact="${OUTDIR}/spire-${TAG}-linux-${arch}-musl.tar.gz"
+    local checksum="${OUTDIR}/spire-${TAG}-linux-${arch}-musl_sha256sum.txt"
+
+    local extras_artifact="${OUTDIR}/spire-extras-${TAG}-linux-${arch}-musl.tar.gz"
+    local extras_checksum="${OUTDIR}/spire-extras-${TAG}-linux-${arch}-musl_sha256sum.txt"
+
+    local tardir="${TMPDIR}/${arch}/tar" 
+    local staging="${tardir}"/spire/spire-${TAG}
+    local extras_staging="${tardir}"/spire-extras/spire-extras-${TAG}
+
+    mkdir -p "${staging}"/bin 
+    mkdir -p "${extras_staging}"/bin
+    mkdir -p "${OUTDIR}"
+
+    echo "Creating \"${artifact}\" and \"${extras_artifact}\""
+
+    # Copy in the contents under release/
+    cp -r "${REPODIR}"/release/posix/spire/* "${staging}"
+    cp -r "${REPODIR}"/release/posix/spire-extras/* "${extras_staging}"
+
+    # Copy in the LICENSE
+    cp "${REPODIR}"/LICENSE "${staging}"
+    cp "${REPODIR}"/LICENSE "${extras_staging}"
+
+    # Copy in the SPIRE binaries from the docker images:
+    # 1. import the image from the multiarch tarball into the OCI directory
+    copy_binary_from_multiarch_tar "$arch" "spire-server" "${staging}/bin"
+    copy_binary_from_multiarch_tar "$arch" "spire-agent" "${staging}/bin"
+    copy_binary_from_multiarch_tar "$arch" "oidc-discovery-provider" "${extras_staging}/bin"
+
+    # Create the tarballs and checksums
+    (cd "${tardir}/spire"; tar -cvzf "${artifact}" "${TAROPTS[@]}" -- *)
+    (cd "${tardir}/spire-extras"; tar -cvzf "${extras_artifact}" "${TAROPTS[@]}" -- *)
+
+    (cd "$(dirname "${artifact}")"; shasum -a 256 "$(basename "${artifact}")" > "${checksum}" )
+    (cd "$(dirname "${extras_artifact}")"; shasum -a 256 "$(basename "${extras_artifact}")" > "${extras_checksum}" )
+}
+
+command -v regctl >/dev/null 2>&1 || { echo -e "The regctl cli is required to run this script." >&2 ; exit 1; }
+
+build_artifact amd64
+build_artifact arm64
--- a/.github/workflows/scripts/build_windows_artifacts.sh
+++ b/.github/workflows/scripts/build_windows_artifacts.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+BINDIR="${REPODIR}/bin"
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+ARCH=amd64
+
+ARTIFACT="${OUTDIR}/spire-${TAG}-windows-${ARCH}.zip"
+CHECKSUM="${OUTDIR}/spire-${TAG}-windows-${ARCH}_sha256sum.txt"
+
+EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}.zip"
+EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}_sha256sum.txt"
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+    rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+STAGING="${TMPDIR}"/spire/spire-${TAG}
+EXTRAS_STAGING="${TMPDIR}"/spire-extras/spire-extras-${TAG}
+mkdir -p "${STAGING}" "${EXTRAS_STAGING}"
+
+echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\""
+
+# Copy in the contents under release/
+cp -r "${REPODIR}"/release/windows/spire/* "${STAGING}"
+cp -r "${REPODIR}"/release/windows/spire-extras/* "${EXTRAS_STAGING}"
+
+# Copy in the LICENSE
+cp "${REPODIR}"/LICENSE "${STAGING}"
+cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}"
+
+# Copy in the SPIRE binaries
+mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin
+cp "${BINDIR}"/spire-server.exe "${STAGING}"/bin
+cp "${BINDIR}"/spire-agent.exe "${STAGING}"/bin
+cp "${BINDIR}"/oidc-discovery-provider.exe "${EXTRAS_STAGING}"/bin
+
+mkdir -p "${OUTDIR}"
+
+(cd "${TMPDIR}/spire"; zip -rv "${ARTIFACT}" -- *)
+(cd "${TMPDIR}/spire-extras"; zip -rv "${EXTRAS_ARTIFACT}" -- *)
+
+(cd "$(dirname "${ARTIFACT}")"; CertUtil -hashfile "$(basename "${ARTIFACT}")" SHA256 > "${CHECKSUM}")
+(cd "$(dirname "${EXTRAS_ARTIFACT}")"; CertUtil -hashfile "$(basename "${EXTRAS_ARTIFACT}")" SHA256 > "${EXTRAS_CHECKSUM}")
--- a/.github/workflows/scripts/find_k8s.sh
+++ b/.github/workflows/scripts/find_k8s.sh
@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+          kind_release_info=$(curl -s https://api.github.com/repos/kubernetes-sigs/kind/releases/latest)
+          kind_version=$(echo "$kind_release_info" | jq -r '.tag_name')
+          
+          all_tags=()
+          # Currently we're taking the first 5 pages of the URL
+            for ((page=1; page<=5; page++)); do
+                # Fetch tags for the current page using curl and jq
+                tags=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags?page=$page" | jq -r '.results[].name')
+
+                # Check if the tags variable is empty
+                if [[ -z "$tags" ]]; then
+                    break
+                fi
+
+                # Append the current page tags to the all_tags array
+                all_tags+=( "$tags" )
+            done
+          
+          readarray -t tags_sorted < <(printf '%s\n' "${all_tags[@]}" | sort -V)
+
+          lowest_target_version=$(cat ./test/integration/suites/k8s/integration_k8s_min_version.txt)
+          
+          declare -A tags_map
+          for element in "${tags_sorted[@]}"; do
+            # Skip 1.32.1 until either a new version of kind is released the problem
+            # with the kindest/node:1.32.1 image is fixed. See upstream kind issue:
+            # https://github.com/kubernetes-sigs/kind/issues/3853
+            if [[ "$element" == "v1.32.1" ]]; then
+              continue
+            fi
+
+            # Element is in this form: "X.XX.YY"
+            # If not, continue
+            num_dots=$(echo "$element" | grep -o '\.' | wc -l)
+
+            # Continue to the next iteration if the number of dots is not equal to 2
+            if [[ "$num_dots" -ne 2 ]]; then
+                continue
+            fi
+
+            # Extract the "X.XX" part as the key for the map
+            key="${element%.*}"
+            key="${key//\"}"
+            # Check if the key is greater than or equal to "1.21"
+            if [[ $(printf "%s\n$lowest_target_version" "$key" | sort -V | head -n1) == "$lowest_target_version" ]]; then
+                # Extract the "YY" part as the value for the map
+                value="${element##*.}"
+                tags_map["$key"]=$value
+            fi
+           done
+
+          # Read the content of the array.txt file
+          # Currently we just have one row as example, add more if we need to test a specific version
+          # Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+          IFS= readarray -t matrix_lines < ./test/integration/suites/k8s/integration_k8s_versions.txt
+
+          # Convert each line of the file into a JSON array element
+          json_array="["
+          for line in "${matrix_lines[@]}"; do
+            json_array+="$line,"
+          done
+
+          # Add every version from tags_map
+          for key in "${!tags_map[@]}"; do
+              value="${tags_map[$key]}"
+              k8s_image="kindest/node:$key.$value"
+              new_version_row="[\"$key.$value\",\"$k8s_image\",\"$kind_version\"]"
+              json_array+="$new_version_row,"
+          done
+
+          json_array="${json_array%,}]"
+
+echo "${json_array}"
--- a/.github/workflows/scripts/push-images.sh
+++ b/.github/workflows/scripts/push-images.sh
@ -68,5 +68,5 @@ for img in "${OCI_IMAGES[@]}"; do

  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${img}/index.json")"

-  cosign sign "${registry}/${img}@${image_digest}"
+  cosign sign -y "${registry}/${img}@${image_digest}"
 done
--- a/.github/workflows/scripts/split.sh
+++ b/.github/workflows/scripts/split.sh
@ -18,7 +18,7 @@ for FILE in test/integration/suites/*; do
        job_set[$current_runner]+="${FILE##test/integration/} "

        ((current_runner++))
-        if [ $current_runner -gt "$NUM_RUNNERS" ]; then
+        if [ "$current_runner" -gt "$NUM_RUNNERS" ]; then
                current_runner=1
        fi
 done
--- a/.github/workflows/scripts/split_k8s.sh
+++ b/.github/workflows/scripts/split_k8s.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+if [ -z "$NUM_RUNNERS" ]; then
+        echo "split.sh: NUM_RUNNERS environment variable must be set"
+        exit 1
+fi
+
+if [ -z "$THIS_RUNNER" ]; then
+        echo "split.sh: THIS_RUNNER environment variable must be set"
+        exit 1
+fi
+
+declare -a job_set
+current_runner=1
+for FILE in test/integration/suites/k8s*; do
+        job_set[$current_runner]+="${FILE##test/integration/} "
+
+        ((current_runner++))
+        if [ "$current_runner" -gt "$NUM_RUNNERS" ]; then
+                current_runner=1
+        fi
+done
+
+echo "${job_set[$THIS_RUNNER]}"
--- a/.github/workflows/stalebot.yaml
+++ b/.github/workflows/stalebot.yaml
@ -11,12 +11,29 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-    - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
      with:
        days-before-issue-stale: 365 # 1 year
        days-before-issue-close: 30
        stale-issue-label: "stale"
+        exempt-issue-labels: "blocked" # Ignore blocked issues
        stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
        close-issue-message: "This issue was closed because it has been inactive for 30 days since being marked as stale."
        days-before-pr-stale: -1 # Don't handle PRs
        days-before-pr-close: -1 # Don't handle PRs
+
+  process-stale-blocked-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+      with:
+        only-labels: "blocked"
+        days-before-issue-stale: 30
+        days-before-issue-close: -1 # Don't close blocked issues
+        stale-issue-label: "stale"
+        stale-issue-message: "This issue has been in the blocked state for 30 days, marking as stale so the blocking issue is re-checked."
+        days-before-pr-stale: -1 # Don't handle PRs
+        days-before-pr-close: -1 # Don't handle PRs
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,7 @@
 .build
 .cache
 .data
+.envrc
 .glide
 .tmp
 .DS_Store
@ -36,3 +37,7 @@ tools/spire-plugingen/spire-plugingen
 # oci artifacts
 *-image.tar
 oci/
+
+# Go workspace files
+go.work
+go.work.sum
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.20.5
+1.24.4
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,31 +1,87 @@
+version: "2"
 run:
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 12m
-
-  skip-dirs:
-    - testdata$
-    - test/mock
-
-  skip-files:
-    - ".*\\.pb\\.go"
-
 linters:
  enable:
    - bodyclose
+    - copyloopvar
    - durationcheck
    - errorlint
-    - goimports
-    - revive
+    - exptostd
+    - gocritic
    - gosec
+    - intrange
+    - mirror
    - misspell
    - nakedret
+    - nilnesserr
+    - nolintlint
+    - predeclared
+    - reassign
+    - revive
    - unconvert
    - unparam
+    - wastedassign
    - whitespace
-    - gocritic
-    - nolintlint
-
-linters-settings:
-  revive:
-    # minimal confidence for issues, default is 0.8
-    confidence: 0.0
+  settings:
+    govet:
+      enable:
+        - sortslice
+        - unusedwrite
+    revive:
+      confidence: 0
+      rules:
+        - name: atomic
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: datarace
+        - name: error-naming
+        - name: error-return
+        - name: errorf
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: optimize-operands-order
+        - name: range
+        - name: receiver-naming
+        - name: redundant-import-alias
+        - name: redundant-test-main-exit
+        - name: string-of-int
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unnecessary-stmt
+        - name: unreachable-code
+        - name: use-any
+        - name: use-errors-new
+        - name: useless-break
+        - name: var-declaration
+        - name: waitgroup-by-value
+    staticcheck:
+      checks:
+        - all
+        - -ST1003
+        - -QF1001
+        - -QF1008
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - gosec
+        path: (.*_test\.go$)|(^test/.*)
+        text: integer overflow conversion
+      - linters:
+          - revive
+        text: Import alias "v1" is redundant
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
--- a/.spire-tool-versions
+++ b/.spire-tool-versions
@ -0,0 +1,3 @@
+golangci-lint v2.1.6
+markdown_lint v0.37.0
+protoc 29.4
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@ -20,6 +20,7 @@ Known end users with notable contributions to the advancement of the project inc

 SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:

+* AccuKnox
 * Amazon
 * Arm
 * Cisco
@ -42,34 +43,35 @@ SPIFFE and SPIRE have integrations available with a number of open-source projec

 * [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s)  
 * [Athenz](https://github.com/yahoo/athenz)
-* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe)  
-* [Consul](https://github.com/hashicorp/consul)  
-* [Dapr](https://github.com/dapr)  
-* [Docker](https://github.com/containerd/containerd)  
-* [Emissary](https://github.com/github/emissary)  
-* [Envoy](https://github.com/envoyproxy/envoy)  
-* [Ghostunnel](https://github.com/square/ghostunnel)  
+* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe)
+* [Consul](https://github.com/hashicorp/consul)
+* [Dapr](https://github.com/dapr)
+* [Docker](https://github.com/containerd/containerd)
+* [Emissary](https://github.com/github/emissary)
+* [Envoy](https://github.com/envoyproxy/envoy)
+* [Ghostunnel](https://github.com/square/ghostunnel)
 * [gRPC](https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/examples/spiffe-grpc)
-* [Hamlet](https://github.com/vmware/hamlet)  
-* [Istio](https://github.com/istio/istio)  
-* [Knox](https://github.com/pinterest/knox)  
-* [Kubernetes](https://github.com/kubernetes/kubernetes)  
-* [NGINX](http://hg.nginx.org/nginx/)  
-* [Parsec](https://github.com/parallaxsecond/parsec)  
-* [Sigstore](https://github.com/sigstore/fulcio)  
-* [Tekton](https://github.com/tektoncd/chains)  
-* [Tornjak](https://github.com/spiffe/tornjak)  
+* [Hamlet](https://github.com/vmware/hamlet)
+* [Istio](https://github.com/istio/istio)
+* [Knox](https://github.com/pinterest/knox)
+* [Kubernetes](https://github.com/kubernetes/kubernetes)
+* [Linkerd](https://github.com/linkerd/linkerd2)
+* [NGINX](http://hg.nginx.org/nginx/)
+* [Parsec](https://github.com/parallaxsecond/parsec)
+* [Sigstore](https://github.com/sigstore/fulcio)
+* [Tekton](https://github.com/tektoncd/chains)
+* [Tornjak](https://github.com/spiffe/tornjak)
 * [Traefik](https://github.com/traefik/traefik)

 ## Case Studies/User Stories

-* Amazon Web Services blogs about using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS
+* Amazon Web Services blogs about using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS:
 <https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh-on-eks/>

 * Anthem writes about developing a zero trust framework at Anthem Using SPIFFE and SPIRE:
 <https://upshotstories.com/stories/developing-a-zero-trust-framework-at-anthem-using-spiffe-and-spire>

-* ARM and VMware showcase hardware backed security for multi-tenancy at the Edge with SPIFFE & PARSEC
+* ARM and VMware showcase hardware backed security for multi-tenancy at the Edge with SPIFFE & PARSEC:
 <https://www.youtube.com/watch?v=-I_rCKMyY7Y>

 * Bloomberg talks about TPM node attestation with SPIRE:
@ -78,19 +80,22 @@ SPIFFE and SPIRE have integrations available with a number of open-source projec
 * Coinbase details Container Technologies part of their stack:
 <https://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c>

-* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs
+* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs:
 <https://www.distributech.com/distributech-international-2022-conference-sessions/achieving-the-promise-of-grid-security-with-openfmb-and-cybersecurity-zero-trust-best-practices>

-* NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE
+* Google announces standardization on SPIFFE across Google Cloud as the unified workload identity platform offered as a managed service:
+<https://www.youtube.com/watch?v=aaPvEUCXvvw>
+
+* NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE:
 <https://youtu.be/plRkDK5xFpM>

-* Styra demonstrates fortifying microservices with SPIRE and OPA
+* Styra demonstrates fortifying microservices with SPIRE and OPA:
 <https://www.youtube.com/watch?v=iQ5ctLQswUc>

 * Square talks about how Square uses SPIFFE and SPIRE to secure communications across hybrid infrastructure services:
 <https://youtu.be/H5IlmYmEDKk?t=2585>

-* Square describes how they provide mTLS identities to Lambdas using SPIFFE and SPIRE
+* Square describes how they provide mTLS identities to Lambdas using SPIFFE and SPIRE:
 <https://developer.squareup.com/blog/providing-mtls-identities-to-lambdas/>

 * Tigera demonstrates how Calico, Envoy and SPIRE are used to deliver unified Layer 4 and Layer 7 authorization policies:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,519 @@
 # Changelog

+## [1.12.4] - 2025-07-01
+
+### Added
+
+- `k8s_configmap` BundlePublisher plugin (#6105, #6139)
+- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
+- Integration tests running on ARM64 platform (#6059)
+- The OIDC Discovery Provider can now read the trust bundle from a file (#6025)
+
+### Changed
+
+- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (#6128)
+- Improvements in lookup performance for entries (#6100, #6034)
+- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (#6065)
+
+### Fixed
+
+- The `subject_types_supported` value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
+- SPIRE Server gRPC servers are now gracefully stopped (#6076)
+
+## [1.12.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.12.2] - 2025-05-19
+
+### Fixed
+
+- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)
+
+## [1.12.1] - 2025-05-06
+
+### Added
+
+- Support for Unix sockets in trust bundle URLs (#5932)
+- Documentation improvements and additions (#5989, #6012)
+
+### Changed
+
+- `sql_transaction_timeout` replaced by `event_timeout` and value reduced to 15 minutes (#5966)
+- Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
+- Improved error messages when retrieving CGroups (#6030).
+
+### Fixed
+
+- Corrected invalid `user-agent` value in OIDC Discovery Provider debug logs (#5981).
+
+## [1.12.0] - 2025-03-21
+
+### Added
+
+- Support for any S3 compatible object storage such as MinIO in the `aws_s3` BundlePublisher plugin (#5757)
+- Support for Rego V1 in the authorization policy engine (#5769)
+- Support for SAN-based selectors in the `x509pop` NodeAttestor plugin (#5775)
+
+### Changed
+
+- Agents now use the SyncAuthorizedEntries API for periodically synchronization of authorized entries by default (#5906)
+- Timestamps in logs are now formatted to include nanoseconds (#5798)
+- Improved entry lookup performance in NewJWTSVID and BatchNewX509SVID server RPCs (#5819)
+- Increased the maximum number of idle database connections to 100 (#5853)
+- The maximum idle time per database connection is now set to 30 seconds (#5853)
+- Small documentation improvements (#5873, #5876)
+- The experimental events-based cache now supports reading events from read-only replicas when data staleness is tolerated, enhancing read performance (#5911)
+- The `use_legacy_downstream_x509_ca_ttl` server setting is now set to false by default (#5917)
+
+### Deprecated
+
+- `use_sync_authorized_entries` experimental agent setting (#5906)
+- `use_legacy_downstream_x509_ca_ttl` server setting (#5917)
+
+### Removed
+
+- The deprecated `k8s_sat` NodeAttestor plugin (#5703)
+
+### Fixed
+
+- Issue where agents did not receive entry updates when new entries with the same entry ID were created while `use_sync_authorized_entries` was enabled (#5764)
+
+## [1.11.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.11.2] - 2025-02-13
+
+### Added
+
+- `gcp_secretmanager` SVIDStore plugin now supports specifying the regions where secrets are created (#5718)
+- Support for expanding environment variables in the OIDC Discovery Provider configuration (#5689)
+- Support for optionally enabling `trust_domain` label for all metrics (#5673)
+- The JWKS URI returned in the discovery document can now be configured in the OIDC Discovery Provider (#5690)
+- A server path prefix can now be specified in the OIDC Discovery Provider (#5690)
+
+### Changed
+
+- Small documentation improvements (#5809, #5720)
+
+### Fixed
+
+- Regression in the hydration of the experimental event-based cache that caused a delay in availability (#5842)
+- Do not log an error when the Envoy SDS v3 API connection has been closed cleanly (#5835)
+- SVIDStore plugins to properly parse metadata in entry selectors containing ':' characters (#5750)
+- Compatibility with deployments that use a server port other than 443 when the `jwt_issuer` configuration is set in the OIDC Discovery Provider (#5690)
+- Domain verification is now properly done when setting the `jwt_issuer` configuration in the OIDC Discovery Provider (#5690)
+
+### Security
+
+- Fixed to properly call the CompareObjectHandles function when it's available on Windows systems, as an extra security measure in the peertracker (#5749)
+
+## [1.11.1] - 2024-12-12
+
+### Added
+
+- The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
+- The JWT-SVID cache in the agent is now configurable (#5633)
+- The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)
+
+### Changed
+
+- CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)
+
+### Fixed
+
+- Spelling and grammar fixes (#5571)
+- Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
+- Link to Telemetry documentation in the Contributing guide (#5650)
+- Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)
+
+### Known Issues
+
+- Setting the new `jwt_issuer` configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (#5696)
+- Domain verification is bypassed when setting the new `jwt_issuer` configuration property in oidc-discovery-provider (#5697)
+
+## [1.11.0] - 2024-10-24
+
+### Added
+
+- Support for forced rotation and revocation (<https://github.com/orgs/spiffe/projects/21>)
+- New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
+- Support for variables in templates contained in the config file (#5576)
+- Support for the configuration validation RPC on all built-in plugins (#5303)
+- Improved logging when built-in plugins panic (#5476)
+- Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
+- Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)
+
+### Changed
+
+- SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the `x509_svid_cache_max_size` configuration option. (#5383, #5531)
+- Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
+- Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)
+
+### Removed
+
+- Deprecated -ttl flag from the SPIRE Server `entry create` and `entry update` commands (#5483)
+- Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)
+
+### Fixed
+
+- Missing TrustDomain field passed to x509pop path template (#5577)
+- Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (#5509)
+
+## [1.10.4] - 2024-09-12
+
+### Fixed
+
+- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)
+
+## [1.10.3] - 2024-09-03
+
+### Fixed
+
+- Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (#5459)
+
+## [1.10.2] - 2024-09-03
+
+### Added
+
+- `http_challenge` NodeAttestor plugin (#4909)
+- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
+- Metrics for monitoring the event-based cache (#5411)
+
+### Changed
+
+- Delegated Identity API to allow subscription by process ID (#5272)
+- Agent Debug endpoint to count SVIDs by type (#5352)
+- Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
+- Small documentation improvements (#5393)
+
+### Fixed
+
+- `aws_iid` NodeAttestor to properly handle multiple network interfaces (#5300)
+- Server configuration to correctly propagate the `sql_transaction_timeout` setting in the experimental events-based cache (#5345)
+
+## [1.10.1] - 2024-08-01
+
+### Added
+
+- New Grafana dashboard template (#5188)
+- `aws_rolesanywhere_trustanchor` BundlePublisher plugin (#5048)
+
+### Changed
+
+- `spire` UpstreamAuthority to optionally use the Preferred TTL on intermediate authorities (#5264)
+- Federation endpoint to support custom bundle and certificates for authorization (#5163)
+- Small documentation improvements (#5235, #5220)
+
+### Fixed
+
+- Event-based cache to handle events missed at the cache startup (#5289)
+- LRU cache to no longer send update notifications to all subscribers (#5281)
+
+## [1.10.0] - 2024-06-24
+
+### Added
+
+- Plugin reconfiguration support using the `plugin_data_file` configurable (#5166)
+
+### Changed
+
+- SPIRE Server and OIDC provider images to use non-root users (#4967, #5227)
+- `k8s_psat` NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)
+- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
+- Small documentation improvements (#5181, #5189)
+- Evicted agents that support reattestation can now reattest without being restarted (#4991)
+
+### Fixed
+
+- PSAT node attestor to cross-check the audience fields (#5142)
+- Events-based cache to handle out of order events (#5071)
+
+### Deprecated
+
+- `x509_svid_cache_max_size` and `disable_lru_cache` in agent configuration (#5150)
+
+### Removed
+
+- The deprecated `disable_reattest_to_renew` agent configurable (#5217)
+- The deprecated `key_metadata_file` configurable from the `aws_kms`, `azure_key_vault` and  `gcp_kms` server KeyManagers (#5207)
+- The deprecated `use_msi` configurable from the `azure_key_vault` server KeyManager and `azure_msi` NodeAttestor (#5207, #5209)
+- The deprecated `exclude_sn_from_ca_subject` server configurable (#5203)
+- Agent no longer cleans up deprecated bundle and SVID files (#5205)
+- The CA journal file is no longer stored on disk, and existing CA journal files are cleaned up  (#5202)
+
+## [1.9.6] - 2024-05-14
+
+### Added
+
+- Opt-in support for CGroups v2 in K8s and Docker workload attestors (#5076)
+- `gcp_cloudstorage` BundlePublisher plugin (#4961)
+- The `aws_iid` node attestor can now check if the AWS account ID is part of an AWS Organization (#4838)
+- More filtering options to count and show entries and agents (#4714)
+
+### Changed
+
+- Credential composer to not convert timestamp related claims (i.e., exp and iat) to floating point values (#5115)
+- FetchJWTBundles now returns an empty collection of keys instead of null (#5031)
+
+### Fixed
+
+- Using expired tokens when connecting to database (#5119)
+- Server no longer tries to create JWT authority when X.509 authority fails (#5064)
+- Issues in experimental events-based entry cache (#5030, #5037, #5042)
+
+## [1.9.5] - 2024-05-07
+
+### Security
+
+- Updated to Go 1.21.10 to address CVE-2024-24788
+
+## [1.9.4] - 2023-04-05
+
+### Security
+
+- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288
+
+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
+## [1.9.2] - 2024-03-25
+
+### Added
+
+- Support for AWS IAM-based authentication with AWS RDS backed databases (#4828)
+- Support for adjusting the SPIRE Server log level at runtime (#4880)
+- New `retry_bootstrap` option to SPIRE Agent to retry failed bootstrapping with SPIRE Server, with a backoff, in lieu of failing the startup process (#4597)
+- Improved logging (#4902, #4906)
+- Documentation improvements (#4895, #4951, #4907)
+
+## [1.9.1] - 2024-03-05
+
+### Security
+
+- Update Go to v1.21.8 to patch CVE-2024-24783
+
+## [1.9.0] - 2024-02-22
+
+### Added
+
+- `uniqueid` CredentialComposer plugin that adds the x509UniqueIdentifier attribute to workload X509-SVIDs (#4862)
+- Agent's Admin API has now a default location defined (#4856)
+- Partial selectors from workload attestation are now logged when attestation is interrupted (#4846)
+- X509-SVIDs minted by SPIRE can now include wildcards in the DNS names (#4814)
+
+### Changed
+
+- CA journal data is now stored in the datastore, removing the on-disk dependency of the server (#4690)
+- `aws_kms`, `azure_key_vault`, and `gcp_kms` KeyManager plugins no longer require storing metadata files on disk (#4700)
+- Bundle endpoint refresh hint now defaults to 5 minutes (#4847, #4888)
+- Graceful shutdown is now blocked while built-in plugin RPCs drain (#4820)
+- Entry cache hydration is now done with paginated requests to the datastore (#4721, #4826)
+- Agents renew SVIDs through re-attestation by default when using a supporting Node Attestor (#4791)
+- The SPIRE Agent LRU SVID cache is no longer experimental and is enabled by default (#4773)
+- Small documentation improvements (#4764, #4787)
+- Read-replicas are no longer used when hydrating the experimental events-based entry cache (#4868)
+- Workload gRPC connections are now terminated when the peertracker liveness check fails instead of just failing the RPC calls (#4611)
+
+### Fixed
+
+- Missing creation of events in the experimental events-based cache entry when an entry was pruned (#4860)
+- Bug in SPIRE Agent LRU SVID cache that caused health checks to fail (#4852)
+- Refreshing of selectors of attested agents when using the experimental events-based entry cache (#4803)
+
+### Deprecated
+
+- `k8s_sat` NodeAttestor plugin (#4841)
+
+### Removed
+
+- X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
+
+## [1.8.11] - 2024-05-07
+
+### Security
+
+- Updated to Go 1.21.10 to address CVE-2024-24788
+
+## [1.8.10] - 2023-04-05
+
+### Security
+
+- Updated to google.golang.org/grpc v1.62.2 and golang.org/x/net v0.24.0 to address CVE-2023-45288
+
+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
+## [1.8.8] - 2024-03-05
+
+### Security
+
+- Update Go to v1.21.8 to patch CVE-2024-24783
+
+## [1.8.7] - 2023-12-21
+
+### Added
+
+- Agents can now be configured with an availability target, which establishes the minimum amount of time desired to gracefully handle server or agent downtime, influencing how aggressively X509-SVIDs should be rotated (#4599)
+- SyncAuthorizedEntries RPC, which allows agents to only sync down changes instead of the entire set of entries. Agents can be configured to use this new RPC through the `use_sync_authorized_entries` experimental setting (#4648)
+- Experimental support for an events based entry cache which reduces overhead on the database (#4379, #4411, #4527, #4451, #4562, #4723, #4731)
+
+### Changed
+
+- The maximum number of open database connections in the datastore now defaults to 100 instead of unlimited (#4656)
+- Agents now shut down when they can't synchronize entries with the server due to an unknown authority error (#4617)
+
+### Removed
+
+- Agents no longer maintains agent SVID and bundle information in the legacy paths in the data directory (#4717)
+
+## [1.8.6] - 2023-12-07
+
+### Security
+
+- Updated to Go 1.21.5 to address CVE-2023-39326
+
+## [1.8.5] - 2023-11-22
+
+### Added
+
+- All credential types supported by Azure can now be used in `azure_msi` NodeAttestor plugin and `azure_key_vault` KeyManager plugin (#4568)
+- `EnableHostnameLabel` field in Server and Agent `telemetry` configuration section that enables addition of a hostname label to metrics (#4584)
+
+### Changed
+
+- Agent SDS API now provides a SPIFFEValidationContext as the default CertificateValidationContext when the Envoy version cannot be determined (#4618)
+- Server CAs now contain a `serialNumber` attribute in the `Subject` DN (#4585)
+- Improved accuracy of Agent log message for SVID renewal events (#4654)
+
+### Deprecated
+
+- `use_msi` configuration fields in `azure_msi` NodeAttestor plugin and `azure_key_vault` KeyManager plugin are deprecated in favor of the chained Azure SDK credential loading strategy (#4568)
+
+### Fixed
+
+- Agent SDS API now provides correct CertificateValidationContext when Envoy registered in SPIRE after the first SDS request (#4611)
+
+## [1.8.4] - 2023-11-07
+
+### Security
+
+- Updated to Go 1.21.4 to address CVE-2023-45283, CVE-2023-45284
+
+## [1.8.3] - 2023-10-25
+
+### Added
+
+- SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
+- Allow configuring prefixes for all metrics (#4535)
+- Documentation improvements (#4579, #4569)
+
+### Changed
+
+- SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)
+
+### Fixed
+
+- Release artifacts have the correct version information (#4564)
+- The SPIRE Agent `insecureBootstrap` and `trustBundleUrl` configurables are now mutually exclusive (#4532)
+- Bug preventing JWT-SVIDs from being minted when a Credential Composer plugin is configured (#4489)
+
+## [1.8.2] - 2023-10-12
+
+### Security
+
+- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487
+
+## [1.8.1] - 2023-10-10
+
+### Security
+
+- Updated to Go 1.21.3 to address CVE-2023-39325, CVE-2023-44487
+
+## [1.8.0] - 2023-09-20
+
+### Added
+
+- `azure_key_vault` KeyManager plugin (#4458)
+- Server configuration to set refresh hint of local bundle (#4400)
+- Support for batch entry deletion in `spire-server` CLI (#4371)
+- `aws_iid` NodeAttestor can now be used in AWS Gov Cloud and China regions (#4427)
+- `status_code` and `status_message` fields in SPIRE Agent logs on gRPC errors (#4262)
+
+### Changed
+
+- Bundle server configuration is now organized by endpoint profiles (#4476)
+- Release artifacts are now statically linked with musl rather than glibc (#4491)
+- Agent no longer requests unused SVIDs for node aliases they belong to, reducing server signing load (#4467)
+- Entry IDs can now be optionally set by the client for BatchCreateEntry requests (#4477)
+
+### Fixed
+
+- Concurrent workload attestation using `systemd` plugin (#4360)
+- Bug in `k8s` WorkloadAttestor plugin that failed attestation in some scenarios (#4468)
+- Server can now be run on Linux arm64 when using SQLite (#4491)
+
+### Removed
+
+- Support for Envoy SDS v2 API (#4444)
+- Server no longer cleans up stale data in the database on startup (#4443)
+- Server no longer deletes entries with invalid SPIFFE IDs on startup (#4449)
+
+## [1.7.6] - 2023-12-07
+
+### Security
+
+- Updated to Go 1.20.12 to address CVE-2023-39326
+
+## [1.7.5] - 2023-11-07
+
+### Security
+
+- Updated to Go 1.20.11 to address CVE-2023-45283, CVE-2023-45284
+
+## [1.7.4] - 2023-10-12
+
+### Security
+
+- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487
+
+## [1.7.3] - 2023-10-10
+
+### Security
+
+- Updated to Go 1.20.10 to address CVE-2023-39325, CVE-2023-44487
+
+## [1.7.2] - 2023-08-16
+
+### Added
+
+- `aws_s3` BundlePublisher plugin (#4355)
+- SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
+- Telemetry in experimental Agent LRU cache (#4335)
+- Telemetry in Agent Delegated Identity API (#4399)
+- Documentation improvements (#4336, #4407)
+
+### Fixed
+
+- Server no longer unnecessarily activates its CA a second time on startup (#4368)
+
 ## [1.7.1] - 2023-07-27

 ### Added
@ -702,7 +1216,7 @@
 - Regression preventing agent selectors from showing in `spire-server agent show` command (#2133)
 - Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
 - Reporting of errors in server entry cache telemetry (#2091)
- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)
+- Agent logs an error and automatically shuts down when its SVID has expired, and it requires re-attestation (#2065)

 ## [0.12.1] - 2021-03-04

@ -788,7 +1302,7 @@

 - Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823)
 - Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824)
- Fixed issue preventing brand new deployments from downgrading successfully (#1829)
+- Fixed issue preventing brand-new deployments from downgrading successfully (#1829)
 - Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863)

 ## [0.11.0] - 2020-08-28
@ -892,7 +1406,7 @@

 ## [0.9.0] - 2019-11-14

- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
+- Users can now opt out of workload executable hashing when enabling the workload path as a selector (#1078)
 - Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
 - SQL auto-migration can be disabled (#1089)
 - SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089)
--- a/14
+++ b/14
@ -1,27 +1,27 @@
-* @evan2645 @amartinezfayo @azdagron @MarcosDY @rturner3
+* @evan2645 @amartinezfayo @sorindumitru @MarcosDY @rturner3

 ##########################################
 # Maintainers
 ##########################################

 # Evan Gilman
-# VMware, Inc
+# SPIRL, Inc.
 # @evan2645

 # Agustin Martínez Fayó
 # Hewlett-Packard Enterprise	
 # @amartinezfayo

-# Andrew Harding
-# VMware, Inc
-# @azdagron
+# Sorin Dumitru
+# Bloomberg L.P.
+# @sorindumitru

 # Marcos Yacob
 # Hewlett-Packard Enterprise
 # @MarcosDY

 # Ryan Turner
-# Uber Technologies, Inc
+# Cielara AI
 # @rturner3

 ##########################################
@ -29,5 +29,5 @@
 ##########################################

 # Umair Khan
-# Hewlett-Packard Enterprise
+# Stacklet, Inc.
 # @umairmkhan
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -45,7 +45,7 @@ toolchain and other build related files are cached under the `.build` folder

 ### Development in Docker

-You can either build SPIRE on your host or in a Ubuntu docker container. In
+You can either build SPIRE on your host or in an Ubuntu docker container. In
 both cases you will use the same Makefile commands.

 To build SPIRE within a container, first build the development image:
@ -105,14 +105,14 @@ Packages should be exported through interfaces. Interaction with packages must b
 interfaces

 Interfaces should be defined in their own file, named (in lowercase) after the name of the
-interface. eg. `foodata.go` implements `type FooData interface{}`
+interface. e.g. `foodata.go` implements `type FooData any`

 ### Metrics

 As much as possible, label names should be constants defined in the `telemetry` package. Additionally,
 specific metrics should be centrally defined in the `telemetry` package or its subpackages. Functions
 desiring metrics should delegate counter, gauge, timer, etc. creation to such packages.
-The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry.md) and should be kept up to date.
+The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry/telemetry.md) and should be kept up to date.

 In addition, metrics should be unit-tested where reasonable.

@ -233,15 +233,21 @@ implementation can easily serve the needs for an entire suite of tests and
 the behavior is in a centralized location when it needs to be updated. Fakes
 are also less inclined to be impacted by changes to usage patterns.

-## Git hooks
+## Example [direnv][direnv_link] .envrc

-We have checked in a pre-commit hook which enforces `go fmt` styling. Please install it
-before sending a pull request. From the project root:
+We have committed a basic `.envrc.example`. If you use [direnv][direnv_link],
+copy it into `.envrc`, edit as desired, and enable it with `direnv allow`. The
+`.envrc` is `.gitignored`. Be aware that [source_env][source_env] is insecure
+so keep your customizations in `.envrc`.

-```shell
-$ ln -s .githooks/pre-commit .git/hooks/pre-commit
-```
+[direnv_link]: https://direnv.net/
+[source_env]: https://direnv.net/man/direnv-stdlib.1.html#codesourceenv-ltfileordirpathgtcode
+
+## Project Tool Versions
+
+This project uses a `.spire-tool-versions` file to centralize the versions of various tools used for
+development, linting, and other tasks.

 ## Reporting security vulnerabilities

-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
--- a/87
+++ b/87
@ -1,8 +1,8 @@
-# syntax = docker/dockerfile:1.4.2@sha256:443aab4ca21183e069e7d8b2dc68006594f40bddf1b15bbd83f5137bd93e80e2
+# syntax = docker/dockerfile:1.6.0@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021

 # Build stage
 ARG goversion
-FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine as base
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.22 as base
 WORKDIR /spire
 RUN apk --no-cache --update add file bash clang lld pkgconfig git make
 COPY go.* ./
@ -13,76 +13,73 @@ COPY . .
 # xx is a helper for cross-compilation
 # when bumping to a new version analyze the new version for security issues
 # then use crane to lookup the digest of that version so we are immutable
-# crane digest tonistiigi/xx:1.1.2
-FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:9dde7edeb9e4a957ce78be9f8c0fbabe0129bf5126933cd3574888f443731cda AS xx
+# crane digest tonistiigi/xx:1.3.0
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx

 FROM --platform=${BUILDPLATFORM} base as builder
+ARG TAG
 ARG TARGETPLATFORM
 ARG TARGETARCH
 COPY --link --from=xx / /

-# For users that wish to run SPIRE containers as a non-root user,
-# provide a default unprivileged user such that the default paths
-# that SPIRE will try to read from, write to, and create at runtime
-# can be given the correct file ownership/permissions at build time.
-ARG spireuid=1000
-ARG spiregid=1000
-
-# Set up directories that SPIRE expects by default
-# Set up base directories
-RUN install -d -o root -g root -m 777 /spireroot
-RUN install -d -o root -g root -m 755 /spireroot/etc/ssl/certs
-RUN install -d -o root -g root -m 755 /spireroot/run
-RUN install -d -o root -g root -m 755 /spireroot/var/lib
-RUN install -d -o root -g root -m 1777 /spireroot/tmp
-
-# Set up directories used by SPIRE
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/etc/spire
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/run/spire
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireroot/var/lib/spire
-
-# Set up spire-server directories
-RUN cp -r /spireroot /spireserverroot
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/etc/spire/server
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/run/spire/server/private
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireserverroot/var/lib/spire/server
-
-# Set up spire-agent directories
-RUN cp -r /spireroot /spireagentroot
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/etc/spire/agent
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/run/spire/agent/public
-RUN install -d -o ${spireuid} -g ${spiregid} -m 755 /spireagentroot/var/lib/spire/agent
-
 RUN xx-go --wrap
 RUN set -e ; xx-apk --no-cache --update add build-base musl-dev libseccomp-dev
 ENV CGO_ENABLED=1
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    if [ "$TARGETARCH" = "arm64" ]; then CC=aarch64-alpine-linux-musl; elif [ "$TARGETARCH" = "s390x" ]; then CC=s390x-alpine-linux-musl; fi && \
-    make build-static && \
-    for f in $(find bin -executable -type f); do xx-verify $f; done
+    make build-static git_tag=$TAG git_dirty="" && \
+    for f in $(find bin -executable -type f); do xx-verify --static $f; done

 FROM --platform=${BUILDPLATFORM} scratch AS spire-base
+COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 WORKDIR /opt/spire
-CMD []
-COPY --link --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+# Preparation environment for setting up directories
+FROM alpine as prep-spire-server
+RUN mkdir -p /spireroot/opt/spire/bin \
+    /spireroot/etc/spire/server \
+    /spireroot/run/spire/server/private \
+    /spireroot/tmp/spire-server/private \
+    /spireroot/var/lib/spire/server
+
+FROM alpine as prep-spire-agent
+RUN mkdir -p /spireroot/opt/spire/bin \
+    /spireroot/etc/spire/agent \
+    /spireroot/run/spire/agent/public \
+    /spireroot/tmp/spire-agent/public \
+    /spireroot/var/lib/spire/agent
+
+# For users that wish to run SPIRE containers with a specific uid and gid, the
+# spireuid and spiregid arguments are provided. The default paths that SPIRE
+# will try to read from, write to, and create at runtime are given the
+# corresponding file ownership/permissions at build time.
+# A default non-root user is defined for SPIRE Server and the OIDC Discovery
+# Provider. The SPIRE Agent image runs as root by default to facilitate the
+# sharing of the agent socket in Kubernetes environments.

 # SPIRE Server
 FROM spire-base AS spire-server
+ARG spireuid=1000
+ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-server", "run"]
-COPY --link --from=builder /spireserverroot /
-COPY --link --from=builder /spire/bin/static/spire-server bin/
+COPY --link --from=prep-spire-server --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-server /opt/spire/bin/

 # SPIRE Agent
 FROM spire-base AS spire-agent
+ARG spireuid=0
+ARG spiregid=0
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"]
-COPY --link --from=builder /spireagentroot /
-COPY --link --from=builder /spire/bin/static/spire-agent bin/
+COPY --link --from=prep-spire-agent --chown=${spireuid}:${spiregid} --chmod=755 /spireroot /
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/spire-agent /opt/spire/bin/

 # OIDC Discovery Provider
 FROM spire-base AS oidc-discovery-provider
+ARG spireuid=1000
+ARG spiregid=1000
 USER ${spireuid}:${spiregid}
 ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"]
-COPY --link --from=builder /spire/bin/static/oidc-discovery-provider bin/
+COPY --link --from=builder --chown=${spireuid}:${spiregid} --chmod=755 /spire/bin/static/oidc-discovery-provider /opt/spire/bin/
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM ubuntu:xenial
+FROM ubuntu:24.04
 WORKDIR /spire
 RUN apt-get update && apt-get -y install \
    curl unzip git build-essential ca-certificates libssl-dev
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -31,9 +31,9 @@ This section of the document can and should be updated as the above consideratio

 ### Changes in Maintainership

-SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated.
+SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote except the unseated.

-Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period.
+Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine-month period.

 The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk.

@ -103,7 +103,7 @@ This is a very important aspect of SPIRE maintainership. Adoption and contributi

 ## Product Management and Roadmap Curation

-In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field testing to better inform maintainers, and communicating project development information to the community.
+In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field-testing to better inform maintainers, and communicating project development information to the community.

 Maintainers are expected to have heavy participation in the community, but it may be impractical to dedicate themselves to gathering and analyzing community feedback and end-user pain points. Based on data collection, the role of the product manager is intended to aid maintainers to validate the desirability, feasibility, and viability of efforts to help drive project direction and priorities in long term planning.

--- a/65
+++ b/65
@ -26,13 +26,13 @@ help:
 	@echo
 	@echo "$(bold)Build:$(reset)"
 	@echo "  $(cyan)build$(reset)                                 - build all SPIRE binaries (default)"
-	@echo "  $(cyan)artifact$(reset)                              - build SPIRE tarball artifact"
 	@echo
 	@echo "$(bold)Test:$(reset)"
 	@echo "  $(cyan)test$(reset)                                  - run unit tests"
 	@echo "  $(cyan)race-test$(reset)                             - run unit tests with race detection"
 	@echo "  $(cyan)integration$(reset)                           - run integration tests (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
+	@echo "                                          and 'IGNORE_SUITES' variable for ignoring tests"
 	@echo "                                          e.g. SUITES='suites/join-token suites/k8s' make integration"
 	@echo "  $(cyan)integration-windows$(reset)                   - run integration tests for windows (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
@ -104,6 +104,8 @@ else
 $(error unsupported ARCH: $(arch1))
 endif

+ignore_suites := $(IGNORE_SUITES)
+
 ############################################################################
 # Docker TLS detection for buildx
 ############################################################################
@ -122,31 +124,29 @@ binaries := spire-server spire-agent oidc-discovery-provider

 build_dir := $(DIR)/.build/$(os1)-$(arch1)

-go_version_full := $(shell cat .go-version)
-go_version := $(go_version_full:.0=)
+go_version := $(shell cat .go-version)
 go_dir := $(build_dir)/go/$(go_version)

 ifeq ($(os1),windows)
 	go_bin_dir = $(go_dir)/go/bin
-	go_url = https://storage.googleapis.com/golang/go$(go_version).$(os1)-$(arch2).zip
+	go_url = https://go.dev/dl/go$(go_version).$(os1)-$(arch2).zip
 	exe=".exe"
 else
 	go_bin_dir = $(go_dir)/bin
-	go_url = https://storage.googleapis.com/golang/go$(go_version).$(os1)-$(arch2).tar.gz
+	go_url = https://go.dev/dl/go$(go_version).$(os1)-$(arch2).tar.gz
 	exe=
 endif

 go_path := PATH="$(go_bin_dir):$(PATH)"

-golangci_lint_version = v1.53.3
+golangci_lint_version := $(shell awk '/golangci-lint/{print $$2}' .spire-tool-versions)
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
-golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache

-markdown_lint_version = v0.33.0
+markdown_lint_version := $(shell awk '/markdown_lint/{print $$2}' .spire-tool-versions)
 markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version)

-protoc_version = 3.20.1
+protoc_version := $(shell awk '/protoc/{print $$2}' .spire-tool-versions)
 ifeq ($(os1),windows)
 protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-win64.zip
 else ifeq ($(arch2),arm64)
@ -166,7 +166,7 @@ protoc_gen_go_base_dir := $(build_dir)/protoc-gen-go
 protoc_gen_go_dir := $(protoc_gen_go_base_dir)/$(protoc_gen_go_version)-go$(go_version)
 protoc_gen_go_bin := $(protoc_gen_go_dir)/protoc-gen-go

-protoc_gen_go_grpc_version := v1.1.0
+protoc_gen_go_grpc_version := v1.3.0
 protoc_gen_go_grpc_base_dir := $(build_dir)/protoc-gen-go-grpc
 protoc_gen_go_grpc_dir := $(protoc_gen_go_grpc_base_dir)/$(protoc_gen_go_grpc_version)-go$(go_version)
 protoc_gen_go_grpc_bin := $(protoc_gen_go_grpc_dir)/protoc-gen-go-grpc
@ -269,10 +269,6 @@ bin/%: support/% FORCE | go-check
 	@echo Building $@…
 	$(E)$(go_build) $@$(exe) ./$<

-bin/%: support/k8s/% FORCE | go-check
-	@echo Building $@…
-	$(E)$(go_build) $@$(exe) ./$<
-
 #############################################################################
 # Build static binaries for docker images
 #############################################################################
@ -290,11 +286,6 @@ bin/static/%: cmd/% FORCE | go-check
 	$(E)$(go_build_static) $@$(exe) ./$<

 bin/static/%: support/% FORCE | go-check
-	@echo Building $@…
-	$(E)$(go_build_static) $@$(exe) ./$<
-
-bin/static/%: support/k8s/% FORCE | go-check
-	@echo Building $@…
 	$(E)$(go_build_static) $@$(exe) ./$<

 #############################################################################
@ -321,20 +312,11 @@ integration:
 ifeq ($(os1), windows)
 	$(error Integration tests are not supported on windows)
 else
-	$(E)$(go_path) ./test/integration/test.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test.sh $(SUITES)
 endif

 integration-windows:
-	$(E)./test/integration/test-windows.sh $(SUITES)
-
-#############################################################################
-# Build Artifact
-#############################################################################
-
-.PHONY: artifact
-
-artifact: build
-	$(E)OUTDIR="$(OUTDIR)" TAG="$(TAG)" ./script/build-artifact.sh
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test-windows.sh $(SUITES)

 #############################################################################
 # Docker Images
@ -355,7 +337,8 @@ $1: $3 container-builder
 	@echo Building docker image $2 $(PLATFORM)…
 	$(E)docker buildx build \
 		--platform $(PLATFORMS) \
-		--build-arg goversion=$(go_version_full) \
+		--build-arg goversion=$(go_version) \
+		--build-arg TAG=$(TAG) \
 		--target $2 \
 		-o type=oci,dest=$2-image.tar \
 		-f $3 \
@ -386,7 +369,7 @@ define windows_image_rule
 $1: $3
 	@echo Building docker image $2…
 	$(E)docker build \
-		--build-arg goversion=$(go_version_full) \
+		--build-arg goversion=$(go_version) \
 		--target $2 \
 		-t $2 -t $2:latest-local \
 		-f $3 \
@ -421,8 +404,11 @@ endif

 lint: lint-code lint-md

-lint-code: $(golangci_lint_bin)
-	$(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
+lint-code: | go-check
+	$(E)mkdir -p $(golangci_lint_cache)
+	$(E)$(go_path) GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" \
+		go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(golangci_lint_version) \
+		run --max-issues-per-linter=0 --max-same-issues=0 ./...

 lint-md:
 	$(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md"
@ -526,7 +512,7 @@ endif
 go-bin-path: go-check
 	@echo "$(go_bin_dir):${PATH}"

-install-toolchain: install-protoc install-golangci-lint install-protoc-gen-go install-protoc-gen-doc | go-check
+install-toolchain: install-protoc install-protoc-gen-go | go-check

 install-protoc: $(protoc_bin)

@ -536,15 +522,6 @@ $(protoc_bin):
 	$(E)mkdir -p $(protoc_dir)
 	$(E)curl -sSfL $(protoc_url) -o $(build_dir)/tmp.zip; unzip -q -d $(protoc_dir) $(build_dir)/tmp.zip; rm $(build_dir)/tmp.zip

-install-golangci-lint: $(golangci_lint_bin)
-
-$(golangci_lint_bin): | go-check
-	@echo "Installing golangci-lint $(golangci_lint_version)..."
-	$(E)rm -rf $(dir $(golangci_lint_dir))
-	$(E)mkdir -p $(golangci_lint_dir)
-	$(E)mkdir -p $(golangci_lint_cache)
-	$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
-
 install-protoc-gen-go: $(protoc_gen_go_bin)

 $(protoc_gen_go_bin): | go-check
--- a/README.md
+++ b/README.md
@ -3,7 +3,6 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3303/badge)](https://bestpractices.coreinfrastructure.org/projects/3303)
 [![Build Status](https://github.com/spiffe/spire/actions/workflows/pr_build.yaml/badge.svg)](https://github.com/spiffe/spire/actions/workflows/pr_build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/spiffe/spire)](https://goreportcard.com/report/github.com/spiffe/spire)
-[![Slack Status](https://slack.spiffe.io/badge.svg)](https://slack.spiffe.io)
 [![Production Phase](https://img.shields.io/badge/SPIFFE-Prod-green.svg?logoWidth=18&logo=data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHJvbGU9ImltZyIgdmlld0JveD0iMC4xMSAxLjg2IDM1OC4yOCAzNTguMjgiPjxzdHlsZT5zdmcge2VuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzYwIDM2MH08L3N0eWxlPjxzdHlsZT4uc3QyLC5zdDN7ZmlsbC1ydWxlOmV2ZW5vZGQ7Y2xpcC1ydWxlOmV2ZW5vZGQ7ZmlsbDojYmNkOTE4fS5zdDN7ZmlsbDojMDRiZGQ5fTwvc3R5bGU+PGcgaWQ9IkxPR08iPjxwYXRoIGQ9Ik0xMi4xIDguOWgyOC4zYzIuNyAwIDUgMi4yIDUgNXYyOC4zYzAgMi43LTIuMiA1LTUgNUgxMi4xYy0yLjcgMC01LTIuMi01LTVWMTMuOWMuMS0yLjcgMi4zLTUgNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik04OC43IDguOWgyNThjMi43IDAgNSAyLjIgNSA1djI4LjNjMCAyLjctMi4yIDUtNSA1aC0yNThjLTIuNyAwLTUtMi4yLTUtNVYxMy45YzAtMi43IDIuMi01IDUtNXoiIGNsYXNzPSJzdDMiLz48cGF0aCBkPSJNMzQ2LjcgODUuNWgtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01VjkwLjVjMC0yLjgtMi4zLTUtNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0xOTMuNiA4NS41SDEyLjFjLTIuNyAwLTUgMi4zLTUgNXYyOC4zYzAgMi43IDIuMiA1IDUgNWgxODEuNWMyLjcgMCA1LTIuMiA1LTVWOTAuNWMwLTIuOC0yLjItNS01LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTI3MC4yIDg1LjVoLTI4LjNjLTIuNyAwLTUgMi4yLTUgNXYyOC4zYzAgMi44IDIuMiA1IDUgNWgyOC4zYzIuNyAwIDUtMi4yIDUtNVY5MC41Yy0uMS0yLjgtMi4zLTUtNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0yNzAuMiAxNjJIODguN2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjcgMi4yIDUgNSA1aDE4MS41YzIuNyAwIDUtMi4yIDUtNVYxNjdjLS4xLTIuOC0yLjMtNS01LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTM0Ni43IDE2MmgtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01VjE2N2MwLTIuOC0yLjMtNS01LTV6bS0zMDYuMyAwSDEyLjFjLTIuNyAwLTUgMi4yLTUgNXYyOC4zYzAgMi44IDIuMiA1IDUgNWgyOC4zYzIuNyAwIDUtMi4yIDUtNVYxNjdjMC0yLjgtMi4yLTUtNS01em0tMjguMyA3Ni41aDI4LjNjMi43IDAgNSAyLjIgNSA1djI4LjNjMCAyLjctMi4yIDUtNSA1SDEyLjFjLTIuNyAwLTUtMi4yLTUtNXYtMjguM2MuMS0yLjcgMi4zLTUgNS01eiIgY2xhc3M9InN0MiIvPjxwYXRoIGQ9Ik0xNjUuMiAyMzguNWgxODEuNWMyLjcgMCA1IDIuMiA1IDV2MjguM2MwIDIuNy0yLjIgNS01IDVIMTY1LjJjLTIuNyAwLTUtMi4yLTUtNXYtMjguM2MwLTIuNyAyLjItNSA1LTV6IiBjbGFzcz0ic3QzIi8+PHBhdGggZD0iTTg4LjcgMjM4LjVIMTE3YzIuNyAwIDUgMi4yIDUgNXYyOC4zYzAgMi43LTIuMiA1LTUgNUg4OC43Yy0yLjcgMC01LTIuMi01LTV2LTI4LjNjMC0yLjcgMi4yLTUgNS01em0yNTggNzYuN2gtMjguM2MtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjggMi4yIDUgNSA1aDI4LjNjMi43IDAgNS0yLjIgNS01di0yOC4zYzAtMi44LTIuMy01LTUtNXoiIGNsYXNzPSJzdDIiLz48cGF0aCBkPSJNMjcwLjIgMzE1LjJoLTI1OGMtMi43IDAtNSAyLjItNSA1djI4LjNjMCAyLjcgMi4yIDUgNSA1aDI1OGMyLjcgMCA1LTIuMiA1LTV2LTI4LjNjLS4xLTIuOC0yLjMtNS01LTV6IiBjbGFzcz0ic3QzIi8+PC9nPjwvc3ZnPg==)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#production)

 SPIRE (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. SPIRE exposes the [SPIFFE Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto), which can attest running software systems and issue [SPIFFE IDs](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md) and [SVID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md)s to them.  This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. SPIRE can also enable workloads to securely authenticate to a secret store, a database, or a cloud provider service.
@ -62,12 +61,12 @@ The SPIFFE community maintains the SPIRE project. Information on the various SIG
 A third party security firm ([Cure53](https://cure53.de/)) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the [CNCF Technical Advisory Group for Security](https://github.com/cncf/tag-security) conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

 - [Cure53 Security Audit Report](doc/cure53-report.pdf)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/assessments/projects/spiffe-spire/self-assessment.md)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/community/assessments/projects/spiffe-spire)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/community/assessments/projects/spiffe-spire/self-assessment.md)
 - [Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security](https://blog.spiffe.io/scrutinizing-spire-security-9c82ba542019)

 ### Reporting Security Vulnerabilities

-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.

 <!-- markdownlint-configure-file { "MD041": false } -->
--- a/RELEASING.md
+++ b/RELEASING.md
@ -1,6 +1,6 @@
 # Release and Branch Management

-The SPIRE project maintains active support for both the current and the previous major versions. All active development occurs in the `main` branch. Version branches are used for minor releases of the previous major version when necessary.
+The SPIRE project maintains active support for both the current and the previous minor versions. All active development occurs in the `main` branch. Version branches are used for patch releases of the previous minor version when necessary.

 ## Version Branches

@ -14,7 +14,7 @@ The base commit of the release branch is based on the type of release being gene

 When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix.

-Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.
+Once the version branch is created, the patch is either cherry-picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.

 Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release.

@ -59,7 +59,7 @@ The following steps must be completed by the primary on-call maintainer to perfo
  * If the build fails, or anything unusual is encountered, abort the release.
    * Ensure that the GitHub release, container images, and release artifacts are deleted/rolled back if necessary.
 * Visit the releases page on GitHub, copy the release notes, click edit and paste them back in. This works around a GitHub Markdown rendering bug that you will notice before completing this task.
-* Create Git tags (not annotated) with the name `vX.Y.Z` in the [spire-api-sdk](https://github.com/spiffe/spire-api-sdk) and [spire-plugin-sdk](https://github.com/spiffe/spire-plugin-sdk) repositories for the HEAD commit of the main branch.
+* Cut new SDK releases (see [SDK Releases](#sdk-releases)).
 * Open a PR targeted for the main branch with the following changes:
  * Cherry-pick of the changelog commit from the latest release so that the changelog on the main branch contains all the release notes.
  * Bump the SPIRE version to the next projected version. As for determining the next projected version, the project generally releases three patch releases per minor release cycle (e.g. `vX.Y.[0-3]`), not including dedicated security releases. The version needs to be updated in the following places:
@ -75,3 +75,27 @@ The following steps must be completed by the primary on-call maintainer to perfo

 * PRs to update spiffe.io and spire-examples repo to the latest major version must be merged.
  * Ensure that the PRs have been updated to use the version tag instead of the commit sha.
+
+### SDK Releases
+
+SPIRE has two SDK repositories:
+
+* [API SDK](https://github.com/spiffe/spire-api-sdk)
+* [Plugin SDK](https://github.com/spiffe/spire-plugin-sdk)
+
+SPIRE consumes these SDKs using pseudo-versions from the `next` branch in each SDK repository. This allows unreleased changes to be reviewed, merged, and consumed by SPIRE.
+
+These SDKs need to be released with each SPIRE release.
+
+SDK releases take place using tagged commits from the `main` branch in each repository. When cutting a new release, the `main` branch needs to be prepared with any previously unreleased changes that are part of the new release.
+
+To create a release for an SDK, perform the following steps:
+
+1. Review the diff between `next` and `main`.
+1. Determine the commits in `next` that are missing from `main`, in other words, commits containing features that were under development that are now publicly available through the new SPIRE release (e.g. API or plugin interface additions).
+1. Cherry-pick those commits, if any, into `main`.
+1. Create a git tag (not annotated) with the name `vX.Y.Z`, corresponding to the SPIRE release version, for the `HEAD` commit of the main branch.
+1. Push the `vX.Y.Z` tag to Github.
+
+> [!WARNING]  
+> Extra care should be taken to ensure that the tagged commit is correct before pushing. Once it has been pushed, anyone running `go get <SDK module>@latest` will cause the repository to be pulled into the Go module cache at that cache. Changing it afterwards is not without consequence.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,4 +6,4 @@ The project supports security releases for the current minor release series and

 ## Reporting a Vulnerability

-If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at <security@spiffe.io>. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
--- a/cmd/spire-agent/cli/api/api_posix_test.go
+++ b/cmd/spire-agent/cli/api/api_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package api

--- a/cmd/spire-agent/cli/api/api_test.go
+++ b/cmd/spire-agent/cli/api/api_test.go
@ -15,9 +15,9 @@ import (
 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/x509util"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeworkloadapi"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/testca"
@ -416,9 +416,10 @@ func TestValidateJWTCommand(t *testing.T) {
 						Claims: &structpb.Struct{
 							Fields: map[string]*structpb.Value{
 								"aud": {
-									Kind: &structpb.Value_ListValue{ListValue: &structpb.ListValue{
-										Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
-									},
+									Kind: &structpb.Value_ListValue{
+										ListValue: &structpb.ListValue{
+											Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
+										},
 									},
 								},
 							},
@ -504,7 +505,7 @@ func setupTest(t *testing.T, newCmd func(env *commoncli.Env, clientMaker workloa
 	}, newWorkloadClient)

 	test := &apiTest{
-		addr:        common.GetAddr(addr),
+		addr:        clitest.GetAddr(addr),
 		stdin:       stdin,
 		stdout:      stdout,
 		stderr:      stderr,
@ -538,7 +539,7 @@ func (s *apiTest) afterTest(t *testing.T) {
 }

 func (s *apiTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 func assertOutputBasedOnFormat(t *testing.T, format, stdoutString, expectedStdoutJSON string, expectedStdoutPretty ...string) {
--- a/cmd/spire-agent/cli/api/api_windows_test.go
+++ b/cmd/spire-agent/cli/api/api_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package api

--- a/cmd/spire-agent/cli/api/common.go
+++ b/cmd/spire-agent/cli/api/common.go
@ -28,7 +28,7 @@ func newWorkloadClient(ctx context.Context, addr net.Addr, timeout time.Duration
 	if err != nil {
 		return nil, err
 	}
-	conn, err := util.GRPCDialContext(ctx, target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/spire-agent/cli/api/fetch_jwt.go
+++ b/cmd/spire-agent/cli/api/fetch_jwt.go
@ -78,7 +78,7 @@ func (c *fetchJWTCommand) fetchJWTBundles(ctx context.Context, client *workloadC
 	return stream.Recv()
 }

-func printPrettyResult(env *commoncli.Env, results ...interface{}) error {
+func printPrettyResult(env *commoncli.Env, results ...any) error {
 	svidResp, ok := results[0].(*workload.JWTSVIDResponse)
 	if !ok {
 		env.Println(cliprinter.ErrInternalCustomPrettyFunc.Error())
--- a/cmd/spire-agent/cli/api/fetch_x509.go
+++ b/cmd/spire-agent/cli/api/fetch_x509.go
@ -151,7 +151,7 @@ func (c *fetchX509Command) writeFile(filename string, data []byte) error {
 	return diskutil.WritePubliclyReadableFile(filename, data)
 }

-func (c *fetchX509Command) prettyPrintFetchX509(env *commoncli.Env, results ...interface{}) error {
+func (c *fetchX509Command) prettyPrintFetchX509(env *commoncli.Env, results ...any) error {
 	resp, ok := results[0].(*workload.X509SVIDResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-agent/cli/api/validate_jwt.go
+++ b/cmd/spire-agent/cli/api/validate_jwt.go
@ -76,7 +76,7 @@ func (c *validateJWTCommand) validateJWTSVID(ctx context.Context, client *worklo
 	return resp, nil
 }

-func prettyPrintValidate(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintValidate(env *commoncli.Env, results ...any) error {
 	resp, ok := results[0].(*workload.ValidateJWTSVIDResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-agent/cli/common/config_posix.go
+++ b/cmd/spire-agent/cli/common/config_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package common

--- a/cmd/spire-agent/cli/common/config_windows.go
+++ b/cmd/spire-agent/cli/common/config_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package common

--- a/cmd/spire-agent/cli/common/defaults_posix.go
+++ b/cmd/spire-agent/cli/common/defaults_posix.go
@ -1,9 +1,10 @@
 //go:build !windows
-// +build !windows

 package common

 const (
 	// DefaultSocketPath is the SPIRE agent's default socket path
 	DefaultSocketPath = "/tmp/spire-agent/public/api.sock"
+	// DefaultAdminSocketPath is the SPIRE agent's default admin socket path
+	DefaultAdminSocketPath = "/tmp/spire-agent/private/admin.sock"
 )
--- a/cmd/spire-agent/cli/common/defaults_windows.go
+++ b/cmd/spire-agent/cli/common/defaults_windows.go
@ -1,9 +1,10 @@
 //go:build windows
-// +build windows

 package common

 const (
 	// DefaultNamedPipeName is the SPIRE agent's default named pipe name
 	DefaultNamedPipeName = "\\spire-agent\\public\\api"
+	// DefaultAdminNamedPipeName is the SPIRE agent's default admin named pipe name
+	DefaultAdminNamedPipeName = "\\spire-agent\\private\\admin"
 )
--- a/cmd/spire-agent/cli/healthcheck/healthcheck.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck.go
@ -79,7 +79,7 @@ func (c *healthCheckCommand) run() error {
 	if err != nil {
 		return err
 	}
-	conn, err := util.GRPCDialContext(context.Background(), target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return err
 	}
--- a/cmd/spire-agent/cli/healthcheck/healthcheck_posix.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package healthcheck

--- a/cmd/spire-agent/cli/healthcheck/healthcheck_posix_test.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package healthcheck

--- a/cmd/spire-agent/cli/healthcheck/healthcheck_windows.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package healthcheck

--- a/cmd/spire-agent/cli/healthcheck/healthcheck_windows_test.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package healthcheck

--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@ -2,13 +2,11 @@ package run

 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
@ -26,18 +24,18 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/mitchellh/cli"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
-	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/common/tlspolicy"
 )

 const (
@ -53,8 +51,7 @@ const (
 	defaultDefaultAllBundlesName       = "ALL"
 	defaultDisableSPIFFECertValidation = false

-	bundleFormatPEM    = "pem"
-	bundleFormatSPIFFE = "spiffe"
+	minimumAvailabilityTarget = 24 * time.Hour
 )

 // Config contains all available configurables, arranged by section
@ -70,6 +67,7 @@ type agentConfig struct {
 	DataDir                       string    `hcl:"data_dir"`
 	AdminSocketPath               string    `hcl:"admin_socket_path"`
 	InsecureBootstrap             bool      `hcl:"insecure_bootstrap"`
+	RetryBootstrap                *bool     `hcl:"retry_bootstrap"`
 	JoinToken                     string    `hcl:"join_token"`
 	LogFile                       string    `hcl:"log_file"`
 	LogFormat                     string    `hcl:"log_format"`
@ -82,10 +80,14 @@ type agentConfig struct {
 	WorkloadX509SVIDKeyType       string    `hcl:"workload_x509_svid_key_type"`
 	TrustBundleFormat             string    `hcl:"trust_bundle_format"`
 	TrustBundlePath               string    `hcl:"trust_bundle_path"`
+	TrustBundleUnixSocket         string    `hcl:"trust_bundle_unix_socket"`
 	TrustBundleURL                string    `hcl:"trust_bundle_url"`
 	TrustDomain                   string    `hcl:"trust_domain"`
 	AllowUnauthenticatedVerifiers bool      `hcl:"allow_unauthenticated_verifiers"`
 	AllowedForeignJWTClaims       []string  `hcl:"allowed_foreign_jwt_claims"`
+	AvailabilityTarget            string    `hcl:"availability_target"`
+	X509SVIDCacheMaxSize          int       `hcl:"x509_svid_cache_max_size"`
+	JWTSVIDCacheMaxSize           int       `hcl:"jwt_svid_cache_max_size"`

 	AuthorizedDelegates []string `hcl:"authorized_delegates"`

@ -107,18 +109,16 @@ type sdsConfig struct {
 	DefaultBundleName           string `hcl:"default_bundle_name"`
 	DefaultAllBundlesName       string `hcl:"default_all_bundles_name"`
 	DisableSPIFFECertValidation bool   `hcl:"disable_spiffe_cert_validation"`
-	EnableDeprecatedv2API       bool   `hcl:"enable_deprecated_v2_api"`
 }

 type experimentalConfig struct {
-	SyncInterval       string `hcl:"sync_interval"`
-	NamedPipeName      string `hcl:"named_pipe_name"`
-	AdminNamedPipeName string `hcl:"admin_named_pipe_name"`
+	SyncInterval             string `hcl:"sync_interval"`
+	NamedPipeName            string `hcl:"named_pipe_name"`
+	AdminNamedPipeName       string `hcl:"admin_named_pipe_name"`
+	UseSyncAuthorizedEntries *bool  `hcl:"use_sync_authorized_entries"`
+	RequirePQKEM             bool   `hcl:"require_pq_kem"`

 	Flags fflag.RawConfig `hcl:"feature_flags"`
-
-	UnusedKeyPositions   map[string][]token.Pos `hcl:",unusedKeyPositions"`
-	X509SVIDCacheMaxSize int                    `hcl:"x509_svid_cache_max_size"`
 }

 type Command struct {
@ -234,11 +234,21 @@ func (c *agentConfig) validate() error {
 		return errors.New("trust_domain must be configured")
 	}

+	// If insecure_bootstrap is set, trust_bundle_path or trust_bundle_url cannot be set
 	// If trust_bundle_url is set, download the trust bundle using HTTP and parse it from memory
 	// If trust_bundle_path is set, parse the trust bundle file on disk
 	// Both cannot be set
 	// The trust bundle URL must start with HTTPS
-	if c.TrustBundlePath == "" && c.TrustBundleURL == "" && !c.InsecureBootstrap {
+	if c.InsecureBootstrap {
+		switch {
+		case c.TrustBundleURL != "" && c.TrustBundlePath != "":
+			return errors.New("only one of insecure_bootstrap, trust_bundle_url, or trust_bundle_path can be specified, not the three options")
+		case c.TrustBundleURL != "":
+			return errors.New("only one of insecure_bootstrap or trust_bundle_url can be specified, not both")
+		case c.TrustBundlePath != "":
+			return errors.New("only one of insecure_bootstrap or trust_bundle_path can be specified, not both")
+		}
+	} else if c.TrustBundlePath == "" && c.TrustBundleURL == "" {
 		return errors.New("trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set")
 	}

@ -246,16 +256,32 @@ func (c *agentConfig) validate() error {
 		return errors.New("only one of trust_bundle_url or trust_bundle_path can be specified, not both")
 	}

-	if c.TrustBundleFormat != bundleFormatPEM && c.TrustBundleFormat != bundleFormatSPIFFE {
-		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", bundleFormatPEM, bundleFormatSPIFFE)
+	if c.TrustBundleFormat != trustbundlesources.BundleFormatPEM && c.TrustBundleFormat != trustbundlesources.BundleFormatSPIFFE {
+		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE)
 	}

+	if c.TrustBundleUnixSocket != "" && c.TrustBundleURL == "" {
+		return errors.New("if trust_bundle_unix_socket is specified, so must be trust_bundle_url")
+	}
 	if c.TrustBundleURL != "" {
 		u, err := url.Parse(c.TrustBundleURL)
 		if err != nil {
 			return fmt.Errorf("unable to parse trust bundle URL: %w", err)
 		}
-		if u.Scheme != "https" {
+		if c.TrustBundleUnixSocket != "" {
+			if u.Scheme != "http" {
+				return errors.New("trust bundle URL must start with http:// when used with trust bundle unix socket")
+			}
+			params := u.Query()
+			for key := range params {
+				if strings.HasPrefix(key, "spiffe-") {
+					return errors.New("trust_bundle_url query params can not start with spiffe-")
+				}
+				if strings.HasPrefix(key, "spire-") {
+					return errors.New("trust_bundle_url query params can not start with spire-")
+				}
+			}
+		} else if u.Scheme != "https" {
 			return errors.New("trust bundle URL must start with https://")
 		}
 	}
@ -289,7 +315,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {

 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}

 	if err := hcl.Decode(&c, data); err != nil {
@ -303,6 +329,7 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags := flag.NewFlagSet(name, flag.ContinueOnError)
 	flags.SetOutput(output)
 	c := &agentConfig{}
+	retryBootstrap := false

 	flags.StringVar(&c.ConfigPath, "config", defaultConfigPath, "Path to a SPIRE config file")
 	flags.StringVar(&c.DataDir, "dataDir", "", "A directory the agent can use for its runtime data")
@ -316,9 +343,10 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags.StringVar(&c.TrustDomain, "trustDomain", "", "The trust domain that this agent belongs to")
 	flags.StringVar(&c.TrustBundlePath, "trustBundle", "", "Path to the SPIRE server CA bundle")
 	flags.StringVar(&c.TrustBundleURL, "trustBundleUrl", "", "URL to download the SPIRE server CA bundle")
-	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", bundleFormatPEM, bundleFormatSPIFFE))
+	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE))
 	flags.BoolVar(&c.AllowUnauthenticatedVerifiers, "allowUnauthenticatedVerifiers", false, "If true, the agent permits the retrieval of X509 certificate bundles by unregistered clients")
 	flags.BoolVar(&c.InsecureBootstrap, "insecureBootstrap", false, "If true, the agent bootstraps without verifying the server's identity")
+	flags.BoolVar(&retryBootstrap, "retryBootstrap", true, "If true, the agent retries bootstrap with backoff")
 	flags.BoolVar(&c.ExpandEnv, "expandEnv", false, "Expand environment variables in SPIRE config file")

 	c.addOSFlags(flags)
@ -328,6 +356,12 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 		return nil, err
 	}

+	flags.Visit(func(f *flag.Flag) {
+		if f.Name == "retryBootstrap" {
+			c.RetryBootstrap = &retryBootstrap
+		}
+	})
+
 	return c, nil
 }

@ -353,87 +387,6 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
 	return c, nil
 }

-func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
-	switch trustBundleContentType {
-	case bundleFormatPEM:
-		bundle, err := pemutil.ParseCertificates(bundleBytes)
-		if err != nil {
-			return nil, err
-		}
-		return bundle, nil
-	case bundleFormatSPIFFE:
-		bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
-		}
-		return bundle.X509Authorities(), nil
-	}
-
-	return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
-}
-
-func downloadTrustBundle(trustBundleURL string) ([]byte, error) {
-	// Download the trust bundle URL from the user specified URL
-	// We use gosec -- the annotation below will disable a security check that URLs are not tainted
-	/* #nosec G107 */
-	resp, err := http.Get(trustBundleURL)
-	if err != nil {
-		return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
-	}
-	pemBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	return pemBytes, nil
-}
-
-func setupTrustBundle(ac *agent.Config, c *Config) error {
-	// Either download the trust bundle if TrustBundleURL is set, or read it
-	// from disk if TrustBundlePath is set
-	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
-
-	var bundleBytes []byte
-	var err error
-
-	switch {
-	case c.Agent.TrustBundleURL != "":
-		bundleBytes, err = downloadTrustBundle(c.Agent.TrustBundleURL)
-		if err != nil {
-			return err
-		}
-	case c.Agent.TrustBundlePath != "":
-		bundleBytes, err = loadTrustBundle(c.Agent.TrustBundlePath)
-		if err != nil {
-			return fmt.Errorf("could not parse trust bundle: %w", err)
-		}
-	default:
-		// If InsecureBootstrap is configured, the bundle is not required
-		if ac.InsecureBootstrap {
-			return nil
-		}
-	}
-
-	bundle, err := parseTrustBundle(bundleBytes, c.Agent.TrustBundleFormat)
-	if err != nil {
-		return err
-	}
-
-	if len(bundle) == 0 {
-		return errors.New("no certificates found in trust bundle")
-	}
-
-	ac.TrustBundle = bundle
-
-	return nil
-}
-
 func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
 	ac := &agent.Config{}

@ -449,11 +402,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		}
 	}

-	if c.Agent.Experimental.X509SVIDCacheMaxSize < 0 {
-		return nil, errors.New("x509_svid_cache_max_size should not be negative")
-	}
-	ac.X509SVIDCacheMaxSize = c.Agent.Experimental.X509SVIDCacheMaxSize
-
 	serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
 	ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)

@ -466,7 +414,8 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	var reopenableFile *log.ReopenableFile
 	if c.Agent.LogFile != "" {
-		reopenableFile, err := log.NewReopenableFile(c.Agent.LogFile)
+		var err error
+		reopenableFile, err = log.NewReopenableFile(c.Agent.LogFile)
 		if err != nil {
 			return nil, err
 		}
@ -482,6 +431,28 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		ac.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
 	}

+	ac.RetryBootstrap = true
+	if c.Agent.RetryBootstrap != nil {
+		ac.Log.Warn("The 'retry_bootstrap' configuration is deprecated. It will be removed in SPIRE 1.14. Please test without the flag before upgrading.")
+		ac.RetryBootstrap = *c.Agent.RetryBootstrap
+	}
+
+	ac.UseSyncAuthorizedEntries = true
+	if c.Agent.Experimental.UseSyncAuthorizedEntries != nil {
+		ac.Log.Warn("The 'use_sync_authorized_entries' configuration is deprecated. The option to disable it will be removed in SPIRE 1.13.")
+		ac.UseSyncAuthorizedEntries = *c.Agent.Experimental.UseSyncAuthorizedEntries
+	}
+
+	if c.Agent.X509SVIDCacheMaxSize < 0 {
+		return nil, errors.New("x509_svid_cache_max_size should not be negative")
+	}
+	ac.X509SVIDCacheMaxSize = c.Agent.X509SVIDCacheMaxSize
+
+	if c.Agent.JWTSVIDCacheMaxSize < 0 {
+		return nil, errors.New("jwt_svid_cache_max_size should not be negative")
+	}
+	ac.JWTSVIDCacheMaxSize = c.Agent.JWTSVIDCacheMaxSize
+
 	td, err := common_cli.ParseTrustDomain(c.Agent.TrustDomain, logger)
 	if err != nil {
 		return nil, err
@ -504,10 +475,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	ac.JoinToken = c.Agent.JoinToken
 	ac.DataDir = c.Agent.DataDir
 	ac.DefaultSVIDName = c.Agent.SDS.DefaultSVIDName
-	ac.EnableDeprecatedSDSv2API = c.Agent.SDS.EnableDeprecatedv2API
-	if ac.EnableDeprecatedSDSv2API {
-		logger.Warn("The Envoy SDS v2 API is now deprecated in SPIRE and is no longer supported by Envoy. It is recommended that users of the SDS v2 API migrate to the SDS v3 API. The SDS v2 API and this config setting will be removed in a future version.")
-	}
 	ac.DefaultBundleName = c.Agent.SDS.DefaultBundleName
 	ac.DefaultAllBundlesName = c.Agent.SDS.DefaultAllBundlesName
 	if ac.DefaultAllBundlesName == ac.DefaultBundleName {
@ -515,11 +482,16 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation

-	err = setupTrustBundle(ac, c)
-	if err != nil {
-		return nil, err
+	ts := &trustbundlesources.Config{
+		InsecureBootstrap:     c.Agent.InsecureBootstrap,
+		TrustBundleFormat:     c.Agent.TrustBundleFormat,
+		TrustBundlePath:       c.Agent.TrustBundlePath,
+		TrustBundleURL:        c.Agent.TrustBundleURL,
+		TrustBundleUnixSocket: c.Agent.TrustBundleUnixSocket,
 	}

+	ac.TrustBundleSources = trustbundlesources.New(ts, ac.Log.WithField("Logger", "TrustBundleSources"))
+
 	ac.WorkloadKeyType = workloadkey.ECP256
 	if c.Agent.WorkloadX509SVIDKeyType != "" {
 		ac.WorkloadKeyType, err = workloadkey.KeyTypeFromString(c.Agent.WorkloadX509SVIDKeyType)
@ -559,6 +531,23 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)

 	ac.AuthorizedDelegates = c.Agent.AuthorizedDelegates

+	if c.Agent.AvailabilityTarget != "" {
+		t, err := time.ParseDuration(c.Agent.AvailabilityTarget)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse availability_target: %w", err)
+		}
+		if t < minimumAvailabilityTarget {
+			return nil, fmt.Errorf("availability_target must be at least %s", minimumAvailabilityTarget.String())
+		}
+		ac.AvailabilityTarget = t
+	}
+
+	ac.TLSPolicy = tlspolicy.Policy{
+		RequirePQKEM: c.Agent.Experimental.RequirePQKEM,
+	}
+
+	tlspolicy.LogPolicy(ac.TLSPolicy, log.NewHCLogAdapter(logger, "tlspolicy"))
+
 	if cmp.Diff(experimentalConfig{}, c.Agent.Experimental) != "" {
 		logger.Warn("Experimental features have been enabled. Please see doc/upgrading.md for upgrade and compatibility considerations for experimental features.")
 	}
@ -647,7 +636,7 @@ func defaultConfig() *Config {
 			DataDir:           defaultDataDir,
 			LogLevel:          defaultLogLevel,
 			LogFormat:         log.DefaultFormat,
-			TrustBundleFormat: bundleFormatPEM,
+			TrustBundleFormat: trustbundlesources.BundleFormatPEM,
 			SDS: sdsConfig{
 				DefaultBundleName:           defaultDefaultBundleName,
 				DefaultSVIDName:             defaultDefaultSVIDName,
@ -660,12 +649,3 @@ func defaultConfig() *Config {

 	return c
 }
-
-func loadTrustBundle(path string) ([]byte, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return bundleBytes, nil
-}
--- a/cmd/spire-agent/cli/run/run_posix.go
+++ b/cmd/spire-agent/cli/run/run_posix.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package run

--- a/cmd/spire-agent/cli/run/run_posix_test.go
+++ b/cmd/spire-agent/cli/run/run_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package run

@ -7,7 +6,7 @@ import (
 	"bytes"
 	"fmt"
 	"os"
-	"syscall"
+	"path"
 	"testing"

 	"github.com/spiffe/spire/pkg/agent"
@ -17,6 +16,7 @@ import (
 	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/unix"
 )

 func TestCommand_Run(t *testing.T) {
@ -130,8 +130,8 @@ func TestCommand_Run(t *testing.T) {
 			}
 			if testCase.want.agentUdsDirCreated {
 				assert.DirExistsf(t, testAgentSocketDir, "spire-agent uds dir should be created")
-				currentUmask := syscall.Umask(0)
-				assert.Equalf(t, currentUmask, 0027, "spire-agent process should be created with 0027 umask")
+				currentUmask := unix.Umask(0)
+				assert.Equalf(t, currentUmask, 0o027, "spire-agent process should be created with 0027 umask")
 			} else {
 				assert.NoDirExistsf(t, testAgentSocketDir, "spire-agent uds dir should not be created")
 			}
@ -187,28 +187,28 @@ func TestParseConfigGood(t *testing.T) {
 	// Check for plugins configurations
 	expectedPluginConfigs := catalog.PluginConfigs{
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_name_agent",
-			Path:     "./pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: false,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_name_agent",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   false,
 		},
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_disabled",
-			Path:     "./pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: true,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_disabled",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   true,
 		},
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_enabled",
-			Path:     "./pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: false,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_enabled",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FileData("plugin.conf"),
+			Disabled:   false,
 		},
 	}

@ -238,7 +238,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "socket_path should be configuable by CLI flag",
+			msg:       "socket_path should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.SocketPath = "foo"
@ -272,7 +272,9 @@ func mergeInputCasesOS() []mergeInputCase {
 	}
 }

-func newAgentConfigCasesOS() []newAgentConfigCase {
+func newAgentConfigCasesOS(t *testing.T) []newAgentConfigCase {
+	testDir := t.TempDir()
+
 	return []newAgentConfigCase{
 		{
 			msg: "socket_path should be correctly configured",
@ -360,5 +362,15 @@ func newAgentConfigCasesOS() []newAgentConfigCase {
 				require.Nil(t, c.AdminBindAddress)
 			},
 		},
+		{
+			msg: "log_file allows to reopen",
+			input: func(c *Config) {
+				c.Agent.LogFile = path.Join(testDir, "foo")
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.NotNil(t, c.Log)
+				require.NotNil(t, c.LogReopener)
+			},
+		},
 	}
 }
--- a/cmd/spire-agent/cli/run/run_test.go
+++ b/cmd/spire-agent/cli/run/run_test.go
@ -2,13 +2,12 @@ package run

 import (
 	"io"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"

 	"github.com/hashicorp/hcl/hcl/ast"
 	"github.com/sirupsen/logrus"
@ -30,124 +29,12 @@ type mergeInputCase struct {
 }

 type newAgentConfigCase struct {
-	msg         string
-	expectError bool
-	input       func(*Config)
-	logOptions  func(t *testing.T) []log.Option
-	test        func(*testing.T, *agent.Config)
-}
-
-func TestDownloadTrustBundle(t *testing.T) {
-	testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
-	testTBSPIFFE := `{
-    "keys": [
-        {
-            "use": "x509-svid",
-            "kty": "EC",
-            "crv": "P-384",
-            "x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
-            "y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
-            "x5c": [
-                "MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
-            ]
-        }
-    ]
-}`
-
-	cases := []struct {
-		msg                 string
-		status              int
-		fileContents        string
-		format              string
-		expectDownloadError bool
-		expectParseError    bool
-	}{
-		{
-			msg:                 "if URL is not found, should be an error",
-			status:              http.StatusNotFound,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if URL returns error 500, should be an error",
-			status:              http.StatusInternalServerError,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "NON PEM PARSEABLE TEXT HERE",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is empty, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        string(testTB),
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        "[}",
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        testTBSPIFFE,
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-	}
-
-	for _, testCase := range cases {
-		testCase := testCase
-
-		t.Run(testCase.msg, func(t *testing.T) {
-			testServer := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
-					w.WriteHeader(testCase.status)
-					_, _ = io.WriteString(w, testCase.fileContents)
-					// if err != nil {
-					// 	return
-					// }
-				}))
-			defer testServer.Close()
-			bundleBytes, err := downloadTrustBundle(testServer.URL)
-			if testCase.expectDownloadError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-
-				_, err := parseTrustBundle(bundleBytes, testCase.format)
-				if testCase.expectParseError {
-					require.Error(t, err)
-				} else {
-					require.NoError(t, err)
-				}
-			}
-		})
-	}
+	msg                string
+	expectError        bool
+	requireErrorPrefix string
+	input              func(*Config)
+	logOptions         func(t *testing.T) []log.Option
+	test               func(*testing.T, *agent.Config)
 }

 func TestMergeInput(t *testing.T) {
@ -244,18 +131,6 @@ func TestMergeInput(t *testing.T) {
 				require.Equal(t, "foo", c.Agent.SDS.DefaultAllBundlesName)
 			},
 		},
-		{
-			msg: "enable_deprecated_v2_api should be configurable by file",
-			fileInput: func(c *Config) {
-				c.Agent.SDS = sdsConfig{
-					EnableDeprecatedv2API: true,
-				}
-			},
-			cliInput: func(ac *agentConfig) {},
-			test: func(t *testing.T, c *Config) {
-				require.True(t, c.Agent.SDS.EnableDeprecatedv2API)
-			},
-		},
 		{
 			msg:       "disable_spiffe_cert_validation should default value of false",
 			fileInput: func(c *Config) {},
@ -625,12 +500,20 @@ func TestMergeInput(t *testing.T) {
 				require.Equal(t, "bar", c.Agent.TrustDomain)
 			},
 		},
+		{
+			msg: "require_pq_kem should be configurable by file",
+			fileInput: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			cliInput: func(c *agentConfig) {},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.Experimental.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, mergeInputCasesOS()...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Agent: &agentConfig{}}
 		cliInput := &agentConfig{}

@ -683,16 +566,39 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.False(t, c.InsecureBootstrap)
+				require.False(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
 			msg: "insecure_bootstrap should be correctly set to true",
 			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				// because trust_bundle_path and insecure_bootstrap cannot be set at the same time
+				c.Agent.TrustBundlePath = ""
 				c.Agent.InsecureBootstrap = true
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.True(t, c.InsecureBootstrap)
+				require.True(t, c.TrustBundleSources.GetInsecureBootstrap())
+			},
+		},
+		{
+			msg: "retry_bootstrap should be correctly set to false",
+			input: func(c *Config) {
+				rb := false
+				c.Agent.RetryBootstrap = &rb
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.False(t, c.RetryBootstrap)
+			},
+		},
+		{
+			msg: "retry_bootstrap should be correctly set to true",
+			input: func(c *Config) {
+				rb := true
+				c.Agent.RetryBootstrap = &rb
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.True(t, c.RetryBootstrap)
 			},
 		},
 		{
@ -742,8 +648,9 @@ func TestNewAgentConfig(t *testing.T) {
 			},
 		},
 		{
-			msg:         "trust_bundle_path and trust_bundle_url cannot both be set",
-			expectError: true,
+			msg:                "trust_bundle_path and trust_bundle_url cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of trust_bundle_url or trust_bundle_path can be specified, not both",
 			input: func(c *Config) {
 				c.Agent.TrustBundlePath = "foo"
 				c.Agent.TrustBundleURL = "foo2"
@ -753,10 +660,111 @@ func TestNewAgentConfig(t *testing.T) {
 			},
 		},
 		{
-			msg:         "insecure_bootstrap and trust_bundle_url cannot both be set",
-			expectError: true,
+			msg:                "insecure_bootstrap and trust_bundle_path cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap or trust_bundle_path can be specified, not both",
 			input: func(c *Config) {
+				c.Agent.TrustBundlePath = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "insecure_bootstrap and trust_bundle_url cannot both be set",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap or trust_bundle_url can be specified, not both",
+			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
 				c.Agent.TrustBundleURL = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "insecure_bootstrap, trust_bundle_url, trust_bundle_path cannot be set at the same time",
+			expectError:        true,
+			requireErrorPrefix: "only one of insecure_bootstrap, trust_bundle_url, or trust_bundle_path can be specified, not the three options",
+			input: func(c *Config) {
+				c.Agent.TrustBundlePath = "bar"
+				c.Agent.TrustBundleURL = "foo"
+				c.Agent.InsecureBootstrap = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_path or trust_bundle_url must be configured unless insecure_bootstrap is set",
+			input: func(c *Config) {
+				// in this case, remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = ""
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url must start with https://",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with https://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url must start with http:// when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with http://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spiffe- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spiffe-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spiffe-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spire- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spire-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spire-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
@ -832,7 +840,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is set",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 100
+				c.Agent.X509SVIDCacheMaxSize = 100
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 100, c.X509SVIDCacheMaxSize)
@ -849,7 +857,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is zero",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 0
+				c.Agent.X509SVIDCacheMaxSize = 0
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 0, c.X509SVIDCacheMaxSize)
@ -859,7 +867,7 @@ func TestNewAgentConfig(t *testing.T) {
 			msg:         "x509_svid_cache_max_size is negative",
 			expectError: true,
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = -10
+				c.Agent.X509SVIDCacheMaxSize = -10
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.Nil(t, c)
@ -881,14 +889,12 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.SDS.DefaultBundleName = "DefaultBundleName"
 				c.Agent.SDS.DefaultAllBundlesName = "DefaultAllBundlesName"
 				c.Agent.SDS.DisableSPIFFECertValidation = true
-				c.Agent.SDS.EnableDeprecatedv2API = true
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				assert.Equal(t, c.DefaultSVIDName, "DefaultSVIDName")
 				assert.Equal(t, c.DefaultBundleName, "DefaultBundleName")
 				assert.Equal(t, c.DefaultAllBundlesName, "DefaultAllBundlesName")
 				assert.True(t, c.DisableSPIFFECertValidation)
-				assert.True(t, c.EnableDeprecatedSDSv2API)
 			},
 		},
 		{
@ -912,7 +918,7 @@ func TestNewAgentConfig(t *testing.T) {
 						t.Cleanup(func() {
 							spiretest.AssertLogsContainEntries(t, hook.AllEntries(), []spiretest.LogEntry{
 								{
-									Data:  map[string]interface{}{"trust_domain": strings.Repeat("a", 256)},
+									Data:  map[string]any{"trust_domain": strings.Repeat("a", 256)},
 									Level: logrus.WarnLevel,
 									Message: "Configured trust domain name should be less than 255 characters to be " +
 										"SPIFFE compliant; a longer trust domain name may impact interoperability",
@ -927,11 +933,45 @@ func TestNewAgentConfig(t *testing.T) {
 				assert.NotNil(t, c)
 			},
 		},
-	}
-	cases = append(cases, newAgentConfigCasesOS()...)
-	for _, testCase := range cases {
-		testCase := testCase
+		{
+			msg: "availability_target parses a duration",
+			input: func(c *Config) {
+				c.Agent.AvailabilityTarget = "24h"
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.EqualValues(t, 24*time.Hour, c.AvailabilityTarget)
+			},
+		},
+		{
+			msg:         "availability_target is too short",
+			expectError: true,
+			input: func(c *Config) {
+				c.Agent.AvailabilityTarget = "1h"
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},

+		{
+			msg:   "require PQ KEM is disabled (default)",
+			input: func(c *Config) {},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, false, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+		{
+			msg: "require PQ KEM is enabled",
+			input: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, true, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+	}
+	cases = append(cases, newAgentConfigCasesOS(t)...)
+	for _, testCase := range cases {
 		input := defaultValidConfig()

 		testCase.input(input)
@ -945,6 +985,9 @@ func TestNewAgentConfig(t *testing.T) {
 			ac, err := NewAgentConfig(input, logOpts, false)
 			if testCase.expectError {
 				require.Error(t, err)
+				if testCase.requireErrorPrefix != "" {
+					spiretest.RequireErrorPrefix(t, err, testCase.requireErrorPrefix)
+				}
 			} else {
 				require.NoError(t, err)
 			}
@ -1091,8 +1134,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

--- a/cmd/spire-agent/cli/run/run_windows.go
+++ b/cmd/spire-agent/cli/run/run_windows.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package run

--- a/cmd/spire-agent/cli/run/run_windows_test.go
+++ b/cmd/spire-agent/cli/run/run_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package run

@ -174,28 +173,28 @@ func TestParseConfigGood(t *testing.T) {
 	// Check for plugins configurations
 	expectedPluginConfigs := catalog.PluginConfigs{
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_name_agent",
-			Path:     "./pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: false,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_name_agent",
+			Path:       "./pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   false,
 		},
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_disabled",
-			Path:     ".\\pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: true,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_disabled",
+			Path:       ".\\pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FixedData(data),
+			Disabled:   true,
 		},
 		{
-			Type:     "plugin_type_agent",
-			Name:     "plugin_enabled",
-			Path:     "c:/temp/pluginAgentCmd",
-			Checksum: "pluginAgentChecksum",
-			Data:     data,
-			Disabled: false,
+			Type:       "plugin_type_agent",
+			Name:       "plugin_enabled",
+			Path:       "c:/temp/pluginAgentCmd",
+			Checksum:   "pluginAgentChecksum",
+			DataSource: catalog.FileData("plugin.conf"),
+			Disabled:   false,
 		},
 	}

@ -225,7 +224,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "named_pipe_name should be configuable by CLI flag",
+			msg:       "named_pipe_name should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.Experimental.NamedPipeName = "foo"
@ -259,7 +258,7 @@ func mergeInputCasesOS() []mergeInputCase {
 	}
 }

-func newAgentConfigCasesOS() []newAgentConfigCase {
+func newAgentConfigCasesOS(*testing.T) []newAgentConfigCase {
 	return []newAgentConfigCase{
 		{
 			msg: "named_pipe_name should be correctly configured",
--- a/cmd/spire-server/cli/agent/agent_posix_test.go
+++ b/cmd/spire-server/cli/agent/agent_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package agent_test

@ -15,6 +14,14 @@ var (
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	listUsage = `Usage of agent list:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
  -matchSelectorsOn string
    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -output value
@ -41,8 +48,20 @@ var (
    	The SPIFFE ID of the agent to evict (agent identity)
 `
 	countUsage = `Usage of agent count:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -output value
    	Desired output format (pretty, json); default: pretty.
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
  -socketPath string
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
--- a/cmd/spire-server/cli/agent/agent_test.go
+++ b/cmd/spire-server/cli/agent/agent_test.go
@ -12,8 +12,8 @@ import (
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/cli/agent"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -92,10 +92,13 @@ func TestBan(t *testing.T) {
 			expectStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -152,10 +155,13 @@ func TestEvict(t *testing.T) {
 			expectedStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "server error",
@ -221,9 +227,15 @@ func TestCount(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
+		},
+		{
+			name:               "Count by expiresBefore: month out of range",
+			args:               []string{"-expiresBefore", "2001-13-05"},
+			expectedReturnCode: 1,
+			expectedStderr:     "Error: date is not valid: parsing time \"2001-13-05\": month out of range\n",
 		},
 	} {
 		for _, format := range availableFormats {
@ -389,6 +401,45 @@ func TestList(t *testing.T) {
 			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
 			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
 		},
+		{
+			name: "by expiresBefore",
+			args: []string{"-expiresBefore", "2000-01-01 15:04:05 -0700 -07"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByExpiresBefore: "2000-01-01 15:04:05 -0700 -07",
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
+		},
+		{
+			name: "by banned",
+			args: []string{"-banned", "true"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByBanned: wrapperspb.Bool(true),
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgentsWithBanned,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/banned",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/banned"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":true,"can_reattest":false}],"next_page_token":""}`,
+		},
+		{
+			name: "by canReattest",
+			args: []string{"-canReattest", "true"},
+			expectReq: &agentv1.ListAgentsRequest{
+				Filter: &agentv1.ListAgentsRequest_Filter{
+					ByCanReattest: wrapperspb.Bool(true),
+				},
+				PageSize: 1000,
+			},
+			existentAgents:       testAgents,
+			expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID         : spiffe://example.org/spire/agent/agent1",
+			expectedStdoutJSON:   `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false,"can_reattest":true}],"next_page_token":""}`,
+		},
 		{
 			name:               "List by selectors: Invalid matcher",
 			args:               []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "NO-MATCHER"},
@ -403,9 +454,15 @@ func TestList(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
+		},
+		{
+			name:               "List by expiresBefore: month out of range",
+			args:               []string{"-expiresBefore", "2001-13-05"},
+			expectedReturnCode: 1,
+			expectedStderr:     "Error: date is not valid: parsing time \"2001-13-05\": month out of range\n",
 		},
 	} {
 		for _, format := range availableFormats {
@ -689,10 +746,13 @@ func TestShow(t *testing.T) {
 			expectedStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:                 "show selectors",
@ -750,7 +810,7 @@ func setupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *agentT
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
--- a/cmd/spire-server/cli/agent/agent_windows_test.go
+++ b/cmd/spire-server/cli/agent/agent_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package agent_test

@ -15,6 +14,14 @@ var (
    	Desired output format (pretty, json); default: pretty.
 `
 	listUsage = `Usage of agent list:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
  -matchSelectorsOn string
    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -namedPipeName string
@ -41,10 +48,22 @@ var (
    	The SPIFFE ID of the agent to evict (agent identity)
 `
 	countUsage = `Usage of agent count:
+  -attestationType string
+    	Filter by attestation type, like join_token or x509pop.
+  -banned value
+    	Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.
+  -canReattest value
+    	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
+  -expiresBefore string
+    	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -output value
    	Desired output format (pretty, json); default: pretty.
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
 `
 	showUsage = `Usage of agent show:
  -namedPipeName string
--- a/cmd/spire-server/cli/agent/ban.go
+++ b/cmd/spire-server/cli/agent/ban.go
@ -67,7 +67,7 @@ func (c *banCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintBanResult)
 }

-func prettyPrintBanResult(env *commoncli.Env, _ ...interface{}) error {
+func prettyPrintBanResult(env *commoncli.Env, _ ...any) error {
 	env.Println("Agent banned successfully")
 	return nil
 }
--- a/cmd/spire-server/cli/agent/count.go
+++ b/cmd/spire-server/cli/agent/count.go
@ -1,20 +1,43 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
+	"time"

 	"github.com/mitchellh/cli"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
-	"golang.org/x/net/context"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 type countCommand struct {
-	env     *commoncli.Env
+	// Type and value are delimited by a colon (:)
+	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
+	selectors commoncli.StringsFlag
+
+	// Match used when filtering by selectors
+	matchSelectorsOn string
+
+	// Filters agents to those that are banned.
+	banned commoncli.BoolFlag
+
+	// Filters agents by those that expire before this value.
+	expiresBefore string
+
+	// Filters agents to those matching the attestation type.
+	attestationType string
+
+	// Filters agents that can re-attest.
+	canReattest commoncli.BoolFlag
+
+	env *commoncli.Env
+
 	printer cliprinter.Printer
 }

@ -39,8 +62,61 @@ func (*countCommand) Synopsis() string {

 // Run counts attested agents
 func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	filter := &agentv1.CountAgentsRequest_Filter{}
+	if len(c.selectors) > 0 {
+		matchBehavior, err := parseToSelectorMatch(c.matchSelectorsOn)
+		if err != nil {
+			return err
+		}
+
+		selectors := make([]*types.Selector, len(c.selectors))
+		for i, sel := range c.selectors {
+			selector, err := util.ParseSelector(sel)
+			if err != nil {
+				return fmt.Errorf("error parsing selector %q: %w", sel, err)
+			}
+			selectors[i] = selector
+		}
+		filter.BySelectorMatch = &types.SelectorMatch{
+			Selectors: selectors,
+			Match:     matchBehavior,
+		}
+	}
+
+	if c.expiresBefore != "" {
+		// Parse the time string into a time.Time object
+		_, err := time.Parse("2006-01-02 15:04:05 -0700 -07", c.expiresBefore)
+		if err != nil {
+			return fmt.Errorf("date is not valid: %w", err)
+		}
+		filter.ByExpiresBefore = c.expiresBefore
+	}
+
+	if c.attestationType != "" {
+		filter.ByAttestationType = c.attestationType
+	}
+
+	// 0: all, 1: can't reattest, 2: can reattest
+	if c.canReattest == 1 {
+		filter.ByCanReattest = wrapperspb.Bool(false)
+	}
+	if c.canReattest == 2 {
+		filter.ByCanReattest = wrapperspb.Bool(true)
+	}
+
+	// 0: all, 1: no-banned, 2: banned
+	if c.banned == 1 {
+		filter.ByBanned = wrapperspb.Bool(false)
+	}
+	if c.banned == 2 {
+		filter.ByBanned = wrapperspb.Bool(true)
+	}
+
 	agentClient := serverClient.NewAgentClient()
-	countResponse, err := agentClient.CountAgents(ctx, &agentv1.CountAgentsRequest{})
+
+	countResponse, err := agentClient.CountAgents(ctx, &agentv1.CountAgentsRequest{
+		Filter: filter,
+	})
 	if err != nil {
 		return err
 	}
@ -49,10 +125,16 @@ func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient u
 }

 func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.StringVar(&c.attestationType, "attestationType", "", "Filter by attestation type, like join_token or x509pop.")
+	fs.Var(&c.canReattest, "canReattest", "Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.")
+	fs.Var(&c.banned, "banned", "Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.")
+	fs.StringVar(&c.expiresBefore, "expiresBefore", "", "Filter by expiration time (format: \"2006-01-02 15:04:05 -0700 -07\")")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintCount)
 }

-func prettyPrintCount(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintCount(env *commoncli.Env, results ...any) error {
 	countResp, ok := results[0].(*agentv1.CountAgentsResponse)
 	if !ok {
 		return errors.New("internal error: cli printer; please report this bug")
--- a/cmd/spire-server/cli/agent/evict.go
+++ b/cmd/spire-server/cli/agent/evict.go
@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"

@ -11,7 +12,6 @@ import (
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/server/api"
-	"golang.org/x/net/context"
 )

 type evictCommand struct {
@ -65,7 +65,7 @@ func (c *evictCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintEvictResult)
 }

-func prettyPrintEvictResult(env *commoncli.Env, _ ...interface{}) error {
+func prettyPrintEvictResult(env *commoncli.Env, _ ...any) error {
 	env.Println("Agent evicted successfully")
 	return nil
 }
--- a/cmd/spire-server/cli/agent/list.go
+++ b/cmd/spire-server/cli/agent/list.go
@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
@ -13,17 +14,32 @@ import (
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
-	"golang.org/x/net/context"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 type listCommand struct {
-	env *commoncli.Env
 	// Type and value are delimited by a colon (:)
 	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
 	selectors commoncli.StringsFlag
-	// Match used when filtering agents by selectors
+
+	// Match used when filtering by selectors
 	matchSelectorsOn string
-	printer          cliprinter.Printer
+
+	// Filters agents to those that are banned.
+	banned commoncli.BoolFlag
+
+	// Filters agents by those that expire before this value.
+	expiresBefore string
+
+	// Filters agents to those matching the attestation type.
+	attestationType string
+
+	// Filters agents that can re-attest.
+	canReattest commoncli.BoolFlag
+
+	env *commoncli.Env
+
+	printer cliprinter.Printer
 }

 // NewListCommand creates a new "list" subcommand for "agent" command.
@ -68,6 +84,35 @@ func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient ut
 		}
 	}

+	if c.expiresBefore != "" {
+		// Parse the time string into a time.Time object
+		_, err := time.Parse("2006-01-02 15:04:05 -0700 -07", c.expiresBefore)
+		if err != nil {
+			return fmt.Errorf("date is not valid: %w", err)
+		}
+		filter.ByExpiresBefore = c.expiresBefore
+	}
+
+	if c.attestationType != "" {
+		filter.ByAttestationType = c.attestationType
+	}
+
+	// 0: all, 1: can't reattest, 2: can reattest
+	if c.canReattest == 1 {
+		filter.ByCanReattest = wrapperspb.Bool(false)
+	}
+	if c.canReattest == 2 {
+		filter.ByCanReattest = wrapperspb.Bool(true)
+	}
+
+	// 0: all, 1: no-banned, 2: banned
+	if c.banned == 1 {
+		filter.ByBanned = wrapperspb.Bool(false)
+	}
+	if c.banned == 2 {
+		filter.ByBanned = wrapperspb.Bool(true)
+	}
+
 	agentClient := serverClient.NewAgentClient()

 	pageToken := ""
@ -91,12 +136,16 @@ func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient ut
 }

 func (c *listCommand) AppendFlags(fs *flag.FlagSet) {
-	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
 	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.StringVar(&c.attestationType, "attestationType", "", "Filter by attestation type, like join_token or x509pop.")
+	fs.Var(&c.canReattest, "canReattest", "Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.")
+	fs.Var(&c.banned, "banned", "Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.")
+	fs.StringVar(&c.expiresBefore, "expiresBefore", "", "Filter by expiration time (format: \"2006-01-02 15:04:05 -0700 -07\")")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgents)
 }

-func prettyPrintAgents(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintAgents(env *commoncli.Env, results ...any) error {
 	listResp, ok := results[0].(*agentv1.ListAgentsResponse)
 	if !ok {
 		return errors.New("internal error: cli printer; please report this bug")
--- a/cmd/spire-server/cli/agent/purge.go
+++ b/cmd/spire-server/cli/agent/purge.go
@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"flag"
 	"fmt"
 	"time"
@ -13,7 +14,6 @@ import (
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
-	"golang.org/x/net/context"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 )

@ -95,8 +95,8 @@ type expiredAgent struct {
 	Error   string      `json:"error,omitempty"`
 }

-func (c *purgeCommand) prettyPrintPurgeResult(env *commoncli.Env, results ...interface{}) error {
-	if expAgents, ok := results[0].([]interface{})[0].(*expiredAgents); ok {
+func (c *purgeCommand) prettyPrintPurgeResult(env *commoncli.Env, results ...any) error {
+	if expAgents, ok := results[0].([]any)[0].(*expiredAgents); ok {
 		if len(expAgents.Agents) == 0 {
 			env.Println("No agents to purge.")
 			return nil
--- a/cmd/spire-server/cli/agent/show.go
+++ b/cmd/spire-server/cli/agent/show.go
@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"errors"
 	"flag"

@ -12,12 +13,11 @@ import (
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/server/api"
-	"golang.org/x/net/context"
 )

 type showCommand struct {
 	env *commoncli.Env
-	// SPIFFE ID of the agent being showed
+	// SPIFFE ID of the agent being shown
 	spiffeID string
 	printer  cliprinter.Printer
 }
@ -66,7 +66,7 @@ func (c *showCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgent)
 }

-func prettyPrintAgent(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintAgent(env *commoncli.Env, results ...any) error {
 	agent, ok := results[0].(*types.Agent)
 	if !ok {
 		return errors.New("internal error: cli printer; please report this bug")
--- a/cmd/spire-server/cli/authoritycommon/authoritycommon.go
+++ b/cmd/spire-server/cli/authoritycommon/authoritycommon.go
@ -0,0 +1,31 @@
+package authoritycommon
+
+import (
+	"time"
+
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+)
+
+func PrettyPrintJWTAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, false)
+}
+
+func PrettyPrintX509AuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, true)
+}
+
+func prettyPrintAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState, includeUpstreamAuthority bool) {
+	env.Printf("  Authority ID: %s\n", authorityState.AuthorityId)
+	env.Printf("  Expires at: %s\n", time.Unix(authorityState.ExpiresAt, 0).UTC())
+	if !includeUpstreamAuthority {
+		return
+	}
+
+	if authorityState.UpstreamAuthoritySubjectKeyId != "" {
+		env.Printf("  Upstream authority Subject Key ID: %s\n", authorityState.UpstreamAuthoritySubjectKeyId)
+		return
+	}
+
+	env.Println("  Upstream authority ID: No upstream authority")
+}
--- a/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
+++ b/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
@ -0,0 +1,174 @@
+package authoritycommontest
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/spiffe/spire/test/spiretest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+)
+
+var AvailableFormats = []string{"pretty", "json"}
+
+type localAuthorityTest struct {
+	Stdin  *bytes.Buffer
+	Stdout *bytes.Buffer
+	Stderr *bytes.Buffer
+	Args   []string
+	Server *fakeLocalAuthorityServer
+	Client cli.Command
+}
+
+func (s *localAuthorityTest) afterTest(t *testing.T) {
+	t.Logf("TEST:%s", t.Name())
+	t.Logf("STDOUT:\n%s", s.Stdout.String())
+	t.Logf("STDIN:\n%s", s.Stdin.String())
+	t.Logf("STDERR:\n%s", s.Stderr.String())
+}
+
+func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
+	server := &fakeLocalAuthorityServer{}
+
+	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
+		localauthorityv1.RegisterLocalAuthorityServer(s, server)
+	})
+
+	stdin := new(bytes.Buffer)
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+
+	client := newClient(&commoncli.Env{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	})
+
+	test := &localAuthorityTest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+		Args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
+		Server: server,
+		Client: client,
+	}
+
+	t.Cleanup(func() {
+		test.afterTest(t)
+	})
+
+	return test
+}
+
+type fakeLocalAuthorityServer struct {
+	localauthorityv1.UnsafeLocalAuthorityServer
+
+	ActiveJWT,
+	PreparedJWT,
+	OldJWT,
+	ActiveX509,
+	PreparedX509,
+	OldX509,
+	TaintedX509,
+	RevokedX509,
+	TaintedJWT,
+	RevokedJWT *localauthorityv1.AuthorityState
+
+	TaintedUpstreamAuthoritySubjectKeyId,
+	RevokedUpstreamAuthoritySubjectKeyId string
+	Err error
+}
+
+func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
+	return &localauthorityv1.GetJWTAuthorityStateResponse{
+		Active:   s.ActiveJWT,
+		Prepared: s.PreparedJWT,
+		Old:      s.OldJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
+	return &localauthorityv1.PrepareJWTAuthorityResponse{
+		PreparedAuthority: s.PreparedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
+	return &localauthorityv1.ActivateJWTAuthorityResponse{
+		ActivatedAuthority: s.ActiveJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
+	return &localauthorityv1.TaintJWTAuthorityResponse{
+		TaintedAuthority: s.TaintedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
+	return &localauthorityv1.RevokeJWTAuthorityResponse{
+		RevokedAuthority: s.RevokedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
+	return &localauthorityv1.GetX509AuthorityStateResponse{
+		Active:   s.ActiveX509,
+		Prepared: s.PreparedX509,
+		Old:      s.OldX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
+	return &localauthorityv1.PrepareX509AuthorityResponse{
+		PreparedAuthority: s.PreparedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
+	return &localauthorityv1.ActivateX509AuthorityResponse{
+		ActivatedAuthority: s.ActiveX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
+	return &localauthorityv1.TaintX509AuthorityResponse{
+		TaintedAuthority: s.TaintedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.TaintedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509AuthorityResponse{
+		RevokedAuthority: s.RevokedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.RevokedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
--- a/cmd/spire-server/cli/bundle/bundle_posix_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package bundle

--- a/cmd/spire-server/cli/bundle/bundle_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_test.go
@ -113,7 +113,7 @@ func TestSetHelp(t *testing.T) {

 func TestSetSynopsis(t *testing.T) {
 	test := setupTest(t, newSetCommand)
-	require.Equal(t, "Creates or updates bundle data", test.client.Synopsis())
+	require.Equal(t, "Creates or updates federated bundle data", test.client.Synopsis())
 }

 func TestSet(t *testing.T) {
@ -697,7 +697,7 @@ func TestDeleteHelp(t *testing.T) {

 func TestDeleteSynopsis(t *testing.T) {
 	test := setupTest(t, newDeleteCommand)
-	require.Equal(t, "Deletes bundle data", test.client.Synopsis())
+	require.Equal(t, "Deletes federated bundle data", test.client.Synopsis())
 }

 func TestDelete(t *testing.T) {
--- a/cmd/spire-server/cli/bundle/bundle_windows_test.go
+++ b/cmd/spire-server/cli/bundle/bundle_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package bundle

--- a/cmd/spire-server/cli/bundle/common.go
+++ b/cmd/spire-server/cli/bundle/common.go
@ -2,7 +2,6 @@ package bundle

 import (
 	"bytes"
-	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -17,7 +16,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
+	"github.com/spiffe/spire/pkg/common/jwtutil"
 )

 const (
@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {

 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}

 	var o bytes.Buffer
@ -86,11 +85,8 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 		return err
 	}

-	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
-	}
-
-	return nil
+	_, err = fmt.Fprintln(out, o.String())
+	return err
 }

 // bundleFromProto converts a bundle from the given *types.Bundle to *spiffebundle.Bundle
@ -103,7 +99,7 @@ func bundleFromProto(bundleProto *types.Bundle) (*spiffebundle.Bundle, error) {
 	if err != nil {
 		return nil, err
 	}
-	jwtAuthorities, err := jwtKeysFromProto(bundleProto.JwtAuthorities)
+	jwtAuthorities, err := jwtutil.JWTKeysFromProto(bundleProto.JwtAuthorities)
 	if err != nil {
 		return nil, err
 	}
@ -132,20 +128,6 @@ func x509CertificatesFromProto(proto []*types.X509Certificate) ([]*x509.Certific
 	return certs, nil
 }

-// jwtKeysFromProto converts JWT keys from the given []*types.JWTKey to map[string]crypto.PublicKey.
-// The key ID of the public key is used as the key in the returned map.
-func jwtKeysFromProto(proto []*types.JWTKey) (map[string]crypto.PublicKey, error) {
-	keys := make(map[string]crypto.PublicKey)
-	for i, publicKey := range proto {
-		jwtSigningKey, err := x509.ParsePKIXPublicKey(publicKey.PublicKey)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse JWT signing key %d: %w", i, err)
-		}
-		keys[publicKey.KeyId] = jwtSigningKey
-	}
-	return keys, nil
-}
-
 func printBundleWithFormat(out io.Writer, bundle *types.Bundle, format string, header bool) error {
 	if bundle == nil {
 		return errors.New("no bundle provided")
--- a/cmd/spire-server/cli/bundle/common_test.go
+++ b/cmd/spire-server/cli/bundle/common_test.go
@ -9,9 +9,9 @@ import (
 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -203,7 +203,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *bundl
 		cert1:    cert1,
 		cert2:    cert2,
 		key1Pkix: key1Pkix,
-		addr:     common.GetAddr(addr),
+		addr:     clitest.GetAddr(addr),
 		stdin:    stdin,
 		stdout:   stdout,
 		stderr:   stderr,
@ -241,7 +241,7 @@ func (s *bundleTest) afterTest(t *testing.T) {
 }

 func (s *bundleTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 type fakeBundleServer struct {
--- a/cmd/spire-server/cli/bundle/count.go
+++ b/cmd/spire-server/cli/bundle/count.go
@ -1,6 +1,7 @@
 package bundle

 import (
+	"context"
 	"flag"
 	"fmt"

@ -10,8 +11,6 @@ import (
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
-
-	"golang.org/x/net/context"
 )

 type countCommand struct {
@ -53,7 +52,7 @@ func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintCount)
 }

-func prettyPrintCount(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintCount(env *commoncli.Env, results ...any) error {
 	countResp, ok := results[0].(*bundlev1.CountBundlesResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/bundle/delete.go
+++ b/cmd/spire-server/cli/bundle/delete.go
@ -44,7 +44,7 @@ func (c *deleteCommand) Name() string {
 }

 func (c *deleteCommand) Synopsis() string {
-	return "Deletes bundle data"
+	return "Deletes federated bundle data"
 }

 func (c *deleteCommand) AppendFlags(fs *flag.FlagSet) {
@ -77,7 +77,7 @@ func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient
 	return c.printer.PrintProto(resp)
 }

-func prettyPrintDelete(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintDelete(env *commoncli.Env, results ...any) error {
 	deleteResp, ok := results[0].(*bundlev1.BatchDeleteFederatedBundleResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/bundle/list.go
+++ b/cmd/spire-server/cli/bundle/list.go
@ -63,7 +63,7 @@ func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient ut
 	return c.printer.PrintProto(resp)
 }

-func (c *listCommand) prettyPrintList(env *commoncli.Env, results ...interface{}) error {
+func (c *listCommand) prettyPrintList(env *commoncli.Env, results ...any) error {
 	if listResp, ok := results[0].(*bundlev1.ListFederatedBundlesResponse); ok {
 		for i, bundle := range listResp.Bundles {
 			if i != 0 {
--- a/cmd/spire-server/cli/bundle/set.go
+++ b/cmd/spire-server/cli/bundle/set.go
@ -39,7 +39,7 @@ func (c *setCommand) Name() string {
 }

 func (c *setCommand) Synopsis() string {
-	return "Creates or updates bundle data"
+	return "Creates or updates federated bundle data"
 }

 func (c *setCommand) AppendFlags(fs *flag.FlagSet) {
@ -80,7 +80,7 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient
 	return c.printer.PrintProto(resp)
 }

-func prettyPrintSet(env *common_cli.Env, results ...interface{}) error {
+func prettyPrintSet(env *common_cli.Env, results ...any) error {
 	setResp, ok := results[0].(*bundlev1.BatchSetFederatedBundleResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/bundle/show.go
+++ b/cmd/spire-server/cli/bundle/show.go
@ -51,7 +51,7 @@ func (c *showCommand) Run(ctx context.Context, _ *common_cli.Env, serverClient u
 	return c.printer.PrintProto(resp)
 }

-func (c *showCommand) prettyPrintBundle(env *common_cli.Env, results ...interface{}) error {
+func (c *showCommand) prettyPrintBundle(env *common_cli.Env, results ...any) error {
 	showResp, ok := results[0].(*types.Bundle)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/cli.go
+++ b/cmd/spire-server/cli/cli.go
@ -11,8 +11,12 @@ import (
 	"github.com/spiffe/spire/cmd/spire-server/cli/federation"
 	"github.com/spiffe/spire/cmd/spire-server/cli/healthcheck"
 	"github.com/spiffe/spire/cmd/spire-server/cli/jwt"
+	localauthority_jwt "github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	localauthority_x509 "github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/cmd/spire-server/cli/logger"
 	"github.com/spiffe/spire/cmd/spire-server/cli/run"
 	"github.com/spiffe/spire/cmd/spire-server/cli/token"
+	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
 	"github.com/spiffe/spire/cmd/spire-server/cli/validate"
 	"github.com/spiffe/spire/cmd/spire-server/cli/x509"
 	"github.com/spiffe/spire/pkg/common/log"
@ -96,6 +100,15 @@ func (cc *CLI) Run(ctx context.Context, args []string) int {
 		"federation update": func() (cli.Command, error) {
 			return federation.NewUpdateCommand(), nil
 		},
+		"logger get": func() (cli.Command, error) {
+			return logger.NewGetCommand(), nil
+		},
+		"logger set": func() (cli.Command, error) {
+			return logger.NewSetCommand(), nil
+		},
+		"logger reset": func() (cli.Command, error) {
+			return logger.NewResetCommand(), nil
+		},
 		"run": func() (cli.Command, error) {
 			return run.NewRunCommand(ctx, cc.LogOptions, cc.AllowUnknownConfig), nil
 		},
@ -114,6 +127,42 @@ func (cc *CLI) Run(ctx context.Context, args []string) int {
 		"validate": func() (cli.Command, error) {
 			return validate.NewValidateCommand(), nil
 		},
+		"localauthority x509 show": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ShowCommand(), nil
+		},
+		"localauthority x509 prepare": func() (cli.Command, error) {
+			return localauthority_x509.NewX509PrepareCommand(), nil
+		},
+		"localauthority x509 activate": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ActivateCommand(), nil
+		},
+		"localauthority x509 taint": func() (cli.Command, error) {
+			return localauthority_x509.NewX509TaintCommand(), nil
+		},
+		"localauthority x509 revoke": func() (cli.Command, error) {
+			return localauthority_x509.NewX509RevokeCommand(), nil
+		},
+		"localauthority jwt show": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTShowCommand(), nil
+		},
+		"localauthority jwt prepare": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTPrepareCommand(), nil
+		},
+		"localauthority jwt activate": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTActivateCommand(), nil
+		},
+		"localauthority jwt taint": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTTaintCommand(), nil
+		},
+		"localauthority jwt revoke": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTRevokeCommand(), nil
+		},
+		"upstreamauthority taint": func() (cli.Command, error) {
+			return upstreamauthority.NewTaintCommand(), nil
+		},
+		"upstreamauthority revoke": func() (cli.Command, error) {
+			return upstreamauthority.NewRevokeCommand(), nil
+		},
 	}

 	exitStatus, err := c.Run()
--- a/cmd/spire-server/cli/common/common_windows.go
+++ b/cmd/spire-server/cli/common/common_windows.go
@ -1,26 +0,0 @@
-//go:build windows
-// +build windows
-
-package common
-
-import (
-	"net"
-
-	"github.com/spiffe/spire/pkg/common/namedpipe"
-)
-
-var (
-	AddrArg         = "-namedPipeName"
-	AddrError       = "Error: connection error: desc = \"transport: error while dialing: open \\\\\\\\.\\\\pipe\\\\does-not-exist: The system cannot find the file specified.\"\n"
-	AddrOutputUsage = `
-  -namedPipeName string
-    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
-  -output value
-    	Desired output format (pretty, json); default: pretty.
-`
-	AddrValue = "\\does-not-exist"
-)
-
-func GetAddr(addr net.Addr) string {
-	return namedpipe.GetPipeName(addr.String())
-}
--- a/cmd/spire-server/cli/entry/count.go
+++ b/cmd/spire-server/cli/entry/count.go
@ -1,20 +1,45 @@
 package entry

 import (
+	"context"
 	"flag"
 	"fmt"

 	"github.com/mitchellh/cli"
-	"github.com/spiffe/spire/pkg/common/cliprinter"
-
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
-
-	"golang.org/x/net/context"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 type countCommand struct {
+	// Type and value are delimited by a colon (:)
+	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
+	selectors StringsFlag
+
+	// Workload parent spiffeID
+	parentID string
+
+	// Workload spiffeID
+	spiffeID string
+
+	// Entry hint
+	hint string
+
+	// List of SPIFFE IDs of trust domains the registration entry is federated with
+	federatesWith StringsFlag
+
+	// Whether the entry is for a downstream SPIRE server
+	downstream bool
+
+	// Match used when filtering by federates with
+	matchFederatesWithOn string
+
+	// Match used when filtering by selectors
+	matchSelectorsOn string
+
 	printer cliprinter.Printer
 	env     *commoncli.Env
 }
@ -41,7 +66,66 @@ func (*countCommand) Synopsis() string {
 // Run counts attested entries
 func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
 	entryClient := serverClient.NewEntryClient()
-	countResponse, err := entryClient.CountEntries(ctx, &entryv1.CountEntriesRequest{})
+
+	filter := &entryv1.CountEntriesRequest_Filter{}
+	if c.parentID != "" {
+		id, err := idStringToProto(c.parentID)
+		if err != nil {
+			return fmt.Errorf("error parsing parent ID %q: %w", c.parentID, err)
+		}
+		filter.ByParentId = id
+	}
+
+	if c.spiffeID != "" {
+		id, err := idStringToProto(c.spiffeID)
+		if err != nil {
+			return fmt.Errorf("error parsing SPIFFE ID %q: %w", c.spiffeID, err)
+		}
+		filter.BySpiffeId = id
+	}
+
+	if len(c.selectors) != 0 {
+		matchSelectorBehavior, err := parseToSelectorMatch(c.matchSelectorsOn)
+		if err != nil {
+			return err
+		}
+
+		selectors := make([]*types.Selector, len(c.selectors))
+		for i, sel := range c.selectors {
+			selector, err := util.ParseSelector(sel)
+			if err != nil {
+				return fmt.Errorf("error parsing selectors: %w", err)
+			}
+			selectors[i] = selector
+		}
+		filter.BySelectors = &types.SelectorMatch{
+			Selectors: selectors,
+			Match:     matchSelectorBehavior,
+		}
+	}
+
+	filter.ByDownstream = wrapperspb.Bool(c.downstream)
+
+	if len(c.federatesWith) > 0 {
+		matchFederatesWithBehavior, err := parseToFederatesWithMatch(c.matchFederatesWithOn)
+		if err != nil {
+			return err
+		}
+
+		filter.ByFederatesWith = &types.FederatesWithMatch{
+			TrustDomains: c.federatesWith,
+			Match:        matchFederatesWithBehavior,
+		}
+	}
+
+	if c.hint != "" {
+		filter.ByHint = wrapperspb.String(c.hint)
+	}
+
+	countResponse, err := entryClient.CountEntries(ctx, &entryv1.CountEntriesRequest{
+		Filter: filter,
+	})
+
 	if err != nil {
 		return err
 	}
@ -50,10 +134,19 @@ func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient u
 }

 func (c *countCommand) AppendFlags(fs *flag.FlagSet) {
+	fs.StringVar(&c.parentID, "parentID", "", "The Parent ID of the records to count")
+	fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the records to count")
+	fs.BoolVar(&c.downstream, "downstream", false, "A boolean value that, when set, indicates that the entry describes a downstream SPIRE server")
+	fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
+	fs.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain an entry is federate with. Can be used more than once")
+	fs.StringVar(&c.matchFederatesWithOn, "matchFederatesWithOn", "superset", "The match mode used when filtering by federates with. Options: exact, any, superset and subset")
+	fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset")
+	fs.StringVar(&c.hint, "hint", "", "The Hint of the records to count (optional)")
+
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintCount)
 }

-func (c *countCommand) prettyPrintCount(env *commoncli.Env, results ...interface{}) error {
+func (c *countCommand) prettyPrintCount(env *commoncli.Env, results ...any) error {
 	countResp, ok := results[0].(*entryv1.CountEntriesResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/entry/count_test.go
+++ b/cmd/spire-server/cli/entry/count_test.go
@ -5,9 +5,11 @@ import (
 	"testing"

 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
+	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 func TestCountHelp(t *testing.T) {
@ -31,12 +33,262 @@ func TestCount(t *testing.T) {
 	for _, tt := range []struct {
 		name          string
 		args          []string
+		expCountReq   *entryv1.CountEntriesRequest
 		fakeCountResp *entryv1.CountEntriesResponse
 		serverErr     error
 		expOutPretty  string
 		expOutJSON    string
 		expErr        string
 	}{
+		{
+			name: "Count all entries (empty filter)",
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp4,
+			expOutPretty:  "4 registration entries",
+			expOutJSON:    `{"count":4}`,
+		},
+		{
+			name: "Count by parentID",
+			args: []string{"-parentID", "spiffe://example.org/father"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByParentId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp2,
+			expOutPretty:  "2 registration entries",
+			expOutJSON:    `{"count":2}`,
+		},
+		{
+			name:   "Count by parent ID using invalid ID",
+			args:   []string{"-parentID", "invalid-id"},
+			expErr: "Error: error parsing parent ID \"invalid-id\": scheme is missing or invalid\n",
+		},
+		{
+			name: "Count by SPIFFE ID",
+			args: []string{"-spiffeID", "spiffe://example.org/daughter"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp2,
+			expOutPretty:  "2 registration entries",
+			expOutJSON:    `{"count":2}`,
+		},
+		{
+			name:   "Count by SPIFFE ID using invalid ID",
+			args:   []string{"-spiffeID", "invalid-id"},
+			expErr: "Error: error parsing SPIFFE ID \"invalid-id\": scheme is missing or invalid\n",
+		},
+		{
+			name: "Count by selectors: default matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: exact matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "exact"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_EXACT,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: superset matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "superset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: subset matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "subset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_SUBSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by selectors: Any matcher",
+			args: []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "any"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "foo", Value: "bar"},
+							{Type: "bar", Value: "baz"},
+						},
+						Match: types.SelectorMatch_MATCH_ANY,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name:   "Count by selectors: Invalid matcher",
+			args:   []string{"-selector", "foo:bar", "-selector", "bar:baz", "-matchSelectorsOn", "NO-MATCHER"},
+			expErr: "Error: match behavior \"NO-MATCHER\" unknown\n",
+		},
+		{
+			name:   "Count by selector using invalid selector",
+			args:   []string{"-selector", "invalid-selector"},
+			expErr: "Error: error parsing selectors: selector \"invalid-selector\" must be formatted as type:value\n",
+		},
+		{
+			name: "Server error",
+			args: []string{"-spiffeID", "spiffe://example.org/daughter"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			serverErr: status.Error(codes.Internal, "internal server error"),
+			expErr:    "Error: rpc error: code = Internal desc = internal server error\n",
+		},
+		{
+			name: "Count by Federates With: default matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: exact matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "exact"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_EXACT,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: Any matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "any"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_ANY,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: superset matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "superset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name: "Count by Federates With: subset matcher",
+			args: []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "subset"},
+			expCountReq: &entryv1.CountEntriesRequest{
+				Filter: &entryv1.CountEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{"spiffe://domain.test"},
+						Match:        types.FederatesWithMatch_MATCH_SUBSET,
+					},
+					ByDownstream: wrapperspb.Bool(false),
+				},
+			},
+			fakeCountResp: fakeResp1,
+			expOutPretty:  "1 registration entry",
+			expOutJSON:    `{"count":1}`,
+		},
+		{
+			name:   "Count by Federates With: Invalid matcher",
+			args:   []string{"-federatesWith", "spiffe://domain.test", "-matchFederatesWithOn", "NO-MATCHER"},
+			expErr: "Error: match behavior \"NO-MATCHER\" unknown\n",
+		},
 		{
 			name:          "4 entries",
 			fakeCountResp: fakeResp4,
@ -73,13 +325,16 @@ func TestCount(t *testing.T) {
 				test.server.err = tt.serverErr
 				test.server.countEntriesResp = tt.fakeCountResp

-				rc := test.client.Run(test.args(tt.args...))
+				args := tt.args
+				args = append(args, "-output", format)
+
+				rc := test.client.Run(test.args(args...))
 				if tt.expErr != "" {
 					require.Equal(t, 1, rc)
 					require.Equal(t, tt.expErr, test.stderr.String())
 					return
 				}
-				requireOutputBasedOnFormat(t, test.stdout.String(), format, tt.expOutPretty, tt.expOutJSON)
+				requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)
 				require.Equal(t, 0, rc)
 			})
 		}
--- a/cmd/spire-server/cli/entry/create.go
+++ b/cmd/spire-server/cli/entry/create.go
@ -1,19 +1,20 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewCreateCommand creates a new "create" subcommand for "entry" command.
@ -22,7 +23,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -34,6 +35,9 @@ type createCommand struct {
 	// ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo"
 	selectors StringsFlag

+	// Registration entry ID
+	entryID string
+
 	// Workload parent spiffeID
 	parentID string

@ -43,11 +47,6 @@ type createCommand struct {
 	// Entry hint, used to disambiguate entries with the same SPIFFE ID
 	hint string

-	// TTL for x509 and JWT SVIDs issued to this workload, unless type specific TTLs are set.
-	// This field is deprecated in favor of the x509SVIDTTL and jwtSVIDTTL fields and will be
-	// removed in a future release.
-	ttl int
-
 	// TTL for x509 SVIDs issued to this workload
 	x509SVIDTTL int

@ -57,13 +56,13 @@ type createCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// Whether or not the entry represents a node or group of nodes
+	// whether the entry represents a node or group of nodes
 	node bool

 	// Expiry of entry
@ -89,11 +88,11 @@ func (*createCommand) Synopsis() string {
 }

 func (c *createCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.entryID, "entryID", "", "A custom ID for this registration entry (optional). If not set, a new entry ID will be generated")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
-	f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
-	f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+	f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -107,7 +106,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -155,10 +154,6 @@ func (c *createCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
-	}
-
 	if c.x509SVIDTTL < 0 {
 		return errors.New("a positive x509-SVID TTL is required")
 	}
@ -167,10 +162,6 @@ func (c *createCommand) validate() (err error) {
 		return errors.New("a positive JWT-SVID TTL is required")
 	}

-	if c.ttl > 0 && (c.x509SVIDTTL > 0 || c.jwtSVIDTTL > 0) {
-		return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
-	}
-
 	return nil
 }

@ -186,33 +177,32 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
+		Id:          c.entryID,
 		ParentId:    parentID,
 		SpiffeId:    spiffeID,
 		Downstream:  c.downstream,
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
 		StoreSvid:   c.storeSVID,
-		X509SvidTtl: int32(c.x509SVIDTTL),
-		JwtSvidTtl:  int32(c.jwtSVIDTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

-	// c.ttl is deprecated but usable if the new c.x509Svid field is not used.
-	// c.ttl should not be used to set the jwtSVIDTTL value because the previous
-	// behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
-	// of ttl was set to.
-	// validate(...) ensures that either the new fields or the deprecated field is
-	// used, but never a mixture.
-	//
-	// https://github.com/spiffe/spire/issues/2700
-	if e.X509SvidTtl == 0 {
-		e.X509SvidTtl = int32(c.ttl)
-	}
-
 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -254,7 +244,7 @@ func getParentID(config *createCommand, td string) (*types.SPIFFEID, error) {
 	return idStringToProto(config.parentID)
 }

-func prettyPrintCreate(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintCreate(env *commoncli.Env, results ...any) error {
 	var succeeded, failed []*entryv1.BatchCreateEntryResponse_Result
 	createResp, ok := results[0].(*entryv1.BatchCreateEntryResponse)
 	if !ok {
@ -276,7 +266,7 @@ func prettyPrintCreate(env *commoncli.Env, results ...interface{}) error {

 	for _, r := range failed {
 		env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/create_test.go
+++ b/cmd/spire-server/cli/entry/create_test.go
@ -54,7 +54,7 @@ func TestCreate(t *testing.T) {
 		},
 	}

-	fakeRespOKFromCmd2 := &entryv1.BatchCreateEntryResponse{
+	fakeRespOKFromCmdWithoutJwtTtl := &entryv1.BatchCreateEntryResponse{
 		Results: []*entryv1.BatchCreateEntryResponse_Result{
 			{
 				Entry: &types.Entry{
@ -186,28 +186,16 @@ func TestCreate(t *testing.T) {
 			expErrJSON:   "Error: selector \"unix\" must be formatted as type:value\n",
 		},
 		{
-			name:         "Negative TTL",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
-			expErrPretty: "Error: a positive TTL is required\n",
-			expErrJSON:   "Error: a positive TTL is required\n",
+			name:         "Negative X509SvidTtl",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-x509SVIDTTL", "-10"},
+			expErrPretty: "Error: a positive x509-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive x509-SVID TTL is required\n",
 		},
 		{
-			name:         "Invalid TTL and X509SvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and JwtSvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
+			name:         "Negative jwtSVIDTTL",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-jwtSVIDTTL", "-10"},
+			expErrPretty: "Error: a positive JWT-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive JWT-SVID TTL is required\n",
 		},
 		{
 			name:         "Federated node entries",
@ -339,13 +327,14 @@ StoreSvid        : true
 `,
 		},
 		{
-			name: "Create succeeds using deprecated command line arguments",
+			name: "Create succeeds with custom entry ID",
 			args: []string{
+				"-entryID", "entry-id",
 				"-spiffeID", "spiffe://example.org/workload",
 				"-parentID", "spiffe://example.org/parent",
 				"-selector", "zebra:zebra:2000",
 				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
+				"-x509SVIDTTL", "60",
 				"-federatesWith", "spiffe://domaina.test",
 				"-federatesWith", "spiffe://domainb.test",
 				"-admin",
@ -358,6 +347,7 @@ StoreSvid        : true
 			expReq: &entryv1.BatchCreateEntryRequest{
 				Entries: []*types.Entry{
 					{
+						Id:       "entry-id",
 						SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
 						ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
 						Selectors: []*types.Selector{
@ -374,7 +364,7 @@ StoreSvid        : true
 					},
 				},
 			},
-			fakeResp: fakeRespOKFromCmd2,
+			fakeResp: fakeRespOKFromCmdWithoutJwtTtl,
 			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
 SPIFFE ID        : spiffe://example.org/workload
 Parent ID        : spiffe://example.org/parent
--- a/cmd/spire-server/cli/entry/delete.go
+++ b/cmd/spire-server/cli/entry/delete.go
@ -1,18 +1,20 @@
 package entry

 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"flag"
-	"fmt"
+	"io"
+	"os"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewDeleteCommand creates a new "delete" subcommand for "entry" command.
@ -21,12 +23,13 @@ func NewDeleteCommand() cli.Command {
 }

 func newDeleteCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &deleteCommand{env: env})
+	return serverutil.AdaptCommand(env, &deleteCommand{env: env})
 }

 type deleteCommand struct {
 	// ID of the record to delete
 	entryID string
+	file    string
 	env     *commoncli.Env
 	printer cliprinter.Printer
 }
@ -40,16 +43,51 @@ func (*deleteCommand) Synopsis() string {
 }

 func (c *deleteCommand) AppendFlags(f *flag.FlagSet) {
-	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to delete")
+	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to delete.")
+	f.StringVar(&c.file, "file", "", "Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.")
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintDelete)
 }

-func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func parseEntryDeleteJSON(path string) ([]string, error) {
+	r := os.Stdin
+	if path != "-" {
+		f, err := os.Open(path)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		r = f
+	}
+
+	dat, err := io.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+
+	batchDeleteEntryRequest := &entryv1.BatchDeleteEntryRequest{}
+	if err := json.Unmarshal(dat, batchDeleteEntryRequest); err != nil {
+		return nil, err
+	}
+	return batchDeleteEntryRequest.Ids, nil
+}
+
+func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}

-	req := &entryv1.BatchDeleteEntryRequest{Ids: []string{c.entryID}}
+	var err error
+	entriesIDs := []string{}
+	if c.file != "" {
+		entriesIDs, err = parseEntryDeleteJSON(c.file)
+		if err != nil {
+			return err
+		}
+	} else {
+		entriesIDs = append(entriesIDs, c.entryID)
+	}
+
+	req := &entryv1.BatchDeleteEntryRequest{Ids: entriesIDs}
 	resp, err := serverClient.NewEntryClient().BatchDeleteEntry(ctx, req)
 	if err != nil {
 		return err
@ -60,6 +98,10 @@ func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient

 // Perform basic validation.
 func (c *deleteCommand) validate() error {
+	if c.file != "" {
+		return nil
+	}
+
 	if c.entryID == "" {
 		return errors.New("an entry ID is required")
 	}
@ -67,18 +109,43 @@ func (c *deleteCommand) validate() error {
 	return nil
 }

-func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...interface{}) error {
+func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...any) error {
 	deleteResp, ok := results[0].(*entryv1.BatchDeleteEntryResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
 	}

-	sts := deleteResp.Results[0].Status
-	switch sts.Code {
-	case int32(codes.OK):
-		env.Printf("Deleted entry with ID: %s\n", c.entryID)
-		return nil
-	default:
-		return fmt.Errorf("failed to delete entry: %s", sts.Message)
+	var failed, succeeded []*entryv1.BatchDeleteEntryResponse_Result
+	for _, result := range deleteResp.Results {
+		switch result.Status.Code {
+		case int32(codes.OK):
+			succeeded = append(succeeded, result)
+		default:
+			failed = append(failed, result)
+		}
 	}
+
+	for _, result := range succeeded {
+		env.Printf("Deleted entry with ID: %s\n", result.Id)
+	}
+
+	if len(succeeded) > 0 {
+		env.Printf("\n\n")
+	}
+
+	for _, result := range failed {
+		env.ErrPrintf("Failed to delete entry with ID %s (code: %s, msg: %q)\n",
+			result.Id,
+			util.MustCast[codes.Code](result.Status.Code),
+			result.Status.Message)
+	}
+
+	if len(failed) > 0 {
+		env.Printf("\n\n")
+		return errors.New("failed to delete one or more entries")
+	}
+
+	env.Printf("Deleted %d entries successfully, but failed to delete %d entries", len(succeeded), len(failed))
+
+	return nil
 }
--- a/cmd/spire-server/cli/entry/delete_test.go
+++ b/cmd/spire-server/cli/entry/delete_test.go
@ -24,18 +24,6 @@ func TestDeleteSynopsis(t *testing.T) {
 }

 func TestDelete(t *testing.T) {
-	fakeRespOK := &entryv1.BatchDeleteEntryResponse{
-		Results: []*entryv1.BatchDeleteEntryResponse_Result{
-			{
-				Id: "entry-id",
-				Status: &types.Status{
-					Code:    int32(codes.OK),
-					Message: "OK",
-				},
-			},
-		},
-	}
-
 	fakeRespErr := &entryv1.BatchDeleteEntryResponse{
 		Results: []*entryv1.BatchDeleteEntryResponse_Result{
 			{
@ -67,12 +55,13 @@ func TestDelete(t *testing.T) {
 			expErrJSON:   "Error: an entry ID is required\n",
 		},
 		{
-			name:         "Entry not found",
-			args:         []string{"-entryID", "entry-id"},
-			expReq:       &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
-			fakeResp:     fakeRespErr,
-			expErrPretty: "Error: failed to delete entry: entry not found\n",
-			expOutJSON:   `{"results":[{"status":{"code":5,"message":"entry not found"},"id":"entry-id"}]}`,
+			name:     "Entry not found",
+			args:     []string{"-entryID", "entry-id"},
+			expReq:   &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
+			fakeResp: fakeRespErr,
+			expErrPretty: "Failed to delete entry with ID entry-id (code: NotFound, msg: \"entry not found\")" +
+				"\nError: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[{"status":{"code":5,"message":"entry not found"},"id":"entry-id"}]}`,
 		},
 		{
 			name:         "Server error",
@ -83,12 +72,113 @@ func TestDelete(t *testing.T) {
 			expErrJSON:   "Error: rpc error: code = Unknown desc = server-error\n",
 		},
 		{
-			name:         "Delete succeeds",
-			args:         []string{"-entryID", "entry-id"},
-			expReq:       &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}},
-			fakeResp:     fakeRespOK,
-			expOutPretty: "Deleted entry with ID: entry-id\n",
-			expOutJSON:   `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-id"}]}`,
+			name:   "Delete succeeded",
+			args:   []string{"-entryID", "entry-0"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-0\n",
+			expOutJSON:   `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-0"}]}`,
+		},
+		{
+			name:   "Delete succeeded using data file",
+			args:   []string{"-file", "../../../../test/fixture/registration/good-for-delete.json"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0", "entry-1"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+					{
+						Id: "entry-1",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-0\nDeleted entry with ID: entry-1\n",
+			expOutJSON:   `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-0"},{"status":{"code":0,"message":"OK"},"id":"entry-1"}]}`,
+		},
+		{
+			name:   "Delete partially succeeded",
+			args:   []string{"-file", "../../../../test/fixture/registration/partially-good-for-delete.json"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0", "entry-1", "entry-2", "entry-3"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+					{
+						Id: "entry-1",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+					{
+						Id: "entry-2",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+					{
+						Id: "entry-3",
+						Status: &types.Status{
+							Code:    int32(codes.OK),
+							Message: "OK",
+						},
+					},
+				},
+			},
+			expOutPretty: "Deleted entry with ID: entry-1\nDeleted entry with ID: entry-3\n",
+			expErrPretty: "Failed to delete entry with ID entry-0 (code: NotFound, msg: \"entry not found\")\n" +
+				"Failed to delete entry with ID entry-2 (code: NotFound, msg: \"entry not found\")\n" +
+				"Error: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-0"},` +
+				`{"status":{"code":0,"message":"OK"},"id":"entry-1"},` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-2"},` +
+				`{"status":{"code":0,"message":"OK"},"id":"entry-3"}]}`,
+		},
+		{
+			name:   "Delete failed",
+			args:   []string{"-entryID", "entry-0"},
+			expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-0"}},
+			fakeResp: &entryv1.BatchDeleteEntryResponse{
+				Results: []*entryv1.BatchDeleteEntryResponse_Result{
+					{
+						Id: "entry-0",
+						Status: &types.Status{
+							Code:    int32(codes.NotFound),
+							Message: "entry not found",
+						},
+					},
+				},
+			},
+			expErrPretty: "Failed to delete entry with ID entry-0 (code: NotFound, msg: \"entry not found\")\n" +
+				"Error: failed to delete one or more entries\n",
+			expOutJSON: `{"results":[` +
+				`{"status":{"code":5,"message":"entry not found"},"id":"entry-0"}]}`,
 		},
 	} {
 		for _, format := range availableFormats {
--- a/cmd/spire-server/cli/entry/show.go
+++ b/cmd/spire-server/cli/entry/show.go
@ -1,6 +1,7 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
@ -13,8 +14,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	commonutil "github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/protobuf/types/known/wrapperspb"
-
-	"golang.org/x/net/context"
 )

 const listEntriesRequestPageSize = 500
@ -48,7 +47,7 @@ type showCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

 	// Match used when filtering by federates with
@ -176,6 +175,8 @@ func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClie
 		filter.ByHint = wrapperspb.String(c.hint)
 	}

+	filter.ByDownstream = wrapperspb.Bool(c.downstream)
+
 	pageToken := ""

 	for {
@ -246,7 +247,7 @@ func parseToFederatesWithMatch(match string) (types.FederatesWithMatch_MatchBeha
 	}
 }

-func prettyPrintShow(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintShow(env *commoncli.Env, results ...any) error {
 	listResp, ok := results[0].(*entryv1.ListEntriesResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/entry/show_test.go
+++ b/cmd/spire-server/cli/entry/show_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 func TestShowHelp(t *testing.T) {
@ -61,7 +62,9 @@ func TestShow(t *testing.T) {
 			name: "List all entries (empty filter)",
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
-				Filter:   &entryv1.ListEntriesRequest_Filter{},
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByDownstream: wrapperspb.Bool(false),
+				},
 			},
 			fakeListResp: fakeRespAll,
 			expOutPretty: fmt.Sprintf("Found 4 entries\n%s%s%s%s",
@ -103,7 +106,8 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					ByParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByParentId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/father"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFather,
@ -124,7 +128,8 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					BySpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespDaughter,
@ -152,6 +157,7 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
@ -173,6 +179,7 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_EXACT,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
@ -194,6 +201,7 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
@ -215,6 +223,7 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_SUBSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
@ -236,6 +245,7 @@ func TestShow(t *testing.T) {
 						},
 						Match: types.SelectorMatch_MATCH_ANY,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespFatherDaughter,
@ -260,7 +270,8 @@ func TestShow(t *testing.T) {
 			expListReq: &entryv1.ListEntriesRequest{
 				PageSize: listEntriesRequestPageSize,
 				Filter: &entryv1.ListEntriesRequest_Filter{
-					BySpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					BySpiffeId:   &types.SPIFFEID{TrustDomain: "example.org", Path: "/daughter"},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			serverErr: status.Error(codes.Internal, "internal server error"),
@ -276,6 +287,7 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
@ -294,6 +306,7 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_EXACT,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
@ -312,6 +325,7 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_ANY,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
@ -330,6 +344,7 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUPERSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
@ -348,6 +363,7 @@ func TestShow(t *testing.T) {
 						TrustDomains: []string{"spiffe://domain.test"},
 						Match:        types.FederatesWithMatch_MATCH_SUBSET,
 					},
+					ByDownstream: wrapperspb.Bool(false),
 				},
 			},
 			fakeListResp: fakeRespMotherDaughter,
@ -429,7 +445,7 @@ func getEntries(count int) []*types.Entry {
 	}

 	e := []*types.Entry{}
-	for i := 0; i < count; i++ {
+	for i := range count {
 		e = append(e, entries[i])
 	}

--- a/cmd/spire-server/cli/entry/update.go
+++ b/cmd/spire-server/cli/entry/update.go
@ -1,18 +1,19 @@
 package entry

 import (
+	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
-
-	"golang.org/x/net/context"
 )

 // NewUpdateCommand creates a new "update" subcommand for "entry" command.
@ -21,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -42,12 +43,9 @@ type updateCommand struct {
 	// Workload spiffeID
 	spiffeID string

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// TTL for certificates issued to this workload
-	ttl int
-
 	// TTL for x509 SVIDs issued to this workload
 	x509SvidTTL int

@ -57,7 +55,7 @@ type updateCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

 	// Expiry of entry
@ -89,9 +87,8 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to update")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
-	f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
-	f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+	f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -104,7 +101,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -152,10 +149,6 @@ func (c *updateCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
-	}
-
 	if c.x509SvidTTL < 0 {
 		return errors.New("a positive x509-SVID TTL is required")
 	}
@ -164,10 +157,6 @@ func (c *updateCommand) validate() (err error) {
 		return errors.New("a positive JWT-SVID TTL is required")
 	}

-	if c.ttl > 0 && (c.x509SvidTTL > 0 || c.jwtSvidTTL > 0) {
-		return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
-	}
-
 	return nil
 }

@ -182,6 +171,16 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
 		Id:          c.entryID,
 		ParentId:    parentID,
@ -189,26 +188,14 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		Downstream:  c.downstream,
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
-		X509SvidTtl: int32(c.x509SvidTTL),
-		JwtSvidTtl:  int32(c.jwtSvidTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

-	// c.ttl is deprecated but usable if the new c.x509Svid field is not used.
-	// c.ttl should not be used to set the jwtSVIDTTL value because the previous
-	// behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
-	// of ttl was set to.
-	// validate(...) ensures that either the new fields or the deprecated field is
-	// used, but never a mixture.
-	//
-	// https://github.com/spiffe/spire/issues/2700
-	if e.X509SvidTtl == 0 {
-		e.X509SvidTtl = int32(c.ttl)
-	}
-
 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -242,7 +229,7 @@ func updateEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.
 	return
 }

-func prettyPrintUpdate(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintUpdate(env *commoncli.Env, results ...any) error {
 	var succeeded, failed []*entryv1.BatchUpdateEntryResponse_Result
 	updateResp, ok := results[0].(*entryv1.BatchUpdateEntryResponse)
 	if !ok {
@ -265,7 +252,7 @@ func prettyPrintUpdate(env *commoncli.Env, results ...interface{}) error {
 	// Print entries that failed to be updated
 	for _, r := range failed {
 		env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/update_test.go
+++ b/cmd/spire-server/cli/entry/update_test.go
@ -321,24 +321,6 @@ func TestUpdate(t *testing.T) {
 		JwtSvidTtl:  300,
 	}

-	entry5 := &types.Entry{
-		Id:       "entry-id",
-		SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
-		ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
-		Selectors: []*types.Selector{
-			{Type: "zebra", Value: "zebra:2000"},
-			{Type: "alpha", Value: "alpha:2000"},
-		},
-		X509SvidTtl:   60,
-		JwtSvidTtl:    0,
-		FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
-		Admin:         true,
-		ExpiresAt:     1552410266,
-		DnsNames:      []string{"unu1000", "ung1000"},
-		Downstream:    true,
-		Hint:          "external",
-	}
-
 	entry2Resp := proto.Clone(entry2).(*types.Entry)
 	entry2Resp.CreatedAt = 1547583197
 	entry3Resp := proto.Clone(entry3).(*types.Entry)
@ -416,30 +398,6 @@ func TestUpdate(t *testing.T) {
 			expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n",
 			expErrJSON:   "Error: selector \"unix\" must be formatted as type:value\n",
 		},
-		{
-			name:         "Negative TTL",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
-			expErrPretty: "Error: a positive TTL is required\n",
-			expErrJSON:   "Error: a positive TTL is required\n",
-		},
-		{
-			name:         "Invalid TTL and X509SvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and JwtSvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
 		{
 			name: "Server error",
 			args: []string{"-entryID", "entry-id", "-spiffeID", "spiffe://example.org/workload", "-parentID", "spiffe://example.org/parent", "-selector", "unix:uid:1"},
@ -495,58 +453,6 @@ DNS name         : ung1000
 Admin            : true
 Hint             : external

-`, time.Unix(1552410266, 0).UTC()),
-			expOutJSON: fmt.Sprintf(`{
-  "results": [
-    {
-      "status": {
-        "code": 0,
-        "message": "OK"
-      },
-      "entry": %s
-    }
-  ]
-}`, entry0AdminJSON),
-		},
-		{
-			name: "Update succeeds using deprecated command line arguments",
-			args: []string{
-				"-entryID", "entry-id",
-				"-spiffeID", "spiffe://example.org/workload",
-				"-parentID", "spiffe://example.org/parent",
-				"-selector", "zebra:zebra:2000",
-				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
-				"-federatesWith", "spiffe://domaina.test",
-				"-federatesWith", "spiffe://domainb.test",
-				"-admin",
-				"-entryExpiry", "1552410266",
-				"-dns", "unu1000",
-				"-dns", "ung1000",
-				"-downstream",
-				"-hint", "external",
-			},
-			expReq: &entryv1.BatchUpdateEntryRequest{
-				Entries: []*types.Entry{entry5},
-			},
-			fakeResp: fakeRespOKFromCmd,
-			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
-SPIFFE ID        : spiffe://example.org/workload
-Parent ID        : spiffe://example.org/parent
-Revision         : 0
-Downstream       : true
-X509-SVID TTL    : 60
-JWT-SVID TTL     : 30
-Expiration time  : %s
-Selector         : zebra:zebra:2000
-Selector         : alpha:alpha:2000
-FederatesWith    : spiffe://domaina.test
-FederatesWith    : spiffe://domainb.test
-DNS name         : unu1000
-DNS name         : ung1000
-Admin            : true
-Hint             : external
-
 `, time.Unix(1552410266, 0).UTC()),
 			expOutJSON: fmt.Sprintf(`{
  "results": [
--- a/cmd/spire-server/cli/entry/util.go
+++ b/cmd/spire-server/cli/entry/util.go
@ -13,7 +13,7 @@ import (
 	"github.com/spiffe/spire/proto/spire/common"
 )

-func printEntry(e *types.Entry, printf func(string, ...interface{}) error) {
+func printEntry(e *types.Entry, printf func(string, ...any) error) {
 	_ = printf("Entry ID         : %s\n", printableEntryID(e.Id))
 	_ = printf("SPIFFE ID        : %s\n", protoToIDString(e.SpiffeId))
 	_ = printf("Parent ID        : %s\n", protoToIDString(e.ParentId))
--- a/cmd/spire-server/cli/entry/util_posix_test.go
+++ b/cmd/spire-server/cli/entry/util_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package entry

@ -15,12 +14,14 @@ const (
    	A boolean value that, when set, indicates that the entry describes a downstream SPIRE server
  -entryExpiry int
    	An expiry, from epoch in seconds, for the resulting registration entry to be pruned
+  -entryID string
+    	A custom ID for this registration entry (optional). If not set, a new entry ID will be generated
  -federatesWith value
    	SPIFFE ID of a trust domain to federate with. Can be used more than once
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -node
    	If set, this entry will be applied to matching nodes rather than workloads
  -output value
@ -35,10 +36,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	showUsage = `Usage of entry show:
  -downstream
@ -82,7 +81,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -output value
    	Desired output format (pretty, json); default: pretty.
  -parentID string
@ -95,23 +94,39 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	deleteUsage = `Usage of entry delete:
  -entryID string
-    	The Registration Entry ID of the record to delete
+    	The Registration Entry ID of the record to delete.
+  -file string
+    	Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.
  -output value
    	Desired output format (pretty, json); default: pretty.
  -socketPath string
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	countUsage = `Usage of entry count:
+  -downstream
+    	A boolean value that, when set, indicates that the entry describes a downstream SPIRE server
+  -federatesWith value
+    	SPIFFE ID of a trust domain an entry is federate with. Can be used more than once
+  -hint string
+    	The Hint of the records to count (optional)
+  -matchFederatesWithOn string
+    	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -output value
    	Desired output format (pretty, json); default: pretty.
+  -parentID string
+    	The Parent ID of the records to count
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
  -socketPath string
    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+  -spiffeID string
+    	The SPIFFE ID of the records to count
 `
 )
--- a/cmd/spire-server/cli/entry/util_test.go
+++ b/cmd/spire-server/cli/entry/util_test.go
@ -2,6 +2,7 @@ package entry

 import (
 	"bytes"
+	"context"
 	"os"
 	"path"
 	"testing"
@ -9,13 +10,12 @@ import (
 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 )

@ -45,7 +45,6 @@ func TestParseEntryJSON(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			p := testCase.testDataPath

@ -155,7 +154,7 @@ func (e *entryTest) afterTest(t *testing.T) {
 }

 func (e *entryTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, e.addr}, extra...)
+	return append([]string{clitest.AddrArg, e.addr}, extra...)
 }

 type fakeEntryServer struct {
@ -242,7 +241,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *entry
 	})

 	test := &entryTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
--- a/cmd/spire-server/cli/entry/util_windows_test.go
+++ b/cmd/spire-server/cli/entry/util_windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package entry

@ -15,12 +14,14 @@ const (
    	A boolean value that, when set, indicates that the entry describes a downstream SPIRE server
  -entryExpiry int
    	An expiry, from epoch in seconds, for the resulting registration entry to be pruned
+  -entryID string
+    	A custom ID for this registration entry (optional). If not set, a new entry ID will be generated
  -federatesWith value
    	SPIFFE ID of a trust domain to federate with. Can be used more than once
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -node
@ -35,10 +36,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	showUsage = `Usage of entry show:
  -downstream
@ -82,7 +81,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -output value
@ -95,23 +94,39 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	deleteUsage = `Usage of entry delete:
  -entryID string
-    	The Registration Entry ID of the record to delete
+    	The Registration Entry ID of the record to delete.
+  -file string
+    	Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -output value
    	Desired output format (pretty, json); default: pretty.
 `
 	countUsage = `Usage of entry count:
+  -downstream
+    	A boolean value that, when set, indicates that the entry describes a downstream SPIRE server
+  -federatesWith value
+    	SPIFFE ID of a trust domain an entry is federate with. Can be used more than once
+  -hint string
+    	The Hint of the records to count (optional)
+  -matchFederatesWithOn string
+    	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
+  -matchSelectorsOn string
+    	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -output value
    	Desired output format (pretty, json); default: pretty.
+  -parentID string
+    	The Parent ID of the records to count
+  -selector value
+    	A colon-delimited type:value selector. Can be used more than once
+  -spiffeID string
+    	The SPIFFE ID of the records to count
 `
 )
--- a/cmd/spire-server/cli/federation/common.go
+++ b/cmd/spire-server/cli/federation/common.go
@ -170,7 +170,7 @@ func bundleFromRawMessage(raw json.RawMessage, bundleFormat string, endpointTrus
 	return util.ParseBundle(bundle, bundleFormat, endpointTrustDomain)
 }

-func printFederationRelationship(fr *types.FederationRelationship, printf func(format string, args ...interface{}) error) {
+func printFederationRelationship(fr *types.FederationRelationship, printf func(format string, args ...any) error) {
 	_ = printf("Trust domain              : %s\n", fr.TrustDomain)
 	_ = printf("Bundle endpoint URL       : %s\n", fr.BundleEndpointUrl)

--- a/cmd/spire-server/cli/federation/common_test.go
+++ b/cmd/spire-server/cli/federation/common_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeserverca"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
@ -124,7 +124,7 @@ func (c *cmdTest) afterTest(t *testing.T) {
 }

 func (c *cmdTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, c.addr}, extra...)
+	return append([]string{clitest.AddrArg, c.addr}, extra...)
 }

 type fakeServer struct {
@ -222,7 +222,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *cmdTe
 	})

 	test := &cmdTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
@ -241,7 +241,7 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {
 	td := spiffeid.RequireTrustDomainFromString(trustDomain)
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
 	ca := fakeserverca.New(t, td, &fakeserverca.Options{})
-	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0o600))

 	return &types.Bundle{
 		TrustDomain: td.Name(),
@ -253,13 +253,13 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {

 func createCorruptedBundle(t *testing.T) string {
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0o600))
 	return bundlePath
 }

 func createJSONDataFile(t *testing.T, data string) string {
 	jsonDataFilePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0600))
+	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0o600))
 	return jsonDataFilePath
 }

--- a/cmd/spire-server/cli/federation/create.go
+++ b/cmd/spire-server/cli/federation/create.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -26,7 +27,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -52,7 +53,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -71,7 +72,7 @@ func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient
 	return c.printer.PrintProto(resp)
 }

-func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...interface{}) error {
+func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...any) error {
 	createResp, ok := results[0].(*trustdomainv1.BatchCreateFederationRelationshipResponse)
 	if !ok || len(c.federationRelationships) < len(createResp.Results) {
 		return cliprinter.ErrInternalCustomPrettyFunc
@ -101,7 +102,7 @@ func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...interfa
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to create the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/federation/create_test.go
+++ b/cmd/spire-server/cli/federation/create_test.go
@ -18,7 +18,7 @@ import (
 	"google.golang.org/grpc/codes"
 )

-func TestCreatetHelp(t *testing.T) {
+func TestCreateHelp(t *testing.T) {
 	test := setupTest(t, newCreateCommand)
 	test.client.Help()

--- a/cmd/spire-server/cli/federation/delete.go
+++ b/cmd/spire-server/cli/federation/delete.go
@ -57,7 +57,7 @@ func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient
 	return c.printer.PrintProto(resp)
 }

-func prettyPrintDelete(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintDelete(env *commoncli.Env, results ...any) error {
 	if deleteResp, ok := results[0].(*trustdomain.BatchDeleteFederationRelationshipResponse); ok && len(deleteResp.Results) > 0 {
 		result := deleteResp.Results[0]
 		switch result.Status.Code {
--- a/cmd/spire-server/cli/federation/list.go
+++ b/cmd/spire-server/cli/federation/list.go
@ -47,7 +47,7 @@ func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient ut
 	return c.printer.PrintProto(resp)
 }

-func prettyPrintList(env *commoncli.Env, results ...interface{}) error {
+func prettyPrintList(env *commoncli.Env, results ...any) error {
 	listResp, ok := results[0].(*trustdomainv1.ListFederationRelationshipsResponse)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/federation/refresh.go
+++ b/cmd/spire-server/cli/federation/refresh.go
@ -63,6 +63,6 @@ func (c *refreshCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient
 	}
 }

-func prettyPrintRefresh(env *commoncli.Env, _ ...interface{}) error {
+func prettyPrintRefresh(env *commoncli.Env, _ ...any) error {
 	return env.Println("Bundle refreshed")
 }
--- a/cmd/spire-server/cli/federation/show.go
+++ b/cmd/spire-server/cli/federation/show.go
@ -59,7 +59,7 @@ func (c *showCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient ut
 	return c.printer.PrintProto(fr)
 }

-func (c *showCommand) prettyPrintShow(env *commoncli.Env, results ...interface{}) error {
+func (c *showCommand) prettyPrintShow(env *commoncli.Env, results ...any) error {
 	fr, ok := results[0].(*prototypes.FederationRelationship)
 	if !ok {
 		return cliprinter.ErrInternalCustomPrettyFunc
--- a/cmd/spire-server/cli/federation/update.go
+++ b/cmd/spire-server/cli/federation/update.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -21,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -47,7 +48,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -66,7 +67,7 @@ func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient
 	return c.printer.PrintProto(resp)
 }

-func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...interface{}) error {
+func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...any) error {
 	updateResp, ok := results[0].(*trustdomainv1.BatchUpdateFederationRelationshipResponse)
 	if !ok || len(c.federationRelationships) < len(updateResp.Results) {
 		return cliprinter.ErrInternalCustomPrettyFunc
@ -97,7 +98,7 @@ func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...interfa
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to update the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/federation/util_posix_test.go
+++ b/cmd/spire-server/cli/federation/util_posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package federation

--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .20.5
 .24.4