Generate rough starting protos

api/proto/teleport/legacy/types/events/events.proto

@@ -6732,6 +6732,12 @@ message SPIFFESVIDIssued {
   // Audiences is the list of audiences in the issued SVID.
   // Only present if the SVID is a JWT.
   repeated string Audiences = 11 [(gogoproto.jsontag) = "audiences,omitempty"];
+  // The WorkloadIdentity resource that was used to issue the SVID, this will
+  // be empty if the legacy RPCs were used.
+  string WorkloadIdentity = 12 [(gogoproto.jsontag) = "workload_identity,omitempty"];
+  // The revision of the WorkloadIdentity resource that was used to issue the
+  // SVID. This will be empty if the legacy RPCs were used.
+  string WorkloadIdentityRevision = 13 [(gogoproto.jsontag) = "workload_identity_revision,omitempty"];
 }
 
 // AuthPreferenceUpdate is emitted when the auth preference is updated.

api/proto/teleport/workloadidentity/v1/attrs.proto

@@ -0,0 +1,83 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1pb";
+
+// Attributes sourced from the Kubernetes workload attestor.
+message WorkloadAttrsKubernetes {
+  // Whether the workload passed Kubernetes attestation.
+  bool attested = 1;
+  // The namespace of the workload pod.
+  string namespace = 2;
+  // The name of the workload pod.
+  string pod_name = 3;
+  // The service account of the workload pod.
+  string service_account = 4;
+  // The UID of the workload pod.
+  string pod_uid = 5;
+  // The labels of the workload pod.
+  map<string, string> labels = 6;
+}
+
+// Attributes sourced from the Unix workload attestor.
+message WorkloadAttrsUnix {
+  // Whether the workload passed Kubernetes attestation.
+  bool attested = 1;
+  // The PID of the workload process.
+  int32 pid = 2;
+  // The primary user ID of the workload process.
+  uint32 gid = 3;
+  // The primary group ID of the workload process.
+  uint32 uid = 4;
+}
+
+// The attributes provided by `tbot` regarding the workload's attestation.
+// This will be mostly unset if the workload has not requested credentials via
+// the SPIFFE Workload API.
+message WorkloadAttrs {
+  // The Unix-specific attributes.
+  WorkloadAttrsUnix unix = 1;
+  // The Kubernetes-specific attributes.
+  WorkloadAttrsKubernetes kubernetes = 2;
+}
+
+// Attributes related to the user/bot making the request for a workload
+// identity.
+message UserAttrs {
+  // The name of the user.
+  string name = 1;
+  // Whether the user is a bot.
+  bool is_bot = 2;
+  // If the user is a bot, the name of the bot.
+  string bot_name = 3;
+  // If the user is a bot, the instance ID of the bot.
+  string bot_instance_id = 4;
+  // Labels of the user.
+  map<string, string> labels = 5;
+}
+
+// The attributes of a principal requesting a workload identity. These
+// attributes can be leveraged in rules, expressions and templating within the
+// WorkloadIdentity resource.
+message Attrs {
+  // Attributes sourced by workload attestation performed by `tbot`.
+  WorkloadAttrs workload = 1;
+  // Attributes sourced from the user/bot making the request for a workload
+  // identity credential.
+  UserAttrs user = 2;
+}