Bump dependencies and codegen

Joshua Casey
2025-01-24 13:56:57 -06:00
parent de509db7be
commit 7e43aa4e12
22 changed files with 106 additions and 24 deletions

View File

@@ -65,6 +65,7 @@ certificate bundle. +
JWTAuthenticator describes the configuration of a JWT authenticator.
Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
signature, existence of claims, etc.) and extract the username and groups from the token.
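Review bot: the context line "a JWTAuthenticator will performs some validation" has a grammar slip ("will performs" should be "will perform"); since this asciidoc is generated, the fix belongs in the Go doc comment on the JWTAuthenticator type, after which the regenerated file will pick it up.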
@@ -565,6 +566,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
| Field | Description
| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +
If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -607,9 +609,11 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
be served using the external name of the LoadBalancer service or the cluster service DNS name. +
This field must be non-empty when spec.impersonationProxy.service.type is "None". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +
If this field is empty, the impersonation proxy will generate its own TLS certificate. +
|===
@@ -620,9 +624,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
serve TLS.
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
for a field called "ca.crt", which will be used as the CertificateAuthorityData.
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
the impersonation proxy endpoint.
@@ -806,11 +812,13 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
https://example.com/foo, then your authorization endpoint will look like +
https://example.com/foo/some/path/to/auth/endpoint). +
See +
https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -823,6 +831,7 @@ rejection policies. Even though a user was able to authenticate with the identit
the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
disallow the authentication unless the user belongs to a specific group in the identity provider. +
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -871,17 +880,21 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
for TLS. +
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
SecretName value even if they have different port numbers. +
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
use the default TLS certificate, which is configured elsewhere. +
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
|===
@@ -906,12 +919,14 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
https://github.com/google/cel-go/tree/master/ext#strings. +
The username and groups extracted from the identity provider, and the constants defined in this CR, are +
available as variables in all expressions. The username is provided via a variable called `username` and +
the list of group names is provided via a variable called `groups` (which may be an empty list). +
Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
and `strListConst.varName` for string list constants. +
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
and the authentication attempt is rejected. +
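Review bot: "Each user-provided constants is provided via a variable named `strConst.varName`" mixes singular and plural; it should read "Each user-provided constant is provided via ...". As with the rest of this generated file, correct it in the Go doc comment on the identity transformation expression type rather than in the generated output.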
@@ -924,6 +939,7 @@ groups list. +
Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
After each expression, the new (potentially changed) username or groups get passed to the following expression. +
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1093,6 +1109,7 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
client. +
Must only contain the following values: +
- authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
authenticate users. This grant must always be listed. +
@@ -1103,6 +1120,7 @@ which is a step in the process to be able to get a cluster credential for the us
This grant must be listed if allowedScopes lists pinniped:request-audience. +
| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +
Must only contain the following values: +
- openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
This scope must always be listed. +
@@ -1514,18 +1532,21 @@ group membership is often used to bind authorization policies, it is important +
to keep the groups observed in Kubernetes clusters in-sync with the identity +
provider. +
In some environments, frequent group membership queries may result in a +
significant performance impact on the identity provider and/or the supervisor. +
The best approach to handle performance impacts is to tweak the group query +
to be more performant, for example by disabling nested group search or by +
using a more targeted group search base. +
If the group search query cannot be made performant and you are willing to +
have group memberships remain static for approximately a day, then set +
skipGroupRefresh to true. This is an insecure configuration as authorization +
policies that are bound to group membership will not notice if a user has +
been removed from a particular group until their next login. +
This is an experimental feature that may be removed or significantly altered +
in the future. Consumers of this configuration should carefully read all +
release notes before upgrading to ensure that the meaning of this field has +
@@ -1776,8 +1797,10 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1785,32 +1808,41 @@ then a second user might change their name from "baz" to "foo" in order to take
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
@@ -1833,6 +1865,7 @@ for web-based login flows.
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
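Review bot: "clientSecret for an GitHub App or GitHub OAuth2 client" should read "for a GitHub App"; the same article slip appears in this hunk's header ("the status of an GitHub identity provider" in a later hunk), so grep the Go doc comments for "an GitHub" and fix them at the source before regenerating.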
|===
@@ -1857,6 +1890,7 @@ names to present to Kubernetes. See the response schema for
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
@@ -1943,8 +1977,10 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
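Review bot: the `policy` field description says an empty list of "allowedOrganizations means all GitHub users are allowed to log in", but the sibling field in this same table is named `allowed`; the doc comment should name the field as it actually appears (`allowed`) so that a reader checking the CRD does not look for a field that does not exist.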
@@ -1952,10 +1988,12 @@ GitHub organizations may log in. In addition, the group membership presented to
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
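Review bot: "If no organizations are listed, you must set organizations: AllGitHubUsers." names a key that does not match the fields documented above (`policy` takes the value "AllGitHubUsers", `allowed` holds the organization list); suggest "If no organizations are listed in allowed, you must set policy: AllGitHubUsers." in the Go doc comment so the generated text and the CRD schema agree.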
|===
@@ -2057,18 +2095,21 @@ group membership is often used to bind authorization policies, it is important +
to keep the groups observed in Kubernetes clusters in-sync with the identity +
provider. +
In some environments, frequent group membership queries may result in a +
significant performance impact on the identity provider and/or the supervisor. +
The best approach to handle performance impacts is to tweak the group query +
to be more performant, for example by disabling nested group search or by +
using a more targeted group search base. +
If the group search query cannot be made performant and you are willing to +
have group memberships remain static for approximately a day, then set +
skipGroupRefresh to true. This is an insecure configuration as authorization +
policies that are bound to group membership will not notice if a user has +
been removed from a particular group until their next login. +
This is an experimental feature that may be removed or significantly altered +
in the future. Consumers of this configuration should carefully read all +
release notes before upgrading to ensure that the meaning of this field has +

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
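Review bot: the only visible change in this CRD is the controller-gen.kubebuilder.io/version annotation moving from v0.16.5 to v0.17.1; please confirm that the controller-gen version pinned in the repo's tooling (the go.mod tool dependency or the codegen script) is also bumped to v0.17.1, otherwise the next regeneration will flip the annotation back and produce noisy diffs. The same one-line annotation bump repeats across the nine CRD files that follow, so a single tooling pin covers all of them.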

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

View File

@@ -65,6 +65,7 @@ certificate bundle. +
JWTAuthenticator describes the configuration of a JWT authenticator.
Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
signature, existence of claims, etc.) and extract the username and groups from the token.
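Review bot: same "will performs" grammar slip as in the generated-1-26 copy of this file; both the 1-26 and 1-29 trees are regenerated from one set of Go doc comments, so one fix at the source (and one regeneration) corrects both copies, and the same applies to the "an GitHub", "Each user-provided constants" and "organizations: AllGitHubUsers" wording noted on the 1-26 hunks.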
@@ -565,6 +566,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
| Field | Description
| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +
If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -607,9 +609,11 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
be served using the external name of the LoadBalancer service or the cluster service DNS name. +
This field must be non-empty when spec.impersonationProxy.service.type is "None". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +
If this field is empty, the impersonation proxy will generate its own TLS certificate. +
|===
@@ -620,9 +624,11 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
serve TLS.
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
for a field called "ca.crt", which will be used as the CertificateAuthorityData.
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
the impersonation proxy endpoint.
@@ -806,11 +812,13 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
https://example.com/foo, then your authorization endpoint will look like +
https://example.com/foo/some/path/to/auth/endpoint). +
See +
https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -823,6 +831,7 @@ rejection policies. Even though a user was able to authenticate with the identit
the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
disallow the authentication unless the user belongs to a specific group in the identity provider. +
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -871,17 +880,21 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
for TLS. +
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
SecretName value even if they have different port numbers. +
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
use the default TLS certificate, which is configured elsewhere. +
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
|===
@@ -906,12 +919,14 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
https://github.com/google/cel-go/tree/master/ext#strings. +
The username and groups extracted from the identity provider, and the constants defined in this CR, are +
available as variables in all expressions. The username is provided via a variable called `username` and +
the list of group names is provided via a variable called `groups` (which may be an empty list). +
Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
and `strListConst.varName` for string list constants. +
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
and the authentication attempt is rejected. +
@@ -924,6 +939,7 @@ groups list. +
Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
After each expression, the new (potentially changed) username or groups get passed to the following expression. +
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1093,6 +1109,7 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
client. +
Must only contain the following values: +
- authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
authenticate users. This grant must always be listed. +
@@ -1103,6 +1120,7 @@ which is a step in the process to be able to get a cluster credential for the us
This grant must be listed if allowedScopes lists pinniped:request-audience. +
| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +
Must only contain the following values: +
- openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
This scope must always be listed. +
@@ -1514,18 +1532,21 @@ group membership is often used to bind authorization policies, it is important +
to keep the groups observed in Kubernetes clusters in-sync with the identity +
provider. +
In some environments, frequent group membership queries may result in a +
significant performance impact on the identity provider and/or the supervisor. +
The best approach to handle performance impacts is to tweak the group query +
to be more performant, for example by disabling nested group search or by +
using a more targeted group search base. +
If the group search query cannot be made performant and you are willing to +
have group memberships remain static for approximately a day, then set +
skipGroupRefresh to true. This is an insecure configuration as authorization +
policies that are bound to group membership will not notice if a user has +
been removed from a particular group until their next login. +
This is an experimental feature that may be removed or significantly altered +
in the future. Consumers of this configuration should carefully read all +
release notes before upgrading to ensure that the meaning of this field has +
@@ -1776,8 +1797,10 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1785,32 +1808,41 @@ then a second user might change their name from "baz" to "foo" in order to take
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
@@ -1833,6 +1865,7 @@ for web-based login flows.
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
@@ -1857,6 +1890,7 @@ names to present to Kubernetes. See the response schema for
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
@@ -1943,8 +1977,10 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
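Review bot: the last sentence of the `policy` description refers to "an empty list of allowedOrganizations", but the field in this table is named `allowed`; align the doc comment with the field name. Also, "Must be set to 'AllGitHubUsers' if the allowed field is empty" reads like a validation rule. If it is enforced only at reconcile time through status conditions rather than by CRD validation, say so, since an admin will otherwise expect `kubectl apply` to reject the misconfiguration.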
@@ -1952,10 +1988,12 @@ GitHub organizations may log in. In addition, the group membership presented to
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
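Review bot: "you must set organizations: AllGitHubUsers" names a field that does not exist in this type; the field described in the preceding hunk is `policy`, so this should read `policy: AllGitHubUsers`. It would also help to state the consequence of the visibility caveat explicitly: when the App cannot see membership in a listed organization, the user is treated as not belonging to it, so under OnlyUsersFromAllowedOrganizations the login is refused rather than allowed without groups.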
@@ -2057,18 +2095,21 @@ group membership is often used to bind authorization policies, it is important +
to keep the groups observed in Kubernetes clusters in-sync with the identity +
provider. +
In some environments, frequent group membership queries may result in a +
significant performance impact on the identity provider and/or the supervisor. +
The best approach to handle performance impacts is to tweak the group query +
to be more performant, for example by disabling nested group search or by +
using a more targeted group search base. +
If the group search query cannot be made performant and you are willing to +
have group memberships remain static for approximately a day, then set +
skipGroupRefresh to true. This is an insecure configuration as authorization +
policies that are bound to group membership will not notice if a user has +
been removed from a particular group until their next login. +
This is an experimental feature that may be removed or significantly altered +
in the future. Consumers of this configuration should carefully read all +
release notes before upgrading to ensure that the meaning of this field has +
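Review bot: the two caveats in this hunk give different bounds on staleness, "remain static for approximately a day" and "will not notice ... until their next login". Tie them together by saying where the day comes from (presumably the maximum session lifetime, after which a fresh login is forced), so readers who configure longer sessions do not take "a day" as a hard limit. The hunk is also cut off mid-sentence here ("the meaning of this field has"), so the remainder of the release-notes caveat needs to be checked in the full file.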


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
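Review bot: the controller-gen annotation goes from v0.17.1 to v0.16.5, which is a downgrade even though the commit is titled "Bump dependencies and codgen". Confirm that v0.16.5 is the version pinned by the code generation scripts; if it is not, the next regeneration flips the annotation back and produces churn across all nine CRDs touched here (jwtauthenticators, webhookauthenticators, credentialissuers, federationdomains, oidcclients, activedirectoryidentityproviders, githubidentityproviders, ldapidentityproviders, oidcidentityproviders). The same comment applies to each of the following CRD hunks.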


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev


@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

go.mod

@@ -24,7 +24,7 @@ require (
github.com/go-logr/stdr v1.2.2
github.com/go-logr/zapr v1.3.0
github.com/gofrs/flock v0.12.1
github.com/google/cel-go v0.22.1
github.com/google/cel-go v0.23.0
github.com/google/go-cmp v0.6.0
github.com/google/go-github/v68 v68.0.0
github.com/google/gofuzz v1.2.0
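Review bot: cel-go v0.22.1 to v0.23.0 is a minor bump of the expression evaluator, and the FederationDomain "policy expression" and "identity transformation expressions" mentioned in the docs hunks above are CEL expressions, so parser or semantic changes in the new release can alter which users and groups a transformation admits. Run the identity-transformation unit and integration tests against this version rather than relying on compilation alone, and link the upstream changelog in the PR description.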
@@ -65,7 +65,7 @@ require (
)
require (
cel.dev/expr v0.18.0 // indirect
cel.dev/expr v0.19.1 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/NYTimes/gziphandler v1.1.1 // indirect
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect

go.sum

@@ -1,5 +1,5 @@
cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo=
cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
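Review bot: the `/go.mod` hash for cel.dev/expr v0.19.1 (MrpN08Q+...) is identical to the one for v0.18.0, which looks like a copy-paste slip but is expected when a module's go.mod file is unchanged between releases; the h1: hash of the module zip does differ, as it should. No change needed, and the stale v0.18.0 entries are correctly dropped rather than left behind.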
@@ -228,8 +228,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40=
github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8=
github.com/google/cel-go v0.23.0 h1:knsnzeUOcREUFo0ZFJqZI8Rk6uEVyobAlir7GEbf5v0=
github.com/google/cel-go v0.23.0/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo=
github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=