From 6bf962afad3932f53b2c14d5d3a02222e378e8f3 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Tue, 27 May 2025 10:39:07 +0100
Subject: [PATCH] Add method to stream local bundle updates

Signed-off-by: Sorin Dumitru
---
 .../v1/upstreamauthority.pb.go | 250 ++++++++++++++----
 .../v1/upstreamauthority.proto | 19 ++
 .../v1/upstreamauthority_grpc.pb.go | 77 ++++++
 3 files changed, 296 insertions(+), 50 deletions(-)

diff --git a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.pb.go b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.pb.go
index 9f0b89e..1509e9d 100644
--- a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.pb.go
+++ b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.pb.go
@@ -236,6 +236,101 @@ func (x *PublishJWTKeyResponse) GetUpstreamJwtKeys() []*types.JWTKey { return nil } +type SubscribeToLocalBundleRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *SubscribeToLocalBundleRequest) Reset() { + *x = SubscribeToLocalBundleRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToLocalBundleRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToLocalBundleRequest) ProtoMessage() {} + +func (x *SubscribeToLocalBundleRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToLocalBundleRequest.ProtoReflect.Descriptor instead. +func (*SubscribeToLocalBundleRequest) Descriptor() ([]byte, []int) { + return file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDescGZIP(), []int{4} +} + +type SubscribeToLocalBundleResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required. The trusted X.509 root authorities for the upstream authority. + UpstreamX509Roots []*types.X509Certificate `protobuf:"bytes,1,rep,name=upstream_x509_roots,json=upstreamX509Roots,proto3" json:"upstream_x509_roots,omitempty"` + // Required. The upstream JWT signing keys. 
+ UpstreamJwtKeys []*types.JWTKey `protobuf:"bytes,2,rep,name=upstream_jwt_keys,json=upstreamJwtKeys,proto3" json:"upstream_jwt_keys,omitempty"` +} + +func (x *SubscribeToLocalBundleResponse) Reset() { + *x = SubscribeToLocalBundleResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubscribeToLocalBundleResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToLocalBundleResponse) ProtoMessage() {} + +func (x *SubscribeToLocalBundleResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToLocalBundleResponse.ProtoReflect.Descriptor instead. +func (*SubscribeToLocalBundleResponse) Descriptor() ([]byte, []int) { + return file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDescGZIP(), []int{5} +} + +func (x *SubscribeToLocalBundleResponse) GetUpstreamX509Roots() []*types.X509Certificate { + if x != nil { + return x.UpstreamX509Roots + } + return nil +} + +func (x *SubscribeToLocalBundleResponse) GetUpstreamJwtKeys() []*types.JWTKey { + if x != nil { + return x.UpstreamJwtKeys + } + return nil +} + var File_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto protoreflect.FileDescriptor var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDesc = []byte{ 
@@ -277,35 +372,60 @@ var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDes 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4a, - 0x77, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x32, 0xcc, 0x02, 0x0a, 0x11, 0x55, 0x70, 0x73, 0x74, 0x72, - 0x65, 0x61, 0x6d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x95, 0x01, 0x0a, - 0x16, 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x41, 0x6e, 0x64, 0x53, 0x75, - 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x12, 0x3b, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, - 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, - 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, - 0x76, 0x31, 0x2e, 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, - 0x67, 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, - 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, - 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x30, 0x01, 0x12, 0x9e, 0x01, 0x0a, 0x19, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, - 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x41, 0x6e, 0x64, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, - 0x62, 0x65, 0x12, 0x3e, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, - 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4a, 
0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x3f, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, - 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x67, 0x5a, 0x65, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, - 0x2d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x73, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x70, 0x73, 0x74, 0x72, - 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x77, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x22, 0x1f, 0x0a, 0x1d, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, + 0x69, 0x62, 0x65, 0x54, 0x6f, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbd, 0x01, 0x0a, 0x1e, 0x53, 0x75, 0x62, 0x73, + 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x6e, 0x64, + 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x53, 0x0a, 0x13, 0x75, 0x70, + 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x72, 0x6f, 0x6f, 0x74, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, + 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x58, 0x35, 0x30, + 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x11, 0x75, 0x70, + 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x58, 0x35, 0x30, 0x39, 0x52, 0x6f, 0x6f, 0x74, 0x73, 0x12, + 0x46, 0x0a, 0x11, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x6a, 0x77, 0x74, 0x5f, + 0x6b, 0x65, 0x79, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x73, 0x70, 0x69, + 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, + 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, + 0x4a, 0x77, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x32, 0xfc, 0x03, 0x0a, 0x11, 0x55, 0x70, 0x73, 0x74, + 0x72, 0x65, 0x61, 0x6d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x95, 0x01, + 0x0a, 0x16, 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x41, 0x6e, 0x64, 0x53, + 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x12, 0x3b, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, + 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, + 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, + 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, + 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, + 0x2e, 0x4d, 0x69, 0x6e, 0x74, 0x58, 0x35, 0x30, 0x39, 0x43, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x9e, 0x01, 0x0a, 0x19, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x73, + 0x68, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x41, 0x6e, 0x64, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, + 0x69, 0x62, 0x65, 0x12, 0x3e, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, + 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 
0x73, 0x74, 0x72, 0x65, + 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x3f, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, + 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, + 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0xad, 0x01, 0x0a, 0x16, 0x53, 0x75, 0x62, 0x73, 0x63, + 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x6e, 0x64, 0x6c, + 0x65, 0x12, 0x47, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, + 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, + 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, + 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, 0x6f, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x6e, + 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x48, 0x2e, 0x73, 0x70, 0x69, + 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x2e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x54, + 0x6f, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x67, 0x5a, 0x65, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, + 0x65, 0x2d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 
0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x61, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x70, 0x73, 0x74, + 0x72, 0x65, 0x61, 0x6d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -320,29 +440,35 @@ func file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDe return file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDescData } -var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_goTypes = []interface{}{ - (*MintX509CARequest)(nil), // 0: spire.plugin.server.upstreamauthority.v1.MintX509CARequest - (*MintX509CAResponse)(nil), // 1: spire.plugin.server.upstreamauthority.v1.MintX509CAResponse - (*PublishJWTKeyRequest)(nil), // 2: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest - (*PublishJWTKeyResponse)(nil), // 3: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse - (*types.X509Certificate)(nil), // 4: spire.plugin.types.X509Certificate - (*types.JWTKey)(nil), // 5: spire.plugin.types.JWTKey + (*MintX509CARequest)(nil), // 0: spire.plugin.server.upstreamauthority.v1.MintX509CARequest + (*MintX509CAResponse)(nil), // 1: spire.plugin.server.upstreamauthority.v1.MintX509CAResponse + (*PublishJWTKeyRequest)(nil), // 2: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest + (*PublishJWTKeyResponse)(nil), // 3: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse + (*SubscribeToLocalBundleRequest)(nil), // 4: spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleRequest + (*SubscribeToLocalBundleResponse)(nil), // 5: spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleResponse + (*types.X509Certificate)(nil), // 6: spire.plugin.types.X509Certificate + (*types.JWTKey)(nil), // 7: spire.plugin.types.JWTKey } var file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_depIdxs = []int32{ - 4, // 0: 
spire.plugin.server.upstreamauthority.v1.MintX509CAResponse.x509_ca_chain:type_name -> spire.plugin.types.X509Certificate - 4, // 1: spire.plugin.server.upstreamauthority.v1.MintX509CAResponse.upstream_x509_roots:type_name -> spire.plugin.types.X509Certificate - 5, // 2: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest.jwt_key:type_name -> spire.plugin.types.JWTKey - 5, // 3: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse.upstream_jwt_keys:type_name -> spire.plugin.types.JWTKey - 0, // 4: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.MintX509CAAndSubscribe:input_type -> spire.plugin.server.upstreamauthority.v1.MintX509CARequest - 2, // 5: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.PublishJWTKeyAndSubscribe:input_type -> spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest - 1, // 6: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.MintX509CAAndSubscribe:output_type -> spire.plugin.server.upstreamauthority.v1.MintX509CAResponse - 3, // 7: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.PublishJWTKeyAndSubscribe:output_type -> spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse - 6, // [6:8] is the sub-list for method output_type - 4, // [4:6] is the sub-list for method input_type - 4, // [4:4] is the sub-list for extension type_name - 4, // [4:4] is the sub-list for extension extendee - 0, // [0:4] is the sub-list for field type_name + 6, // 0: spire.plugin.server.upstreamauthority.v1.MintX509CAResponse.x509_ca_chain:type_name -> spire.plugin.types.X509Certificate + 6, // 1: spire.plugin.server.upstreamauthority.v1.MintX509CAResponse.upstream_x509_roots:type_name -> spire.plugin.types.X509Certificate + 7, // 2: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest.jwt_key:type_name -> spire.plugin.types.JWTKey + 7, // 3: spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse.upstream_jwt_keys:type_name -> spire.plugin.types.JWTKey + 6, // 4: 
spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleResponse.upstream_x509_roots:type_name -> spire.plugin.types.X509Certificate + 7, // 5: spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleResponse.upstream_jwt_keys:type_name -> spire.plugin.types.JWTKey + 0, // 6: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.MintX509CAAndSubscribe:input_type -> spire.plugin.server.upstreamauthority.v1.MintX509CARequest + 2, // 7: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.PublishJWTKeyAndSubscribe:input_type -> spire.plugin.server.upstreamauthority.v1.PublishJWTKeyRequest + 4, // 8: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.SubscribeToLocalBundle:input_type -> spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleRequest + 1, // 9: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.MintX509CAAndSubscribe:output_type -> spire.plugin.server.upstreamauthority.v1.MintX509CAResponse + 3, // 10: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.PublishJWTKeyAndSubscribe:output_type -> spire.plugin.server.upstreamauthority.v1.PublishJWTKeyResponse + 5, // 11: spire.plugin.server.upstreamauthority.v1.UpstreamAuthority.SubscribeToLocalBundle:output_type -> spire.plugin.server.upstreamauthority.v1.SubscribeToLocalBundleResponse + 9, // [9:12] is the sub-list for method output_type + 6, // [6:9] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name } func init() { file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_init() } 
@@ -399,6 +525,30 @@ func file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_init( return nil } } + file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToLocalBundleRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubscribeToLocalBundleResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -406,7 +556,7 @@ func file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_init( GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_spire_plugin_server_upstreamauthority_v1_upstreamauthority_proto_rawDesc, NumEnums: 0, - NumMessages: 4, + NumMessages: 6, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.proto b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.proto index a039e52..a094532 100644 --- a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.proto +++ b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority.proto 
@@ -29,6 +29,15 @@ service UpstreamAuthority {
 // encountered while tracking changes to the upstream JWT keys as SPIRE
 // Server will not reopen a closed stream until the next JWT key rotation.
 rpc PublishJWTKeyAndSubscribe(PublishJWTKeyRequest) returns (stream PublishJWTKeyResponse);
+
+ // Returns the trust bundle of the local trust domain as seen by the upstream
+ // authority. Returns the current set of X.509 roots and JWT public keys
+ // that make up the trust bundle of the trust domain. If supported by the
+ // implementation, subsequent responses on the stream contain trust bundle
+ // updates, otherwise the stream is closed after the initial response.
+ //
+ // This RPC is optional and will return NotImplemented if unsupported.
+ rpc SubscribeToLocalBundle(SubscribeToLocalBundleRequest) returns (stream SubscribeToLocalBundleResponse);
 }
 
 message MintX509CARequest {
@@ -61,3 +70,13 @@ message PublishJWTKeyResponse {
 // Required. The upstream JWT signing keys.
 repeated spire.plugin.types.JWTKey upstream_jwt_keys = 1;
 }
+
+message SubscribeToLocalBundleRequest {
+}
+
+message SubscribeToLocalBundleResponse {
+ // Required. The trusted X.509 root authorities for the upstream authority.
+ repeated spire.plugin.types.X509Certificate upstream_x509_roots = 1;
+ // Required. The upstream JWT signing keys.
+ repeated spire.plugin.types.JWTKey upstream_jwt_keys = 2;
+}
diff --git a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority_grpc.pb.go b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority_grpc.pb.go
index 05b98b2..3e74f26 100644
--- a/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority_grpc.pb.go
+++ b/proto/spire/plugin/server/upstreamauthority/v1/upstreamauthority_grpc.pb.go
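Review bot: The SubscribeToLocalBundle comment does not say whether each message after the first is a complete replacement snapshot of the bundle or only the entries that changed, and that distinction decides whether a rotated-out root is ever dropped by the consumer or a newly added one is ever picked up, so it needs to be pinned down in the contract rather than left to each plugin. The neighbouring PublishJWTKeyAndSubscribe comment (its start is outside this hunk) states when SPIRE Server reopens a closed stream; the new RPC should state the same, since a plugin that closes after the initial response otherwise has no defined path for delivering later updates. The comment also says "NotImplemented", while the generated UnimplementedUpstreamAuthorityServer in this same patch returns the gRPC Unimplemented status code. I would replace the last comment line with `// This RPC is optional. Unsupported implementations return the gRPC Unimplemented status code.` and add a sentence stating that every response carries the full current bundle and that SPIRE Server re-subscribes when the stream closes, assuming that is how the server consumes it (confirm against the server-side handler).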
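Review bot: The field comments on SubscribeToLocalBundleResponse are copied from the minting responses and describe the payload as "the trusted X.509 root authorities for the upstream authority" and "the upstream JWT signing keys", whereas the RPC comment in this file says the stream carries the local trust domain's bundle as seen by the upstream authority; a plugin author reading only the message will not know which set to emit, and mixing the two is how a consumer ends up trusting roots it should not. I would reword them to `// Required. The X.509 root authorities that make up the local trust domain bundle as seen by the upstream authority.` and `// Required. The JWT public keys that make up the local trust domain bundle as seen by the upstream authority.`. "Required" on a repeated proto3 field is not enforceable by protobuf, so the comment should also say what an empty list means, since the consumer has to distinguish "the bundle has no roots" from "nothing to report"; presumably SPIRE Server rejects an empty upstream_x509_roots, which should be confirmed against the server-side handler and then stated here.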
@@ -40,6 +40,14 @@ type UpstreamAuthorityClient interface { // encountered while tracking changes to the upstream JWT keys as SPIRE // Server will not reopen a closed stream until the next JWT key rotation. PublishJWTKeyAndSubscribe(ctx context.Context, in *PublishJWTKeyRequest, opts ...grpc.CallOption) (UpstreamAuthority_PublishJWTKeyAndSubscribeClient, error) + // Returns the trust bundle of the local trust domain as seen by the upstream + // authority. Returns the current set of X.509 roots and JWT public keys + // that make up the trust bundle of the trust domain. If supported by the + // implementation, subsequent responses on the stream contain trust bundle + // updates, otherwise the stream is closed after the initial response. + // + // This RPC is optional and will return NotImplemented if unsupported. + SubscribeToLocalBundle(ctx context.Context, in *SubscribeToLocalBundleRequest, opts ...grpc.CallOption) (UpstreamAuthority_SubscribeToLocalBundleClient, error) } type upstreamAuthorityClient struct { 
@@ -114,6 +122,38 @@ func (x *upstreamAuthorityPublishJWTKeyAndSubscribeClient) Recv() (*PublishJWTKe return m, nil } +func (c *upstreamAuthorityClient) SubscribeToLocalBundle(ctx context.Context, in *SubscribeToLocalBundleRequest, opts ...grpc.CallOption) (UpstreamAuthority_SubscribeToLocalBundleClient, error) { + stream, err := c.cc.NewStream(ctx, &UpstreamAuthority_ServiceDesc.Streams[2], "/spire.plugin.server.upstreamauthority.v1.UpstreamAuthority/SubscribeToLocalBundle", opts...) + if err != nil { + return nil, err + } + x := &upstreamAuthoritySubscribeToLocalBundleClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type UpstreamAuthority_SubscribeToLocalBundleClient interface { + Recv() (*SubscribeToLocalBundleResponse, error) + grpc.ClientStream +} + +type upstreamAuthoritySubscribeToLocalBundleClient struct { + grpc.ClientStream +} + +func (x *upstreamAuthoritySubscribeToLocalBundleClient) Recv() (*SubscribeToLocalBundleResponse, error) { + m := new(SubscribeToLocalBundleResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + // UpstreamAuthorityServer is the server API for UpstreamAuthority service. // All implementations must embed UnimplementedUpstreamAuthorityServer // for forward compatibility 
@@ -140,6 +180,14 @@ type UpstreamAuthorityServer interface { // encountered while tracking changes to the upstream JWT keys as SPIRE // Server will not reopen a closed stream until the next JWT key rotation. PublishJWTKeyAndSubscribe(*PublishJWTKeyRequest, UpstreamAuthority_PublishJWTKeyAndSubscribeServer) error + // Returns the trust bundle of the local trust domain as seen by the upstream + // authority. Returns the current set of X.509 roots and JWT public keys + // that make up the trust bundle of the trust domain. If supported by the + // implementation, subsequent responses on the stream contain trust bundle + // updates, otherwise the stream is closed after the initial response. + // + // This RPC is optional and will return NotImplemented if unsupported. + SubscribeToLocalBundle(*SubscribeToLocalBundleRequest, UpstreamAuthority_SubscribeToLocalBundleServer) error mustEmbedUnimplementedUpstreamAuthorityServer() } @@ -153,6 +201,9 @@ func (UnimplementedUpstreamAuthorityServer) MintX509CAAndSubscribe(*MintX509CARe func (UnimplementedUpstreamAuthorityServer) PublishJWTKeyAndSubscribe(*PublishJWTKeyRequest, UpstreamAuthority_PublishJWTKeyAndSubscribeServer) error { return status.Errorf(codes.Unimplemented, "method PublishJWTKeyAndSubscribe not implemented") } +func (UnimplementedUpstreamAuthorityServer) SubscribeToLocalBundle(*SubscribeToLocalBundleRequest, UpstreamAuthority_SubscribeToLocalBundleServer) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToLocalBundle not implemented") +} func (UnimplementedUpstreamAuthorityServer) mustEmbedUnimplementedUpstreamAuthorityServer() {} // UnsafeUpstreamAuthorityServer may be embedded to opt out of forward compatibility for this service. 
@@ -208,6 +259,27 @@ func (x *upstreamAuthorityPublishJWTKeyAndSubscribeServer) Send(m *PublishJWTKey return x.ServerStream.SendMsg(m) } +func _UpstreamAuthority_SubscribeToLocalBundle_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToLocalBundleRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(UpstreamAuthorityServer).SubscribeToLocalBundle(m, &upstreamAuthoritySubscribeToLocalBundleServer{stream}) +} + +type UpstreamAuthority_SubscribeToLocalBundleServer interface { + Send(*SubscribeToLocalBundleResponse) error + grpc.ServerStream +} + +type upstreamAuthoritySubscribeToLocalBundleServer struct { + grpc.ServerStream +} + +func (x *upstreamAuthoritySubscribeToLocalBundleServer) Send(m *SubscribeToLocalBundleResponse) error { + return x.ServerStream.SendMsg(m) +} + // UpstreamAuthority_ServiceDesc is the grpc.ServiceDesc for UpstreamAuthority service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -226,6 +298,11 @@ var UpstreamAuthority_ServiceDesc = grpc.ServiceDesc{ Handler: _UpstreamAuthority_PublishJWTKeyAndSubscribe_Handler, ServerStreams: true, }, + { + StreamName: "SubscribeToLocalBundle", + Handler: _UpstreamAuthority_SubscribeToLocalBundle_Handler, + ServerStreams: true, + }, }, Metadata: "spire/plugin/server/upstreamauthority/v1/upstreamauthority.proto", }