Add template for selector

docs/pages/includes/machine-id/workload-identity-selector-config.yaml

@@ -0,0 +1,3 @@
+# TODO: explanation of selector
+selector:
+  name: foo

docs/pages/reference/machine-id/configuration.mdx

@@ -311,8 +311,55 @@ principals:
 (!docs/pages/includes/machine-id/common-output-config.yaml!)
 ```
 
+### `workload-identity-x509`
+
+The output generates the following artifacts:
+
+See [Workload Identity introduction](../../enroll-resources/workload-identity/introduction.mdx)
+for more information on Workload Identity functionality.
+
+### `workload-identity-jwt`
+
+The `workload-identity-jwt` output is used to issue a JWT workload identity
+credential and write this to a configured destination.
+
+The JWT workload identity credential is compatible with the [SPIFFE JWT SVID
+specification](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md).
+
+The output generates the following artifacts:
+
+- `jwt_svid`: the JWT SVID.
+
+See [Workload Identity introduction](../../enroll-resources/workload-identity/introduction.mdx)
+for more information on Workload Identity functionality.
+
+```yaml
+# type specifies the type of the output. For the JWT Workload Identity output,
+# this will always be `workload-identity-jwt`.
+type: workload-identity-jwt
+# audiences specifies the values that should be included in the `aud` claim of
+# the JWT. Typically, this identifies the intended recipient of the JWT and
+# contains a single value.
+#
+# At least one audience value must be specified.
+audiences:
+ - example.com
+ - foo.example.com
+(!docs/pages/includes/machine-id/workload-identity-selector-config.yaml!)
+(!docs/pages/includes/machine-id/common-output-config.yaml!)
+```
+
 ### `spiffe-svid`
 
+<Admonition type="warning" >
+The use of this service has been deprecated as part of the introduction of the
+new Workload Identity configuration experience. You can replace the use of this
+output with the new `workload-identity-x509` or `workload-identity-jwt` service.
+
+For further information, see [the new Workload Identity configuration experience
+and how to migrate](../workload-identity/configuration-resource-migration.mdx).
+</Admonition>
+
 The `spiffe-svid` output is used to generate a SPIFFE X509 SVID and write this
 to a configured destination.
 
@@ -384,7 +431,7 @@ new Workload Identity configuration experience. You can replace the use of this
 service with the new `workload-identity-api` service.
 
 For further information, see [the new Workload Identity configuration experience
-and how to migrate](../workload-identity/new-configuration-experience.mdx).
+and how to migrate](../workload-identity/configuration-resource-migration.mdx).
 </Admonition>
 
 The `spiffe-workload-api` service opens a listener for a service that implements

docs/pages/reference/workload-identity/workload-identity-api-service.mdx

@@ -58,8 +58,7 @@ attestors:
       # unspecified, this defaults to false. If set, the token_path field is
       # ignored.
       anonymous: false
-selector:
-  name: example-workload-identity
+(!docs/pages/includes/machine-id/workload-identity-selector-config.yaml!)
 ```
 
 ## SPIFFE Workload API