Merge pull request #1159 from vmware-tanzu/fix-openldap-typo

Tiny fix to openldap group name: pinninpeds->pinnipeds
Merge branch 'main' into fix-openldap-typo
2026-02-02 11:02:29 +00:00 · 2022-05-05 12:50:43 -07:00 · 2022-05-05 10:51:09 -07:00 · 2022-05-04 16:06:33 -04:00 · 2022-05-04 12:42:55 -07:00 · 2022-05-04 09:49:20 -07:00
1443 changed files with 49836 additions and 3583 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 *.go.tmpl linguist-language=Go
+hack/Dockerfile_fips linguist-language=Dockerfile
 generated/** linguist-generated
--- a/.github/ISSUE_TEMPLATE/feature-proposal.md
+++ b/.github/ISSUE_TEMPLATE/feature-proposal.md
@@ -1,5 +1,5 @@
 ---
-name: Feature proposal
+name: Feature request
 about: Suggest a way to improve this project
 title: ''
 labels: ''
@@ -16,12 +16,15 @@ It is recommended that you include screenshots and logs to help everyone achieve
 -->

 **Is your feature request related to a problem? Please describe.**
+
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

 **Describe the solution you'd like**
+
 A clear and concise description of what you want to happen.

 **Describe alternatives you've considered**
+
 A clear and concise description of any alternative solutions or features you've considered.

 **Are you considering submitting a PR for this feature?**
@@ -32,4 +35,5 @@ A clear and concise description of any alternative solutions or features you've
 - **How will this feature be documented?**

 **Additional context**
+
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/proposal_tracking.md
+++ b/.github/ISSUE_TEMPLATE/proposal_tracking.md
@@ -0,0 +1,34 @@
+---
+name: Proposal tracking
+about: A tracking issue for a proposal document
+title: '[Proposal] Your proposal title'
+labels: 'proposal-tracking'
+assignees: ''
+
+---
+
+<!--
+
+Hey! Thanks for opening an issue!
+
+This type of issue should only be opened if you intend to create a
+formal proposal document. Please refer to the proposal process in
+[proposals/README.md](proposals/README.md).
+
+Please title this issue starting with `[Proposal]` followed by a
+title for what you are going to propose. For example:
+`[Proposal] Lunar landing module authentication via Pinniped`.
+
+-->
+
+### Proposal Tracking Issue
+
+- Proposal: <!-- this starts empty, then please update to link to proposal PR, then also link to proposal doc file after it is merged -->
+
+- Discussion Links: <!-- link to any mailing list threads, Slack conversations, community meetings, or other places where the proposal was discussed, if any -->
+    - <!-- A -->
+    - <!-- B -->
+
+- Pull requests: <!-- link to all PRs related to this proposal such as updates to the proposal doc, implementation PRs, etc. - keep this list up to date -->
+    - <!-- #123: briefly describe this PR -->
+    - <!-- #456: briefly describe this PR -->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,7 @@
 version: 2
 updates:
  - package-ecosystem: "gomod"
+    open-pull-requests-limit: 100
    directory: "/"
    schedule:
      interval: "daily"
@@ -11,3 +12,8 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/hack"  # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
+    schedule:
+      interval: "daily"
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,55 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '29 11 * * 3'
+  push:
+    branches: [ main, release* ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional).
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        with:
+          sarif_file: results.sarif
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -34,7 +34,7 @@ linters:
  - godot
  - goheader
  - goimports
-  - golint
+  - revive
  - goprintffuncname
  - gosec
  - misspell
@@ -44,7 +44,7 @@ linters:
  - nolintlint
  - prealloc
  - rowserrcheck
-  - scopelint
+  - exportloopref
  - sqlclosecheck
  - unconvert
  - whitespace
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,6 +11,7 @@ repos:
  - id: check-json
  - id: end-of-file-fixer
  - id: trailing-whitespace
+    exclude: 'securetls*' # prevent the linter from running in this file because it's not smart enough not to trim the nmap test output.
  - id: check-merge-conflict
  - id: check-added-large-files
  - id: check-byte-order-marker
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -72,23 +72,38 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).

 ## CLA

-We welcome contributions from everyone but we can only accept them if you sign
+We welcome contributions from everyone, but we can only accept them if you sign
 our Contributor License Agreement (CLA). If you would like to contribute and you
 have not signed it, our CLA-bot will walk you through the process when you open
 a Pull Request. For questions about the CLA process, see the
 [FAQ](https://cla.vmware.com/faq) or submit a question through the GitHub issue
 tracker.

+## Learning about Pinniped
+
+New to Pinniped?
+- Start here to learn how to install and use Pinniped: [Learn to use Pinniped for federated authentication to Kubernetes clusters](https://pinniped.dev/docs/tutorials/concierge-and-supervisor-demo/)
+- Start here to learn how to navigate the source code: [Code Walk-through](https://pinniped.dev/docs/reference/code-walkthrough/)
+- Other more detailed documentation can be found at: [Pinniped Docs](https://pinniped.dev/docs/)
+
 ## Building

 The [Dockerfile](Dockerfile) at the root of the repo can be used to build and
-package the code. After making a change to the code, rebuild the docker image with the following command.
+package the server-side code. After making a change to the code, rebuild the
+docker image with the following command.

 ```bash
 # From the root directory of the repo...
 docker build .
 ```

+The Pinniped CLI client can be built for local use with the following command.
+
+```bash
+# From the root directory of the repo...
+go build -o pinniped ./cmd/pinniped
+```
+
 ## Testing

 ### Running Lint
@@ -119,10 +134,10 @@ docker build .
   On macOS, these tools can be installed with [Homebrew](https://brew.sh/) (assuming you have Chrome installed already):

   ```bash
-   brew install kind k14s/tap/ytt k14s/tap/kapp kubectl chromedriver nmap && brew cask install docker
+   brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl chromedriver nmap && brew cask install docker
   ```

-1. Create a kind cluster, compile, create container images, and install Pinniped and supporting dependencies using:
+1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:

   ```bash
   ./hack/prepare-for-integration-tests.sh
@@ -131,9 +146,14 @@ docker build .
 1. Run the Pinniped integration tests:

   ```bash
-   source /tmp/integration-test-env && go test -v -count 1 -timeout 0 ./test/integration
+   ulimit -n 512 && source /tmp/integration-test-env && go test -v -count 1 -timeout 0 ./test/integration
   ```

+   To run specific integration tests, add the `-run` flag to the above command to specify a regexp for the test names.
+   Use a leading `/` on the regexp because the Pinniped integration tests are automatically nested under several parent tests
+   (see [integration/main_test.go](https://github.com/vmware-tanzu/pinniped/blob/main/test/integration/main_test.go)).
+   For example, to run an integration test called `TestE2E`, add `-run /TestE2E` to the command shown above.
+
 1. After making production code changes, recompile, redeploy, and run tests again by repeating the same
   commands described above. If there are only test code changes, then simply run the tests again.

--- a/8
+++ b/8
@@ -1,9 +1,9 @@
-# syntax = docker/dockerfile:1.0-experimental
+# syntax=docker/dockerfile:1

 # Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.17.6 as build-env
+FROM golang:1.18.1 as build-env

 WORKDIR /work
 COPY . .
@@ -24,13 +24,13 @@ RUN \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator

 # Use a distroless runtime image with CA certificates, timezone data, and not much else.
-FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99
+FROM gcr.io/distroless/static:nonroot@sha256:2556293984c5738fc75208cce52cf0a4762c709cf38e4bf8def65a61992da0ad

 # Copy the server binary from the build-env stage.
 COPY --from=build-env /usr/local/bin /usr/local/bin

 # Document the default server ports for the various server apps
-EXPOSE 8080 8443 8444 10250
+EXPOSE 8443 8444 10250

 # Run as non-root for security posture
 # Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -4,48 +4,65 @@ This document defines the project governance for Pinniped.

 # Overview

-**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on building authentication services for Kubernetes clusters. The
-community is governed by this document which defines how all members should work together to achieve this goal.
+**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on
+building authentication services for Kubernetes clusters. The community is governed by this document which defines how
+all members should work together to achieve this goal.

 # Code of Conduct

-The Pinniped community abides by this [code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
+The Pinniped community abides by this
+[code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).

 # Community Roles

 * **Users:** Members that engage with the Pinniped community via any medium (Slack, GitHub, mailing lists, etc.).
-* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues, participating in proposal discussions, contributing code, etc.).
-* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs and responsible for Pinniped releases.
+* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues,
+  participating in proposal discussions, contributing code, etc.).
+* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs
+  and responsible for Pinniped releases.

 # Maintainers
-New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by notifying one of the maintainers.

-**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
+New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing
+maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by
+notifying one of the maintainers.

---
-# Supermajority
-A supermajority is defined as two-thirds of members in the group. A supermajority of Maintainers is required for certain decisions as outlined above. A supermajority vote is equivalent to the number of votes in favor of being at least twice the number of votes against. For example, if you have 5 maintainers, a supermajority vote is 4 votes. Voting on decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met. An abstain vote equals not voting at all.
+**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they
+voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the
+company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).

---
 # Decision Making
-Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless otherwise specified in this document, any vote will be decided by a supermajority of maintainers.

---
-# Proposal Process 
-The proposal process is currently being worked on. No formal process is available at this time. You may reach out to the maintainers in the Kubernetes Slack Workspace within the [#pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) channel or on the [Pinniped mailing list](project-pinniped@googlegroups.com) with any questions you may have or to send us your proposals.
+Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless
+otherwise specified in this document, any vote will be decided by a supermajority of maintainers.

---
-# Lazy Consensus
-To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is practiced. Ideas and / or proposals should be shared by maintainers via GitHub. Out of respect for other contributors, major changes should also be accompanied by a ping on the Kubernetes Slack in [#Pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) or a note on the [Pinniped mailing list](project-pinniped@googlegroups.com) as appropriate. Author(s) of proposals for major changes will give a time period of no less than five (5) working days for comment and remain cognizant of popular observed world holidays.
+## Supermajority

-**What constitutes the need for a proposal?**
-If there is significant risk with a potential feature or track of work (such as complexity, cost to implement, product viability, etc.), then we recommend creating a proposal for feedback and approval. If a potential feature is well understood and doesn't impose risk, then we recommend a **standard GitHub issue** to clarify the details.
+A supermajority is defined as two-thirds of members in the group. A supermajority of maintainers is required for certain
+decisions as outlined in this document. A supermajority vote is equivalent to the number of votes in favor being at
+least twice the number of votes against. A vote to abstain equals not voting at all. For example, if you have 5
+maintainers who all cast non-abstaining votes, then a supermajority vote is at least 4 votes in favor. Voting on
+decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers
+can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met.

-Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by a guarantee to review and respond to the relevant action in short order.
+## Lazy Consensus
+
+To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is
+practiced.
+
+Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress
+and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by
+a guarantee to review and respond to the relevant action in short order.

 Lazy consensus does not apply to the process of:
+
 * Removal of maintainers from Pinniped

---
-# Updating Governance
-All substantive changes in Governance require a supermajority agreement by all maintainers.
+## Updating Governance
+
+All substantive changes in Governance, including substantive changes to the proposal process, require a supermajority
+agreement by all maintainers.
+
+# Proposal Process
+
+The proposal process is defined in [proposals/README.md](proposals/README.md).
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -21,4 +21,4 @@ This is the current list of maintainers for the Pinniped project.
 | ----------------------------- | :---------------------: |
 | Technical Lead | Mo Khan (enj) |
 | Product Management | Anjali Telang (anjaltelang) |
-| Community Management | Nanci Lancaster (microwavables) |
+| Community Management | Nigel Brown (pnbrown) |
--- a/README.md
+++ b/README.md
@@ -32,14 +32,12 @@ building and testing the code, submitting PRs, and other contributor topics.

 ## Community meetings

-Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great 
-software to the community. Please join us during our online community meetings, occurring every first and third 
-Thursday of the month at 9 AM PT / 12 PM ET. 
+Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great
+software to the community. Please join us during our online community meetings, occurring every first and third
+Thursday of the month at 9 AM PT / 12 PM ET.

-**Note:** Community meetings are currently paused until early 2022 as we wind down 2021! 
-
-Use [this Zoom Link](https://go.pinniped.dev/community/zoom) to attend and add any agenda items you wish to 
-discuss to [the notes document](https://go.pinniped.dev/community/agenda). 
+Use [this Zoom Link](https://go.pinniped.dev/community/zoom) to attend and add any agenda items you wish to
+discuss to [the notes document](https://go.pinniped.dev/community/agenda).
 Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.

 If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
@@ -57,4 +55,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).

 Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).

-Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -33,16 +33,13 @@ The following table includes the current roadmap for Pinniped. If you have any q



-Last Updated: Jan 2022
+Last Updated: March 2022
 |Theme|Description|Timeline|
 |--|--|--|
-|Improving Security Posture|Support for refreshing LDAP/AD Group information |Feb 2022|
-|Improving Documentation|Documentation updates for HowTo guides and Workspace ONE IDP  |Feb/March 2022|
-|Improving Security Posture|Support FIPS compliant Boring crypto libraries |Feb/March 2022|
-|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|March/April 2022|
-|Improving Security Posture|TLS hardening |March/April 2022|
-|Improving Security Posture|Support Audit logging of security events related to Authentication |April/May 2022|
-|Improving Usability|Support for integrating with UI/Dashboards  |June/July 2022|
+|Improving Security Posture|Support Audit logging of security events related to Authentication |May/June 2022|
+|Improving Usability|Support for integrating with UI/Dashboards  |May/June 2022|
+|Improving Security Posture|TLS hardening contd|June/July 2022|
+|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|Exploring/Ongoing|
 |Improving Security Posture|mTLS for Supervisor sessions |Exploring/Ongoing|
 |Improving Security Posture|Key management/rotation for Pinniped components with minimal downtime |Exploring/Ongoing|
 |Improving Security Posture|Support for Session Logout |Exploring/Ongoing|
--- a/apis/concierge/authentication/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/authentication/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/config/v1alpha1/register.go.tmpl
+++ b/apis/concierge/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/doc.go.tmpl
+++ b/apis/concierge/identity/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/identity/register.go.tmpl
+++ b/apis/concierge/identity/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/types_whoami.go.tmpl
+++ b/apis/concierge/identity/types_whoami.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/apis/concierge/identity/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/identity/v1alpha1/register.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/v1alpha1/types_whoami.go.tmpl
+++ b/apis/concierge/identity/v1alpha1/types_whoami.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/identity/validation/validation.go.tmpl
+++ b/apis/concierge/identity/validation/validation.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package validation
--- a/apis/concierge/login/doc.go.tmpl
+++ b/apis/concierge/login/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/apis/concierge/login/register.go.tmpl
+++ b/apis/concierge/login/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_clustercred.go.tmpl
+++ b/apis/concierge/login/types_clustercred.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/types_token.go.tmpl
+++ b/apis/concierge/login/types_token.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/apis/concierge/login/v1alpha1/conversion.go.tmpl
+++ b/apis/concierge/login/v1alpha1/conversion.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/defaults.go.tmpl
+++ b/apis/concierge/login/v1alpha1/defaults.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/login/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/concierge/login/v1alpha1/register.go.tmpl
+++ b/apis/concierge/login/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_clustercred.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_clustercred.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/concierge/login/v1alpha1/types_token.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_token.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/supervisor/config/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -31,8 +31,9 @@ type FederationDomainTLSSpec struct {
 	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
 	// SecretName value even if they have different port numbers.
 	//
-	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
-	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+	// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+	// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
 	// use the default TLS certificate, which is configured elsewhere.
 	//
 	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
--- a/apis/supervisor/idp/v1alpha1/doc.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/doc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/apis/supervisor/idp/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -131,6 +131,31 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// the result of the group search.
 	// +optional
 	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
 }

 // Spec for configuring an ActiveDirectory identity provider.
--- a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
@@ -119,6 +119,31 @@ type LDAPIdentityProviderGroupSearch struct {
 	// the result of the group search.
 	// +optional
 	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+
+	// The user's group membership is refreshed as they interact with the supervisor
+	// to obtain new credentials (as their old credentials expire).  This allows group
+	// membership changes to be quickly reflected into Kubernetes clusters.  Since
+	// group membership is often used to bind authorization policies, it is important
+	// to keep the groups observed in Kubernetes clusters in-sync with the identity
+	// provider.
+	//
+	// In some environments, frequent group membership queries may result in a
+	// significant performance impact on the identity provider and/or the supervisor.
+	// The best approach to handle performance impacts is to tweak the group query
+	// to be more performant, for example by disabling nested group search or by
+	// using a more targeted group search base.
+	//
+	// If the group search query cannot be made performant and you are willing to
+	// have group memberships remain static for approximately a day, then set
+	// skipGroupRefresh to true.  This is an insecure configuration as authorization
+	// policies that are bound to group membership will not notice if a user has
+	// been removed from a particular group until their next login.
+	//
+	// This is an experimental feature that may be removed or significantly altered
+	// in the future.  Consumers of this configuration should carefully read all
+	// release notes before upgrading to ensure that the meaning of this field has
+	// not changed.
+	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
 }

 // Spec for configuring an LDAP identity provider.
--- a/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
+++ b/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
+++ b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package oidc
--- a/cmd/pinniped-concierge-kube-cert-agent/main.go
+++ b/cmd/pinniped-concierge-kube-cert-agent/main.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@@ -13,6 +13,9 @@ import (
 	"math"
 	"os"
 	"time"
+
+	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	_ "go.pinniped.dev/internal/crypto/ptls"
 )

 //nolint: gochecknoglobals // these are swapped during unit tests.
--- a/cmd/pinniped-server/main.go
+++ b/cmd/pinniped-server/main.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package main is the combined entrypoint for all Pinniped server components.
@@ -15,6 +15,8 @@ import (
 	"k8s.io/klog/v2"

 	concierge "go.pinniped.dev/internal/concierge/server"
+	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	_ "go.pinniped.dev/internal/crypto/ptls"
 	lua "go.pinniped.dev/internal/localuserauthenticator"
 	supervisor "go.pinniped.dev/internal/supervisor/server"
 )
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -171,7 +171,6 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	return cmd
 }

-//nolint:funlen
 func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, flags getKubeconfigParams) error {
 	ctx, cancel := context.WithTimeout(ctx, flags.timeout)
 	defer cancel()
@@ -715,7 +714,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
 func countCACerts(pemData []byte) int {
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(pemData)
-	return len(pool.Subjects())
+	return len(pool.Subjects()) // nolint: staticcheck  // not system cert pool
 }

 func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -955,7 +955,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantError: true,
 			wantStderr: func(issuerCABundle string, issuerURL string) string {
-				return fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": x509: certificate signed by unknown authority\n", issuerURL)
+				return fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %s\n", issuerURL, testutil.X509UntrustedCertError("Acme Co"))
 			},
 		},
 		{
--- a/cmd/pinniped/main.go
+++ b/cmd/pinniped/main.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package main
@@ -9,6 +9,8 @@ import (
 	"github.com/pkg/browser"

 	"go.pinniped.dev/cmd/pinniped/cmd"
+	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	_ "go.pinniped.dev/internal/crypto/ptls"
 )

 //nolint: gochecknoinits
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -221,7 +221,9 @@ spec:
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
-        - key: node-role.kubernetes.io/master #! Allow running on master nodes too
+        - key: node-role.kubernetes.io/master #! Allow running on master nodes too (name deprecated by kubernetes 1.20).
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24.
          effect: NoSchedule
      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
@@ -77,12 +76,13 @@ spec:
                      so all issuers with the same DNS hostname must use the same
                      SecretName value even if they have different port numbers. \n
                      SecretName is not required when you would like to use only the
-                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
-                      is also not required when you would like all requests to this
-                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
-                      which is configured elsewhere. \n When your Issuer URL's host
-                      is an IP address, then this field is ignored. SNI does not work
-                      for IP addresses."
+                      HTTP endpoints (e.g. when the HTTP listener is configured to
+                      listen on loopback interfaces or UNIX domain sockets for traffic
+                      from a service mesh sidecar). It is also not required when you
+                      would like all requests to this OIDC Provider's HTTPS endpoints
+                      to use the default TLS certificate, which is configured elsewhere.
+                      \n When your Issuer URL's host is an IP address, then this field
+                      is ignored. SNI does not work for IP addresses."
                    type: string
                type: object
            required:
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -115,8 +115,6 @@ spec:
              readOnly: false  #! writable to allow for socket use
            #@ end
          ports:
-            - containerPort: 8080
-              protocol: TCP
            - containerPort: 8443
              protocol: TCP
          env:
--- a/deploy/supervisor/helpers.lib.yaml
+++ b/deploy/supervisor/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -52,6 +52,7 @@ _: #@ template.replace(data.values.custom_labels)
 #@       "defaultTLSCertificateSecret": defaultResourceNameWithSuffix("default-tls-certificate"),
 #@     },
 #@     "labels": labels(),
+#@     "insecureAcceptExternalUnencryptedHttpRequests": data.values.deprecated_insecure_accept_external_unencrypted_http_requests
 #@   }
 #@   if data.values.log_level:
 #@     config["logLevel"] = getAndValidateLogLevel()
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
@@ -119,6 +118,30 @@ spec:
                      search can be slow for some Active Directory servers. To disable
                      it, you can set the filter to "(&(objectClass=group)(member={})"
                    type: string
+                  skipGroupRefresh:
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
+                    type: boolean
                type: object
              host:
                description: 'Host is the hostname of this Active Directory identity
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
@@ -111,6 +110,30 @@ spec:
                      an entry, so "dn={}" cannot be used. Optional. When not specified,
                      the default will act as if the Filter were specified as "member={}".
                    type: string
+                  skipGroupRefresh:
+                    description: "The user's group membership is refreshed as they
+                      interact with the supervisor to obtain new credentials (as their
+                      old credentials expire).  This allows group membership changes
+                      to be quickly reflected into Kubernetes clusters.  Since group
+                      membership is often used to bind authorization policies, it
+                      is important to keep the groups observed in Kubernetes clusters
+                      in-sync with the identity provider. \n In some environments,
+                      frequent group membership queries may result in a significant
+                      performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak
+                      the group query to be more performant, for example by disabling
+                      nested group search or by using a more targeted group search
+                      base. \n If the group search query cannot be made performant
+                      and you are willing to have group memberships remain static
+                      for approximately a day, then set skipGroupRefresh to true.
+                      \ This is an insecure configuration as authorization policies
+                      that are bound to group membership will not notice if a user
+                      has been removed from a particular group until their next login.
+                      \n This is an experimental feature that may be removed or significantly
+                      altered in the future.  Consumers of this configuration should
+                      carefully read all release notes before upgrading to ensure
+                      that the meaning of this field has not changed."
+                    type: boolean
                type: object
              host:
                description: 'Host is the hostname of this LDAP identity provider,
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
--- a/deploy/supervisor/service.yaml
+++ b/deploy/supervisor/service.yaml
@@ -1,10 +1,24 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
+#@ load("@ytt:assert", "assert")
 #@ load("helpers.lib.yaml", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")

-#@ if data.values.service_http_nodeport_port or data.values.service_https_nodeport_port:
+#@ if hasattr(data.values, "service_http_nodeport_port"):
+#@   assert.fail('value "service_http_nodeport_port" has been renamed to "deprecated_service_http_nodeport_port" and will be removed in a future release')
+#@ end
+#@ if hasattr(data.values, "service_http_nodeport_nodeport"):
+#@   assert.fail('value "service_http_nodeport_nodeport" has been renamed to "deprecated_service_http_nodeport_nodeport" and will be removed in a future release')
+#@ end
+#@ if hasattr(data.values, "service_http_loadbalancer_port"):
+#@   assert.fail('value "service_http_loadbalancer_port" has been renamed to "deprecated_service_http_loadbalancer_port" and will be removed in a future release')
+#@ end
+#@ if hasattr(data.values, "service_http_clusterip_port"):
+#@   assert.fail('value "service_http_clusterip_port" has been renamed to "deprecated_service_http_clusterip_port" and will be removed in a future release')
+#@ end
+
+#@ if data.values.deprecated_service_http_nodeport_port or data.values.service_https_nodeport_port:
 ---
 apiVersion: v1
 kind: Service
@@ -19,13 +33,13 @@ spec:
  type: NodePort
  selector: #@ deploymentPodLabel()
  ports:
-    #@ if data.values.service_http_nodeport_port:
+    #@ if data.values.deprecated_service_http_nodeport_port:
    - name: http
      protocol: TCP
-      port: #@ data.values.service_http_nodeport_port
+      port: #@ data.values.deprecated_service_http_nodeport_port
      targetPort: 8080
-      #@ if data.values.service_http_nodeport_nodeport:
-      nodePort: #@ data.values.service_http_nodeport_nodeport
+      #@ if data.values.deprecated_service_http_nodeport_nodeport:
+      nodePort: #@ data.values.deprecated_service_http_nodeport_nodeport
      #@ end
    #@ end
    #@ if data.values.service_https_nodeport_port:
@@ -39,7 +53,7 @@ spec:
    #@ end
 #@ end

-#@ if data.values.service_http_clusterip_port or data.values.service_https_clusterip_port:
+#@ if data.values.deprecated_service_http_clusterip_port or data.values.service_https_clusterip_port:
 ---
 apiVersion: v1
 kind: Service
@@ -54,10 +68,10 @@ spec:
  type: ClusterIP
  selector: #@ deploymentPodLabel()
  ports:
-    #@ if data.values.service_http_clusterip_port:
+    #@ if data.values.deprecated_service_http_clusterip_port:
    - name: http
      protocol: TCP
-      port: #@ data.values.service_http_clusterip_port
+      port: #@ data.values.deprecated_service_http_clusterip_port
      targetPort: 8080
    #@ end
    #@ if data.values.service_https_clusterip_port:
@@ -68,7 +82,7 @@ spec:
    #@ end
 #@ end

-#@ if data.values.service_http_loadbalancer_port or data.values.service_https_loadbalancer_port:
+#@ if data.values.deprecated_service_http_loadbalancer_port or data.values.service_https_loadbalancer_port:
 ---
 apiVersion: v1
 kind: Service
@@ -86,10 +100,10 @@ spec:
  loadBalancerIP: #@ data.values.service_loadbalancer_ip
  #@ end
  ports:
-    #@ if data.values.service_http_loadbalancer_port:
+    #@ if data.values.deprecated_service_http_loadbalancer_port:
    - name: http
      protocol: TCP
-      port: #@ data.values.service_http_loadbalancer_port
+      port: #@ data.values.deprecated_service_http_loadbalancer_port
      targetPort: 8080
    #@ end
    #@ if data.values.service_https_loadbalancer_port:
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@data/values
@@ -35,26 +35,27 @@ image_tag: latest
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}

-#! Specify how to expose the Supervisor app's HTTP and/or HTTPS ports as a Service.
-#! Typically you would set a value for only one of the following service types, for either HTTP or HTTPS depending on your needs.
-#! An HTTP service should not be exposed outside the cluster. It would not be secure to serve OIDC endpoints to end users via HTTP.
-#! Setting any of these values means that a Service of that type will be created.
+#! Specify how to expose the Supervisor app's HTTPS port as a Service.
+#! Typically, you would set a value for only one of the following service types.
+#! Setting any of these values means that a Service of that type will be created. They are all optional.
 #! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
-service_http_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
-service_http_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_http_nodeport_port` is specified; e.g. 31234
-service_http_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
-service_http_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
+#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
+#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
+deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
+deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
+deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
+deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
 service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
-service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_http_nodeport_port` is specified; e.g. 31243
+service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
 service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
 service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
 #! The `loadBalancerIP` value of the LoadBalancer Service.
-#! Ignored unless service_http_loadbalancer_port and/or service_https_loadbalancer_port are provided.
+#! Ignored unless service_https_loadbalancer_port is provided.
 #! Optional.
 service_loadbalancer_ip: #! e.g. 1.2.3.4

-#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
-#! information), trace (timing information), all (kitchen sink).
+#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
+#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
 log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.

 run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
@@ -74,17 +75,17 @@ api_group_suffix: pinniped.dev
 https_proxy: #! e.g. http://proxy.example.com
 no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints

-#! Control the https and http listeners of the Supervisor.
+#! Control the HTTP and HTTPS listeners of the Supervisor.
 #!
 #! The schema of this config is as follows:
 #!
 #! endpoints:
 #!   https:
 #!     network: tcp | unix | disabled
-#!     address: interface:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
+#!     address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
 #!   http:
 #!     network: same as above
-#!     address: same as above
+#!     address: same as above, except that when network=tcp then the address is only allowed to bind to loopback interfaces
 #!
 #! Setting network to disabled turns off that particular listener.
 #! See https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial for a description of what can be
@@ -98,23 +99,31 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #!     network: tcp
 #!     address: :8443
 #!   http:
-#!     network: tcp
-#!     address: :8080
+#!     network: disabled
 #!
-#! These defaults mean: bind to all interfaces using TCP.  Use port 8443 for https and 8080 for http.
-#! The defaults will change over time.  Users should explicitly set this value if they wish to avoid
-#! any changes on upgrade.
+#! These defaults mean: For HTTPS listening, bind to all interfaces using TCP on port 8443.
+#! Disable HTTP listening by default.
 #!
-#! A future version of the Supervisor app may include a breaking change to adjust the default
-#! behavior of the http listener to only listen on 127.0.0.1 (or perhaps even to be disabled).
+#! The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept
+#! traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be
+#! used to accept traffic from outside the pod, since that would mean that the network traffic could be
+#! transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod.
+#! Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic
+#! to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes.
 #!
-#! Binding the http listener to addresses other than 127.0.0.1 or ::1 is deprecated.
-#!
-#! Unix domain sockets are recommended for integrations with service meshes.  Ingresses that terminate
-#! TLS connections at the edge should re-encrypt the data and route traffic to the https listener.
-#!
-#! Changing the port numbers used must be accompanied with matching changes to the service and deployment
-#! manifests.  Changes to the https listener must be coordinated with the deployment health checks.
+#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
+#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
 #!
 #! Optional.
 endpoints:
+
+#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
+#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
+#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
+#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
+#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
+#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
+#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
+#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
+#! Optional.
+deprecated_insecure_accept_external_unencrypted_http_requests: false
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -24,7 +24,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition"]
 ==== Condition 

-
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.

 .Appears In:
 ****
@@ -36,7 +36,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 |===
 | Field | Description
 | *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-conditionstatus[$$ConditionStatus$$]__ | status of the condition, one of True, False, Unknown.
 | *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
 | *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
 | *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
@@ -47,7 +47,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-conditionstatus"]
 ==== ConditionStatus (string) 

-
+ConditionStatus is effectively an enum type for Condition.Status.

 .Appears In:
 ****
@@ -137,7 +137,7 @@ JWTTokenClaims allows customization of the claims that will be mapped to user id
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 

-
+Configuration for configuring TLS on various authenticators.

 .Appears In:
 ****
@@ -240,7 +240,7 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerfrontend"]
 ==== CredentialIssuerFrontend 

-
+CredentialIssuerFrontend describes how to connect using a particular integration strategy.

 .Appears In:
 ****
@@ -259,7 +259,7 @@ CredentialIssuer describes the configuration and status of the Pinniped Concierg
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 

-
+CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This type is deprecated and will be removed in a future version.

 .Appears In:
 ****
@@ -314,7 +314,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy"]
 ==== CredentialIssuerStrategy 

-
+CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.

 .Appears In:
 ****
@@ -336,7 +336,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyinfo"]
 ==== ImpersonationProxyInfo 

-
+ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.

 .Appears In:
 ****
@@ -354,7 +354,7 @@ CredentialIssuerStatus describes the status of the Concierge.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode"]
 ==== ImpersonationProxyMode (string) 

-
+ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.

 .Appears In:
 ****
@@ -376,7 +376,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. 
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
 | *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
@@ -386,7 +386,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
 ==== ImpersonationProxyServiceType (string) 

-
+ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.

 .Appears In:
 ****
@@ -398,7 +398,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec"]
 ==== ImpersonationProxySpec 

-
+ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.

 .Appears In:
 ****
@@ -408,7 +408,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`mode`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode[$$ImpersonationProxyMode$$]__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
 This field must be non-empty when spec.impersonationProxy.service.type is "None".
@@ -418,7 +418,7 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 

-
+TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.

 .Appears In:
 ****
@@ -538,7 +538,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
 | *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
- SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===

@@ -801,6 +801,10 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
+ In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
+ If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
+ This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


@@ -876,7 +880,7 @@ Status of an Active Directory identity provider.
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
-| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(\|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
 |===

@@ -902,7 +906,7 @@ Status of an Active Directory identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"]
 ==== Condition 

-
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.

 .Appears In:
 ****
@@ -915,7 +919,7 @@ Status of an Active Directory identity provider.
 |===
 | Field | Description
 | *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-conditionstatus[$$ConditionStatus$$]__ | status of the condition, one of True, False, Unknown.
 | *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
 | *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
 | *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
@@ -926,7 +930,7 @@ Status of an Active Directory identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-conditionstatus"]
 ==== ConditionStatus (string) 

-
+ConditionStatus is effectively an enum type for Condition.Status.

 .Appears In:
 ****
@@ -988,6 +992,10 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
 | *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
+ In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
+ If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
+ This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


@@ -1204,7 +1212,7 @@ OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter"]
 ==== Parameter 

-
+Parameter is a key/value pair which represents a parameter in an HTTP request.

 .Appears In:
 ****
@@ -1222,7 +1230,7 @@ OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 

-
+Configuration for TLS parameters related to identity provider integration.

 .Appears In:
 ****
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/config/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/config/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/doc.go
+++ b/generated/1.17/apis/concierge/identity/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.17/apis/concierge/identity/register.go
+++ b/generated/1.17/apis/concierge/identity/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/types_userinfo.go
+++ b/generated/1.17/apis/concierge/identity/types_userinfo.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/types_whoami.go
+++ b/generated/1.17/apis/concierge/identity/types_whoami.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package identity
--- a/generated/1.17/apis/concierge/identity/v1alpha1/conversion.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/conversion.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/defaults.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/defaults.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:openapi-gen=true
--- a/generated/1.17/apis/concierge/identity/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/register.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/types_userinfo.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/types_userinfo.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/types_whoami.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/types_whoami.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/identity/validation/validation.go
+++ b/generated/1.17/apis/concierge/identity/validation/validation.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package validation
--- a/generated/1.17/apis/concierge/identity/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/identity/zz_generated.deepcopy.go
@@ -1,6 +1,7 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.17/apis/concierge/login/doc.go
+++ b/generated/1.17/apis/concierge/login/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // +k8s:deepcopy-gen=package
--- a/generated/1.17/apis/concierge/login/register.go
+++ b/generated/1.17/apis/concierge/login/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package login
--- a/Show More
+++ b/Show More