rerun codegen: adds rest of 1.30 codegen, updates old generated doc files

2026-04-28 11:57:14 +00:00 · 2024-04-30 14:06:40 -07:00
parent d0781c42dc
commit 9d21bcacb6
174 changed files with 65694 additions and 1889 deletions
--- a/generated/1.24/README.adoc
+++ b/generated/1.24/README.adoc
--- a/generated/1.24/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.24/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.24/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.24/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.24/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.24/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.24/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.24/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.24/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
--- a/generated/1.25/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.25/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.25/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.25/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.25/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.25/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.25/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.26/README.adoc
+++ b/generated/1.26/README.adoc
--- a/generated/1.26/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.26/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.26/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.26/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.26/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.26/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.26/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.26/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.26/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
--- a/generated/1.27/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.27/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.27/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.27/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.27/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.27/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.27/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.27/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.27/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.28/README.adoc
+++ b/generated/1.28/README.adoc
--- a/generated/1.28/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.28/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.28/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.28/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.28/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.28/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.28/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.28/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.28/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.29/README.adoc
+++ b/generated/1.29/README.adoc
--- a/generated/1.29/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.29/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.29/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.29/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.29/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.29/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.29/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.29/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.29/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.30/README.adoc
+++ b/generated/1.30/README.adoc
--- a/generated/1.30/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.30/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=authentication.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
--- a/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,257 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.
+func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator {
+	if in == nil {
+		return nil
+	}
+	out := new(JWTAuthenticator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JWTAuthenticator) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTAuthenticatorList) DeepCopyInto(out *JWTAuthenticatorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]JWTAuthenticator, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorList.
+func (in *JWTAuthenticatorList) DeepCopy() *JWTAuthenticatorList {
+	if in == nil {
+		return nil
+	}
+	out := new(JWTAuthenticatorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
+	*out = *in
+	out.Claims = in.Claims
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorSpec.
+func (in *JWTAuthenticatorSpec) DeepCopy() *JWTAuthenticatorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JWTAuthenticatorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTAuthenticatorStatus) DeepCopyInto(out *JWTAuthenticatorStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorStatus.
+func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JWTAuthenticatorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
+func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(JWTTokenClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
+func (in *TLSSpec) DeepCopy() *TLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
+func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAuthenticator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]WebhookAuthenticator, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
+func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAuthenticatorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
+func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAuthenticatorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
+func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAuthenticatorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.30/apis/concierge/config/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.concierge.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
--- a/generated/1.30/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,280 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
+func (in *CredentialIssuer) DeepCopy() *CredentialIssuer {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerFrontend) DeepCopyInto(out *CredentialIssuerFrontend) {
+	*out = *in
+	if in.TokenCredentialRequestAPIInfo != nil {
+		in, out := &in.TokenCredentialRequestAPIInfo, &out.TokenCredentialRequestAPIInfo
+		*out = new(TokenCredentialRequestAPIInfo)
+		**out = **in
+	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(ImpersonationProxyInfo)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerFrontend.
+func (in *CredentialIssuerFrontend) DeepCopy() *CredentialIssuerFrontend {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerFrontend)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
+func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerKubeConfigInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CredentialIssuer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
+func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	if in.ImpersonationProxy != nil {
+		in, out := &in.ImpersonationProxy, &out.ImpersonationProxy
+		*out = new(ImpersonationProxySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
+	*out = *in
+	if in.Strategies != nil {
+		in, out := &in.Strategies, &out.Strategies
+		*out = make([]CredentialIssuerStrategy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KubeConfigInfo != nil {
+		in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
+		*out = new(CredentialIssuerKubeConfigInfo)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
+func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	if in.Frontend != nil {
+		in, out := &in.Frontend, &out.Frontend
+		*out = new(CredentialIssuerFrontend)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
+func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyInfo) DeepCopyInto(out *ImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyInfo.
+func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestAPIInfo.
+func (in *TokenCredentialRequestAPIInfo) DeepCopy() *TokenCredentialRequestAPIInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestAPIInfo)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,235 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	identity "go.pinniped.dev/generated/1.30/apis/concierge/identity"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*KubernetesUserInfo)(nil), (*identity.KubernetesUserInfo)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo(a.(*KubernetesUserInfo), b.(*identity.KubernetesUserInfo), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.KubernetesUserInfo)(nil), (*KubernetesUserInfo)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo(a.(*identity.KubernetesUserInfo), b.(*KubernetesUserInfo), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*UserInfo)(nil), (*identity.UserInfo)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_UserInfo_To_identity_UserInfo(a.(*UserInfo), b.(*identity.UserInfo), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.UserInfo)(nil), (*UserInfo)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_UserInfo_To_v1alpha1_UserInfo(a.(*identity.UserInfo), b.(*UserInfo), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*WhoAmIRequest)(nil), (*identity.WhoAmIRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WhoAmIRequest_To_identity_WhoAmIRequest(a.(*WhoAmIRequest), b.(*identity.WhoAmIRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.WhoAmIRequest)(nil), (*WhoAmIRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_WhoAmIRequest_To_v1alpha1_WhoAmIRequest(a.(*identity.WhoAmIRequest), b.(*WhoAmIRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*WhoAmIRequestList)(nil), (*identity.WhoAmIRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WhoAmIRequestList_To_identity_WhoAmIRequestList(a.(*WhoAmIRequestList), b.(*identity.WhoAmIRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.WhoAmIRequestList)(nil), (*WhoAmIRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_WhoAmIRequestList_To_v1alpha1_WhoAmIRequestList(a.(*identity.WhoAmIRequestList), b.(*WhoAmIRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*WhoAmIRequestSpec)(nil), (*identity.WhoAmIRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec(a.(*WhoAmIRequestSpec), b.(*identity.WhoAmIRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.WhoAmIRequestSpec)(nil), (*WhoAmIRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec(a.(*identity.WhoAmIRequestSpec), b.(*WhoAmIRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*WhoAmIRequestStatus)(nil), (*identity.WhoAmIRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus(a.(*WhoAmIRequestStatus), b.(*identity.WhoAmIRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*identity.WhoAmIRequestStatus)(nil), (*WhoAmIRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus(a.(*identity.WhoAmIRequestStatus), b.(*WhoAmIRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo(in *KubernetesUserInfo, out *identity.KubernetesUserInfo, s conversion.Scope) error {
+	if err := Convert_v1alpha1_UserInfo_To_identity_UserInfo(&in.User, &out.User, s); err != nil {
+		return err
+	}
+	out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences))
+	return nil
+}
+
+// Convert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo is an autogenerated conversion function.
+func Convert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo(in *KubernetesUserInfo, out *identity.KubernetesUserInfo, s conversion.Scope) error {
+	return autoConvert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo(in, out, s)
+}
+
+func autoConvert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo(in *identity.KubernetesUserInfo, out *KubernetesUserInfo, s conversion.Scope) error {
+	if err := Convert_identity_UserInfo_To_v1alpha1_UserInfo(&in.User, &out.User, s); err != nil {
+		return err
+	}
+	out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences))
+	return nil
+}
+
+// Convert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo is an autogenerated conversion function.
+func Convert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo(in *identity.KubernetesUserInfo, out *KubernetesUserInfo, s conversion.Scope) error {
+	return autoConvert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo(in, out, s)
+}
+
+func autoConvert_v1alpha1_UserInfo_To_identity_UserInfo(in *UserInfo, out *identity.UserInfo, s conversion.Scope) error {
+	out.Username = in.Username
+	out.UID = in.UID
+	out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
+	out.Extra = *(*map[string]identity.ExtraValue)(unsafe.Pointer(&in.Extra))
+	return nil
+}
+
+// Convert_v1alpha1_UserInfo_To_identity_UserInfo is an autogenerated conversion function.
+func Convert_v1alpha1_UserInfo_To_identity_UserInfo(in *UserInfo, out *identity.UserInfo, s conversion.Scope) error {
+	return autoConvert_v1alpha1_UserInfo_To_identity_UserInfo(in, out, s)
+}
+
+func autoConvert_identity_UserInfo_To_v1alpha1_UserInfo(in *identity.UserInfo, out *UserInfo, s conversion.Scope) error {
+	out.Username = in.Username
+	out.UID = in.UID
+	out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
+	out.Extra = *(*map[string]ExtraValue)(unsafe.Pointer(&in.Extra))
+	return nil
+}
+
+// Convert_identity_UserInfo_To_v1alpha1_UserInfo is an autogenerated conversion function.
+func Convert_identity_UserInfo_To_v1alpha1_UserInfo(in *identity.UserInfo, out *UserInfo, s conversion.Scope) error {
+	return autoConvert_identity_UserInfo_To_v1alpha1_UserInfo(in, out, s)
+}
+
+func autoConvert_v1alpha1_WhoAmIRequest_To_identity_WhoAmIRequest(in *WhoAmIRequest, out *identity.WhoAmIRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_WhoAmIRequest_To_identity_WhoAmIRequest is an autogenerated conversion function.
+func Convert_v1alpha1_WhoAmIRequest_To_identity_WhoAmIRequest(in *WhoAmIRequest, out *identity.WhoAmIRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WhoAmIRequest_To_identity_WhoAmIRequest(in, out, s)
+}
+
+func autoConvert_identity_WhoAmIRequest_To_v1alpha1_WhoAmIRequest(in *identity.WhoAmIRequest, out *WhoAmIRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_identity_WhoAmIRequest_To_v1alpha1_WhoAmIRequest is an autogenerated conversion function.
+func Convert_identity_WhoAmIRequest_To_v1alpha1_WhoAmIRequest(in *identity.WhoAmIRequest, out *WhoAmIRequest, s conversion.Scope) error {
+	return autoConvert_identity_WhoAmIRequest_To_v1alpha1_WhoAmIRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_WhoAmIRequestList_To_identity_WhoAmIRequestList(in *WhoAmIRequestList, out *identity.WhoAmIRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]identity.WhoAmIRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_WhoAmIRequestList_To_identity_WhoAmIRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_WhoAmIRequestList_To_identity_WhoAmIRequestList(in *WhoAmIRequestList, out *identity.WhoAmIRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WhoAmIRequestList_To_identity_WhoAmIRequestList(in, out, s)
+}
+
+func autoConvert_identity_WhoAmIRequestList_To_v1alpha1_WhoAmIRequestList(in *identity.WhoAmIRequestList, out *WhoAmIRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]WhoAmIRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_identity_WhoAmIRequestList_To_v1alpha1_WhoAmIRequestList is an autogenerated conversion function.
+func Convert_identity_WhoAmIRequestList_To_v1alpha1_WhoAmIRequestList(in *identity.WhoAmIRequestList, out *WhoAmIRequestList, s conversion.Scope) error {
+	return autoConvert_identity_WhoAmIRequestList_To_v1alpha1_WhoAmIRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec(in *WhoAmIRequestSpec, out *identity.WhoAmIRequestSpec, s conversion.Scope) error {
+	return nil
+}
+
+// Convert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec(in *WhoAmIRequestSpec, out *identity.WhoAmIRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WhoAmIRequestSpec_To_identity_WhoAmIRequestSpec(in, out, s)
+}
+
+func autoConvert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec(in *identity.WhoAmIRequestSpec, out *WhoAmIRequestSpec, s conversion.Scope) error {
+	return nil
+}
+
+// Convert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec is an autogenerated conversion function.
+func Convert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec(in *identity.WhoAmIRequestSpec, out *WhoAmIRequestSpec, s conversion.Scope) error {
+	return autoConvert_identity_WhoAmIRequestSpec_To_v1alpha1_WhoAmIRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus(in *WhoAmIRequestStatus, out *identity.WhoAmIRequestStatus, s conversion.Scope) error {
+	if err := Convert_v1alpha1_KubernetesUserInfo_To_identity_KubernetesUserInfo(&in.KubernetesUserInfo, &out.KubernetesUserInfo, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus(in *WhoAmIRequestStatus, out *identity.WhoAmIRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WhoAmIRequestStatus_To_identity_WhoAmIRequestStatus(in, out, s)
+}
+
+func autoConvert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus(in *identity.WhoAmIRequestStatus, out *WhoAmIRequestStatus, s conversion.Scope) error {
+	if err := Convert_identity_KubernetesUserInfo_To_v1alpha1_KubernetesUserInfo(&in.KubernetesUserInfo, &out.KubernetesUserInfo, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus is an autogenerated conversion function.
+func Convert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus(in *identity.WhoAmIRequestStatus, out *WhoAmIRequestStatus, s conversion.Scope) error {
+	return autoConvert_identity_WhoAmIRequestStatus_To_v1alpha1_WhoAmIRequestStatus(in, out, s)
+}
--- a/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,185 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ExtraValue) DeepCopyInto(out *ExtraValue) {
+	{
+		in := &in
+		*out = make(ExtraValue, len(*in))
+		copy(*out, *in)
+		return
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraValue.
+func (in ExtraValue) DeepCopy() ExtraValue {
+	if in == nil {
+		return nil
+	}
+	out := new(ExtraValue)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesUserInfo) DeepCopyInto(out *KubernetesUserInfo) {
+	*out = *in
+	in.User.DeepCopyInto(&out.User)
+	if in.Audiences != nil {
+		in, out := &in.Audiences, &out.Audiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesUserInfo.
+func (in *KubernetesUserInfo) DeepCopy() *KubernetesUserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesUserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserInfo) DeepCopyInto(out *UserInfo) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			var outVal []string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = make(ExtraValue, len(*in))
+				copy(*out, *in)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
+func (in *UserInfo) DeepCopy() *UserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(UserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequest) DeepCopyInto(out *WhoAmIRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequest.
+func (in *WhoAmIRequest) DeepCopy() *WhoAmIRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WhoAmIRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestList) DeepCopyInto(out *WhoAmIRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]WhoAmIRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestList.
+func (in *WhoAmIRequestList) DeepCopy() *WhoAmIRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WhoAmIRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestSpec) DeepCopyInto(out *WhoAmIRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestSpec.
+func (in *WhoAmIRequestSpec) DeepCopy() *WhoAmIRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestStatus) DeepCopyInto(out *WhoAmIRequestStatus) {
+	*out = *in
+	in.KubernetesUserInfo.DeepCopyInto(&out.KubernetesUserInfo)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestStatus.
+func (in *WhoAmIRequestStatus) DeepCopy() *WhoAmIRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.30/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
--- a/generated/1.30/apis/concierge/identity/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/identity/zz_generated.deepcopy.go
@@ -0,0 +1,185 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package identity
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ExtraValue) DeepCopyInto(out *ExtraValue) {
+	{
+		in := &in
+		*out = make(ExtraValue, len(*in))
+		copy(*out, *in)
+		return
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraValue.
+func (in ExtraValue) DeepCopy() ExtraValue {
+	if in == nil {
+		return nil
+	}
+	out := new(ExtraValue)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesUserInfo) DeepCopyInto(out *KubernetesUserInfo) {
+	*out = *in
+	in.User.DeepCopyInto(&out.User)
+	if in.Audiences != nil {
+		in, out := &in.Audiences, &out.Audiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesUserInfo.
+func (in *KubernetesUserInfo) DeepCopy() *KubernetesUserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesUserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserInfo) DeepCopyInto(out *UserInfo) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			var outVal []string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = make(ExtraValue, len(*in))
+				copy(*out, *in)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
+func (in *UserInfo) DeepCopy() *UserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(UserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequest) DeepCopyInto(out *WhoAmIRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequest.
+func (in *WhoAmIRequest) DeepCopy() *WhoAmIRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WhoAmIRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestList) DeepCopyInto(out *WhoAmIRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]WhoAmIRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestList.
+func (in *WhoAmIRequestList) DeepCopy() *WhoAmIRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WhoAmIRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestSpec) DeepCopyInto(out *WhoAmIRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestSpec.
+func (in *WhoAmIRequestSpec) DeepCopy() *WhoAmIRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WhoAmIRequestStatus) DeepCopyInto(out *WhoAmIRequestStatus) {
+	*out = *in
+	in.KubernetesUserInfo.DeepCopyInto(&out.KubernetesUserInfo)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhoAmIRequestStatus.
+func (in *WhoAmIRequestStatus) DeepCopy() *WhoAmIRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WhoAmIRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,201 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	login "go.pinniped.dev/generated/1.30/apis/concierge/login"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*ClusterCredential)(nil), (*login.ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(a.(*ClusterCredential), b.(*login.ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.ClusterCredential)(nil), (*ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(a.(*login.ClusterCredential), b.(*ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequest)(nil), (*login.TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(a.(*TokenCredentialRequest), b.(*login.TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequest)(nil), (*TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(a.(*login.TokenCredentialRequest), b.(*TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestList)(nil), (*login.TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(a.(*TokenCredentialRequestList), b.(*login.TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestList)(nil), (*TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(a.(*login.TokenCredentialRequestList), b.(*TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestSpec)(nil), (*login.TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(a.(*TokenCredentialRequestSpec), b.(*login.TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestSpec)(nil), (*TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(a.(*login.TokenCredentialRequestSpec), b.(*TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestStatus)(nil), (*login.TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(a.(*TokenCredentialRequestStatus), b.(*login.TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestStatus)(nil), (*TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(a.(*login.TokenCredentialRequestStatus), b.(*TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential is an autogenerated conversion function.
+func Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in, out, s)
+}
+
+func autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential is an autogenerated conversion function.
+func Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	return autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]login.TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	out.Authenticator = in.Authenticator
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	out.Authenticator = in.Authenticator
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*login.ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in, out, s)
+}
--- a/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,134 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.30/apis/concierge/login/v1alpha1/zz_generated.defaults.go
@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
--- a/generated/1.30/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/concierge/login/zz_generated.deepcopy.go
@@ -0,0 +1,134 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package login
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	in.Authenticator.DeepCopyInto(&out.Authenticator)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/go.mod
+++ b/generated/1.30/apis/go.mod
@@ -3,6 +3,8 @@ module go.pinniped.dev/generated/1.30/apis

 go 1.22.0

+toolchain go1.22.2
+
 require (
 	k8s.io/api v0.30.0
 	k8s.io/apimachinery v0.30.0
--- a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,165 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	clientsecret "go.pinniped.dev/generated/1.30/apis/supervisor/clientsecret"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*clientsecret.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*clientsecret.OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*clientsecret.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*clientsecret.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*clientsecret.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*clientsecret.OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*clientsecret.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *clientsecret.OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequest_To_clientsecret_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *clientsecret.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *clientsecret.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *clientsecret.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_clientsecret_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *clientsecret.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}
--- a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,106 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
--- a/generated/1.30/apis/supervisor/clientsecret/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -0,0 +1,106 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package clientsecret
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.30/apis/supervisor/config/v1alpha1/doc.go
@@ -1,10 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/supervisor/config
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=config.supervisor.pinniped.dev

 // Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
--- a/generated/1.30/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,433 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomain) DeepCopyInto(out *FederationDomain) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomain.
+func (in *FederationDomain) DeepCopy() *FederationDomain {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomain)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FederationDomain) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider) {
+	*out = *in
+	in.ObjectRef.DeepCopyInto(&out.ObjectRef)
+	in.Transforms.DeepCopyInto(&out.Transforms)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
+func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]FederationDomain, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainList.
+func (in *FederationDomainList) DeepCopy() *FederationDomainList {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FederationDomainList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainSecrets) DeepCopyInto(out *FederationDomainSecrets) {
+	*out = *in
+	out.JWKS = in.JWKS
+	out.TokenSigningKey = in.TokenSigningKey
+	out.StateSigningKey = in.StateSigningKey
+	out.StateEncryptionKey = in.StateEncryptionKey
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSecrets.
+func (in *FederationDomainSecrets) DeepCopy() *FederationDomainSecrets {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainSecrets)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(FederationDomainTLSSpec)
+		**out = **in
+	}
+	if in.IdentityProviders != nil {
+		in, out := &in.IdentityProviders, &out.IdentityProviders
+		*out = make([]FederationDomainIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSpec.
+func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	out.Secrets = in.Secrets
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainStatus.
+func (in *FederationDomainStatus) DeepCopy() *FederationDomainStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTLSSpec) DeepCopyInto(out *FederationDomainTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTLSSpec.
+func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms) {
+	*out = *in
+	if in.Constants != nil {
+		in, out := &in.Constants, &out.Constants
+		*out = make([]FederationDomainTransformsConstant, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Expressions != nil {
+		in, out := &in.Expressions, &out.Expressions
+		*out = make([]FederationDomainTransformsExpression, len(*in))
+		copy(*out, *in)
+	}
+	if in.Examples != nil {
+		in, out := &in.Examples, &out.Examples
+		*out = make([]FederationDomainTransformsExample, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
+func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTransforms)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant) {
+	*out = *in
+	if in.StringListValue != nil {
+		in, out := &in.StringListValue, &out.StringListValue
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
+func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTransformsConstant)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	in.Expects.DeepCopyInto(&out.Expects)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
+func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTransformsExample)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
+func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTransformsExampleExpects)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
+func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression {
+	if in == nil {
+		return nil
+	}
+	out := new(FederationDomainTransformsExpression)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClient) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClient, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
+func (in *OIDCClientList) DeepCopy() *OIDCClientList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
+	*out = *in
+	if in.AllowedRedirectURIs != nil {
+		in, out := &in.AllowedRedirectURIs, &out.AllowedRedirectURIs
+		*out = make([]RedirectURI, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowedGrantTypes != nil {
+		in, out := &in.AllowedGrantTypes, &out.AllowedGrantTypes
+		*out = make([]GrantType, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowedScopes != nil {
+		in, out := &in.AllowedScopes, &out.AllowedScopes
+		*out = make([]Scope, len(*in))
+		copy(*out, *in)
+	}
+	in.TokenLifetimes.DeepCopyInto(&out.TokenLifetimes)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
+func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
+func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientTokenLifetimes) DeepCopyInto(out *OIDCClientTokenLifetimes) {
+	*out = *in
+	if in.IDTokenSeconds != nil {
+		in, out := &in.IDTokenSeconds, &out.IDTokenSeconds
+		*out = new(int32)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientTokenLifetimes.
+func (in *OIDCClientTokenLifetimes) DeepCopy() *OIDCClientTokenLifetimes {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientTokenLifetimes)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/apis/supervisor/idp/v1alpha1/doc.go
+++ b/generated/1.30/apis/supervisor/idp/v1alpha1/doc.go
@@ -1,9 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:defaulter-gen=TypeMeta
 // +groupName=idp.supervisor.pinniped.dev
 // +groupGoName=IDP

--- a/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,599 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyInto(out *ActiveDirectoryIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.
+func (in *ActiveDirectoryIdentityProvider) DeepCopy() *ActiveDirectoryIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopyInto(out *ActiveDirectoryIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopy() *ActiveDirectoryIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyInto(out *ActiveDirectoryIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ActiveDirectoryIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopy() *ActiveDirectoryIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectoryIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopy() *ActiveDirectoryIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopyInto(out *ActiveDirectoryIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopy() *ActiveDirectoryIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopy() *ActiveDirectoryIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
+func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.
+func (in *LDAPIdentityProviderBind) DeepCopy() *LDAPIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopyInto(out *LDAPIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopy() *LDAPIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopy() *LDAPIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]LDAPIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.
+func (in *LDAPIdentityProviderList) DeepCopy() *LDAPIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.
+func (in *LDAPIdentityProviderSpec) DeepCopy() *LDAPIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderStatus) DeepCopyInto(out *LDAPIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.
+func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearch) DeepCopyInto(out *LDAPIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.
+func (in *LDAPIdentityProviderUserSearch) DeepCopy() *LDAPIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopy() *LDAPIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
+	*out = *in
+	if in.AdditionalScopes != nil {
+		in, out := &in.AdditionalScopes, &out.AdditionalScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
+func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
+	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
+func (in *OIDCClaims) DeepCopy() *OIDCClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityProvider) DeepCopyInto(out *OIDCIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProvider.
+func (in *OIDCIdentityProvider) DeepCopy() *OIDCIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityProviderList) DeepCopyInto(out *OIDCIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderList.
+func (in *OIDCIdentityProviderList) DeepCopy() *OIDCIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	in.Claims.DeepCopyInto(&out.Claims)
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderSpec.
+func (in *OIDCIdentityProviderSpec) DeepCopy() *OIDCIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityProviderStatus) DeepCopyInto(out *OIDCIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderStatus.
+func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
+func (in *TLSSpec) DeepCopy() *TLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.30/client/concierge/clientset/versioned/clientset.go
+++ b/generated/1.30/client/concierge/clientset/versioned/clientset.go
@@ -0,0 +1,146 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+	"fmt"
+	"net/http"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1"
+	identityv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1"
+	loginv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1"
+	discovery "k8s.io/client-go/discovery"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
+	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
+	IdentityV1alpha1() identityv1alpha1.IdentityV1alpha1Interface
+	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
+}
+
+// Clientset contains the clients for groups.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	identityV1alpha1       *identityv1alpha1.IdentityV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
+}
+
+// ConfigV1alpha1 retrieves the ConfigV1alpha1Client
+func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
+	return c.configV1alpha1
+}
+
+// IdentityV1alpha1 retrieves the IdentityV1alpha1Client
+func (c *Clientset) IdentityV1alpha1() identityv1alpha1.IdentityV1alpha1Interface {
+	return c.identityV1alpha1
+}
+
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return c.loginV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+
+	if configShallowCopy.UserAgent == "" {
+		configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	// share the transport between all clients
+	httpClient, err := rest.HTTPClientFor(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewForConfigAndClient(&configShallowCopy, httpClient)
+}
+
+// NewForConfigAndClient creates a new Clientset for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfigAndClient will generate a rate-limiter in configShallowCopy.
+func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+
+	var cs Clientset
+	var err error
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	cs.configV1alpha1, err = configv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	cs.identityV1alpha1, err = identityv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	cs.loginV1alpha1, err = loginv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	cs, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
+	cs.configV1alpha1 = configv1alpha1.New(c)
+	cs.identityV1alpha1 = identityv1alpha1.New(c)
+	cs.loginV1alpha1 = loginv1alpha1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}
--- a/generated/1.30/client/concierge/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.30/client/concierge/clientset/versioned/fake/clientset_generated.go
@@ -0,0 +1,93 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	clientset "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake"
+	configv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1"
+	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake"
+	identityv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1"
+	fakeidentityv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake"
+	loginv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1"
+	fakeloginv1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/testing"
+)
+
+// NewSimpleClientset returns a clientset that will respond with the provided objects.
+// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
+// without applying any validations and/or defaults. It shouldn't be considered a replacement
+// for a real clientset and is mostly useful in simple unit tests.
+func NewSimpleClientset(objects ...runtime.Object) *Clientset {
+	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range objects {
+		if err := o.Add(obj); err != nil {
+			panic(err)
+		}
+	}
+
+	cs := &Clientset{tracker: o}
+	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
+	cs.AddReactor("*", "*", testing.ObjectReaction(o))
+	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
+
+	return cs
+}
+
+// Clientset implements clientset.Interface. Meant to be embedded into a
+// struct to get a default implementation. This makes faking out just the method
+// you want to test easier.
+type Clientset struct {
+	testing.Fake
+	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
+}
+
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	return c.discovery
+}
+
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
+var (
+	_ clientset.Interface = &Clientset{}
+	_ testing.FakeClient  = &Clientset{}
+)
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
+// ConfigV1alpha1 retrieves the ConfigV1alpha1Client
+func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
+	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
+}
+
+// IdentityV1alpha1 retrieves the IdentityV1alpha1Client
+func (c *Clientset) IdentityV1alpha1() identityv1alpha1.IdentityV1alpha1Interface {
+	return &fakeidentityv1alpha1.FakeIdentityV1alpha1{Fake: &c.Fake}
+}
+
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
+}
--- a/generated/1.30/client/concierge/clientset/versioned/fake/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated fake clientset.
+package fake
--- a/generated/1.30/client/concierge/clientset/versioned/fake/register.go
+++ b/generated/1.30/client/concierge/clientset/versioned/fake/register.go
@@ -0,0 +1,49 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	identityv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/identity/v1alpha1"
+	loginv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var scheme = runtime.NewScheme()
+var codecs = serializer.NewCodecFactory(scheme)
+
+var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
+	configv1alpha1.AddToScheme,
+	identityv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//	import (
+//	  "k8s.io/client-go/kubernetes"
+//	  clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//	  aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//	)
+//
+//	kclientset, _ := kubernetes.NewForConfig(c)
+//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(scheme))
+}
--- a/generated/1.30/client/concierge/clientset/versioned/scheme/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/scheme/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme
--- a/generated/1.30/client/concierge/clientset/versioned/scheme/register.go
+++ b/generated/1.30/client/concierge/clientset/versioned/scheme/register.go
@@ -0,0 +1,49 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package scheme
+
+import (
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	identityv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/identity/v1alpha1"
+	loginv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
+	configv1alpha1.AddToScheme,
+	identityv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//	import (
+//	  "k8s.io/client-go/kubernetes"
+//	  clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//	  aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//	)
+//
+//	kclientset, _ := kubernetes.NewForConfig(c)
+//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(Scheme))
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -0,0 +1,99 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"net/http"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	"go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AuthenticationV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	JWTAuthenticatorsGetter
+	WebhookAuthenticatorsGetter
+}
+
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AuthenticationV1alpha1Client) JWTAuthenticators() JWTAuthenticatorInterface {
+	return newJWTAuthenticators(c)
+}
+
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators() WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c)
+}
+
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new AuthenticationV1alpha1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*AuthenticationV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthenticationV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -0,0 +1,31 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeAuthenticationV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeAuthenticationV1alpha1) JWTAuthenticators() v1alpha1.JWTAuthenticatorInterface {
+	return &FakeJWTAuthenticators{c}
+}
+
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators() v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go
@@ -0,0 +1,119 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeJWTAuthenticators implements JWTAuthenticatorInterface
+type FakeJWTAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+}
+
+var jwtauthenticatorsResource = v1alpha1.SchemeGroupVersion.WithResource("jwtauthenticators")
+
+var jwtauthenticatorsKind = v1alpha1.SchemeGroupVersion.WithKind("JWTAuthenticator")
+
+// Get takes name of the jWTAuthenticator, and returns the corresponding jWTAuthenticator object, and an error if there is any.
+func (c *FakeJWTAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootGetAction(jwtauthenticatorsResource, name), &v1alpha1.JWTAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of JWTAuthenticators that match those selectors.
+func (c *FakeJWTAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.JWTAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootListAction(jwtauthenticatorsResource, jwtauthenticatorsKind, opts), &v1alpha1.JWTAuthenticatorList{})
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.JWTAuthenticatorList{ListMeta: obj.(*v1alpha1.JWTAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.JWTAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested jWTAuthenticators.
+func (c *FakeJWTAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewRootWatchAction(jwtauthenticatorsResource, opts))
+}
+
+// Create takes the representation of a jWTAuthenticator and creates it.  Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
+func (c *FakeJWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.CreateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), err
+}
+
+// Update takes the representation of a jWTAuthenticator and updates it. Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
+func (c *FakeJWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeJWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (*v1alpha1.JWTAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateSubresourceAction(jwtauthenticatorsResource, "status", jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), err
+}
+
+// Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeJWTAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewRootDeleteActionWithOptions(jwtauthenticatorsResource, name, opts), &v1alpha1.JWTAuthenticator{})
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeJWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewRootDeleteCollectionAction(jwtauthenticatorsResource, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.JWTAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched jWTAuthenticator.
+func (c *FakeJWTAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootPatchSubresourceAction(jwtauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.JWTAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), err
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -0,0 +1,119 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
+type FakeWebhookAuthenticators struct {
+	Fake *FakeAuthenticationV1alpha1
+}
+
+var webhookauthenticatorsResource = v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators")
+
+var webhookauthenticatorsKind = v1alpha1.SchemeGroupVersion.WithKind("WebhookAuthenticator")
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootGetAction(webhookauthenticatorsResource, name), &v1alpha1.WebhookAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, opts), &v1alpha1.WebhookAuthenticatorList{})
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.WebhookAuthenticatorList{ListMeta: obj.(*v1alpha1.WebhookAuthenticatorList).ListMeta}
+	for _, item := range obj.(*v1alpha1.WebhookAuthenticatorList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewRootWatchAction(webhookauthenticatorsResource, opts))
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateSubresourceAction(webhookauthenticatorsResource, "status", webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewRootDeleteActionWithOptions(webhookauthenticatorsResource, name, opts), &v1alpha1.WebhookAuthenticator{})
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewRootDeleteCollectionAction(webhookauthenticatorsResource, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootPatchSubresourceAction(webhookauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WebhookAuthenticator), err
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -0,0 +1,10 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type JWTAuthenticatorExpansion interface{}
+
+type WebhookAuthenticatorExpansion interface{}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go
@@ -0,0 +1,171 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// JWTAuthenticatorsGetter has a method to return a JWTAuthenticatorInterface.
+// A group's client should implement this interface.
+type JWTAuthenticatorsGetter interface {
+	JWTAuthenticators() JWTAuthenticatorInterface
+}
+
+// JWTAuthenticatorInterface has methods to work with JWTAuthenticator resources.
+type JWTAuthenticatorInterface interface {
+	Create(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.CreateOptions) (*v1alpha1.JWTAuthenticator, error)
+	Update(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (*v1alpha1.JWTAuthenticator, error)
+	UpdateStatus(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (*v1alpha1.JWTAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.JWTAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.JWTAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error)
+	JWTAuthenticatorExpansion
+}
+
+// jWTAuthenticators implements JWTAuthenticatorInterface
+type jWTAuthenticators struct {
+	client rest.Interface
+}
+
+// newJWTAuthenticators returns a JWTAuthenticators
+func newJWTAuthenticators(c *AuthenticationV1alpha1Client) *jWTAuthenticators {
+	return &jWTAuthenticators{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the jWTAuthenticator, and returns the corresponding jWTAuthenticator object, and an error if there is any.
+func (c *jWTAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	result = &v1alpha1.JWTAuthenticator{}
+	err = c.client.Get().
+		Resource("jwtauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of JWTAuthenticators that match those selectors.
+func (c *jWTAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.JWTAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.JWTAuthenticatorList{}
+	err = c.client.Get().
+		Resource("jwtauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested jWTAuthenticators.
+func (c *jWTAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Resource("jwtauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a jWTAuthenticator and creates it.  Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
+func (c *jWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.CreateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	result = &v1alpha1.JWTAuthenticator{}
+	err = c.client.Post().
+		Resource("jwtauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(jWTAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a jWTAuthenticator and updates it. Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
+func (c *jWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	result = &v1alpha1.JWTAuthenticator{}
+	err = c.client.Put().
+		Resource("jwtauthenticators").
+		Name(jWTAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(jWTAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *jWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
+	result = &v1alpha1.JWTAuthenticator{}
+	err = c.client.Put().
+		Resource("jwtauthenticators").
+		Name(jWTAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(jWTAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
+func (c *jWTAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("jwtauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *jWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Resource("jwtauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched jWTAuthenticator.
+func (c *jWTAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
+	result = &v1alpha1.JWTAuthenticator{}
+	err = c.client.Patch(pt).
+		Resource("jwtauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,171 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
+// A group's client should implement this interface.
+type WebhookAuthenticatorsGetter interface {
+	WebhookAuthenticators() WebhookAuthenticatorInterface
+}
+
+// WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
+type WebhookAuthenticatorInterface interface {
+	Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookAuthenticator, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookAuthenticatorList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error)
+	WebhookAuthenticatorExpansion
+}
+
+// webhookAuthenticators implements WebhookAuthenticatorInterface
+type webhookAuthenticators struct {
+	client rest.Interface
+}
+
+// newWebhookAuthenticators returns a WebhookAuthenticators
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client) *webhookAuthenticators {
+	return &webhookAuthenticators{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
+func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Get().
+		Resource("webhookauthenticators").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
+func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.WebhookAuthenticatorList{}
+	err = c.client.Get().
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested webhookAuthenticators.
+func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Post().
+		Resource("webhookauthenticators").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
+func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Put().
+		Resource("webhookauthenticators").
+		Name(webhookAuthenticator.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(webhookAuthenticator).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
+func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("webhookauthenticators").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Resource("webhookauthenticators").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched webhookAuthenticator.
+func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
+	result = &v1alpha1.WebhookAuthenticator{}
+	err = c.client.Patch(pt).
+		Resource("webhookauthenticators").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -0,0 +1,94 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"net/http"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	"go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type ConfigV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	CredentialIssuersGetter
+}
+
+// ConfigV1alpha1Client is used to interact with features provided by the config.concierge.pinniped.dev group.
+type ConfigV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *ConfigV1alpha1Client) CredentialIssuers() CredentialIssuerInterface {
+	return newCredentialIssuers(c)
+}
+
+// NewForConfig creates a new ConfigV1alpha1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new ConfigV1alpha1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ConfigV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &ConfigV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new ConfigV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *ConfigV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new ConfigV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *ConfigV1alpha1Client {
+	return &ConfigV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *ConfigV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@@ -0,0 +1,171 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
+// A group's client should implement this interface.
+type CredentialIssuersGetter interface {
+	CredentialIssuers() CredentialIssuerInterface
+}
+
+// CredentialIssuerInterface has methods to work with CredentialIssuer resources.
+type CredentialIssuerInterface interface {
+	Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (*v1alpha1.CredentialIssuer, error)
+	Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
+	UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CredentialIssuer, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CredentialIssuerList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error)
+	CredentialIssuerExpansion
+}
+
+// credentialIssuers implements CredentialIssuerInterface
+type credentialIssuers struct {
+	client rest.Interface
+}
+
+// newCredentialIssuers returns a CredentialIssuers
+func newCredentialIssuers(c *ConfigV1alpha1Client) *credentialIssuers {
+	return &credentialIssuers{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
+func (c *credentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	result = &v1alpha1.CredentialIssuer{}
+	err = c.client.Get().
+		Resource("credentialissuers").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
+func (c *credentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CredentialIssuerList{}
+	err = c.client.Get().
+		Resource("credentialissuers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested credentialIssuers.
+func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Resource("credentialissuers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
+func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	result = &v1alpha1.CredentialIssuer{}
+	err = c.client.Post().
+		Resource("credentialissuers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(credentialIssuer).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
+func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	result = &v1alpha1.CredentialIssuer{}
+	err = c.client.Put().
+		Resource("credentialissuers").
+		Name(credentialIssuer.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(credentialIssuer).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	result = &v1alpha1.CredentialIssuer{}
+	err = c.client.Put().
+		Resource("credentialissuers").
+		Name(credentialIssuer.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(credentialIssuer).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
+func (c *credentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("credentialissuers").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Resource("credentialissuers").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched credentialIssuer.
+func (c *credentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
+	result = &v1alpha1.CredentialIssuer{}
+	err = c.client.Patch(pt).
+		Resource("credentialissuers").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeConfigV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeConfigV1alpha1) CredentialIssuers() v1alpha1.CredentialIssuerInterface {
+	return &FakeCredentialIssuers{c}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@@ -0,0 +1,119 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCredentialIssuers implements CredentialIssuerInterface
+type FakeCredentialIssuers struct {
+	Fake *FakeConfigV1alpha1
+}
+
+var credentialissuersResource = v1alpha1.SchemeGroupVersion.WithResource("credentialissuers")
+
+var credentialissuersKind = v1alpha1.SchemeGroupVersion.WithKind("CredentialIssuer")
+
+// Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
+func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootGetAction(credentialissuersResource, name), &v1alpha1.CredentialIssuer{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CredentialIssuer), err
+}
+
+// List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
+func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootListAction(credentialissuersResource, credentialissuersKind, opts), &v1alpha1.CredentialIssuerList{})
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CredentialIssuerList{ListMeta: obj.(*v1alpha1.CredentialIssuerList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CredentialIssuerList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested credentialIssuers.
+func (c *FakeCredentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewRootWatchAction(credentialissuersResource, opts))
+}
+
+// Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
+func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CredentialIssuer), err
+}
+
+// Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
+func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CredentialIssuer), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateSubresourceAction(credentialissuersResource, "status", credentialIssuer), &v1alpha1.CredentialIssuer{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CredentialIssuer), err
+}
+
+// Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
+func (c *FakeCredentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewRootDeleteActionWithOptions(credentialissuersResource, name, opts), &v1alpha1.CredentialIssuer{})
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewRootDeleteCollectionAction(credentialissuersResource, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched credentialIssuer.
+func (c *FakeCredentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootPatchSubresourceAction(credentialissuersResource, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CredentialIssuer), err
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -0,0 +1,8 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type CredentialIssuerExpansion interface{}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeIdentityV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeIdentityV1alpha1) WhoAmIRequests() v1alpha1.WhoAmIRequestInterface {
+	return &FakeWhoAmIRequests{c}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeIdentityV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/identity/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeWhoAmIRequests implements WhoAmIRequestInterface
+type FakeWhoAmIRequests struct {
+	Fake *FakeIdentityV1alpha1
+}
+
+var whoamirequestsResource = v1alpha1.SchemeGroupVersion.WithResource("whoamirequests")
+
+var whoamirequestsKind = v1alpha1.SchemeGroupVersion.WithKind("WhoAmIRequest")
+
+// Create takes the representation of a whoAmIRequest and creates it.  Returns the server's representation of the whoAmIRequest, and an error, if there is any.
+func (c *FakeWhoAmIRequests) Create(ctx context.Context, whoAmIRequest *v1alpha1.WhoAmIRequest, opts v1.CreateOptions) (result *v1alpha1.WhoAmIRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(whoamirequestsResource, whoAmIRequest), &v1alpha1.WhoAmIRequest{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.WhoAmIRequest), err
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go
@@ -0,0 +1,8 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type WhoAmIRequestExpansion interface{}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go
@@ -0,0 +1,94 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"net/http"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/identity/v1alpha1"
+	"go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type IdentityV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	WhoAmIRequestsGetter
+}
+
+// IdentityV1alpha1Client is used to interact with features provided by the identity.concierge.pinniped.dev group.
+type IdentityV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *IdentityV1alpha1Client) WhoAmIRequests() WhoAmIRequestInterface {
+	return newWhoAmIRequests(c)
+}
+
+// NewForConfig creates a new IdentityV1alpha1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*IdentityV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new IdentityV1alpha1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*IdentityV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &IdentityV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new IdentityV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *IdentityV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new IdentityV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *IdentityV1alpha1Client {
+	return &IdentityV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *IdentityV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go
@@ -0,0 +1,51 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/identity/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rest "k8s.io/client-go/rest"
+)
+
+// WhoAmIRequestsGetter has a method to return a WhoAmIRequestInterface.
+// A group's client should implement this interface.
+type WhoAmIRequestsGetter interface {
+	WhoAmIRequests() WhoAmIRequestInterface
+}
+
+// WhoAmIRequestInterface has methods to work with WhoAmIRequest resources.
+type WhoAmIRequestInterface interface {
+	Create(ctx context.Context, whoAmIRequest *v1alpha1.WhoAmIRequest, opts v1.CreateOptions) (*v1alpha1.WhoAmIRequest, error)
+	WhoAmIRequestExpansion
+}
+
+// whoAmIRequests implements WhoAmIRequestInterface
+type whoAmIRequests struct {
+	client rest.Interface
+}
+
+// newWhoAmIRequests returns a WhoAmIRequests
+func newWhoAmIRequests(c *IdentityV1alpha1Client) *whoAmIRequests {
+	return &whoAmIRequests{
+		client: c.RESTClient(),
+	}
+}
+
+// Create takes the representation of a whoAmIRequest and creates it.  Returns the server's representation of the whoAmIRequest, and an error, if there is any.
+func (c *whoAmIRequests) Create(ctx context.Context, whoAmIRequest *v1alpha1.WhoAmIRequest, opts v1.CreateOptions) (result *v1alpha1.WhoAmIRequest, err error) {
+	result = &v1alpha1.WhoAmIRequest{}
+	err = c.client.Post().
+		Resource("whoamirequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(whoAmIRequest).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeLoginV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeLoginV1alpha1) TokenCredentialRequests() v1alpha1.TokenCredentialRequestInterface {
+	return &FakeTokenCredentialRequests{c}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeLoginV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeTokenCredentialRequests implements TokenCredentialRequestInterface
+type FakeTokenCredentialRequests struct {
+	Fake *FakeLoginV1alpha1
+}
+
+var tokencredentialrequestsResource = v1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests")
+
+var tokencredentialrequestsKind = v1alpha1.SchemeGroupVersion.WithKind("TokenCredentialRequest")
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *FakeTokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(tokencredentialrequestsResource, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go
@@ -0,0 +1,8 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type TokenCredentialRequestExpansion interface{}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go
@@ -0,0 +1,94 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"net/http"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/login/v1alpha1"
+	"go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type LoginV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	TokenCredentialRequestsGetter
+}
+
+// LoginV1alpha1Client is used to interact with features provided by the login.concierge.pinniped.dev group.
+type LoginV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *LoginV1alpha1Client) TokenCredentialRequests() TokenCredentialRequestInterface {
+	return newTokenCredentialRequests(c)
+}
+
+// NewForConfig creates a new LoginV1alpha1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*LoginV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new LoginV1alpha1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*LoginV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new LoginV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *LoginV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new LoginV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *LoginV1alpha1Client {
+	return &LoginV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *LoginV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
--- a/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go
+++ b/generated/1.30/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go
@@ -0,0 +1,51 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/login/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rest "k8s.io/client-go/rest"
+)
+
+// TokenCredentialRequestsGetter has a method to return a TokenCredentialRequestInterface.
+// A group's client should implement this interface.
+type TokenCredentialRequestsGetter interface {
+	TokenCredentialRequests() TokenCredentialRequestInterface
+}
+
+// TokenCredentialRequestInterface has methods to work with TokenCredentialRequest resources.
+type TokenCredentialRequestInterface interface {
+	Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (*v1alpha1.TokenCredentialRequest, error)
+	TokenCredentialRequestExpansion
+}
+
+// tokenCredentialRequests implements TokenCredentialRequestInterface
+type tokenCredentialRequests struct {
+	client rest.Interface
+}
+
+// newTokenCredentialRequests returns a TokenCredentialRequests
+func newTokenCredentialRequests(c *LoginV1alpha1Client) *tokenCredentialRequests {
+	return &tokenCredentialRequests{
+		client: c.RESTClient(),
+	}
+}
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *tokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Post().
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(tokenCredentialRequest).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/generated/1.30/client/concierge/informers/externalversions/authentication/interface.go
+++ b/generated/1.30/client/concierge/informers/externalversions/authentication/interface.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package authentication
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}
--- a/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go
@@ -0,0 +1,39 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// JWTAuthenticators returns a JWTAuthenticatorInformer.
+	JWTAuthenticators() JWTAuthenticatorInformer
+	// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+	WebhookAuthenticators() WebhookAuthenticatorInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// JWTAuthenticators returns a JWTAuthenticatorInformer.
+func (v *version) JWTAuthenticators() JWTAuthenticatorInformer {
+	return &jWTAuthenticatorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
+// WebhookAuthenticators returns a WebhookAuthenticatorInformer.
+func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
+	return &webhookAuthenticatorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
--- a/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go
+++ b/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go
@@ -0,0 +1,76 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// JWTAuthenticatorInformer provides access to a shared informer and lister for
+// JWTAuthenticators.
+type JWTAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.JWTAuthenticatorLister
+}
+
+type jWTAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewJWTAuthenticatorInformer constructs a new informer for JWTAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewJWTAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredJWTAuthenticatorInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredJWTAuthenticatorInformer constructs a new informer for JWTAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredJWTAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().JWTAuthenticators().List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().JWTAuthenticators().Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.JWTAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *jWTAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredJWTAuthenticatorInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *jWTAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.JWTAuthenticator{}, f.defaultInformer)
+}
+
+func (f *jWTAuthenticatorInformer) Lister() v1alpha1.JWTAuthenticatorLister {
+	return v1alpha1.NewJWTAuthenticatorLister(f.Informer().GetIndexer())
+}
--- a/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
+++ b/generated/1.30/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -0,0 +1,76 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/listers/authentication/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WebhookAuthenticatorInformer provides access to a shared informer and lister for
+// WebhookAuthenticators.
+type WebhookAuthenticatorInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.WebhookAuthenticatorLister
+}
+
+type webhookAuthenticatorInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWebhookAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators().List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.AuthenticationV1alpha1().WebhookAuthenticators().Watch(context.TODO(), options)
+			},
+		},
+		&authenticationv1alpha1.WebhookAuthenticator{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookAuthenticator{}, f.defaultInformer)
+}
+
+func (f *webhookAuthenticatorInformer) Lister() v1alpha1.WebhookAuthenticatorLister {
+	return v1alpha1.NewWebhookAuthenticatorLister(f.Informer().GetIndexer())
+}
--- a/generated/1.30/client/concierge/informers/externalversions/config/interface.go
+++ b/generated/1.30/client/concierge/informers/externalversions/config/interface.go
@@ -0,0 +1,33 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package config
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/config/v1alpha1"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}
--- a/generated/1.30/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.30/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@@ -0,0 +1,76 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.30/client/concierge/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CredentialIssuerInformer provides access to a shared informer and lister for
+// CredentialIssuers.
+type CredentialIssuerInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CredentialIssuerLister
+}
+
+type credentialIssuerInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCredentialIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCredentialIssuerInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCredentialIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CredentialIssuers().List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CredentialIssuers().Watch(context.TODO(), options)
+			},
+		},
+		&configv1alpha1.CredentialIssuer{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCredentialIssuerInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.CredentialIssuer{}, f.defaultInformer)
+}
+
+func (f *credentialIssuerInformer) Lister() v1alpha1.CredentialIssuerLister {
+	return v1alpha1.NewCredentialIssuerLister(f.Informer().GetIndexer())
+}
--- a/generated/1.30/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.30/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@@ -0,0 +1,32 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// CredentialIssuers returns a CredentialIssuerInformer.
+	CredentialIssuers() CredentialIssuerInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// CredentialIssuers returns a CredentialIssuerInformer.
+func (v *version) CredentialIssuers() CredentialIssuerInformer {
+	return &credentialIssuerInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
--- a/generated/1.30/client/concierge/informers/externalversions/factory.go
+++ b/generated/1.30/client/concierge/informers/externalversions/factory.go
@@ -0,0 +1,254 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package externalversions
+
+import (
+	reflect "reflect"
+	sync "sync"
+	time "time"
+
+	versioned "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/authentication"
+	config "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/config"
+	internalinterfaces "go.pinniped.dev/generated/1.30/client/concierge/informers/externalversions/internalinterfaces"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// SharedInformerOption defines the functional option type for SharedInformerFactory.
+type SharedInformerOption func(*sharedInformerFactory) *sharedInformerFactory
+
+type sharedInformerFactory struct {
+	client           versioned.Interface
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	lock             sync.Mutex
+	defaultResync    time.Duration
+	customResync     map[reflect.Type]time.Duration
+	transform        cache.TransformFunc
+
+	informers map[reflect.Type]cache.SharedIndexInformer
+	// startedInformers is used for tracking which informers have been started.
+	// This allows Start() to be called multiple times safely.
+	startedInformers map[reflect.Type]bool
+	// wg tracks how many goroutines were started.
+	wg sync.WaitGroup
+	// shuttingDown is true when Shutdown has been called. It may still be running
+	// because it needs to wait for goroutines.
+	shuttingDown bool
+}
+
+// WithCustomResyncConfig sets a custom resync period for the specified informer types.
+func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		for k, v := range resyncConfig {
+			factory.customResync[reflect.TypeOf(k)] = v
+		}
+		return factory
+	}
+}
+
+// WithTweakListOptions sets a custom filter on all listers of the configured SharedInformerFactory.
+func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		factory.tweakListOptions = tweakListOptions
+		return factory
+	}
+}
+
+// WithNamespace limits the SharedInformerFactory to the specified namespace.
+func WithNamespace(namespace string) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		factory.namespace = namespace
+		return factory
+	}
+}
+
+// WithTransform sets a transform on all informers.
+func WithTransform(transform cache.TransformFunc) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		factory.transform = transform
+		return factory
+	}
+}
+
+// NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces.
+func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory {
+	return NewSharedInformerFactoryWithOptions(client, defaultResync)
+}
+
+// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
+// Listers obtained via this SharedInformerFactory will be subject to the same filters
+// as specified here.
+// Deprecated: Please use NewSharedInformerFactoryWithOptions instead
+func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
+	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
+}
+
+// NewSharedInformerFactoryWithOptions constructs a new instance of a SharedInformerFactory with additional options.
+func NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResync time.Duration, options ...SharedInformerOption) SharedInformerFactory {
+	factory := &sharedInformerFactory{
+		client:           client,
+		namespace:        v1.NamespaceAll,
+		defaultResync:    defaultResync,
+		informers:        make(map[reflect.Type]cache.SharedIndexInformer),
+		startedInformers: make(map[reflect.Type]bool),
+		customResync:     make(map[reflect.Type]time.Duration),
+	}
+
+	// Apply all options
+	for _, opt := range options {
+		factory = opt(factory)
+	}
+
+	return factory
+}
+
+func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if f.shuttingDown {
+		return
+	}
+
+	for informerType, informer := range f.informers {
+		if !f.startedInformers[informerType] {
+			f.wg.Add(1)
+			// We need a new variable in each loop iteration,
+			// otherwise the goroutine would use the loop variable
+			// and that keeps changing.
+			informer := informer
+			go func() {
+				defer f.wg.Done()
+				informer.Run(stopCh)
+			}()
+			f.startedInformers[informerType] = true
+		}
+	}
+}
+
+func (f *sharedInformerFactory) Shutdown() {
+	f.lock.Lock()
+	f.shuttingDown = true
+	f.lock.Unlock()
+
+	// Will return immediately if there is nothing to wait for.
+	f.wg.Wait()
+}
+
+func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
+	informers := func() map[reflect.Type]cache.SharedIndexInformer {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+
+		informers := map[reflect.Type]cache.SharedIndexInformer{}
+		for informerType, informer := range f.informers {
+			if f.startedInformers[informerType] {
+				informers[informerType] = informer
+			}
+		}
+		return informers
+	}()
+
+	res := map[reflect.Type]bool{}
+	for informType, informer := range informers {
+		res[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced)
+	}
+	return res
+}
+
+// InformerFor returns the SharedIndexInformer for obj using an internal
+// client.
+func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	informerType := reflect.TypeOf(obj)
+	informer, exists := f.informers[informerType]
+	if exists {
+		return informer
+	}
+
+	resyncPeriod, exists := f.customResync[informerType]
+	if !exists {
+		resyncPeriod = f.defaultResync
+	}
+
+	informer = newFunc(f.client, resyncPeriod)
+	informer.SetTransform(f.transform)
+	f.informers[informerType] = informer
+
+	return informer
+}
+
+// SharedInformerFactory provides shared informers for resources in all known
+// API group versions.
+//
+// It is typically used like this:
+//
+//	ctx, cancel := context.Background()
+//	defer cancel()
+//	factory := NewSharedInformerFactory(client, resyncPeriod)
+//	defer factory.WaitForStop()    // Returns immediately if nothing was started.
+//	genericInformer := factory.ForResource(resource)
+//	typedInformer := factory.SomeAPIGroup().V1().SomeType()
+//	factory.Start(ctx.Done())          // Start processing these informers.
+//	synced := factory.WaitForCacheSync(ctx.Done())
+//	for v, ok := range synced {
+//	    if !ok {
+//	        fmt.Fprintf(os.Stderr, "caches failed to sync: %v", v)
+//	        return
+//	    }
+//	}
+//
+//	// Creating informers can also be created after Start, but then
+//	// Start must be called again:
+//	anotherGenericInformer := factory.ForResource(resource)
+//	factory.Start(ctx.Done())
+type SharedInformerFactory interface {
+	internalinterfaces.SharedInformerFactory
+
+	// Start initializes all requested informers. They are handled in goroutines
+	// which run until the stop channel gets closed.
+	Start(stopCh <-chan struct{})
+
+	// Shutdown marks a factory as shutting down. At that point no new
+	// informers can be started anymore and Start will return without
+	// doing anything.
+	//
+	// In addition, Shutdown blocks until all goroutines have terminated. For that
+	// to happen, the close channel(s) that they were started with must be closed,
+	// either before Shutdown gets called or while it is waiting.
+	//
+	// Shutdown may be called multiple times, even concurrently. All such calls will
+	// block until all goroutines have terminated.
+	Shutdown()
+
+	// WaitForCacheSync blocks until all started informers' caches were synced
+	// or the stop channel gets closed.
+	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
+
+	// ForResource gives generic access to a shared informer of the matching type.
+	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
+
+	// InformerFor returns the SharedIndexInformer for obj using an internal
+	// client.
+	InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer
+
+	Authentication() authentication.Interface
+	Config() config.Interface
+}
+
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
+func (f *sharedInformerFactory) Config() config.Interface {
+	return config.New(f, f.namespace, f.tweakListOptions)
+}
--- a/generated/1.30/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.30/client/concierge/informers/externalversions/generic.go
@@ -0,0 +1,56 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package externalversions
+
+import (
+	"fmt"
+
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/config/v1alpha1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// GenericInformer is type of SharedIndexInformer which will locate and delegate to other
+// sharedInformers based on type
+type GenericInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() cache.GenericLister
+}
+
+type genericInformer struct {
+	informer cache.SharedIndexInformer
+	resource schema.GroupResource
+}
+
+// Informer returns the SharedIndexInformer.
+func (f *genericInformer) Informer() cache.SharedIndexInformer {
+	return f.informer
+}
+
+// Lister returns the GenericLister.
+func (f *genericInformer) Lister() cache.GenericLister {
+	return cache.NewGenericLister(f.Informer().GetIndexer(), f.resource)
+}
+
+// ForResource gives generic access to a shared informer of the matching type
+// TODO extend this to unknown resources with a client pool
+func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
+	switch resource {
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("jwtauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().JWTAuthenticators().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookauthenticators"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookAuthenticators().Informer()}, nil
+
+		// Group=config.concierge.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuers"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuers().Informer()}, nil
+
+	}
+
+	return nil, fmt.Errorf("no informer found for %v", resource)
+}
--- a/generated/1.30/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go
+++ b/generated/1.30/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go
@@ -0,0 +1,27 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package internalinterfaces
+
+import (
+	time "time"
+
+	versioned "go.pinniped.dev/generated/1.30/client/concierge/clientset/versioned"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// NewInformerFunc takes versioned.Interface and time.Duration to return a SharedIndexInformer.
+type NewInformerFunc func(versioned.Interface, time.Duration) cache.SharedIndexInformer
+
+// SharedInformerFactory a small interface to allow for adding an informer without an import cycle
+type SharedInformerFactory interface {
+	Start(stopCh <-chan struct{})
+	InformerFor(obj runtime.Object, newFunc NewInformerFunc) cache.SharedIndexInformer
+}
+
+// TweakListOptionsFunc is a function that transforms a v1.ListOptions.
+type TweakListOptionsFunc func(*v1.ListOptions)
--- a/generated/1.30/client/concierge/listers/authentication/v1alpha1/expansion_generated.go
+++ b/generated/1.30/client/concierge/listers/authentication/v1alpha1/expansion_generated.go
@@ -0,0 +1,14 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// JWTAuthenticatorListerExpansion allows custom methods to be added to
+// JWTAuthenticatorLister.
+type JWTAuthenticatorListerExpansion interface{}
+
+// WebhookAuthenticatorListerExpansion allows custom methods to be added to
+// WebhookAuthenticatorLister.
+type WebhookAuthenticatorListerExpansion interface{}
--- a/generated/1.30/client/concierge/listers/authentication/v1alpha1/jwtauthenticator.go
+++ b/generated/1.30/client/concierge/listers/authentication/v1alpha1/jwtauthenticator.go
@@ -0,0 +1,55 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.30/apis/concierge/authentication/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// JWTAuthenticatorLister helps list JWTAuthenticators.
+// All objects returned here must be treated as read-only.
+type JWTAuthenticatorLister interface {
+	// List lists all JWTAuthenticators in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.JWTAuthenticator, err error)
+	// Get retrieves the JWTAuthenticator from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.JWTAuthenticator, error)
+	JWTAuthenticatorListerExpansion
+}
+
+// jWTAuthenticatorLister implements the JWTAuthenticatorLister interface.
+type jWTAuthenticatorLister struct {
+	indexer cache.Indexer
+}
+
+// NewJWTAuthenticatorLister returns a new JWTAuthenticatorLister.
+func NewJWTAuthenticatorLister(indexer cache.Indexer) JWTAuthenticatorLister {
+	return &jWTAuthenticatorLister{indexer: indexer}
+}
+
+// List lists all JWTAuthenticators in the indexer.
+func (s *jWTAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1.JWTAuthenticator, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.JWTAuthenticator))
+	})
+	return ret, err
+}
+
+// Get retrieves the JWTAuthenticator from the index for a given name.
+func (s *jWTAuthenticatorLister) Get(name string) (*v1alpha1.JWTAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("jwtauthenticator"), name)
+	}
+	return obj.(*v1alpha1.JWTAuthenticator), nil
+}
--- a/Show More
+++ b/Show More