Add enum validation for scopes and grant types

Signed-off-by: Margo Crawford <margaretc@vmware.com>

deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml

@@ -54,6 +54,10 @@ spec:
                   step in the process to be able to get a cluster credential for the
                   user. This grant must be listed if allowedScopes lists pinniped:request-audience."
                 items:
+                  enum:
+                  - authorization_code
+                  - refresh_token
+                  - urn:ietf:params:oauth:grant-type:token-exchange
                   type: string
                 minItems: 1
                 type: array
@@ -89,6 +93,12 @@ spec:
                   the groups scope being requested and allowed, the ID token will
                   not contain groups."
                 items:
+                  enum:
+                  - openid
+                  - offline_access
+                  - username
+                  - groups
+                  - pinniped:request-audience
                   type: string
                 minItems: 1
                 type: array

deploy/supervisor/z0_crd_overlay.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
@@ -40,3 +40,12 @@ metadata:
   name: #@ pinnipedDevAPIGroupWithPrefix("activedirectoryidentityproviders.idp.supervisor")
 spec:
   group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.oauth.supervisor.pinniped.dev"}}), expects=1
+---
+metadata:
+  #@overlay/match missing_ok=True
+  labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("oidcclients.oauth.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("oauth.supervisor")