From 68c031693f52907d0735bdd27601ba251738a085 Mon Sep 17 00:00:00 2001 From: Raphael Campos Date: Tue, 17 Aug 2021 16:46:35 -0300 Subject: [PATCH] proto/agent: add Delegated Identity API (#8) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add proto definitions for new Delegated Identity API. This API includes two rpcs: SubscribeToX509SVIDs and SubscribeToX509Bundles. The SubscribeToX509SVIDs rpc allows a privileged client to get X509-SVIDs for a given workload. This method uses a directional gRPC stream. The request is used to subscribe a workload, and the response (stream from server to client) is used to send SVID updates (for the subscribed workload). The client subscription is based on the workload's selectors. X509-SVIDs for registration entries matching *all* the passed selectors are returned. The SubscribeToX509Bundles rpc streams get local and all federated bundles. Co-authored-by: Mauricio Vásquez Co-authored-by: Raphael Campos Co-authored-by: Thiago Navarro Signed-off-by: Mauricio Vásquez Signed-off-by: Raphael Campos Signed-off-by: Thiago Navarro --- Makefile | 1 + .../v1/delegatedidentity.pb.go | 491 ++++++++++++++++++ .../v1/delegatedidentity.proto | 60 +++ .../v1/delegatedidentity_grpc.pb.go | 195 +++++++ 4 files changed, 747 insertions(+) create mode 100644 proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.pb.go create mode 100644 proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto create mode 100644 proto/spire/api/agent/delegatedidentity/v1/delegatedidentity_grpc.pb.go diff --git a/Makefile b/Makefile index f79a383..5272bbc 100644 --- a/Makefile +++ b/Makefile @@ -24,6 +24,7 @@ protos := \ apiprotos := \ proto/spire/api/agent/debug/v1/debug.proto \ + proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto \ proto/spire/api/server/agent/v1/agent.proto \ proto/spire/api/server/bundle/v1/bundle.proto \ proto/spire/api/server/debug/v1/debug.proto \ 
diff --git a/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.pb.go b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.pb.go new file mode 100644 index 0000000..29d4a74 --- /dev/null +++ b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.pb.go 
@@ -0,0 +1,491 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.14.0 +// source: spire/api/agent/delegatedidentity/v1/delegatedidentity.proto + +package delegatedidentityv1 + +import ( + proto "github.com/golang/protobuf/proto" + types "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// X.509 SPIFFE Verifiable Identity Document with the private key. +type X509SVIDWithKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The workload X509-SVID. + X509Svid *types.X509SVID `protobuf:"bytes,1,opt,name=x509_svid,json=x509Svid,proto3" json:"x509_svid,omitempty"` + // Private key (encoding DER PKCS#8). 
+ X509SvidKey []byte `protobuf:"bytes,2,opt,name=x509_svid_key,json=x509SvidKey,proto3" json:"x509_svid_key,omitempty"` +} + +func (x *X509SVIDWithKey) Reset() { + *x = X509SVIDWithKey{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *X509SVIDWithKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*X509SVIDWithKey) ProtoMessage() {} + +func (x *X509SVIDWithKey) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use X509SVIDWithKey.ProtoReflect.Descriptor instead. +func (*X509SVIDWithKey) Descriptor() ([]byte, []int) { + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP(), []int{0} +} + +func (x *X509SVIDWithKey) GetX509Svid() *types.X509SVID { + if x != nil { + return x.X509Svid + } + return nil +} + +func (x *X509SVIDWithKey) GetX509SvidKey() []byte { + if x != nil { + return x.X509SvidKey + } + return nil +} + +// SubscribeToX509SVIDsRequest is used by clients to subscribe the set of SVIDs that +// any given workload is entitled to. Clients subscribe to a workload's SVIDs by providing +// a set of selectors describing the workload. +type SubscribeToX509SVIDsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required. Selectors describing the workload to subscribe to. 
+ Selectors []*types.Selector `protobuf:"bytes,1,rep,name=selectors,proto3" json:"selectors,omitempty"` +} + +func (x *SubscribeToX509SVIDsRequest) Reset() { + *x = SubscribeToX509SVIDsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToX509SVIDsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509SVIDsRequest) ProtoMessage() {} + +func (x *SubscribeToX509SVIDsRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509SVIDsRequest.ProtoReflect.Descriptor instead. +func (*SubscribeToX509SVIDsRequest) Descriptor() ([]byte, []int) { + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP(), []int{1} +} + +func (x *SubscribeToX509SVIDsRequest) GetSelectors() []*types.Selector { + if x != nil { + return x.Selectors + } + return nil +} + +type SubscribeToX509SVIDsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + X509Svids []*X509SVIDWithKey `protobuf:"bytes,1,rep,name=x509_svids,json=x509Svids,proto3" json:"x509_svids,omitempty"` + // Names of the trust domains that this workload should federates with. 
+ FederatesWith []string `protobuf:"bytes,2,rep,name=federates_with,json=federatesWith,proto3" json:"federates_with,omitempty"` +} + +func (x *SubscribeToX509SVIDsResponse) Reset() { + *x = SubscribeToX509SVIDsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToX509SVIDsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509SVIDsResponse) ProtoMessage() {} + +func (x *SubscribeToX509SVIDsResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509SVIDsResponse.ProtoReflect.Descriptor instead. 
+func (*SubscribeToX509SVIDsResponse) Descriptor() ([]byte, []int) { + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP(), []int{2} +} + +func (x *SubscribeToX509SVIDsResponse) GetX509Svids() []*X509SVIDWithKey { + if x != nil { + return x.X509Svids + } + return nil +} + +func (x *SubscribeToX509SVIDsResponse) GetFederatesWith() []string { + if x != nil { + return x.FederatesWith + } + return nil +} + +type SubscribeToX509BundlesRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *SubscribeToX509BundlesRequest) Reset() { + *x = SubscribeToX509BundlesRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToX509BundlesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509BundlesRequest) ProtoMessage() {} + +func (x *SubscribeToX509BundlesRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509BundlesRequest.ProtoReflect.Descriptor instead. +func (*SubscribeToX509BundlesRequest) Descriptor() ([]byte, []int) { + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP(), []int{3} +} + +// SubscribeToX509BundlesResponse contains all bundles that the agent is tracking, +// including the local bundle. When an update occurs, or bundles are added or removed, +// a new response with the full set of bundles is sent. 
+type SubscribeToX509BundlesResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // A map keyed by trust domain name, with ASN.1 DER-encoded + // X.509 CA certificates as the values + CaCertificates map[string][]byte `protobuf:"bytes,1,rep,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *SubscribeToX509BundlesResponse) Reset() { + *x = SubscribeToX509BundlesResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToX509BundlesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509BundlesResponse) ProtoMessage() {} + +func (x *SubscribeToX509BundlesResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509BundlesResponse.ProtoReflect.Descriptor instead. 
+func (*SubscribeToX509BundlesResponse) Descriptor() ([]byte, []int) { + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP(), []int{4} +} + +func (x *SubscribeToX509BundlesResponse) GetCaCertificates() map[string][]byte { + if x != nil { + return x.CaCertificates + } + return nil +} + +var File_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto protoreflect.FileDescriptor + +var file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDesc = []byte{ + 0x0a, 0x3c, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x67, 0x65, 0x6e, + 0x74, 0x2f, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x24, + 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, + 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x78, 0x35, 0x30, 0x39, 0x73, 0x76, 0x69, 0x64, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x6d, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, + 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12, 0x36, 0x0a, 0x09, 0x78, 0x35, 0x30, 0x39, 0x5f, + 0x73, 0x76, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, + 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x58, 0x35, 0x30, + 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x08, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, 0x12, + 0x22, 0x0a, 
0x0d, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, + 0x4b, 0x65, 0x79, 0x22, 0x56, 0x0a, 0x1b, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, + 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x37, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, + 0x69, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x52, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x22, 0x9b, 0x01, 0x0a, 0x1c, + 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x53, + 0x56, 0x49, 0x44, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x54, 0x0a, 0x0a, + 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x35, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, + 0x6e, 0x74, 0x2e, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, + 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, + 0x64, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x5f, + 0x77, 0x69, 0x74, 0x68, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x66, 0x65, 0x64, 0x65, + 0x72, 0x61, 0x74, 0x65, 0x73, 0x57, 0x69, 0x74, 0x68, 0x22, 0x1f, 0x0a, 0x1d, 0x53, 0x75, 0x62, + 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xe7, 0x01, 0x0a, 0x1e, 0x53, + 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 
0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x81, 0x01, + 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x58, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, + 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, + 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, + 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x61, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x73, 0x1a, 0x41, 0x0a, 0x13, 0x43, 0x61, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x3a, 0x02, 0x38, 0x01, 0x32, 0xdd, 0x02, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, + 0x65, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x9f, 0x01, 0x0a, 0x14, 0x53, + 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, + 0x49, 0x44, 0x73, 0x12, 0x41, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, + 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, + 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 
0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x42, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, + 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, + 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, + 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, + 0x44, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0xa5, 0x01, 0x0a, + 0x16, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, + 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x12, 0x43, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, + 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, + 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, + 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x44, 0x2e, 0x73, + 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x64, + 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x58, + 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x30, 0x01, 0x42, 0x60, 0x5a, 0x5e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, + 0x61, 0x70, 0x69, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, + 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x64, 0x65, + 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, + 0x76, 0x31, 0x3b, 0x64, 
0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x64, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescOnce sync.Once + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescData = file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDesc +) + +func file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescGZIP() []byte { + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescOnce.Do(func() { + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescData = protoimpl.X.CompressGZIP(file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescData) + }) + return file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDescData +} + +var file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_goTypes = []interface{}{ + (*X509SVIDWithKey)(nil), // 0: spire.api.agent.delegatedidentity.v1.X509SVIDWithKey + (*SubscribeToX509SVIDsRequest)(nil), // 1: spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsRequest + (*SubscribeToX509SVIDsResponse)(nil), // 2: spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsResponse + (*SubscribeToX509BundlesRequest)(nil), // 3: spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesRequest + (*SubscribeToX509BundlesResponse)(nil), // 4: spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesResponse + nil, // 5: spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesResponse.CaCertificatesEntry + (*types.X509SVID)(nil), // 6: spire.api.types.X509SVID + (*types.Selector)(nil), // 7: spire.api.types.Selector +} +var file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_depIdxs = []int32{ + 6, // 0: 
spire.api.agent.delegatedidentity.v1.X509SVIDWithKey.x509_svid:type_name -> spire.api.types.X509SVID + 7, // 1: spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsRequest.selectors:type_name -> spire.api.types.Selector + 0, // 2: spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsResponse.x509_svids:type_name -> spire.api.agent.delegatedidentity.v1.X509SVIDWithKey + 5, // 3: spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesResponse.ca_certificates:type_name -> spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesResponse.CaCertificatesEntry + 1, // 4: spire.api.agent.delegatedidentity.v1.DelegatedIdentity.SubscribeToX509SVIDs:input_type -> spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsRequest + 3, // 5: spire.api.agent.delegatedidentity.v1.DelegatedIdentity.SubscribeToX509Bundles:input_type -> spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesRequest + 2, // 6: spire.api.agent.delegatedidentity.v1.DelegatedIdentity.SubscribeToX509SVIDs:output_type -> spire.api.agent.delegatedidentity.v1.SubscribeToX509SVIDsResponse + 4, // 7: spire.api.agent.delegatedidentity.v1.DelegatedIdentity.SubscribeToX509Bundles:output_type -> spire.api.agent.delegatedidentity.v1.SubscribeToX509BundlesResponse + 6, // [6:8] is the sub-list for method output_type + 4, // [4:6] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_init() } +func file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_init() { + if File_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*X509SVIDWithKey); i { + case 0: + 
return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToX509SVIDsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToX509SVIDsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToX509BundlesRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToX509BundlesResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDesc, + NumEnums: 0, + NumMessages: 6, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_goTypes, + DependencyIndexes: file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_depIdxs, + MessageInfos: file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_msgTypes, + }.Build() + 
File_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto = out.File + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_rawDesc = nil + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_goTypes = nil + file_spire_api_agent_delegatedidentity_v1_delegatedidentity_proto_depIdxs = nil +} diff --git a/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto new file mode 100644 index 0000000..6be0844 --- /dev/null +++ b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto 
@@ -0,0 +1,60 @@
+syntax = "proto3";
+package spire.api.agent.delegatedidentity.v1;
+option go_package = "github.com/spiffe/spire-api-sdk/proto/spire/api/agent/delegatedidentity/v1;delegatedidentityv1";
+
+import "spire/api/types/selector.proto";
+import "spire/api/types/x509svid.proto";
+
+// The delegatedIdentity service provides an interface to get the SVIDs of other
+// workloads on the host. This service is intended for use cases where a process
+// (different than the workload one) should access the workload's SVID to
+// perform actions on behalf of the workload. One example of is using a single
+// node instance of Envoy that upgrades TCP connections for different processes
+// running in such a node.
+//
+// The caller must be local and its identity must be listed in the allowed
+// clients on the spire-agent configuration.
+service DelegatedIdentity {
+ // Subscribe to get X.509-SVIDs for workloads that match the given selectors.
+ // The lifetime of the subscription aligns to the lifetime of the stream.
+ rpc SubscribeToX509SVIDs(SubscribeToX509SVIDsRequest) returns (stream SubscribeToX509SVIDsResponse);
+
+ // Subscribe to get local and all federated bundles.
+ // The lifetime of the subscription aligns to the lifetime of the stream.
+ rpc SubscribeToX509Bundles(SubscribeToX509BundlesRequest) returns (stream SubscribeToX509BundlesResponse);
+}
+
+// X.509 SPIFFE Verifiable Identity Document with the private key.
+message X509SVIDWithKey {
+ // The workload X509-SVID.
+ spire.api.types.X509SVID x509_svid = 1;
+
+ // Private key (encoding DER PKCS#8).
+ bytes x509_svid_key = 2;
+}
+
+// SubscribeToX509SVIDsRequest is used by clients to subscribe the set of SVIDs that
+// any given workload is entitled to. Clients subscribe to a workload's SVIDs by providing
+// a set of selectors describing the workload.
+message SubscribeToX509SVIDsRequest {
+ // Required. Selectors describing the workload to subscribe to.
+ repeated spire.api.types.Selector selectors = 1;
+}
+
+message SubscribeToX509SVIDsResponse {
+ repeated X509SVIDWithKey x509_svids = 1;
+
+ // Names of the trust domains that this workload should federates with.
+ repeated string federates_with = 2;
+}
+
+message SubscribeToX509BundlesRequest {}
+
+// SubscribeToX509BundlesResponse contains all bundles that the agent is tracking,
+// including the local bundle. When an update occurs, or bundles are added or removed,
+// a new response with the full set of bundles is sent.
+message SubscribeToX509BundlesResponse {
+ // A map keyed by trust domain name, with ASN.1 DER-encoded
+ // X.509 CA certificates as the values
+ map ca_certificates = 1;
+}
diff --git a/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity_grpc.pb.go b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity_grpc.pb.go
new file mode 100644
index 0000000..add6924
--- /dev/null
+++ b/proto/spire/api/agent/delegatedidentity/v1/delegatedidentity_grpc.pb.go
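Review bot: `SubscribeToX509SVIDsResponse` never states whether each stream message carries the complete set of SVIDs the subscribed workload is entitled to or only the entries that changed, while `SubscribeToX509BundlesResponse` documents its full-set semantics explicitly; a client that treats a delta as the full set would drop still-valid SVIDs and the reverse would keep stale ones, so the same sentence belongs on the SVIDs message and on its undocumented `x509_svids` field, e.g. `// X509-SVIDs (with private keys) the workload is entitled to. Every response carries the full current set.` if that is what the agent sends. `SubscribeToX509SVIDsRequest.selectors` is marked Required but the behaviour for an empty list is unspecified; since the commit message says entries matching *all* selectors are returned, the field comment should state that an empty list is rejected (presumably InvalidArgument) rather than vacuously matching every entry. On `x509_svid_key`, which carries private key material, `// Private key of the X509-SVID, DER-encoded PKCS#8.` reads more precisely than the current wording. Two typos in the same hunk: `// Names of the trust domains that this workload should federate with.` and `One example is using a single` in the service comment.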
@@ -0,0 +1,195 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package delegatedidentityv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// DelegatedIdentityClient is the client API for DelegatedIdentity service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type DelegatedIdentityClient interface { + // Subscribe to get X.509-SVIDs for workloads that match the given selectors. + // The lifetime of the subscription aligns to the lifetime of the stream. + SubscribeToX509SVIDs(ctx context.Context, in *SubscribeToX509SVIDsRequest, opts ...grpc.CallOption) (DelegatedIdentity_SubscribeToX509SVIDsClient, error) + // Subscribe to get local and all federated bundles. + // The lifetime of the subscription aligns to the lifetime of the stream. + SubscribeToX509Bundles(ctx context.Context, in *SubscribeToX509BundlesRequest, opts ...grpc.CallOption) (DelegatedIdentity_SubscribeToX509BundlesClient, error) +} + +type delegatedIdentityClient struct { + cc grpc.ClientConnInterface +} + +func NewDelegatedIdentityClient(cc grpc.ClientConnInterface) DelegatedIdentityClient { + return &delegatedIdentityClient{cc} +} + +func (c *delegatedIdentityClient) SubscribeToX509SVIDs(ctx context.Context, in *SubscribeToX509SVIDsRequest, opts ...grpc.CallOption) (DelegatedIdentity_SubscribeToX509SVIDsClient, error) { + stream, err := c.cc.NewStream(ctx, &_DelegatedIdentity_serviceDesc.Streams[0], "/spire.api.agent.delegatedidentity.v1.DelegatedIdentity/SubscribeToX509SVIDs", opts...) 
+ if err != nil { + return nil, err + } + x := &delegatedIdentitySubscribeToX509SVIDsClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type DelegatedIdentity_SubscribeToX509SVIDsClient interface { + Recv() (*SubscribeToX509SVIDsResponse, error) + grpc.ClientStream +} + +type delegatedIdentitySubscribeToX509SVIDsClient struct { + grpc.ClientStream +} + +func (x *delegatedIdentitySubscribeToX509SVIDsClient) Recv() (*SubscribeToX509SVIDsResponse, error) { + m := new(SubscribeToX509SVIDsResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +func (c *delegatedIdentityClient) SubscribeToX509Bundles(ctx context.Context, in *SubscribeToX509BundlesRequest, opts ...grpc.CallOption) (DelegatedIdentity_SubscribeToX509BundlesClient, error) { + stream, err := c.cc.NewStream(ctx, &_DelegatedIdentity_serviceDesc.Streams[1], "/spire.api.agent.delegatedidentity.v1.DelegatedIdentity/SubscribeToX509Bundles", opts...) + if err != nil { + return nil, err + } + x := &delegatedIdentitySubscribeToX509BundlesClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type DelegatedIdentity_SubscribeToX509BundlesClient interface { + Recv() (*SubscribeToX509BundlesResponse, error) + grpc.ClientStream +} + +type delegatedIdentitySubscribeToX509BundlesClient struct { + grpc.ClientStream +} + +func (x *delegatedIdentitySubscribeToX509BundlesClient) Recv() (*SubscribeToX509BundlesResponse, error) { + m := new(SubscribeToX509BundlesResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// DelegatedIdentityServer is the server API for DelegatedIdentity service. 
+// All implementations must embed UnimplementedDelegatedIdentityServer +// for forward compatibility +type DelegatedIdentityServer interface { + // Subscribe to get X.509-SVIDs for workloads that match the given selectors. + // The lifetime of the subscription aligns to the lifetime of the stream. + SubscribeToX509SVIDs(*SubscribeToX509SVIDsRequest, DelegatedIdentity_SubscribeToX509SVIDsServer) error + // Subscribe to get local and all federated bundles. + // The lifetime of the subscription aligns to the lifetime of the stream. + SubscribeToX509Bundles(*SubscribeToX509BundlesRequest, DelegatedIdentity_SubscribeToX509BundlesServer) error + mustEmbedUnimplementedDelegatedIdentityServer() +} + +// UnimplementedDelegatedIdentityServer must be embedded to have forward compatible implementations. +type UnimplementedDelegatedIdentityServer struct { +} + +func (UnimplementedDelegatedIdentityServer) SubscribeToX509SVIDs(*SubscribeToX509SVIDsRequest, DelegatedIdentity_SubscribeToX509SVIDsServer) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToX509SVIDs not implemented") +} +func (UnimplementedDelegatedIdentityServer) SubscribeToX509Bundles(*SubscribeToX509BundlesRequest, DelegatedIdentity_SubscribeToX509BundlesServer) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToX509Bundles not implemented") +} +func (UnimplementedDelegatedIdentityServer) mustEmbedUnimplementedDelegatedIdentityServer() {} + +// UnsafeDelegatedIdentityServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to DelegatedIdentityServer will +// result in compilation errors. 
+type UnsafeDelegatedIdentityServer interface { + mustEmbedUnimplementedDelegatedIdentityServer() +} + +func RegisterDelegatedIdentityServer(s grpc.ServiceRegistrar, srv DelegatedIdentityServer) { + s.RegisterService(&_DelegatedIdentity_serviceDesc, srv) +} + +func _DelegatedIdentity_SubscribeToX509SVIDs_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToX509SVIDsRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(DelegatedIdentityServer).SubscribeToX509SVIDs(m, &delegatedIdentitySubscribeToX509SVIDsServer{stream}) +} + +type DelegatedIdentity_SubscribeToX509SVIDsServer interface { + Send(*SubscribeToX509SVIDsResponse) error + grpc.ServerStream +} + +type delegatedIdentitySubscribeToX509SVIDsServer struct { + grpc.ServerStream +} + +func (x *delegatedIdentitySubscribeToX509SVIDsServer) Send(m *SubscribeToX509SVIDsResponse) error { + return x.ServerStream.SendMsg(m) +} + +func _DelegatedIdentity_SubscribeToX509Bundles_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToX509BundlesRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(DelegatedIdentityServer).SubscribeToX509Bundles(m, &delegatedIdentitySubscribeToX509BundlesServer{stream}) +} + +type DelegatedIdentity_SubscribeToX509BundlesServer interface { + Send(*SubscribeToX509BundlesResponse) error + grpc.ServerStream +} + +type delegatedIdentitySubscribeToX509BundlesServer struct { + grpc.ServerStream +} + +func (x *delegatedIdentitySubscribeToX509BundlesServer) Send(m *SubscribeToX509BundlesResponse) error { + return x.ServerStream.SendMsg(m) +} + +var _DelegatedIdentity_serviceDesc = grpc.ServiceDesc{ + ServiceName: "spire.api.agent.delegatedidentity.v1.DelegatedIdentity", + HandlerType: (*DelegatedIdentityServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "SubscribeToX509SVIDs", + Handler: _DelegatedIdentity_SubscribeToX509SVIDs_Handler, + 
ServerStreams: true, + }, + { + StreamName: "SubscribeToX509Bundles", + Handler: _DelegatedIdentity_SubscribeToX509Bundles_Handler, + ServerStreams: true, + }, + }, + Metadata: "spire/api/agent/delegatedidentity/v1/delegatedidentity.proto", +}