From 9c2d9a87509f20260d78eac977a13f51868221be Mon Sep 17 00:00:00 2001
From: Aidan Obley <aobley@vmware.com>
Date: Thu, 4 Feb 2021 16:41:21 -0800
Subject: [PATCH] add rpc to fetch x509 bundles

This is the first step on the journey to complete
[#2089](https://github.com/spiffe/spire/issues/2089)

SPIRE will need to implement the handler for this rpc in
order for the client library to start using this call.

SPIRE relies on this repo for the definition and codegen so this needs
to be first.

Signed-off-by: Samuel Waggoner <swaggoner@vmware.com>
Co-authored-by: Samuel Waggoner <swaggoner@vmware.com>
---
 v2/proto/spiffe/workload/workload.pb.go      | 344 +++++++++++++------
 v2/proto/spiffe/workload/workload.proto      |   8 +
 v2/proto/spiffe/workload/workload_grpc.pb.go |  75 +++-
 3 files changed, 316 insertions(+), 111 deletions(-)

diff --git a/v2/proto/spiffe/workload/workload.pb.go b/v2/proto/spiffe/workload/workload.pb.go
index 99d4625a..99cf2f4b 100644
--- a/v2/proto/spiffe/workload/workload.pb.go
+++ b/v2/proto/spiffe/workload/workload.pb.go
@@ -216,6 +216,92 @@ func (x *X509SVID) GetBundle() []byte {
 	return nil
 }
 
+type X509BundlesRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *X509BundlesRequest) Reset() {
+	*x = X509BundlesRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_workload_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *X509BundlesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*X509BundlesRequest) ProtoMessage() {}
+
+func (x *X509BundlesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_workload_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use X509BundlesRequest.ProtoReflect.Descriptor instead.
+func (*X509BundlesRequest) Descriptor() ([]byte, []int) {
+	return file_workload_proto_rawDescGZIP(), []int{3}
+}
+
+type X509BundlesResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// x509 certificates, keyed by trust domain URI
+	Bundles map[string][]byte `protobuf:"bytes,1,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (x *X509BundlesResponse) Reset() {
+	*x = X509BundlesResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_workload_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *X509BundlesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*X509BundlesResponse) ProtoMessage() {}
+
+func (x *X509BundlesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_workload_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use X509BundlesResponse.ProtoReflect.Descriptor instead.
+func (*X509BundlesResponse) Descriptor() ([]byte, []int) {
+	return file_workload_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *X509BundlesResponse) GetBundles() map[string][]byte {
+	if x != nil {
+		return x.Bundles
+	}
+	return nil
+}
+
 type JWTSVID struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -229,7 +315,7 @@ type JWTSVID struct {
 func (x *JWTSVID) Reset() {
 	*x = JWTSVID{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[3]
+		mi := &file_workload_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -242,7 +328,7 @@ func (x *JWTSVID) String() string {
 func (*JWTSVID) ProtoMessage() {}
 
 func (x *JWTSVID) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[3]
+	mi := &file_workload_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -255,7 +341,7 @@ func (x *JWTSVID) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use JWTSVID.ProtoReflect.Descriptor instead.
 func (*JWTSVID) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{3}
+	return file_workload_proto_rawDescGZIP(), []int{5}
 }
 
 func (x *JWTSVID) GetSpiffeId() string {
@@ -286,7 +372,7 @@ type JWTSVIDRequest struct {
 func (x *JWTSVIDRequest) Reset() {
 	*x = JWTSVIDRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[4]
+		mi := &file_workload_proto_msgTypes[6]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -299,7 +385,7 @@ func (x *JWTSVIDRequest) String() string {
 func (*JWTSVIDRequest) ProtoMessage() {}
 
 func (x *JWTSVIDRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[4]
+	mi := &file_workload_proto_msgTypes[6]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -312,7 +398,7 @@ func (x *JWTSVIDRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use JWTSVIDRequest.ProtoReflect.Descriptor instead.
 func (*JWTSVIDRequest) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{4}
+	return file_workload_proto_rawDescGZIP(), []int{6}
 }
 
 func (x *JWTSVIDRequest) GetAudience() []string {
@@ -340,7 +426,7 @@ type JWTSVIDResponse struct {
 func (x *JWTSVIDResponse) Reset() {
 	*x = JWTSVIDResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[5]
+		mi := &file_workload_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -353,7 +439,7 @@ func (x *JWTSVIDResponse) String() string {
 func (*JWTSVIDResponse) ProtoMessage() {}
 
 func (x *JWTSVIDResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[5]
+	mi := &file_workload_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -366,7 +452,7 @@ func (x *JWTSVIDResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use JWTSVIDResponse.ProtoReflect.Descriptor instead.
 func (*JWTSVIDResponse) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{5}
+	return file_workload_proto_rawDescGZIP(), []int{7}
 }
 
 func (x *JWTSVIDResponse) GetSvids() []*JWTSVID {
@@ -385,7 +471,7 @@ type JWTBundlesRequest struct {
 func (x *JWTBundlesRequest) Reset() {
 	*x = JWTBundlesRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[6]
+		mi := &file_workload_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -398,7 +484,7 @@ func (x *JWTBundlesRequest) String() string {
 func (*JWTBundlesRequest) ProtoMessage() {}
 
 func (x *JWTBundlesRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[6]
+	mi := &file_workload_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -411,7 +497,7 @@ func (x *JWTBundlesRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use JWTBundlesRequest.ProtoReflect.Descriptor instead.
 func (*JWTBundlesRequest) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{6}
+	return file_workload_proto_rawDescGZIP(), []int{8}
 }
 
 type JWTBundlesResponse struct {
@@ -426,7 +512,7 @@ type JWTBundlesResponse struct {
 func (x *JWTBundlesResponse) Reset() {
 	*x = JWTBundlesResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[7]
+		mi := &file_workload_proto_msgTypes[9]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -439,7 +525,7 @@ func (x *JWTBundlesResponse) String() string {
 func (*JWTBundlesResponse) ProtoMessage() {}
 
 func (x *JWTBundlesResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[7]
+	mi := &file_workload_proto_msgTypes[9]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -452,7 +538,7 @@ func (x *JWTBundlesResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use JWTBundlesResponse.ProtoReflect.Descriptor instead.
 func (*JWTBundlesResponse) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{7}
+	return file_workload_proto_rawDescGZIP(), []int{9}
 }
 
 func (x *JWTBundlesResponse) GetBundles() map[string][]byte {
@@ -475,7 +561,7 @@ type ValidateJWTSVIDRequest struct {
 func (x *ValidateJWTSVIDRequest) Reset() {
 	*x = ValidateJWTSVIDRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[8]
+		mi := &file_workload_proto_msgTypes[10]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -488,7 +574,7 @@ func (x *ValidateJWTSVIDRequest) String() string {
 func (*ValidateJWTSVIDRequest) ProtoMessage() {}
 
 func (x *ValidateJWTSVIDRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[8]
+	mi := &file_workload_proto_msgTypes[10]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -501,7 +587,7 @@ func (x *ValidateJWTSVIDRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use ValidateJWTSVIDRequest.ProtoReflect.Descriptor instead.
 func (*ValidateJWTSVIDRequest) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{8}
+	return file_workload_proto_rawDescGZIP(), []int{10}
 }
 
 func (x *ValidateJWTSVIDRequest) GetAudience() string {
@@ -530,7 +616,7 @@ type ValidateJWTSVIDResponse struct {
 func (x *ValidateJWTSVIDResponse) Reset() {
 	*x = ValidateJWTSVIDResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_workload_proto_msgTypes[9]
+		mi := &file_workload_proto_msgTypes[11]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -543,7 +629,7 @@ func (x *ValidateJWTSVIDResponse) String() string {
 func (*ValidateJWTSVIDResponse) ProtoMessage() {}
 
 func (x *ValidateJWTSVIDResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_workload_proto_msgTypes[9]
+	mi := &file_workload_proto_msgTypes[11]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -556,7 +642,7 @@ func (x *ValidateJWTSVIDResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use ValidateJWTSVIDResponse.ProtoReflect.Descriptor instead.
 func (*ValidateJWTSVIDResponse) Descriptor() ([]byte, []int) {
-	return file_workload_proto_rawDescGZIP(), []int{9}
+	return file_workload_proto_rawDescGZIP(), []int{11}
 }
 
 func (x *ValidateJWTSVIDResponse) GetSpiffeId() string {
@@ -602,57 +688,71 @@ var file_workload_proto_rawDesc = []byte{
 	0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01,
 	0x28, 0x0c, 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, 0x4b, 0x65, 0x79, 0x12,
 	0x16, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52,
-	0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x3a, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x53, 0x56,
-	0x49, 0x44, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12,
-	0x12, 0x0a, 0x04, 0x73, 0x76, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x73,
-	0x76, 0x69, 0x64, 0x22, 0x49, 0x0a, 0x0e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63,
-	0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63,
-	0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x22, 0x31,
-	0x0a, 0x0f, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x1e, 0x0a, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x08, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x05, 0x73, 0x76, 0x69, 0x64,
-	0x73, 0x22, 0x13, 0x0a, 0x11, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x8c, 0x01, 0x0a, 0x12, 0x4a, 0x57, 0x54, 0x42, 0x75,
-	0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a,
-	0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20,
-	0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x52, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x1a, 0x3a, 0x0a, 0x0c, 0x42, 0x75, 0x6e,
-	0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x48, 0x0a, 0x16, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74,
-	0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
-	0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73,
-	0x76, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x73, 0x76, 0x69, 0x64, 0x22,
-	0x67, 0x0a, 0x17, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56,
-	0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70,
-	0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73,
-	0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d,
-	0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74,
-	0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x32, 0x82, 0x02, 0x0a, 0x11, 0x53, 0x70, 0x69,
-	0x66, 0x66, 0x65, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x50, 0x49, 0x12, 0x31,
-	0x0a, 0x0c, 0x46, 0x65, 0x74, 0x63, 0x68, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x0f,
-	0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x10, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x3c, 0x0a, 0x0f, 0x46, 0x65, 0x74, 0x63, 0x68, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e,
-	0x64, 0x6c, 0x65, 0x73, 0x12, 0x12, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65,
-	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75,
-	0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12,
-	0x44, 0x0a, 0x0f, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56,
-	0x49, 0x44, 0x12, 0x17, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54,
-	0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x56, 0x61,
-	0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35,
-	0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x12, 0x10, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49,
-	0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53,
-	0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x14, 0x0a, 0x12, 0x58, 0x35, 0x30, 0x39, 0x42,
+	0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x8e, 0x01,
+	0x0a, 0x13, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3b, 0x0a, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e,
+	0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x42, 0x75, 0x6e,
+	0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c,
+	0x65, 0x73, 0x1a, 0x3a, 0x0a, 0x0c, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74,
+	0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x3a,
+	0x0a, 0x07, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69,
+	0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70,
+	0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x76, 0x69, 0x64, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x73, 0x76, 0x69, 0x64, 0x22, 0x49, 0x0a, 0x0e, 0x4a, 0x57,
+	0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08,
+	0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08,
+	0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66,
+	0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69,
+	0x66, 0x66, 0x65, 0x49, 0x64, 0x22, 0x31, 0x0a, 0x0f, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x05, 0x73, 0x76, 0x69, 0x64,
+	0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x08, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49,
+	0x44, 0x52, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x22, 0x13, 0x0a, 0x11, 0x4a, 0x57, 0x54, 0x42,
+	0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x8c, 0x01,
+	0x0a, 0x12, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c,
+	0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c,
+	0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73,
+	0x1a, 0x3a, 0x0a, 0x0c, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
+	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
+	0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x48, 0x0a, 0x16,
+	0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e,
+	0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e,
+	0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x76, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x73, 0x76, 0x69, 0x64, 0x22, 0x67, 0x0a, 0x17, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61,
+	0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x2f,
+	0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x32,
+	0xc3, 0x02, 0x0a, 0x11, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
+	0x61, 0x64, 0x41, 0x50, 0x49, 0x12, 0x31, 0x0a, 0x0c, 0x46, 0x65, 0x74, 0x63, 0x68, 0x4a, 0x57,
+	0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x0f, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3c, 0x0a, 0x0f, 0x46, 0x65, 0x74, 0x63,
+	0x68, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x12, 0x12, 0x2e, 0x4a, 0x57,
+	0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x13, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x44, 0x0a, 0x0f, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61,
+	0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x17, 0x2e, 0x56, 0x61, 0x6c, 0x69,
+	0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x18, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54,
+	0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x36, 0x0a, 0x0d,
+	0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x12, 0x10, 0x2e,
+	0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x11, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x30, 0x01, 0x12, 0x3f, 0x0a, 0x10, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30,
+	0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x12, 0x13, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x42,
+	0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e,
+	0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x30, 0x01, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -667,41 +767,47 @@ func file_workload_proto_rawDescGZIP() []byte {
 	return file_workload_proto_rawDescData
 }
 
-var file_workload_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_workload_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
 var file_workload_proto_goTypes = []interface{}{
 	(*X509SVIDRequest)(nil),         // 0: X509SVIDRequest
 	(*X509SVIDResponse)(nil),        // 1: X509SVIDResponse
 	(*X509SVID)(nil),                // 2: X509SVID
-	(*JWTSVID)(nil),                 // 3: JWTSVID
-	(*JWTSVIDRequest)(nil),          // 4: JWTSVIDRequest
-	(*JWTSVIDResponse)(nil),         // 5: JWTSVIDResponse
-	(*JWTBundlesRequest)(nil),       // 6: JWTBundlesRequest
-	(*JWTBundlesResponse)(nil),      // 7: JWTBundlesResponse
-	(*ValidateJWTSVIDRequest)(nil),  // 8: ValidateJWTSVIDRequest
-	(*ValidateJWTSVIDResponse)(nil), // 9: ValidateJWTSVIDResponse
-	nil,                             // 10: X509SVIDResponse.FederatedBundlesEntry
-	nil,                             // 11: JWTBundlesResponse.BundlesEntry
-	(*structpb.Struct)(nil),         // 12: google.protobuf.Struct
+	(*X509BundlesRequest)(nil),      // 3: X509BundlesRequest
+	(*X509BundlesResponse)(nil),     // 4: X509BundlesResponse
+	(*JWTSVID)(nil),                 // 5: JWTSVID
+	(*JWTSVIDRequest)(nil),          // 6: JWTSVIDRequest
+	(*JWTSVIDResponse)(nil),         // 7: JWTSVIDResponse
+	(*JWTBundlesRequest)(nil),       // 8: JWTBundlesRequest
+	(*JWTBundlesResponse)(nil),      // 9: JWTBundlesResponse
+	(*ValidateJWTSVIDRequest)(nil),  // 10: ValidateJWTSVIDRequest
+	(*ValidateJWTSVIDResponse)(nil), // 11: ValidateJWTSVIDResponse
+	nil,                             // 12: X509SVIDResponse.FederatedBundlesEntry
+	nil,                             // 13: X509BundlesResponse.BundlesEntry
+	nil,                             // 14: JWTBundlesResponse.BundlesEntry
+	(*structpb.Struct)(nil),         // 15: google.protobuf.Struct
 }
 var file_workload_proto_depIdxs = []int32{
 	2,  // 0: X509SVIDResponse.svids:type_name -> X509SVID
-	10, // 1: X509SVIDResponse.federated_bundles:type_name -> X509SVIDResponse.FederatedBundlesEntry
-	3,  // 2: JWTSVIDResponse.svids:type_name -> JWTSVID
-	11, // 3: JWTBundlesResponse.bundles:type_name -> JWTBundlesResponse.BundlesEntry
-	12, // 4: ValidateJWTSVIDResponse.claims:type_name -> google.protobuf.Struct
-	4,  // 5: SpiffeWorkloadAPI.FetchJWTSVID:input_type -> JWTSVIDRequest
-	6,  // 6: SpiffeWorkloadAPI.FetchJWTBundles:input_type -> JWTBundlesRequest
-	8,  // 7: SpiffeWorkloadAPI.ValidateJWTSVID:input_type -> ValidateJWTSVIDRequest
-	0,  // 8: SpiffeWorkloadAPI.FetchX509SVID:input_type -> X509SVIDRequest
-	5,  // 9: SpiffeWorkloadAPI.FetchJWTSVID:output_type -> JWTSVIDResponse
-	7,  // 10: SpiffeWorkloadAPI.FetchJWTBundles:output_type -> JWTBundlesResponse
-	9,  // 11: SpiffeWorkloadAPI.ValidateJWTSVID:output_type -> ValidateJWTSVIDResponse
-	1,  // 12: SpiffeWorkloadAPI.FetchX509SVID:output_type -> X509SVIDResponse
-	9,  // [9:13] is the sub-list for method output_type
-	5,  // [5:9] is the sub-list for method input_type
-	5,  // [5:5] is the sub-list for extension type_name
-	5,  // [5:5] is the sub-list for extension extendee
-	0,  // [0:5] is the sub-list for field type_name
+	12, // 1: X509SVIDResponse.federated_bundles:type_name -> X509SVIDResponse.FederatedBundlesEntry
+	13, // 2: X509BundlesResponse.bundles:type_name -> X509BundlesResponse.BundlesEntry
+	5,  // 3: JWTSVIDResponse.svids:type_name -> JWTSVID
+	14, // 4: JWTBundlesResponse.bundles:type_name -> JWTBundlesResponse.BundlesEntry
+	15, // 5: ValidateJWTSVIDResponse.claims:type_name -> google.protobuf.Struct
+	6,  // 6: SpiffeWorkloadAPI.FetchJWTSVID:input_type -> JWTSVIDRequest
+	8,  // 7: SpiffeWorkloadAPI.FetchJWTBundles:input_type -> JWTBundlesRequest
+	10, // 8: SpiffeWorkloadAPI.ValidateJWTSVID:input_type -> ValidateJWTSVIDRequest
+	0,  // 9: SpiffeWorkloadAPI.FetchX509SVID:input_type -> X509SVIDRequest
+	3,  // 10: SpiffeWorkloadAPI.FetchX509Bundles:input_type -> X509BundlesRequest
+	7,  // 11: SpiffeWorkloadAPI.FetchJWTSVID:output_type -> JWTSVIDResponse
+	9,  // 12: SpiffeWorkloadAPI.FetchJWTBundles:output_type -> JWTBundlesResponse
+	11, // 13: SpiffeWorkloadAPI.ValidateJWTSVID:output_type -> ValidateJWTSVIDResponse
+	1,  // 14: SpiffeWorkloadAPI.FetchX509SVID:output_type -> X509SVIDResponse
+	4,  // 15: SpiffeWorkloadAPI.FetchX509Bundles:output_type -> X509BundlesResponse
+	11, // [11:16] is the sub-list for method output_type
+	6,  // [6:11] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
 }
 
 func init() { file_workload_proto_init() }
@@ -747,7 +853,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*JWTSVID); i {
+			switch v := v.(*X509BundlesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -759,7 +865,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*JWTSVIDRequest); i {
+			switch v := v.(*X509BundlesResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -771,7 +877,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*JWTSVIDResponse); i {
+			switch v := v.(*JWTSVID); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -783,7 +889,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*JWTBundlesRequest); i {
+			switch v := v.(*JWTSVIDRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -795,7 +901,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*JWTBundlesResponse); i {
+			switch v := v.(*JWTSVIDResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -807,7 +913,7 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ValidateJWTSVIDRequest); i {
+			switch v := v.(*JWTBundlesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -819,6 +925,30 @@ func file_workload_proto_init() {
 			}
 		}
 		file_workload_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*JWTBundlesResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_workload_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ValidateJWTSVIDRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_workload_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*ValidateJWTSVIDResponse); i {
 			case 0:
 				return &v.state
@@ -837,7 +967,7 @@ func file_workload_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_workload_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   12,
+			NumMessages:   15,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/v2/proto/spiffe/workload/workload.proto b/v2/proto/spiffe/workload/workload.proto
index 44beefee..1dac36e8 100644
--- a/v2/proto/spiffe/workload/workload.proto
+++ b/v2/proto/spiffe/workload/workload.proto
@@ -40,6 +40,13 @@ message X509SVID {
     bytes bundle = 4;
 }
 
+message X509BundlesRequest { }
+
+message X509BundlesResponse {
+    // x509 certificates, keyed by trust domain URI
+    map<string, bytes> bundles = 1;
+}
+
 message JWTSVID {
     string spiffe_id = 1;
 
@@ -89,4 +96,5 @@ service SpiffeWorkloadAPI {
     // well as related information like trust bundles and CRLs. As
     // this information changes, subsequent messages will be sent.
     rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
+    rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
 }
diff --git a/v2/proto/spiffe/workload/workload_grpc.pb.go b/v2/proto/spiffe/workload/workload_grpc.pb.go
index 789c3c17..ebebfa81 100644
--- a/v2/proto/spiffe/workload/workload_grpc.pb.go
+++ b/v2/proto/spiffe/workload/workload_grpc.pb.go
@@ -11,6 +11,7 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
 // SpiffeWorkloadAPIClient is the client API for SpiffeWorkloadAPI service.
@@ -26,6 +27,7 @@ type SpiffeWorkloadAPIClient interface {
 	// well as related information like trust bundles and CRLs. As
 	// this information changes, subsequent messages will be sent.
 	FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509SVIDClient, error)
+	FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509BundlesClient, error)
 }
 
 type spiffeWorkloadAPIClient struct {
@@ -46,7 +48,7 @@ func (c *spiffeWorkloadAPIClient) FetchJWTSVID(ctx context.Context, in *JWTSVIDR
 }
 
 func (c *spiffeWorkloadAPIClient) FetchJWTBundles(ctx context.Context, in *JWTBundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchJWTBundlesClient, error) {
-	stream, err := c.cc.NewStream(ctx, &_SpiffeWorkloadAPI_serviceDesc.Streams[0], "/SpiffeWorkloadAPI/FetchJWTBundles", opts...)
+	stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[0], "/SpiffeWorkloadAPI/FetchJWTBundles", opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -87,7 +89,7 @@ func (c *spiffeWorkloadAPIClient) ValidateJWTSVID(ctx context.Context, in *Valid
 }
 
 func (c *spiffeWorkloadAPIClient) FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509SVIDClient, error) {
-	stream, err := c.cc.NewStream(ctx, &_SpiffeWorkloadAPI_serviceDesc.Streams[1], "/SpiffeWorkloadAPI/FetchX509SVID", opts...)
+	stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[1], "/SpiffeWorkloadAPI/FetchX509SVID", opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -118,6 +120,38 @@ func (x *spiffeWorkloadAPIFetchX509SVIDClient) Recv() (*X509SVIDResponse, error)
 	return m, nil
 }
 
+func (c *spiffeWorkloadAPIClient) FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509BundlesClient, error) {
+	stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[2], "/SpiffeWorkloadAPI/FetchX509Bundles", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &spiffeWorkloadAPIFetchX509BundlesClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type SpiffeWorkloadAPI_FetchX509BundlesClient interface {
+	Recv() (*X509BundlesResponse, error)
+	grpc.ClientStream
+}
+
+type spiffeWorkloadAPIFetchX509BundlesClient struct {
+	grpc.ClientStream
+}
+
+func (x *spiffeWorkloadAPIFetchX509BundlesClient) Recv() (*X509BundlesResponse, error) {
+	m := new(X509BundlesResponse)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
 // SpiffeWorkloadAPIServer is the server API for SpiffeWorkloadAPI service.
 // All implementations must embed UnimplementedSpiffeWorkloadAPIServer
 // for forward compatibility
@@ -131,6 +165,7 @@ type SpiffeWorkloadAPIServer interface {
 	// well as related information like trust bundles and CRLs. As
 	// this information changes, subsequent messages will be sent.
 	FetchX509SVID(*X509SVIDRequest, SpiffeWorkloadAPI_FetchX509SVIDServer) error
+	FetchX509Bundles(*X509BundlesRequest, SpiffeWorkloadAPI_FetchX509BundlesServer) error
 	mustEmbedUnimplementedSpiffeWorkloadAPIServer()
 }
 
@@ -150,6 +185,9 @@ func (UnimplementedSpiffeWorkloadAPIServer) ValidateJWTSVID(context.Context, *Va
 func (UnimplementedSpiffeWorkloadAPIServer) FetchX509SVID(*X509SVIDRequest, SpiffeWorkloadAPI_FetchX509SVIDServer) error {
 	return status.Errorf(codes.Unimplemented, "method FetchX509SVID not implemented")
 }
+func (UnimplementedSpiffeWorkloadAPIServer) FetchX509Bundles(*X509BundlesRequest, SpiffeWorkloadAPI_FetchX509BundlesServer) error {
+	return status.Errorf(codes.Unimplemented, "method FetchX509Bundles not implemented")
+}
 func (UnimplementedSpiffeWorkloadAPIServer) mustEmbedUnimplementedSpiffeWorkloadAPIServer() {}
 
 // UnsafeSpiffeWorkloadAPIServer may be embedded to opt out of forward compatibility for this service.
@@ -160,7 +198,7 @@ type UnsafeSpiffeWorkloadAPIServer interface {
 }
 
 func RegisterSpiffeWorkloadAPIServer(s grpc.ServiceRegistrar, srv SpiffeWorkloadAPIServer) {
-	s.RegisterService(&_SpiffeWorkloadAPI_serviceDesc, srv)
+	s.RegisterService(&SpiffeWorkloadAPI_ServiceDesc, srv)
 }
 
 func _SpiffeWorkloadAPI_FetchJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
@@ -241,7 +279,31 @@ func (x *spiffeWorkloadAPIFetchX509SVIDServer) Send(m *X509SVIDResponse) error {
 	return x.ServerStream.SendMsg(m)
 }
 
-var _SpiffeWorkloadAPI_serviceDesc = grpc.ServiceDesc{
+func _SpiffeWorkloadAPI_FetchX509Bundles_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(X509BundlesRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(SpiffeWorkloadAPIServer).FetchX509Bundles(m, &spiffeWorkloadAPIFetchX509BundlesServer{stream})
+}
+
+type SpiffeWorkloadAPI_FetchX509BundlesServer interface {
+	Send(*X509BundlesResponse) error
+	grpc.ServerStream
+}
+
+type spiffeWorkloadAPIFetchX509BundlesServer struct {
+	grpc.ServerStream
+}
+
+func (x *spiffeWorkloadAPIFetchX509BundlesServer) Send(m *X509BundlesResponse) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+// SpiffeWorkloadAPI_ServiceDesc is the grpc.ServiceDesc for SpiffeWorkloadAPI service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SpiffeWorkloadAPI_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "SpiffeWorkloadAPI",
 	HandlerType: (*SpiffeWorkloadAPIServer)(nil),
 	Methods: []grpc.MethodDesc{
@@ -265,6 +327,11 @@ var _SpiffeWorkloadAPI_serviceDesc = grpc.ServiceDesc{
 			Handler:       _SpiffeWorkloadAPI_FetchX509SVID_Handler,
 			ServerStreams: true,
 		},
+		{
+			StreamName:    "FetchX509Bundles",
+			Handler:       _SpiffeWorkloadAPI_FetchX509Bundles_Handler,
+			ServerStreams: true,
+		},
 	},
 	Metadata: "workload.proto",
 }