Proof of concept: client-side logout

Signed-off-by: Margo Crawford <margaretc@vmware.com>
Updated versions in docs for v0.14.0 release
2026-01-30 01:22:30 +00:00 · 2022-03-04 17:01:26 -08:00 · 2022-03-03 21:57:36 +00:00 · 2022-03-03 11:14:33 -08:00 · 2022-03-03 10:36:42 -08:00 · 2022-03-03 13:04:09 -05:00
1353 changed files with 48069 additions and 2072 deletions
--- a/.github/ISSUE_TEMPLATE/feature-proposal.md
+++ b/.github/ISSUE_TEMPLATE/feature-proposal.md
@@ -1,5 +1,5 @@
 ---
-name: Feature proposal
+name: Feature request
 about: Suggest a way to improve this project
 title: ''
 labels: ''
@@ -16,12 +16,15 @@ It is recommended that you include screenshots and logs to help everyone achieve
 -->

 **Is your feature request related to a problem? Please describe.**
+
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

 **Describe the solution you'd like**
+
 A clear and concise description of what you want to happen.

 **Describe alternatives you've considered**
+
 A clear and concise description of any alternative solutions or features you've considered.

 **Are you considering submitting a PR for this feature?**
@@ -32,4 +35,5 @@ A clear and concise description of any alternative solutions or features you've
 - **How will this feature be documented?**

 **Additional context**
+
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/proposal_tracking.md
+++ b/.github/ISSUE_TEMPLATE/proposal_tracking.md
@@ -0,0 +1,34 @@
+---
+name: Proposal tracking
+about: A tracking issue for a proposal document
+title: '[Proposal] Your proposal title'
+labels: 'proposal-tracking'
+assignees: ''
+
+---
+
+<!--
+
+Hey! Thanks for opening an issue!
+
+This type of issue should only be opened if you intend to create a
+formal proposal document. Please refer to the proposal process in
+[proposals/README.md](proposals/README.md).
+
+Please title this issue starting with `[Proposal]` followed by a
+title for what you are going to propose. For example:
+`[Proposal] Lunar landing module authentication via Pinniped`.
+
+-->
+
+### Proposal Tracking Issue
+
+- Proposal: <!-- this starts empty, then please update to link to proposal PR, then also link to proposal doc file after it is merged -->
+
+- Discussion Links: <!-- link to any mailing list threads, Slack conversations, community meetings, or other places where the proposal was discussed, if any -->
+    - <!-- A -->
+    - <!-- B -->
+
+- Pull requests: <!-- link to all PRs related to this proposal such as updates to the proposal doc, implementation PRs, etc. - keep this list up to date -->
+    - <!-- #123: briefly describe this PR -->
+    - <!-- #456: briefly describe this PR -->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,7 @@
 version: 2
 updates:
  - package-ecosystem: "gomod"
+    open-pull-requests-limit: 100
    directory: "/"
    schedule:
      interval: "daily"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -72,7 +72,7 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).

 ## CLA

-We welcome contributions from everyone but we can only accept them if you sign
+We welcome contributions from everyone, but we can only accept them if you sign
 our Contributor License Agreement (CLA). If you would like to contribute and you
 have not signed it, our CLA-bot will walk you through the process when you open
 a Pull Request. For questions about the CLA process, see the
@@ -82,13 +82,21 @@ tracker.
 ## Building

 The [Dockerfile](Dockerfile) at the root of the repo can be used to build and
-package the code. After making a change to the code, rebuild the docker image with the following command.
+package the server-side code. After making a change to the code, rebuild the
+docker image with the following command.

 ```bash
 # From the root directory of the repo...
 docker build .
 ```

+The Pinniped CLI client can be built for local use with the following command.
+
+```bash
+# From the root directory of the repo...
+go build -o pinniped ./cmd/pinniped
+```
+
 ## Testing

 ### Running Lint
@@ -122,7 +130,7 @@ docker build .
   brew install kind k14s/tap/ytt k14s/tap/kapp kubectl chromedriver nmap && brew cask install docker
   ```

-1. Create a kind cluster, compile, create container images, and install Pinniped and supporting dependencies using:
+1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:

   ```bash
   ./hack/prepare-for-integration-tests.sh
--- a/2
+++ b/2
@@ -3,7 +3,7 @@
 # Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.17.6 as build-env
+FROM golang:1.17.7 as build-env

 WORKDIR /work
 COPY . .
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -4,48 +4,65 @@ This document defines the project governance for Pinniped.

 # Overview

-**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on building authentication services for Kubernetes clusters. The
-community is governed by this document which defines how all members should work together to achieve this goal.
+**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on
+building authentication services for Kubernetes clusters. The community is governed by this document which defines how
+all members should work together to achieve this goal.

 # Code of Conduct

-The Pinniped community abides by this [code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
+The Pinniped community abides by this
+[code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).

 # Community Roles

 * **Users:** Members that engage with the Pinniped community via any medium (Slack, GitHub, mailing lists, etc.).
-* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues, participating in proposal discussions, contributing code, etc.).
-* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs and responsible for Pinniped releases.
+* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues,
+  participating in proposal discussions, contributing code, etc.).
+* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs
+  and responsible for Pinniped releases.

 # Maintainers
-New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by notifying one of the maintainers.

-**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
+New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing
+maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by
+notifying one of the maintainers.

---
-# Supermajority
-A supermajority is defined as two-thirds of members in the group. A supermajority of Maintainers is required for certain decisions as outlined above. A supermajority vote is equivalent to the number of votes in favor of being at least twice the number of votes against. For example, if you have 5 maintainers, a supermajority vote is 4 votes. Voting on decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met. An abstain vote equals not voting at all.
+**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they
+voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the
+company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).

---
 # Decision Making
-Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless otherwise specified in this document, any vote will be decided by a supermajority of maintainers.

---
-# Proposal Process 
-The proposal process is currently being worked on. No formal process is available at this time. You may reach out to the maintainers in the Kubernetes Slack Workspace within the [#pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) channel or on the [Pinniped mailing list](project-pinniped@googlegroups.com) with any questions you may have or to send us your proposals.
+Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless
+otherwise specified in this document, any vote will be decided by a supermajority of maintainers.

---
-# Lazy Consensus
-To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is practiced. Ideas and / or proposals should be shared by maintainers via GitHub. Out of respect for other contributors, major changes should also be accompanied by a ping on the Kubernetes Slack in [#Pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) or a note on the [Pinniped mailing list](project-pinniped@googlegroups.com) as appropriate. Author(s) of proposals for major changes will give a time period of no less than five (5) working days for comment and remain cognizant of popular observed world holidays.
+## Supermajority

-**What constitutes the need for a proposal?**
-If there is significant risk with a potential feature or track of work (such as complexity, cost to implement, product viability, etc.), then we recommend creating a proposal for feedback and approval. If a potential feature is well understood and doesn't impose risk, then we recommend a **standard GitHub issue** to clarify the details.
+A supermajority is defined as two-thirds of members in the group. A supermajority of maintainers is required for certain
+decisions as outlined in this document. A supermajority vote is equivalent to the number of votes in favor being at
+least twice the number of votes against. A vote to abstain equals not voting at all. For example, if you have 5
+maintainers who all cast non-abstaining votes, then a supermajority vote is at least 4 votes in favor. Voting on
+decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers
+can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met.

-Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by a guarantee to review and respond to the relevant action in short order.
+## Lazy Consensus
+
+To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is
+practiced.
+
+Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress
+and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by
+a guarantee to review and respond to the relevant action in short order.

 Lazy consensus does not apply to the process of:
+
 * Removal of maintainers from Pinniped

---
-# Updating Governance
-All substantive changes in Governance require a supermajority agreement by all maintainers.
+## Updating Governance
+
+All substantive changes in Governance, including substantive changes to the proposal process, require a supermajority
+agreement by all maintainers.
+
+# Proposal Process
+
+The proposal process is defined in [proposals/README.md](proposals/README.md).
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -33,16 +33,15 @@ The following table includes the current roadmap for Pinniped. If you have any q



-Last Updated: Sept 2021
+Last Updated: Jan 2022
 |Theme|Description|Timeline|
 |--|--|--|
-|Improving Security Posture|Supervisor token refresh fails when the upstream refresh token no longer works for OIDC |Jan 2022|
-|Improving Security Posture|Supervisor token refresh fails when the upstream user is in an invalid state for LDAP/AD |Jan 2022|
-|Improving Security Posture|Set stricter default TLS versions and Ciphers |Jan 2022|
-|Improving Security Posture|Support FIPS compliant Boring crypto libraries |Feb 2022|
-|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|March/April 2022|
+|Improving Security Posture|Support for refreshing LDAP/AD Group information |March 2022| 
+|Improving Security Posture|Support FIPS compliant Boring crypto libraries |March/April 2022|
+|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|April 2022|
 |Improving Security Posture|TLS hardening |March/April 2022|
 |Improving Security Posture|Support Audit logging of security events related to Authentication |April/May 2022|
+|Improving Usability|Support for integrating with UI/Dashboards  |June/July 2022|
 |Improving Security Posture|mTLS for Supervisor sessions |Exploring/Ongoing|
 |Improving Security Posture|Key management/rotation for Pinniped components with minimal downtime |Exploring/Ongoing|
 |Improving Security Posture|Support for Session Logout |Exploring/Ongoing|
--- a/apis/concierge/authentication/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/authentication/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/config/v1alpha1/register.go.tmpl
+++ b/apis/concierge/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/doc.go.tmpl
+++ b/apis/concierge/identity/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/identity/register.go.tmpl
+++ b/apis/concierge/identity/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_whoami.go.tmpl
+++ b/apis/concierge/identity/types_whoami.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/identity/v1alpha1/register.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_whoami.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_whoami.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/validation/validation.go.tmpl
+++ b/apis/concierge/identity/validation/validation.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package validation
--- a/apis/concierge/login/doc.go.tmpl
+++ b/apis/concierge/login/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/login/register.go.tmpl
+++ b/apis/concierge/login/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_clustercred.go.tmpl
+++ b/apis/concierge/login/types_clustercred.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_token.go.tmpl
+++ b/apis/concierge/login/types_token.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/login/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/login/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/login/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/login/v1alpha1/register.go.tmpl
+++ b/apis/concierge/login/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_clustercred.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_clustercred.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_token.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_token.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/supervisor/idp/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -131,6 +131,31 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// the result of the group search.
 	// +optional
 	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
 }

 // Spec for configuring an ActiveDirectory identity provider.
--- a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -119,6 +119,31 @@ type LDAPIdentityProviderGroupSearch struct {
 	// the result of the group search.
 	// +optional
 	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
 }

 // Spec for configuring an LDAP identity provider.
--- a/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
+++ b/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
+++ b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package oidc
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -125,7 +125,7 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 }

 func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error { //nolint:funlen
-	pLogger, err := SetLogLevel(deps.lookupEnv)
+	pLogger, err := SetLogLevel(deps.lookupEnv, "Pinniped login: ")
 	if err != nil {
 		plog.WarningErr("Received error while setting log level", err)
 	}
@@ -326,7 +326,7 @@ func tokenCredential(token *oidctypes.Token) *clientauthv1beta1.ExecCredential {
 	return &cred
 }

-func SetLogLevel(lookupEnv func(string) (string, bool)) (plog.Logger, error) {
+func SetLogLevel(lookupEnv func(string) (string, bool), prefix string) (plog.Logger, error) {
 	debug, _ := lookupEnv("PINNIPED_DEBUG")
 	if debug == "true" {
 		err := plog.ValidateAndSetLogLevelGlobally(plog.LevelDebug)
@@ -334,7 +334,7 @@ func SetLogLevel(lookupEnv func(string) (string, bool)) (plog.Logger, error) {
 			return nil, err
 		}
 	}
-	logger := plog.New("Pinniped login: ")
+	logger := plog.New(prefix)
 	return logger, nil
 }

--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -84,7 +84,7 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
 }

 func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error {
-	pLogger, err := SetLogLevel(deps.lookupEnv)
+	pLogger, err := SetLogLevel(deps.lookupEnv, "Pinniped login: ")
 	if err != nil {
 		plog.WarningErr("Received error while setting log level", err)
 	}
--- a/cmd/pinniped/cmd/logout.go
+++ b/cmd/pinniped/cmd/logout.go
@@ -0,0 +1,153 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
+	"sort"
+
+	"go.pinniped.dev/internal/plog"
+
+	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/spf13/cobra"
+
+	"go.pinniped.dev/pkg/oidcclient"
+	"go.pinniped.dev/pkg/oidcclient/filesession"
+)
+
+//nolint: gochecknoinits
+func init() {
+	rootCmd.AddCommand(newLogoutCommand())
+}
+
+type logoutFlags struct {
+	kubeconfigPath            string
+	kubeconfigContextOverride string
+}
+
+// This implements client side logout-- i.e. deleting the cached tokens and certificates for a user
+// without telling the supervisor to forget about the users tokens. From a user experience
+// perspective these are identical, but it leaves orphaned tokens lying around that the supervisor
+// won't garbage collect for up to 9 hours.
+// Fosite supports token revocation requests ala https://tools.ietf.org/html/rfc7009#section-2.1
+// with their TokenRevocationHandler, but we would also want to turn around and revoke the upstream
+// tokens in the case of OIDC.
+// That's something that could be done to improve security and stop storage from getting too
+// big.
+// It works by parsing the provided kubeconfig to get the arguments to pinniped login oidc,
+// grabbing the issuer and the cache paths, then using that issuer to find and delete the entry
+// in the session cache.
+func newLogoutCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Args:  cobra.NoArgs,
+		Use:   "logout",
+		Short: "Terminate the current user's session.",
+	}
+	flags := &logoutFlags{}
+
+	cmd.Flags().StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
+	cmd.Flags().StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		return runLogout(flags)
+	}
+	return cmd
+}
+
+func runLogout(flags *logoutFlags) error {
+	pLogger, err := SetLogLevel(os.LookupEnv, "Pinniped logout: ")
+	if err != nil {
+		plog.WarningErr("Received error while setting log level", err)
+	}
+	clientConfig := newClientConfig(flags.kubeconfigPath, flags.kubeconfigContextOverride)
+	currentKubeConfig, err := clientConfig.RawConfig()
+	if err != nil {
+		return err
+	}
+
+	// start by getting the current context or another context if provided.
+	contextName := currentKubeConfig.CurrentContext
+	if len(flags.kubeconfigContextOverride) > 0 {
+		contextName = flags.kubeconfigContextOverride
+	}
+	kubeContext, ok := currentKubeConfig.Contexts[contextName]
+	if !ok {
+		return fmt.Errorf("couldn't find current context")
+	}
+
+	// then get the authinfo associated with that context.
+	authInfo := currentKubeConfig.AuthInfos[kubeContext.AuthInfo]
+	if authInfo == nil {
+		return fmt.Errorf("could not find auth info-- are you sure this is a Pinniped kubeconfig?")
+	}
+
+	// get the exec credential out of the authinfo and validate that it takes the shape of a pinniped login command.
+	exec := authInfo.Exec
+	if exec == nil {
+		return fmt.Errorf("could not find exec credential-- are you sure this is a Pinniped kubeconfig?")
+	}
+	execArgs := exec.Args
+	if execArgs == nil {
+		return fmt.Errorf("could not find exec credential arguments-- are you sure this is a Pinniped kubeconfig?")
+	}
+
+	// parse the arguments in the exec credential (which should be the pinniped login command).
+	loginCommand := oidcLoginCommand(oidcLoginCommandDeps{})
+	err = loginCommand.ParseFlags(execArgs)
+	if err != nil {
+		return err
+	}
+	// Get the issuer flag. If this doesn't exist we have no way to get in to the cache so we have to exit.
+	issuer := loginCommand.Flag("issuer").Value.String()
+	if issuer == "" {
+		return fmt.Errorf("could not find issuer-- are you sure this is a Pinniped kubeconfig?")
+	}
+
+	// Get the session cache. If it doesn't exist just use the default value.
+	sessionCachePath := loginCommand.Flag("session-cache").Value.String()
+	if sessionCachePath == "" {
+		sessionCachePath = filepath.Join(mustGetConfigDir(), "sessions.yaml")
+	}
+	// Get the credential cache. If it doesn't exist just use the default value.
+	credentialCachePath := loginCommand.Flag("credential-cache").Value.String()
+	if credentialCachePath == "" {
+		credentialCachePath = filepath.Join(mustGetConfigDir(), "credentials.yaml")
+	}
+
+	// TODO this should probably be a more targeted removal rather than the whole file...
+	//  but that involves figuring out the cache key which is hard.
+	// Remove the credential cache that stores the users x509 certificates.
+	err = os.Remove(credentialCachePath)
+	// a not found error is fine and we should move on and try to delete the
+	// session cache if possible. Other errors might be a problem.
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return err
+	}
+
+	// Remove the cache entry for this issuer.
+	var sessionOptions []filesession.Option
+	sessionCache := filesession.New(sessionCachePath, sessionOptions...)
+	downstreamScopes := []string{coreosoidc.ScopeOfflineAccess, coreosoidc.ScopeOpenID, "pinniped:request-audience"}
+	sort.Strings(downstreamScopes)
+	sessionCacheKey := oidcclient.SessionCacheKey{
+		Issuer:      issuer,
+		ClientID:    "pinniped-cli",
+		Scopes:      downstreamScopes,
+		RedirectURI: (&url.URL{Scheme: "http", Host: "localhost:0", Path: "/callback"}).String(),
+	}
+	deleted := sessionCache.DeleteToken(sessionCacheKey)
+
+	if deleted {
+		pLogger.Warning("Successfully logged out of session.")
+	} else {
+		// this is likely because you're already logged out, but you might still want to know.
+		pLogger.Warning("Could not find session to log out of.")
+		pLogger.Debug("debug info", "issuer", issuer, "session cache path", sessionCachePath, "credential cache path", credentialCachePath)
+	}
+
+	return nil
+}
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -221,7 +221,9 @@ spec:
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
-        - key: node-role.kubernetes.io/master #! Allow running on master nodes too
+        - key: node-role.kubernetes.io/master #! Allow running on master nodes too (name deprecated by kubernetes 1.20).
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24.
          effect: NoSchedule
      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -119,6 +119,30 @@ spec:
                      search can be slow for some Active Directory servers. To disable
                      it, you can set the filter to "(&(objectClass=group)(member={})"
                    type: string
+                  skipGroupRefresh:
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
+                    type: boolean
                type: object
              host:
                description: 'Host is the hostname of this Active Directory identity
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -111,6 +111,30 @@ spec:
                      an entry, so "dn={}" cannot be used. Optional. When not specified,
                      the default will act as if the Filter were specified as "member={}".
                    type: string
+                  skipGroupRefresh:
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
+                    type: boolean
                type: object
              host:
                description: 'Host is the hostname of this LDAP identity provider,
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -24,7 +24,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition"]
 ==== Condition 

-
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.

 .Appears In:
 ****
@@ -36,7 +36,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 |===
 | Field | Description
 | *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-conditionstatus[$$ConditionStatus$$]__ | status of the condition, one of True, False, Unknown.
 | *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
 | *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
 | *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
@@ -47,7 +47,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-conditionstatus"]
 ==== ConditionStatus (string) 

-
+ConditionStatus is effectively an enum type for Condition.Status.

 .Appears In:
 ****
@@ -137,7 +137,7 @@ JWTTokenClaims allows customization of the claims that will be mapped to user id
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 

-
+Configuration for configuring TLS on various authenticators.

 .Appears In:
 ****
@@ -240,7 +240,7 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerfrontend"]
 ==== CredentialIssuerFrontend 

-
+CredentialIssuerFrontend describes how to connect using a particular integration strategy.

 .Appears In:
 ****
@@ -259,7 +259,7 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 

-
+CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This type is deprecated and will be removed in a future version.

 .Appears In:
 ****
@@ -314,7 +314,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
 ==== CredentialIssuerStrategy 

-
+CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.

 .Appears In:
 ****
@@ -336,7 +336,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyinfo"]
 ==== ImpersonationProxyInfo 

-
+ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.

 .Appears In:
 ****
@@ -354,7 +354,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode"]
 ==== ImpersonationProxyMode (string) 

-
+ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.

 .Appears In:
 ****
@@ -376,7 +376,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. 
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
 | *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
@@ -386,7 +386,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
 ==== ImpersonationProxyServiceType (string) 

-
+ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.

 .Appears In:
 ****
@@ -398,7 +398,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec"]
 ==== ImpersonationProxySpec 

-
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.

 .Appears In:
 ****
@@ -408,7 +408,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`mode`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode[$$ImpersonationProxyMode$$]__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
 This field must be non-empty when spec.impersonationProxy.service.type is "None".
@@ -418,7 +418,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 

-
+TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.

 .Appears In:
 ****
@@ -801,6 +801,10 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
+ In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
+ If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
+ This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


@@ -876,7 +880,7 @@ Status of an Active Directory identity provider.
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(\|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===

@@ -902,7 +906,7 @@ Status of an Active Directory identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"]
 ==== Condition 

-
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.

 .Appears In:
 ****
@@ -915,7 +919,7 @@ Status of an Active Directory identity provider.
 |===
 | Field | Description
 | *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-conditionstatus[$$ConditionStatus$$]__ | status of the condition, one of True, False, Unknown.
 | *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
 | *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
 | *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
@@ -926,7 +930,7 @@ Status of an Active Directory identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-conditionstatus"]
 ==== ConditionStatus (string) 

-
+ConditionStatus is effectively an enum type for Condition.Status.

 .Appears In:
 ****
@@ -988,6 +992,10 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
 | *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
+ In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
+ If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
+ This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


@@ -1204,7 +1212,7 @@ OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter"]
 ==== Parameter 

-
+Parameter is a key/value pair which represents a parameter in an HTTP request.

 .Appears In:
 ****
@@ -1222,7 +1230,7 @@ OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 

-
+Configuration for TLS parameters related to identity provider integration.

 .Appears In:
 ****
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/doc.go
+++ b/generated/1.17/apis/concierge/identity/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.17/apis/concierge/identity/register.go
+++ b/generated/1.17/apis/concierge/identity/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/types_userinfo.go
+++ b/generated/1.17/apis/concierge/identity/types_userinfo.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/types_whoami.go
+++ b/generated/1.17/apis/concierge/identity/types_whoami.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/v1alpha1/conversion.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/conversion.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/defaults.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/defaults.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/identity/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/types_userinfo.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/types_userinfo.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/types_whoami.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/types_whoami.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/validation/validation.go
+++ b/generated/1.17/apis/concierge/identity/validation/validation.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package validation
--- a/generated/1.17/apis/concierge/identity/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/identity/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/login/doc.go
+++ b/generated/1.17/apis/concierge/login/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.17/apis/concierge/login/register.go
+++ b/generated/1.17/apis/concierge/login/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/generated/1.17/apis/concierge/login/types_clustercred.go
+++ b/generated/1.17/apis/concierge/login/types_clustercred.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/generated/1.17/apis/concierge/login/types_token.go
+++ b/generated/1.17/apis/concierge/login/types_token.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/generated/1.17/apis/concierge/login/v1alpha1/conversion.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/conversion.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/login/v1alpha1/defaults.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/defaults.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/login/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/login/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/login/v1alpha1/types_clustercred.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/types_clustercred.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/login/v1alpha1/types_token.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/types_token.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.17/apis/concierge/login/v1alpha1/zz_generated.defaults.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/login/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/go.mod
+++ b/generated/1.17/apis/go.mod
@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.17/apis
 go 1.13

 require (
-	k8s.io/api v0.17.11
-	k8s.io/apimachinery v0.17.11
+	k8s.io/api v0.17.16
+	k8s.io/apimachinery v0.17.16
 )
--- a/generated/1.17/apis/go.sum
+++ b/generated/1.17/apis/go.sum
@@ -7,7 +7,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v0.0.0-20200808040245-162e5629780b/go.mod h1:NAJj0yf/KaRKURN6nyi7A9IZydMivZEm9oQLWNjfKDc=
+github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
@@ -29,7 +29,6 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -64,7 +63,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -74,7 +72,6 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -94,10 +91,10 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.17.11 h1:FAO+RMv/JhjBawixa33qZNZ2Yb5lNjgGuK8IjN2Ac3s=
-k8s.io/api v0.17.11/go.mod h1:WR3CbTwCAxtfMcEB6c92W3l5aZw09unPCyxmxjYV3xg=
-k8s.io/apimachinery v0.17.11 h1:hgMFLIR+ofBpaPb27lZkf44v3bLn3MLqcbnw32PgoGA=
-k8s.io/apimachinery v0.17.11/go.mod h1:q+iFxLyaMeWIBhSlQ4OMkvdwbwrb8Ux0ALl90XD9paU=
+k8s.io/api v0.17.16 h1:whKfZJJp9m5fklRnlvO8+mJzpXat0gX0n+90d1hWTu0=
+k8s.io/api v0.17.16/go.mod h1:W8uKRxJeYRlAbWuk4CZv6BzuC7KuZnB6bSTPI7Pi8no=
+k8s.io/apimachinery v0.17.16 h1:A9HqHhUGgUNwki1c1lY6w773WMY1Qx/jR3r9baX1unQ=
+k8s.io/apimachinery v0.17.16/go.mod h1:T54ZSpncArE25c5r2PbUPsLeTpkPWY/ivafigSX6+xk=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
--- a/generated/1.17/apis/supervisor/config/v1alpha1/doc.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/supervisor/config/v1alpha1/register.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Margo Crawford	8a4bbbfcbe	Proof of concept: client-side logout Signed-off-by: Margo Crawford <margaretc@vmware.com>	2022-03-04 17:01:26 -08:00
Pinny	89e68489ea	Updated versions in docs for v0.14.0 release	2022-03-03 21:57:36 +00:00
Margo Crawford	b987783c62	Merge pull request #1047 from vmware-tanzu/docs-k8s-codegen-version Update docs to reference the latest k8s codegen version	2022-03-03 11:14:33 -08:00
Margo Crawford	b8bdfa1b9a	Update docs to reference the latest k8s codegen version Signed-off-by: Margo Crawford <margaretc@vmware.com>	2022-03-03 10:36:42 -08:00
Mo Khan	6347d7c0e2	Merge pull request #1044 from vmware-tanzu/upgrade-crd-ref-docs Regenerate reference docs and escape pipe characters	2022-03-03 13:04:09 -05:00
anjalitelang	ab4a66131b	Update ROADMAP.md Updated roadmap for March	2022-03-03 11:51:24 -05:00
Margo Crawford	60d2b852ae	Corresponds with making our CI use the head of the master branch of crd-ref-docs This fixes #906 Signed-off-by: Margo Crawford <margaretc@vmware.com>	2022-03-02 14:31:58 -08:00
Mo Khan	ec74158ebc	Merge pull request #1043 from vmware-tanzu/active-directory-group-change-warning Add group change warning test for Active Directory	2022-03-02 15:43:59 -05:00
Margo Crawford	f6ad5d5c45	Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>	2022-03-02 11:54:36 -08:00
Mo Khan	dd4394a0d6	Merge pull request #1042 from enj/enj/i/group_warn_typo Fix typo in group removed warning	2022-03-02 14:41:22 -05:00
Monis Khan	eae55a8595	Fix typo in group removed warning Signed-off-by: Monis Khan <mok@vmware.com>	2022-03-02 12:58:30 -05:00
Ryan Richard	541811a7a6	Merge pull request #1028 from jvanzyl/main Minimal changes to allow an alternate deployment mechanism	2022-03-02 09:23:16 -08:00
Ryan Richard	0a63784ca2	Merge branch 'main' into main	2022-03-02 08:41:06 -08:00
Mo Khan	be2aee957c	Bump API docs to 1.23 Seems like this should be automated.	2022-03-02 09:04:41 -05:00
Margo Crawford	9a4a862808	Merge pull request #1039 from vmware-tanzu/group-change-warning Group change warning	2022-03-01 14:38:35 -08:00
Margo Crawford	609b55a6d7	Pinniped Supervisor should issue a warning when groups change during refresh	2022-03-01 14:01:57 -08:00
Ryan Richard	d1f756c9ab	Merge pull request #1040 from vmware-tanzu/codegen-21-22-23 Add generated code for Kube 1.21, 1.22, and 1.23	2022-03-01 12:53:54 -08:00
Ryan Richard	58f790c1c6	generate code for 1.17-1.20 using Go 1.17	2022-03-01 10:39:58 -08:00
Ryan Richard	956d046cf0	Merge branch 'main' into codegen-21-22-23	2022-03-01 10:02:05 -08:00
Ryan Richard	bf7457db59	expose env var for debug level of codegen	2022-03-01 10:01:49 -08:00
Mo Khan	0c866a6f98	Merge pull request #1041 from enj/enj/i/bump_0004 Bump kube to v0.23.4, rest to latest	2022-03-01 12:25:30 -05:00
Monis Khan	8179a7e802	Bump kube to v0.23.4, rest to latest Signed-off-by: Monis Khan <mok@vmware.com>	2022-03-01 09:25:56 -05:00
Ryan Richard	f501c76acc	Add generated code for Kube 1.21, 1.22, and 1.23 Also: - Make our code generator script work with Go 1.17 - Make our update.sh script work on linux - Update the patch versions of the old Kube versions that we were using to generate code (see kube-versions.txt) - Use our container images from ghcr instead of projects.registry.vmware.com for codegen purposes - Make it easier to debug in the future by passing "-v" to the Kube codegen scripts - Updated copyright years to make commit checks pass	2022-02-28 17:58:48 -08:00
Mo Khan	04c6b3331b	Merge pull request #1031 from vmware-tanzu/tolerate-control-plane Add toleration for new "control-plane" node label for Concierge deploy	2022-02-26 12:56:14 -05:00
Jason van Zyl	0ea10c77c7	Consolidate declaration of variables	2022-02-25 11:26:53 -05:00
Jason van Zyl	782157e1df	Remove debug output	2022-02-25 06:25:20 -05:00
Jason van Zyl	1e3f3555a4	Add line in help output for --alternate-deploy	2022-02-25 06:22:25 -05:00
Ryan Richard	8dc4a890ed	Merge branch 'main' into tolerate-control-plane	2022-02-24 10:12:31 -08:00
Mo Khan	619b8c19ad	Merge pull request #1032 from vmware-tanzu/increase-e2e-timeout Increase a test timeout to account for slower test on EKS in CI	2022-02-23 11:36:39 -05:00
Ryan Richard	e1e3342b3d	Increase a test timeout to account for slower test on EKS in CI The test takes longer on EKS because it has to wait about 2 minutes for the EKS load balancer to be ready during the test.	2022-02-22 11:46:15 -08:00
Ryan Richard	0651b9a912	Add toleration for new "control-plane" node label for Concierge deploy	2022-02-22 11:24:26 -08:00
Jason van Zyl	6491742c3a	Minimal changes to allow an alternate deployment mechanism The purpose of this change is to allow Helm to be used to deploy Pinniped into the local KinD cluster for the local integration tests. That said, the change allows any alternate deployment mechanism, I just happen to be using it with Helm. All default behavior is preserved. This won't change how anyone uses the script today, it just allows me not to copy/paste the whole setup for the integration tests. Changes: 1) An option called `--alternate-deploy <path-to-deploy-script>` has been added, that when enabled calls the specified script instead of using ytt and kapp. The alternate deploy script is called with the app to deploy and the tag of the docker image to use. We set the default value of the alternate_deploy variable to undefined, and there is a check that tests if the alternate deploy is defined. For the superivsor it looks like this: ``` if [ "$alternate_deploy" != "undefined" ]; then log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..." $alternate_deploy pinniped-supervisor $tag else normal ytt/kapp deploy fi ``` 2) Additional log_note entries have been added to enumerate all values passed into the ytt/kapp deploy. Used while I was trying to reach parity in the integration tests, but I think they are useful for debugging. 3) The manifests produced by ytt and written to /tmp are now named individually. This is so an easy comparison can be made between manifests produced by a ytt/kapp run of integration tests and manifests produced by helm run of the integration tests. If something is not working I have been comparing the manifests after these runs to find differences.	2022-02-20 10:15:29 -05:00
Margo Crawford	339bb84765	Merge pull request #982 from vmware-tanzu/upstream-ldap-group-refresh-skip Only run group refresh when the skipGroupRefresh boolean isn't set	2022-02-17 13:59:07 -08:00
Margo Crawford	b9582f864e	Update comment for skipGroupRefresh	2022-02-17 12:50:28 -08:00
Margo Crawford	e2c6dcd6e6	Add integration test	2022-02-17 12:50:28 -08:00
Margo Crawford	fdac4d16f0	Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP	2022-02-17 12:50:28 -08:00
Ryan Richard	67085e9dbb	Merge pull request #973 from vmware-tanzu/proposal_process Introduce a proposal process in the governance doc	2022-02-17 12:49:23 -08:00
Ryan Richard	dec89b5378	Merge branch 'main' into proposal_process	2022-02-17 12:48:58 -08:00
Margo Crawford	c7aaa69b4b	Merge pull request #975 from vmware-tanzu/upstream-ldap-group-refresh Inline upstream ldap group refresh	2022-02-17 12:47:22 -08:00
Margo Crawford	662f2cef9c	Integration test for updating group search base Also a small change to a comment	2022-02-17 11:29:59 -08:00
Margo Crawford	ca523b1f20	Always update groups even if it's nil Also de-dup groups and various small formatting changes	2022-02-17 11:29:59 -08:00
Margo Crawford	c28602f275	Add unit tests for group parsing overrides	2022-02-17 11:29:59 -08:00
Margo Crawford	dd11c02b6a	Add back entries because I think it's actually necessary	2022-02-17 11:29:59 -08:00
Margo Crawford	f890fad90c	Rename a function, sort strings inside searchGroupsForUserDN	2022-02-17 11:29:59 -08:00
Margo Crawford	cd7538861a	Add integration test where we don't get groups back	2022-02-17 11:29:59 -08:00
Margo Crawford	013b521838	Upstream ldap group refresh: - Doing it inline on the refresh request	2022-02-17 11:29:59 -08:00
Ryan Richard	9526009f74	Fix spelling typo in proposals/README.md Co-authored-by: Mo Khan <i@monis.app>	2022-02-17 10:59:23 -08:00
Ryan Richard	2f7713889a	Remove an unnecessary step from the proposal lifecycle	2022-02-17 10:56:13 -08:00
Ryan Richard	60cc61cdaa	Add the concept of a tracking issue to the proposal process	2022-02-17 10:42:10 -08:00
Ryan Richard	bc6827b2e1	Auto-format GOVERNANCE.md	2022-02-17 10:08:37 -08:00
Ryan Richard	9dbf7d6bf5	Merge branch 'main' into proposal_process	2022-02-17 10:07:37 -08:00
Ryan Richard	46dd73de70	Merge pull request #1006 from vmware-tanzu/fix_int_test_macos Fix int test that was failing on MacOS, and some small doc changes	2022-02-16 12:56:30 -08:00
Ryan Richard	9a6136761d	Merge branch 'main' into fix_int_test_macos	2022-02-16 12:01:47 -08:00
Ryan Richard	eaa3e9f612	Merge pull request #1013 from vmware-tanzu/cli_require_https_issuers CLI requires HTTPS OIDC issuer, authorize, and token URLS	2022-02-16 11:22:26 -08:00
Ryan Richard	c09daa8513	Merge branch 'main' into fix_int_test_macos	2022-02-16 11:09:11 -08:00
Ryan Richard	e5a60a8c84	Update a comment	2022-02-16 11:09:05 -08:00
Ryan Richard	79467318f4	CLI requires HTTPS OIDC issuer, authorize, and token URLS	2022-02-16 10:41:51 -08:00
Mo Khan	cc50fc980c	Merge pull request #1009 from enj/enj/i/chrome_beta_build_5 Enforce naming convention for browser based tests	2022-02-16 11:21:27 -05:00
Monis Khan	b8202d89d9	Enforce naming convention for browser based tests This allows us to target browser based tests with the regex: go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser' New tests that call browsertest.Open will automatically be forced to follow this convention. Signed-off-by: Monis Khan <mok@vmware.com>	2022-02-16 09:20:28 -05:00
Ryan Richard	f1f42052fb	Merge branch 'main' into fix_int_test_macos	2022-02-15 16:45:59 -08:00
Ryan Richard	3f4e6cf367	Fix a typo in CONTRIBUTING.md from a recent commit: comma in wrong place	2022-02-15 16:45:49 -08:00
Ryan Richard	1aa17bd84d	Check for darwin before relaxing stderr vs stdout assertion in e2e test	2022-02-15 13:45:04 -08:00
Mo Khan	c4ae5cfebb	Merge pull request #1003 from enj/enj/d/dex_password Update dex docs regarding password grant	2022-02-15 15:45:54 -05:00
Ryan Richard	b0c36c6633	Fix int test that was failing on MacOS, and some small doc changes	2022-02-15 11:19:49 -08:00
Ryan Richard	461c0ae56c	Merge branch 'main' into proposal_process	2022-02-15 10:15:46 -08:00
Ryan Richard	42db13d044	Move the proposal process doc to the `proposals` directory's README.md	2022-02-15 10:14:59 -08:00
Ryan Richard	82cdc870a6	Merge pull request #996 from vmware-tanzu/gke_tutorial Replace old tutorial with a new Supervisor + Concierge tutorial which uses GKE to demonstrate both	2022-02-15 09:37:29 -08:00
Ryan Richard	0175445ece	Merge branch 'main' into gke_tutorial	2022-02-15 09:22:52 -08:00
Ryan Richard	f728ea743f	Add --ignore-not-found to delete Supervisor app command	2022-02-15 09:04:47 -08:00
Ryan Richard	230e563ab7	Another draft of the new tutorial guide	2022-02-14 17:23:57 -08:00
Ryan Richard	26dcbd9ec1	Try using ```markdown instead of` ``md for coloring	2022-02-14 13:45:30 -08:00
Monis Khan	a21a5bca1e	Update dex docs regarding password grant Signed-off-by: Monis Khan <mok@vmware.com>	2022-02-13 12:48:20 -05:00
Ryan Richard	05ec8cba8c	Add a new subheading to the tutorial doc	2022-02-11 17:16:40 -08:00
Ryan Richard	e57a1a7891	Overwrite the old Supervisor+Concierge tutorial with the new one And make it easier for web site readers to find by adding prominent links to it from several places.	2022-02-11 17:03:13 -08:00
Mo Khan	11d9b4f21a	Merge pull request #999 from vmware-tanzu/dependabot/docker/golang-1.17.7 Bump golang from 1.17.6 to 1.17.7	2022-02-10 21:55:27 -05:00
dependabot[bot]	93e4d5d956	Bump golang from 1.17.6 to 1.17.7 Bumps golang from 1.17.6 to 1.17.7. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2022-02-11 01:13:54 +00:00
Mo Khan	390af8f476	Merge pull request #997 from enj/enj/i/bump_0003 Bump Kube to v0.23.3 and rest to latest	2022-02-10 18:19:54 -05:00
Monis Khan	49e88dd74a	Change some single quotes to double quotes in minified JS Signed-off-by: Monis Khan <mok@vmware.com>	2022-02-10 16:15:26 -05:00
Monis Khan	4be2dd3b2a	Bump Kube to v0.23.3 and rest to latest Signed-off-by: Monis Khan <mok@vmware.com>	2022-02-10 16:15:26 -05:00
Mo Khan	2c0b5b733b	Bump site latest_version to v0.14.0	2022-02-10 16:13:39 -05:00
Ryan Richard	c56ef5c40c	First draft of a Supervisor on GKE + Concierge on GKE tutorial Including ingress, DNS, cert-manager + letsencrypt for TLS certs, Okta, multiple workload clusters, etc.	2022-02-09 17:13:40 -08:00
Mo Khan	e1080e1225	Allow dependabot to open more pull requests	2022-02-09 16:15:57 -05:00
Mo Khan	59be3008fd	Merge pull request #985 from microwavables/update-docs updated search functionality of docs on site	2022-02-09 12:01:59 -05:00
Nanci Lancaster	d728c89ba6	updated search functionality of docs on site Signed-off-by: Nanci Lancaster <nancil@vmware.com>	2022-02-09 11:01:37 -05:00
Mo Khan	863aadd9ea	Merge pull request #989 from vmware-tanzu/chrome_cors2 Followup for CORS request handling to CLI's localhost listener	2022-02-09 10:27:00 -05:00
Ryan Richard	5d79d4b9dc	Fix form_post.js mistake from recent commit; Better CORS on callback	2022-02-08 17:30:48 -08:00
Ryan Richard	f6f188565b	Merge pull request #987 from vmware-tanzu/chrome_cors Add CORS request handling to CLI's localhost listener	2022-02-08 14:31:45 -08:00
Mo Khan	29368e8242	Make the linter happy	2022-02-08 16:31:04 -05:00
Ryan Richard	cd825c5e51	Use "-v6" for kubectl for an e2e test so we can get more failure output	2022-02-08 13:00:49 -08:00
Mo Khan	874b567974	Merge pull request #988 from enj/enj/t/e2e_hung e2e_test: handle hung go routines and readers	2022-02-08 12:57:54 -05:00
Monis Khan	8ee461ae8a	e2e_test: handle hung go routines and readers Signed-off-by: Monis Khan <mok@vmware.com>	2022-02-08 11:40:10 -05:00
Mo Khan	1388183bf1	TestE2EFullIntegration: reduce timeout This causes the test to timeout before concourse terminates the entire test run.	2022-02-07 20:53:03 -05:00
Ryan Richard	f1962ccf86	Merge branch 'main' into chrome_cors	2022-02-07 16:35:44 -08:00
Ryan Richard	0431a072ae	Remove an unnecessary nolint comment	2022-02-07 16:26:39 -08:00
Ryan Richard	6781bfd7d8	Fix JS bug: form post UI shows manual copy/paste UI upon failed callback When the POST to the CLI's localhost callback endpoint results in a non-2XX status code, then treat that as a failed login attempt and automatically show the manual copy/paste UI.	2022-02-07 16:21:23 -08:00
Ryan Richard	aa56f174db	Capture and print the full kubectl output in an e2e test upon failure	2022-02-07 16:17:38 -08:00
Ryan Richard	3c7e387137	Keep the CLI localhost listener running after requests with wrong verb Just in case some future browser change sends some new kind of request to our CLI, just ignore them by returning StatusMethodNotAllowed and continuing to listen.	2022-02-07 13:32:31 -08:00
Ryan Richard	2b93fdf357	Fix a bug in the e2e tests When the test was going to fail, a goroutine would accidentally block on writing to an unbuffered channel, and the spawnTestGoroutine helper would wait for that goroutine to end on cleanup, causing the test to hang forever while it was trying to fail.	2022-02-07 11:57:54 -08:00
Ryan Richard	7b97f1533e	Add CORS request handling to CLI's localhost listener This is to support the new changes in Google Chrome v98 which now performs CORS preflight requests for the Javascript form submission on the Supervisor's login page, even though the form is being submitted to a localhost listener.	2022-02-04 16:57:37 -08:00
anjalitelang	7c246784dc	Update ROADMAP.md Updated roadmap to reflect changes planned for v0.14 release and beyond.	2022-02-03 08:57:47 -05:00
anjalitelang	0dd3b40694	Update ROADMAP.md	2022-01-31 12:13:18 -05:00
Ryan Richard	a2a05548f9	More updates to draft proposal process based on feedback	2022-01-27 14:56:10 -08:00
Ryan Richard	d4725423a9	More updates to draft proposal process based on feedback	2022-01-27 14:51:52 -08:00
Ryan Richard	e9e56689cf	Update draft proposal process based on feedback	2022-01-25 11:22:19 -08:00
Ryan Richard	31bd50c011	first draft of proposal process	2022-01-24 15:17:09 -08:00
Margo Crawford	3b1153cd91	Update latest version to v0.13.0	2022-01-21 15:19:40 -08:00
anjalitelang	6590230bcd	Merge pull request #954 from anjaltelang/main Blog for v0.13.0	2022-01-21 15:17:18 -08:00
Pinny	4f06cd3c2e	Update CLI docs for v0.13.0 release	2022-01-21 23:12:12 +00:00