Code generation: Add 1.30.0 and bump other patch versions

generated/1.26/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.26/apis
 go 1.13
 
 require (
-	k8s.io/api v0.26.14
-	k8s.io/apimachinery v0.26.14
+	k8s.io/api v0.26.15
+	k8s.io/apimachinery v0.26.15
 )

generated/1.26/apis/go.sum

@@ -47,7 +47,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -255,7 +255,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -278,10 +278,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.26.14 h1:r+gEQ9L08uPAITk9gVwDJ6ErMuvZ79tgVoQFvyxaESQ=
-k8s.io/api v0.26.14/go.mod h1:OXHRNHZUItD1Oun/DnrHirVrnVCOPyybHNTI6sBcDRs=
-k8s.io/apimachinery v0.26.14 h1:u1s90TEuMBg+0+Q+lABBSKEwqTFYlUW5NJyD/YXqSZ0=
-k8s.io/apimachinery v0.26.14/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y=
+k8s.io/api v0.26.15 h1:tjMERUjIwkq+2UtPZL5ZbSsLkpxUv4gXWZfV5lQl+Og=
+k8s.io/api v0.26.15/go.mod h1:CtWOrFl8VLCTLolRlhbBxo4fy83tjCLEtYa5pMubIe0=
+k8s.io/apimachinery v0.26.15 h1:GPxeERYBSqSZlj3xIkX4L6mBjzZ9q8JPnJ+Vj15qe+g=
+k8s.io/apimachinery v0.26.15/go.mod h1:O/uIhIOWuy6ndHqQ6qbkjD7OgeMhVtlk8+Z66ZcmJQc=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.26/client/go.mod

@@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.26/apis => ../apis
 
 require (
 	go.pinniped.dev/generated/1.26/apis v0.0.0
-	k8s.io/apimachinery v0.26.14
-	k8s.io/client-go v0.26.14
+	k8s.io/apimachinery v0.26.15
+	k8s.io/client-go v0.26.15
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 )

generated/1.26/client/go.sum

@@ -58,8 +58,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
@@ -296,8 +296,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -320,12 +320,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.26.14 h1:r+gEQ9L08uPAITk9gVwDJ6ErMuvZ79tgVoQFvyxaESQ=
-k8s.io/api v0.26.14/go.mod h1:OXHRNHZUItD1Oun/DnrHirVrnVCOPyybHNTI6sBcDRs=
-k8s.io/apimachinery v0.26.14 h1:u1s90TEuMBg+0+Q+lABBSKEwqTFYlUW5NJyD/YXqSZ0=
-k8s.io/apimachinery v0.26.14/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y=
-k8s.io/client-go v0.26.14 h1:pPtDTiRTYu2M2zjHLEH7p6oWI++mGZq/2ZT0893poTE=
-k8s.io/client-go v0.26.14/go.mod h1:yaORlvYE4xtoA0SkpIBZIdoTi1FiQQHVIbD58xB1824=
+k8s.io/api v0.26.15 h1:tjMERUjIwkq+2UtPZL5ZbSsLkpxUv4gXWZfV5lQl+Og=
+k8s.io/api v0.26.15/go.mod h1:CtWOrFl8VLCTLolRlhbBxo4fy83tjCLEtYa5pMubIe0=
+k8s.io/apimachinery v0.26.15 h1:GPxeERYBSqSZlj3xIkX4L6mBjzZ9q8JPnJ+Vj15qe+g=
+k8s.io/apimachinery v0.26.15/go.mod h1:O/uIhIOWuy6ndHqQ6qbkjD7OgeMhVtlk8+Z66ZcmJQc=
+k8s.io/client-go v0.26.15 h1:A2Yav2v+VZQfpEsf5ESFp2Lqq5XACKBDrwkG+jEtOg0=
+k8s.io/client-go v0.26.15/go.mod h1:KJs7snLEyKPlypqTQG/ngcaqE6h3/6qTvVHDViRL+iI=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis
 go 1.13
 
 require (
-	k8s.io/api v0.27.11
-	k8s.io/apimachinery v0.27.11
+	k8s.io/api v0.27.13
+	k8s.io/apimachinery v0.27.13
 )

generated/1.27/apis/go.sum

@@ -44,6 +44,7 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -146,6 +147,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -186,8 +189,10 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -228,6 +233,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -239,6 +246,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -298,7 +307,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -321,10 +330,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.11 h1:IsGrWbXt7RkE+arc9GLQPYI5AtZkT+feBMorY+Nzx4I=
-k8s.io/api v0.27.11/go.mod h1:SGqTcyqa0e+Db3pgyH6v+por5dO2OdTkKDCdD3Op3Ng=
-k8s.io/apimachinery v0.27.11 h1:ivrKMN7JgdtKhay14S5UQlvilV3z6W+wjiSQTzyr5zc=
-k8s.io/apimachinery v0.27.11/go.mod h1:IHu2ovJ60RqxyPSLmTel7KDLdOCRbpOxwtUBmwBnT/E=
+k8s.io/api v0.27.13 h1:d49LYs1dh+JMMDNYQSu8FhEzCjc2TNpYvDWoSGAKs80=
+k8s.io/api v0.27.13/go.mod h1:W3lYMPs34i0XQA+cmKfejve+HwbRZjy67fL05RyJUTo=
+k8s.io/apimachinery v0.27.13 h1:xDAnOWaRVNSkaKdfB0Ab11hixH90KGTbLwEHMloMjFM=
+k8s.io/apimachinery v0.27.13/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/client/go.mod

@@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.27/apis => ../apis
 
 require (
 	go.pinniped.dev/generated/1.27/apis v0.0.0
-	k8s.io/apimachinery v0.27.11
-	k8s.io/client-go v0.27.11
+	k8s.io/apimachinery v0.27.13
+	k8s.io/client-go v0.27.13
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 )

generated/1.27/client/go.sum

@@ -53,8 +53,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
@@ -172,6 +173,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -214,8 +217,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
 golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
@@ -258,8 +263,10 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -271,8 +278,10 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -337,8 +346,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -361,12 +370,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.11 h1:IsGrWbXt7RkE+arc9GLQPYI5AtZkT+feBMorY+Nzx4I=
-k8s.io/api v0.27.11/go.mod h1:SGqTcyqa0e+Db3pgyH6v+por5dO2OdTkKDCdD3Op3Ng=
-k8s.io/apimachinery v0.27.11 h1:ivrKMN7JgdtKhay14S5UQlvilV3z6W+wjiSQTzyr5zc=
-k8s.io/apimachinery v0.27.11/go.mod h1:IHu2ovJ60RqxyPSLmTel7KDLdOCRbpOxwtUBmwBnT/E=
-k8s.io/client-go v0.27.11 h1:SZChXsDaN6lB5IYywCpvQs/ZUa5vK2NHkpEwUhoK3fQ=
-k8s.io/client-go v0.27.11/go.mod h1:Rg3Yeuk9sX87gpVunVn3AsvMkGZfXuutTDC/jigBNUo=
+k8s.io/api v0.27.13 h1:d49LYs1dh+JMMDNYQSu8FhEzCjc2TNpYvDWoSGAKs80=
+k8s.io/api v0.27.13/go.mod h1:W3lYMPs34i0XQA+cmKfejve+HwbRZjy67fL05RyJUTo=
+k8s.io/apimachinery v0.27.13 h1:xDAnOWaRVNSkaKdfB0Ab11hixH90KGTbLwEHMloMjFM=
+k8s.io/apimachinery v0.27.13/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
+k8s.io/client-go v0.27.13 h1:SfUbIukb6BSqaadlYRX0AzMoN6+e+9FZGEKqfisidho=
+k8s.io/client-go v0.27.13/go.mod h1:I9SBaI28r6ii465Fb0dTpf5O3adOnDwNBoeqlDNbbFg=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.28/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.28/apis
 go 1.13
 
 require (
-	k8s.io/api v0.28.7
-	k8s.io/apimachinery v0.28.7
+	k8s.io/api v0.28.9
+	k8s.io/apimachinery v0.28.9
 )

generated/1.28/apis/go.sum

@@ -36,6 +36,7 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -140,6 +141,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
@@ -173,8 +176,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -213,6 +218,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -225,6 +232,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -269,7 +278,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -288,10 +297,10 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.28.7 h1:YKIhBxjXKaxuxWJnwohV0aGjRA5l4IU0Eywf/q19AVI=
-k8s.io/api v0.28.7/go.mod h1:y4RbcjCCMff1930SG/TcP3AUKNfaJUgIeUp58e/2vyY=
-k8s.io/apimachinery v0.28.7 h1:2Z38/XRAOcpb+PonxmBEmjG7hBfmmr41xnr0XvpTnB4=
-k8s.io/apimachinery v0.28.7/go.mod h1:QFNX/kCl/EMT2WTSz8k4WLCv2XnkOLMaL8GAVRMdpsA=
+k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0=
+k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw=
+k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA=
+k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.28/client/go.mod

@@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.28/apis => ../apis
 
 require (
 	go.pinniped.dev/generated/1.28/apis v0.0.0
-	k8s.io/apimachinery v0.28.7
-	k8s.io/client-go v0.28.7
+	k8s.io/apimachinery v0.28.9
+	k8s.io/client-go v0.28.9
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
 )

generated/1.28/client/go.sum

@@ -45,8 +45,9 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
@@ -166,6 +167,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
@@ -200,8 +203,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -241,8 +246,10 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -254,8 +261,10 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -305,8 +314,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -325,12 +334,12 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.28.7 h1:YKIhBxjXKaxuxWJnwohV0aGjRA5l4IU0Eywf/q19AVI=
-k8s.io/api v0.28.7/go.mod h1:y4RbcjCCMff1930SG/TcP3AUKNfaJUgIeUp58e/2vyY=
-k8s.io/apimachinery v0.28.7 h1:2Z38/XRAOcpb+PonxmBEmjG7hBfmmr41xnr0XvpTnB4=
-k8s.io/apimachinery v0.28.7/go.mod h1:QFNX/kCl/EMT2WTSz8k4WLCv2XnkOLMaL8GAVRMdpsA=
-k8s.io/client-go v0.28.7 h1:3L6402+tjmOl8twX3fjUQ/wsYAkw6UlVNDVP+rF6YGA=
-k8s.io/client-go v0.28.7/go.mod h1:xIoEaDewZ+EwWOo1/F1t0IOKMPe1rwBZhLu9Es6y0tE=
+k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0=
+k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw=
+k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA=
+k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o=
+k8s.io/client-go v0.28.9 h1:mmMvejwc/KDjMLmDpyaxkWNzlWRCJ6ht7Qsbsnwn39Y=
+k8s.io/client-go v0.28.9/go.mod h1:GFDy3rUNId++WGrr0hRaBrs+y1eZz5JtVZODEalhRMo=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.29/apis/go.mod

@@ -4,8 +4,8 @@ module go.pinniped.dev/generated/1.29/apis
 go 1.21
 
 require (
-	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.29.2
+	k8s.io/api v0.29.4
+	k8s.io/apimachinery v0.29.4
 )
 
 require (
@@ -15,7 +15,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

generated/1.29/apis/go.sum

@@ -45,8 +45,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -75,10 +75,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
-k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
-k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
-k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
+k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w=
+k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0=
+k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q=
+k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=

generated/1.29/client/go.mod

@@ -7,8 +7,8 @@ replace go.pinniped.dev/generated/1.29/apis => ../apis
 
 require (
 	go.pinniped.dev/generated/1.29/apis v0.0.0
-	k8s.io/apimachinery v0.29.2
-	k8s.io/client-go v0.29.2
+	k8s.io/apimachinery v0.29.4
+	k8s.io/client-go v0.29.4
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
 )
 
@@ -21,7 +21,7 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -33,18 +33,18 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.29.2 // indirect
+	k8s.io/api v0.29.4 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

generated/1.29/client/go.sum

@@ -19,12 +19,10 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -90,8 +88,8 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -100,10 +98,10 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -123,10 +121,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -138,12 +134,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
-k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
-k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
-k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
-k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
+k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w=
+k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0=
+k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q=
+k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
+k8s.io/client-go v0.29.4 h1:79ytIedxVfyXV8rpH3jCBW0u+un0fxHDwX5F9K8dPR8=
+k8s.io/client-go v0.29.4/go.mod h1:kC1thZQ4zQWYwldsfI088BbK6RkxK+aF5ebV8y9Q4tk=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=

generated/1.30/apis/concierge/authentication/v1alpha1/doc.go

@@ -0,0 +1,10 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
+package v1alpha1

generated/1.30/apis/concierge/authentication/v1alpha1/register.go

@@ -0,0 +1,45 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "authentication.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&WebhookAuthenticator{},
+		&WebhookAuthenticatorList{},
+		&JWTAuthenticator{},
+		&JWTAuthenticatorList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -0,0 +1,102 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type JWTAuthenticatorPhase string
+
+const (
+	// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
+	JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
+
+	// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
+	JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
+
+	// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
+	JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
+)
+
+// Status of a JWT authenticator.
+type JWTAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	// Phase summarizes the overall status of the JWTAuthenticator.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
+}
+
+// Spec for configuring a JWT authenticator.
+type JWTAuthenticatorSpec struct {
+	// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
+	// also used to validate the "iss" JWT claim.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// Audience is the required value of the "aud" JWT claim.
+	// +kubebuilder:validation:MinLength=1
+	Audience string `json:"audience"`
+
+	// Claims allows customization of the claims that will be mapped to user identity
+	// for Kubernetes access.
+	// +optional
+	Claims JWTTokenClaims `json:"claims"`
+
+	// TLS configuration for communicating with the OIDC provider.
+	// +optional
+	TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+	// Groups is the name of the claim which should be read to extract the user's
+	// group membership from the JWT token. When not specified, it will default to "groups".
+	// +optional
+	Groups string `json:"groups"`
+
+	// Username is the name of the claim which should be read to extract the
+	// username from the JWT token. When not specified, it will default to "username".
+	// +optional
+	Username string `json:"username"`
+}
+
+// JWTAuthenticator describes the configuration of a JWT authenticator.
+//
+// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
+// signature, existence of claims, etc.) and extract the username and groups from the token.
+//
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type JWTAuthenticator struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the authenticator.
+	Spec JWTAuthenticatorSpec `json:"spec"`
+
+	// Status of the authenticator.
+	Status JWTAuthenticatorStatus `json:"status,omitempty"`
+}
+
+// List of JWTAuthenticator objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type JWTAuthenticatorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []JWTAuthenticator `json:"items"`
+}

generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// Configuration for configuring TLS on various authenticators.
+type TLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+}

generated/1.30/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -0,0 +1,73 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type WebhookAuthenticatorPhase string
+
+const (
+	// WebhookAuthenticatorPhasePending is the default phase for newly-created WebhookAuthenticator resources.
+	WebhookAuthenticatorPhasePending WebhookAuthenticatorPhase = "Pending"
+
+	// WebhookAuthenticatorPhaseReady is the phase for an WebhookAuthenticator resource in a healthy state.
+	WebhookAuthenticatorPhaseReady WebhookAuthenticatorPhase = "Ready"
+
+	// WebhookAuthenticatorPhaseError is the phase for an WebhookAuthenticator in an unhealthy state.
+	WebhookAuthenticatorPhaseError WebhookAuthenticatorPhase = "Error"
+)
+
+// Status of a webhook authenticator.
+type WebhookAuthenticatorStatus struct {
+	// Represents the observations of the authenticator's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	// Phase summarizes the overall status of the WebhookAuthenticator.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase WebhookAuthenticatorPhase `json:"phase,omitempty"`
+}
+
+// Spec for configuring a webhook authenticator.
+type WebhookAuthenticatorSpec struct {
+	// Webhook server endpoint URL.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// TLS configuration.
+	// +optional
+	TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// WebhookAuthenticator describes the configuration of a webhook authenticator.
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type WebhookAuthenticator struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the authenticator.
+	Spec WebhookAuthenticatorSpec `json:"spec"`
+
+	// Status of the authenticator.
+	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
+}
+
+// List of WebhookAuthenticator objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WebhookAuthenticatorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []WebhookAuthenticator `json:"items"`
+}

generated/1.30/apis/concierge/config/v1alpha1/doc.go

@@ -0,0 +1,10 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=config.concierge.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
+package v1alpha1

generated/1.30/apis/concierge/config/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "config.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CredentialIssuer{},
+		&CredentialIssuerList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -0,0 +1,273 @@
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
+// +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
+type StrategyType string
+
+// FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.
+// +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy
+type FrontendType string
+
+// StrategyStatus enumerates whether a strategy is working on a cluster.
+// +kubebuilder:validation:Enum=Success;Error
+type StrategyStatus string
+
+// StrategyReason enumerates the detailed reason why a strategy is in a particular status.
+// +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey
+type StrategyReason string
+
+const (
+	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
+
+	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
+	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")
+
+	SuccessStrategyStatus = StrategyStatus("Success")
+	ErrorStrategyStatus   = StrategyStatus("Error")
+
+	ListeningStrategyReason              = StrategyReason("Listening")
+	PendingStrategyReason                = StrategyReason("Pending")
+	DisabledStrategyReason               = StrategyReason("Disabled")
+	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
+	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
+	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
+	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
+)
+
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
+	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
+	//
+	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// CredentialIssuerStatus describes the status of the Concierge.
+type CredentialIssuerStatus struct {
+	// List of integration strategies that were attempted by Pinniped.
+	Strategies []CredentialIssuerStrategy `json:"strategies"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// This field is deprecated and will be removed in a future version.
+	// +optional
+	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+}
+
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
+type CredentialIssuerKubeConfigInfo struct {
+	// The K8s API server URL.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
+
+	// The K8s API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
+type CredentialIssuerStrategy struct {
+	// Type of integration attempted.
+	Type StrategyType `json:"type"`
+
+	// Status of the attempted integration strategy.
+	Status StrategyStatus `json:"status"`
+
+	// Reason for the current status.
+	Reason StrategyReason `json:"reason"`
+
+	// Human-readable description of the current status.
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message"`
+
+	// When the status was last checked.
+	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
+
+	// Frontend describes how clients can connect using this strategy.
+	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
+}
+
+// CredentialIssuerFrontend describes how to connect using a particular integration strategy.
+type CredentialIssuerFrontend struct {
+	// Type describes which frontend mechanism clients can use with a strategy.
+	Type FrontendType `json:"type"`
+
+	// TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
+	// This field is only set when Type is "TokenCredentialRequestAPI".
+	TokenCredentialRequestAPIInfo *TokenCredentialRequestAPIInfo `json:"tokenCredentialRequestInfo,omitempty"`
+
+	// ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
+	// This field is only set when Type is "ImpersonationProxy".
+	ImpersonationProxyInfo *ImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
+}
+
+// TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
+type TokenCredentialRequestAPIInfo struct {
+	// Server is the Kubernetes API server URL.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
+
+	// CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
+type ImpersonationProxyInfo struct {
+	// Endpoint is the HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped,scope=Cluster
+// +kubebuilder:printcolumn:name="ProxyMode",type=string,JSONPath=`.spec.impersonationProxy.mode`
+// +kubebuilder:printcolumn:name="DefaultStrategy",type=string,JSONPath=`.status.strategies[?(@.status == "Success")].type`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type CredentialIssuer struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
+	// +optional
+	Status CredentialIssuerStatus `json:"status"`
+}
+
+// CredentialIssuerList is a list of CredentialIssuer objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type CredentialIssuerList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []CredentialIssuer `json:"items"`
+}

generated/1.30/apis/concierge/identity/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=identity.concierge.pinniped.dev
+
+// Package identity is the internal version of the Pinniped identity API.
+package identity

generated/1.30/apis/concierge/identity/register.go

@@ -0,0 +1,38 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package identity
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "identity.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&WhoAmIRequest{},
+		&WhoAmIRequestList{},
+	)
+	return nil
+}

generated/1.30/apis/concierge/identity/types_userinfo.go

@@ -0,0 +1,37 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package identity
+
+import "fmt"
+
+// KubernetesUserInfo represents the current authenticated user, exactly as Kubernetes understands it.
+// Copied from the Kubernetes token review API.
+type KubernetesUserInfo struct {
+	// User is the UserInfo associated with the current user.
+	User UserInfo
+	// Audiences are audience identifiers chosen by the authenticator.
+	Audiences []string
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+type UserInfo struct {
+	// The name that uniquely identifies this user among all active users.
+	Username string
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	UID string
+	// The names of groups this user is a part of.
+	Groups []string
+	// Any additional information provided by the authenticator.
+	Extra map[string]ExtraValue
+}
+
+// ExtraValue masks the value so protobuf can generate
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}

generated/1.30/apis/concierge/identity/types_whoamirequest.go

@@ -0,0 +1,42 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package identity
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WhoAmIRequest submits a request to echo back the current authenticated user.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WhoAmIRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   WhoAmIRequestSpec
+	Status WhoAmIRequestStatus
+}
+
+// Spec is always empty for a WhoAmIRequest.
+type WhoAmIRequestSpec struct {
+	// empty for now but we may add some config here in the future
+	// any such config must be safe in the context of an unauthenticated user
+}
+
+// Status is set by the server in the response to a WhoAmIRequest.
+type WhoAmIRequestStatus struct {
+	// The current authenticated user, exactly as Kubernetes understands it.
+	KubernetesUserInfo KubernetesUserInfo
+
+	// We may add concierge specific information here in the future.
+}
+
+// WhoAmIRequestList is a list of WhoAmIRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WhoAmIRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of WhoAmIRequest.
+	Items []WhoAmIRequest
+}

generated/1.30/apis/concierge/identity/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.30/apis/concierge/identity/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.30/apis/concierge/identity/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/concierge/identity
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=identity.concierge.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped identity API.
+package v1alpha1

generated/1.30/apis/concierge/identity/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "identity.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&WhoAmIRequest{},
+		&WhoAmIRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/concierge/identity/v1alpha1/types_userinfo.go

@@ -0,0 +1,41 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import "fmt"
+
+// KubernetesUserInfo represents the current authenticated user, exactly as Kubernetes understands it.
+// Copied from the Kubernetes token review API.
+type KubernetesUserInfo struct {
+	// User is the UserInfo associated with the current user.
+	User UserInfo `json:"user"`
+	// Audiences are audience identifiers chosen by the authenticator.
+	// +optional
+	Audiences []string `json:"audiences,omitempty"`
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+type UserInfo struct {
+	// The name that uniquely identifies this user among all active users.
+	Username string `json:"username"`
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	// +optional
+	UID string `json:"uid,omitempty"`
+	// The names of groups this user is a part of.
+	// +optional
+	Groups []string `json:"groups,omitempty"`
+	// Any additional information provided by the authenticator.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}

generated/1.30/apis/concierge/identity/v1alpha1/types_whoamirequest.go

@@ -0,0 +1,45 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WhoAmIRequest submits a request to echo back the current authenticated user.
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:onlyVerbs=create
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WhoAmIRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   WhoAmIRequestSpec   `json:"spec,omitempty"`
+	Status WhoAmIRequestStatus `json:"status,omitempty"`
+}
+
+// Spec is always empty for a WhoAmIRequest.
+type WhoAmIRequestSpec struct {
+	// empty for now but we may add some config here in the future
+	// any such config must be safe in the context of an unauthenticated user
+}
+
+// Status is set by the server in the response to a WhoAmIRequest.
+type WhoAmIRequestStatus struct {
+	// The current authenticated user, exactly as Kubernetes understands it.
+	KubernetesUserInfo KubernetesUserInfo `json:"kubernetesUserInfo"`
+
+	// We may add concierge specific information here in the future.
+}
+
+// WhoAmIRequestList is a list of WhoAmIRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WhoAmIRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// Items is a list of WhoAmIRequest.
+	Items []WhoAmIRequest `json:"items"`
+}

generated/1.30/apis/concierge/identity/validation/validation.go

@@ -0,0 +1,14 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package validation
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	identityapi "go.pinniped.dev/generated/1.30/apis/concierge/identity"
+)
+
+func ValidateWhoAmIRequest(whoAmIRequest *identityapi.WhoAmIRequest) field.ErrorList {
+	return nil // add validation for spec here if we expand it
+}

generated/1.30/apis/concierge/login/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=login.concierge.pinniped.dev
+
+// Package login is the internal version of the Pinniped login API.
+package login

generated/1.30/apis/concierge/login/register.go

@@ -0,0 +1,38 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	return nil
+}

generated/1.30/apis/concierge/login/types_clustercredential.go

@@ -0,0 +1,22 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string
+}

generated/1.30/apis/concierge/login/types_tokencredentialrequest.go

@@ -0,0 +1,49 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string
+
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference
+}
+
+// Status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   TokenCredentialRequestSpec
+	Status TokenCredentialRequestStatus
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of TokenCredentialRequest.
+	Items []TokenCredentialRequest
+}

generated/1.30/apis/concierge/login/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.30/apis/concierge/login/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.30/apis/concierge/login/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/concierge/login
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=login.concierge.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+package v1alpha1

generated/1.30/apis/concierge/login/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.concierge.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/concierge/login/v1alpha1/types_clustercredential.go

@@ -0,0 +1,22 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string `json:"clientCertificateData,omitempty"`
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string `json:"clientKeyData,omitempty"`
+}

generated/1.30/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go

@@ -0,0 +1,52 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string `json:"token,omitempty"`
+
+	// Reference to an authenticator which can validate this credential request.
+	Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
+}
+
+// Status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential `json:"credential,omitempty"`
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:onlyVerbs=create
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TokenCredentialRequestSpec   `json:"spec,omitempty"`
+	Status TokenCredentialRequestStatus `json:"status,omitempty"`
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// Items is a list of TokenCredentialRequest.
+	Items []TokenCredentialRequest `json:"items"`
+}

generated/1.30/apis/go.mod

@@ -0,0 +1,26 @@
+// This go.mod file is generated by ./hack/update.sh.
+module go.pinniped.dev/generated/1.30/apis
+
+go 1.22.0
+
+require (
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+)
+
+require (
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+)

generated/1.30/apis/go.sum

@@ -0,0 +1,91 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
+k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
+k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
+k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

generated/1.30/apis/supervisor/clientsecret/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package clientsecret is the internal version of the Pinniped client secret API.
+package clientsecret

generated/1.30/apis/supervisor/clientsecret/register.go

@@ -0,0 +1,38 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
+	)
+	return nil
+}

generated/1.30/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -0,0 +1,50 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package clientsecret
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta // metadata.name must be set to the client ID
+
+	Spec OIDCClientSecretRequestSpec
+
+	// +optional
+	Status OIDCClientSecretRequestStatus
+}
+
+// Spec of the OIDCClientSecretRequest.
+type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
+	// +optional
+	GenerateNewSecret bool
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
+	// +optional
+	RevokeOldSecrets bool
+}
+
+// Status of the OIDCClientSecretRequest.
+type OIDCClientSecretRequestStatus struct {
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost.
+	GeneratedSecret string
+
+	// The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
+	TotalClientSecrets int
+}
+
+// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest.
+	Items []OIDCClientSecretRequest
+}

generated/1.30/apis/supervisor/clientsecret/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.30/apis/supervisor/clientsecret/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.30/apis/supervisor/clientsecret/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/supervisor/clientsecret
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=clientsecret.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
+package v1alpha1

generated/1.30/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "clientsecret.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -0,0 +1,53 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec OIDCClientSecretRequestSpec `json:"spec"`
+
+	// +optional
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}
+
+// Spec of the OIDCClientSecretRequest.
+type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
+	// +optional
+	GenerateNewSecret bool `json:"generateNewSecret"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
+	// +optional
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
+}
+
+// Status of the OIDCClientSecretRequest.
+type OIDCClientSecretRequestStatus struct {
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
+}
+
+// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// Items is a list of OIDCClientSecretRequest.
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.30/apis/supervisor/config/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/supervisor/config
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=config.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
+package v1alpha1

generated/1.30/apis/supervisor/config/v1alpha1/register.go

@@ -0,0 +1,45 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "config.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&FederationDomain{},
+		&FederationDomainList{},
+		&OIDCClient{},
+		&OIDCClientList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -0,0 +1,312 @@
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type FederationDomainPhase string
+
+const (
+	// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
+	FederationDomainPhasePending FederationDomainPhase = "Pending"
+
+	// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
+	FederationDomainPhaseReady FederationDomainPhase = "Ready"
+
+	// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
+	FederationDomainPhaseError FederationDomainPhase = "Error"
+)
+
+// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+type FederationDomainTLSSpec struct {
+	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
+	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+	// for TLS.
+	//
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+	// SecretName value even if they have different port numbers.
+	//
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+	// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+	// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// use the default TLS certificate, which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+	//
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
+// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
+// the transform expressions. This is a union type, and Type is the discriminator field.
+type FederationDomainTransformsConstant struct {
+	// Name determines the name of the constant. It must be a valid identifier name.
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=64
+	Name string `json:"name"`
+
+	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// +kubebuilder:validation:Enum=string;stringList
+	Type string `json:"type"`
+
+	// StringValue should hold the value when Type is "string", and is otherwise ignored.
+	// +optional
+	StringValue string `json:"stringValue,omitempty"`
+
+	// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
+	// +optional
+	StringListValue []string `json:"stringListValue,omitempty"`
+}
+
+// FederationDomainTransformsExpression defines a transform expression.
+type FederationDomainTransformsExpression struct {
+	// Type determines the type of the expression. It must be one of the supported types.
+	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
+	Type string `json:"type"`
+
+	// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
+	// +kubebuilder:validation:MinLength=1
+	Expression string `json:"expression"`
+
+	// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
+	// an authentication attempt. When empty, a default message will be used.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+// FederationDomainTransformsExample defines a transform example.
+type FederationDomainTransformsExample struct {
+	// Username is the input username.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username"`
+
+	// Groups is the input list of group names.
+	// +optional
+	Groups []string `json:"groups,omitempty"`
+
+	// Expects is the expected output of the entire sequence of transforms when they are run against the
+	// input Username and Groups.
+	Expects FederationDomainTransformsExampleExpects `json:"expects"`
+}
+
+// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
+type FederationDomainTransformsExampleExpects struct {
+	// Username is the expected username after the transformations have been applied.
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// Groups is the expected list of group names after the transformations have been applied.
+	// +optional
+	Groups []string `json:"groups,omitempty"`
+
+	// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
+	// after the transformations have been applied. True means that it is expected that the authentication would be
+	// rejected. The default value of false means that it is expected that the authentication would not be rejected
+	// by any policy expression.
+	// +optional
+	Rejected bool `json:"rejected,omitempty"`
+
+	// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
+	// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
+	// then Message will be treated as the default error message for authentication attempts which are rejected by a
+	// policy. When Rejected is false, then Message is the expected error message for some other non-policy
+	// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
+type FederationDomainTransforms struct {
+	// Constants defines constant variables and their values which will be made available to the transform expressions.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
+
+	// Expressions are an optional list of transforms and policies to be executed in the order given during every
+	// authentication attempt, including during every session refresh.
+	// Each is a CEL expression. It may use the basic CEL language as defined in
+	// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
+	// https://github.com/google/cel-go/tree/master/ext#strings.
+	//
+	// The username and groups extracted from the identity provider, and the constants defined in this CR, are
+	// available as variables in all expressions. The username is provided via a variable called `username` and
+	// the list of group names is provided via a variable called `groups` (which may be an empty list).
+	// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
+	// and `strListConst.varName` for string list constants.
+	//
+	// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
+	// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
+	// and the authentication attempt is rejected.
+	// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
+	// username or group names.
+	// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
+	// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
+	// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
+	// groups list.
+	// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
+	// After each expression, the new (potentially changed) username or groups get passed to the following expression.
+	//
+	// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
+	// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
+	// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
+	// and group names have been decided for that authentication attempt.
+	//
+	// +optional
+	Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
+
+	// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
+	// expected. Examples define sample input identities which are then run through the expression list, and the
+	// results are compared to the expected results. If any example in this list fails, then this
+	// identity provider will not be available for use within this FederationDomain, and the error(s) will be
+	// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
+	// expressions, and also act as living documentation for other administrators to better understand the expressions.
+	// +optional
+	Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
+}
+
+// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
+type FederationDomainIdentityProvider struct {
+	// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
+	// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
+	// disruptive change for those users.
+	// +kubebuilder:validation:MinLength=1
+	DisplayName string `json:"displayName"`
+
+	// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
+	// If the reference cannot be resolved then the identity provider will not be made available.
+	// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
+	// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
+	ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
+
+	// Transforms is an optional way to specify transformations to be applied during user authentication and
+	// session refresh.
+	// +optional
+	Transforms FederationDomainTransforms `json:"transforms,omitempty"`
+}
+
+// FederationDomainSpec is a struct that describes an OIDC Provider.
+type FederationDomainSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+
+	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
+	// +optional
+	TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
+
+	// IdentityProviders is the list of identity providers available for use by this FederationDomain.
+	//
+	// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
+	// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
+	// extract a normalized user identity. Normalized user identities include a username and a list of group names.
+	// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
+	// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
+	// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
+	// accidental conflicts when multiple identity providers have different users with the same username (e.g.
+	// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
+	// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
+	// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
+	// disallow the authentication unless the user belongs to a specific group in the identity provider.
+	//
+	// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
+	// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
+	// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
+	// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
+	// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
+	// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
+	// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
+	// explicitly list the identity provider using this IdentityProviders field.
+	//
+	// +optional
+	IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
+}
+
+// FederationDomainSecrets holds information about this OIDC Provider's secrets.
+type FederationDomainSecrets struct {
+	// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
+	// stored. If it is empty, then the signing/verification keys are either unknown or they don't
+	// exist.
+	// +optional
+	JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
+
+	// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+	// signing tokens is stored.
+	// +optional
+	TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
+
+	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+	// signing state parameters is stored.
+	// +optional
+	StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
+
+	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+	// encrypting state parameters is stored.
+	// +optional
+	StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
+}
+
+// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
+type FederationDomainStatus struct {
+	// Phase summarizes the overall status of the FederationDomain.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase FederationDomainPhase `json:"phase,omitempty"`
+
+	// Conditions represent the observations of an FederationDomain's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+
+	// Secrets contains information about this OIDC Provider's secrets.
+	// +optional
+	Secrets FederationDomainSecrets `json:"secrets,omitempty"`
+}
+
+// FederationDomain describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type FederationDomain struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec FederationDomainSpec `json:"spec"`
+
+	// Status of the OIDC provider.
+	Status FederationDomainStatus `json:"status,omitempty"`
+}
+
+// List of FederationDomain objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type FederationDomainList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []FederationDomain `json:"items"`
+}

generated/1.30/apis/supervisor/config/v1alpha1/types_oidcclient.go

@@ -0,0 +1,122 @@
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientPhase string
+
+const (
+	// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
+	OIDCClientPhasePending OIDCClientPhase = "Pending"
+
+	// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
+	OIDCClientPhaseReady OIDCClientPhase = "Ready"
+
+	// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
+	OIDCClientPhaseError OIDCClientPhase = "Error"
+)
+
+// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
+type RedirectURI string
+
+// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
+type GrantType string
+
+// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
+type Scope string
+
+// OIDCClientSpec is a struct that describes an OIDCClient.
+type OIDCClientSpec struct {
+	// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+	// client. Any other uris will be rejected.
+	// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
+	// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`
+
+	// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+	// client.
+	//
+	// Must only contain the following values:
+	// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+	//   authenticate users. This grant must always be listed.
+	// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+	//   This grant must be listed if allowedScopes lists offline_access.
+	// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+	//   which is a step in the process to be able to get a cluster credential for the user.
+	//   This grant must be listed if allowedScopes lists pinniped:request-audience.
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
+
+	// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+	//
+	// Must only contain the following values:
+	// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+	//   This scope must always be listed.
+	// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+	//   This scope must be listed if allowedGrantTypes lists refresh_token.
+	// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+	//   which is a step in the process to be able to get a cluster credential for the user.
+	//   openid, username and groups scopes must be listed when this scope is present.
+	//   This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+	// - username: The client is allowed to request that ID tokens contain the user's username.
+	//   Without the username scope being requested and allowed, the ID token will not contain the user's username.
+	// - groups: The client is allowed to request that ID tokens contain the user's group membership,
+	//   if their group membership is discoverable by the Supervisor.
+	//   Without the groups scope being requested and allowed, the ID token will not contain groups.
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	AllowedScopes []Scope `json:"allowedScopes"`
+}
+
+// OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
+type OIDCClientStatus struct {
+	// phase summarizes the overall status of the OIDCClient.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase OIDCClientPhase `json:"phase,omitempty"`
+
+	// conditions represent the observations of an OIDCClient's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+
+	// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
+	// +optional
+	TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
+}
+
+// OIDCClient describes the configuration of an OIDC client.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]`
+// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCClient struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC client.
+	Spec OIDCClientSpec `json:"spec"`
+
+	// Status of the OIDC client.
+	Status OIDCClientStatus `json:"status,omitempty"`
+}
+
+// List of OIDCClient objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClient `json:"items"`
+}

generated/1.30/apis/supervisor/idp/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=idp.supervisor.pinniped.dev
+// +groupGoName=IDP
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+package v1alpha1

generated/1.30/apis/supervisor/idp/v1alpha1/register.go

@@ -0,0 +1,47 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "idp.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCIdentityProvider{},
+		&OIDCIdentityProviderList{},
+		&LDAPIdentityProvider{},
+		&LDAPIdentityProviderList{},
+		&ActiveDirectoryIdentityProvider{},
+		&ActiveDirectoryIdentityProviderList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.30/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -0,0 +1,219 @@
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ActiveDirectoryIdentityProviderPhase string
+
+const (
+	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
+	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"
+
+	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
+	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"
+
+	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
+	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
+)
+
+// Status of an Active Directory identity provider.
+type ActiveDirectoryIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type ActiveDirectoryIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in Active Directory entry whose value shall become the username
+	// of the user after a successful authentication.
+	// Optional, when empty this defaults to "userPrincipalName".
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
+	// identify the user within this ActiveDirectory provider after a successful authentication.
+	// Optional, when empty this defaults to "objectGUID".
+	// +optional
+	UID string `json:"uid,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will be
+	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+	// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the filter were specified as
+	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+	// This searches nested groups by default.
+	// Note that nested group search can be slow for some Active Directory servers. To disable it,
+	// you can set the filter to
+	// "(&(objectClass=group)(member={})"
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
+}
+
+// Spec for configuring an ActiveDirectory identity provider.
+type ActiveDirectoryIdentityProviderSpec struct {
+	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in Active Directory.
+	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type ActiveDirectoryIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of ActiveDirectoryIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ActiveDirectoryIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ActiveDirectoryIdentityProvider `json:"items"`
+}

generated/1.30/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go

@@ -0,0 +1,207 @@
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type LDAPIdentityProviderPhase string
+
+const (
+	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
+	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"
+
+	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
+	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"
+
+	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
+	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
+)
+
+// Status of an LDAP identity provider.
+type LDAPIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the LDAPIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type LDAPIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type LDAPIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
+	// of the user after a successful authentication. This would typically be the same attribute name used in
+	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
+	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
+	// value of "dn={}" would not work.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
+	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+	// +kubebuilder:validation:MinLength=1
+	UID string `json:"uid,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type LDAPIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// +kubebuilder:validation:MinLength=1
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as the value from
+	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
+	// explicitly specified, since the default value of "dn={}" would not work.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
+	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
+	// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// For more information about LDAP filters, see https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
+}
+
+// Spec for configuring an LDAP identity provider.
+type LDAPIdentityProviderSpec struct {
+	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
+// Protocol (LDAP) identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type LDAPIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec LDAPIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of LDAPIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type LDAPIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []LDAPIdentityProvider `json:"items"`
+}

generated/1.30/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -0,0 +1,217 @@
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type OIDCIdentityProviderPhase string
+
+const (
+	// PhasePending is the default phase for newly-created OIDCIdentityProvider resources.
+	PhasePending OIDCIdentityProviderPhase = "Pending"
+
+	// PhaseReady is the phase for an OIDCIdentityProvider resource in a healthy state.
+	PhaseReady OIDCIdentityProviderPhase = "Ready"
+
+	// PhaseError is the phase for an OIDCIdentityProvider in an unhealthy state.
+	PhaseError OIDCIdentityProviderPhase = "Error"
+)
+
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
+type OIDCIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the OIDCIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase OIDCIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OIDCAuthorizationConfig struct {
+	// additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
+	// the following scopes: "openid", "offline_access", "email", and "profile". See
+	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
+	// scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
+	// "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
+	// or as common patterns used by providers who implement the standard in the ecosystem evolve.
+	// By setting this list to anything other than an empty list, you are overriding the
+	// default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
+	// If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
+	// Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
+	// may wish to include it in this list. Sometimes the scope to request the user's group membership is called
+	// "groups", but unfortunately this is not specified in the OIDC standard.
+	// Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by
+	// your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
+	// the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
+	// Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
+	// from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
+	// "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
+	// requirements for what to include in the request in order to receive a refresh token in the response, if anything.
+	// Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
+	// may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
+	// provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
+	// +optional
+	AdditionalScopes []string `json:"additionalScopes,omitempty"`
+
+	// additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
+	// The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
+	// should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
+	// ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
+	// This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
+	// Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
+	// Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
+	// parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
+	// authorization endpoint for its requirements for what to include in the request in order to receive a refresh
+	// token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
+	// then include it here. Also note that most providers also require a certain scope to be requested in order to
+	// receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
+	// refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"additionalAuthorizeParameters,omitempty"`
+
+	// allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
+	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
+	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
+	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
+	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
+	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
+	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
+	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
+	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
+	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
+	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
+	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
+	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
+	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
+	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
+	// allowPasswordGrant defaults to false.
+	// +optional
+	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
+}
+
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
+// OIDCClaims provides a mapping from upstream claims into identities.
+type OIDCClaims struct {
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
+	// +optional
+	Groups string `json:"groups"`
+
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
+	// +optional
+	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
+	// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
+	// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
+	// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
+}
+
+// OIDCClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OIDCClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
+type OIDCIdentityProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// TLS configuration for discovery/JWKS requests to the issuer.
+	// +optional
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	// +optional
+	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig,omitempty"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	// +optional
+	Claims OIDCClaims `json:"claims"`
+
+	// OIDCClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OIDCClient `json:"client"`
+}
+
+// OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type OIDCIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec OIDCIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCIdentityProvider `json:"items"`
+}

generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// Configuration for TLS parameters related to identity provider integration.
+type TLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+}

generated/1.30/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go

@@ -0,0 +1,66 @@
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// IDPType are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// as the "type" of each returned identity provider.
+type IDPType string
+
+// IDPFlow are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// in the array of allowed client "flows" for each returned identity provider.
+type IDPFlow string
+
+const (
+	IDPTypeOIDC            IDPType = "oidc"
+	IDPTypeLDAP            IDPType = "ldap"
+	IDPTypeActiveDirectory IDPType = "activedirectory"
+
+	IDPFlowCLIPassword     IDPFlow = "cli_password"
+	IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
+)
+
+// Equals is a convenience function for comparing an IDPType to a string.
+func (r IDPType) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPType to a string.
+func (r IDPType) String() string {
+	return string(r)
+}
+
+// Equals is a convenience function for comparing an IDPFlow to a string.
+func (r IDPFlow) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPFlow to a string.
+func (r IDPFlow) String() string {
+	return string(r)
+}
+
+// OIDCDiscoveryResponse is part of the response from a FederationDomain's OpenID Provider Configuration
+// Document returned by the .well-known/openid-configuration endpoint. It ignores all the standard OpenID Provider
+// configuration metadata and only picks out the portion related to Supervisor identity provider discovery.
+type OIDCDiscoveryResponse struct {
+	SupervisorDiscovery OIDCDiscoveryResponseIDPEndpoint `json:"discovery.supervisor.pinniped.dev/v1alpha1"`
+}
+
+// OIDCDiscoveryResponseIDPEndpoint contains the URL for the identity provider discovery endpoint.
+type OIDCDiscoveryResponseIDPEndpoint struct {
+	PinnipedIDPsEndpoint string `json:"pinniped_identity_providers_endpoint"`
+}
+
+// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
+type IDPDiscoveryResponse struct {
+	PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
+}
+
+// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
+// identity provider discovery endpoint.
+type PinnipedIDP struct {
+	Name  string    `json:"name"`
+	Type  IDPType   `json:"type"`
+	Flows []IDPFlow `json:"flows,omitempty"`
+}

generated/1.30/apis/supervisor/oidc/types_supervisor_oidc.go

@@ -0,0 +1,90 @@
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+// Constants related to the Supervisor FederationDomain's authorization and token endpoints.
+const (
+	// AuthorizeUsernameHeaderName is the name of the HTTP header which can be used to transmit a username
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizeUsernameHeaderName = "Pinniped-Username"
+
+	// AuthorizePasswordHeaderName is the name of the HTTP header which can be used to transmit a password
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
+
+	// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select
+	// which identity provider should be used for authentication by sending the name of the desired identity provider.
+	AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
+
+	// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select
+	// which identity provider should be used for authentication by sending the type of the desired identity provider.
+	AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+
+	// IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec.
+	IDTokenClaimIssuer = "iss"
+
+	// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
+	IDTokenClaimSubject = "sub"
+
+	// IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim
+	// in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated.
+	IDTokenSubClaimIDPNameQueryParam = "idpName"
+
+	// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
+	IDTokenClaimAuthorizedParty = "azp"
+
+	// IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's
+	// username which was mapped from the upstream identity provider.
+	IDTokenClaimUsername = "username"
+
+	// IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's
+	// group names which were mapped from the upstream identity provider.
+	IDTokenClaimGroups = "groups"
+
+	// IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID
+	// token, if any claims are present.
+	IDTokenClaimAdditionalClaims = "additionalClaims"
+
+	// GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
+	GrantTypeAuthorizationCode = "authorization_code"
+
+	// GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec.
+	GrantTypeRefreshToken = "refresh_token"
+
+	// GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges.
+	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
+
+	// ScopeOpenID is name of the openid scope defined by the OIDC spec.
+	ScopeOpenID = "openid"
+
+	// ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh
+	// tokens.
+	ScopeOfflineAccess = "offline_access"
+
+	// ScopeEmail is name of the email scope defined by the OIDC spec.
+	ScopeEmail = "email"
+
+	// ScopeProfile is name of the profile scope defined by the OIDC spec.
+	ScopeProfile = "profile"
+
+	// ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside
+	// ID tokens.
+	ScopeUsername = "username"
+
+	// ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside
+	// ID tokens.
+	ScopeGroups = "groups"
+
+	// ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to
+	// be used to request a different audience.
+	ScopeRequestAudience = "pinniped:request-audience"
+
+	// ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI.
+	ClientIDPinnipedCLI = "pinniped-cli"
+
+	// ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs.
+	ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-"
+)

generated/1.30/client/go.mod

@@ -0,0 +1,13 @@
+// This go.mod file is generated by ./hack/update.sh.
+module go.pinniped.dev/generated/1.30/client
+
+go 1.22.0
+
+replace go.pinniped.dev/generated/1.30/apis => ../apis
+
+require (
+	go.pinniped.dev/generated/1.30/apis v0.0.0
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
+)

generated/1.30/client/go.sum

@@ -0,0 +1,52 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
+k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
+k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
+k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
+k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
+k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

hack/lib/kube-versions.txt

@@ -1,9 +1,12 @@
 # This file lists the versions of Kubernetes to use for codegen.
 # They must be listed newest to oldest.
-1.29.2
-1.28.7
-1.27.11
-1.26.14
+# New releases are listed at https://kubernetes.io/releases/.
+# Older releases are listed at https://kubernetes.io/releases/patch-releases/.
+1.30.0
+1.29.4
+1.28.9
+1.27.13
+1.26.15
 1.25.16
 1.24.17
 1.23.17