Merge branch 'main' into doc_typo

apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

apis/concierge/authentication/v1alpha1/types_tls.go.tmpl

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

apis/supervisor/idp/v1alpha1/types_tls.go.tmpl

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

deploy/supervisor/rbac.yaml

@@ -16,6 +16,9 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create, get, list, patch, update, watch, delete]
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs: [get, list, watch]
   - apiGroups:
       - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
     resources: [federationdomains]

generated/1.24/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1890,7 +1970,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2485,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.24/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.24/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.24/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.25/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1890,7 +1970,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2485,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.26/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1890,7 +1970,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2485,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.26/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.26/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.27/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1890,7 +1970,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2485,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.27/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.27/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.28/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1890,7 +1970,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2485,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.28/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.28/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -167,7 +167,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -225,6 +229,39 @@ spec:
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client