Merge pull request #1615 from vmware-tanzu/jtc/fix-double-decoding-of-ca-crt

Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy

.github/dependabot.yml

@@ -8,6 +8,12 @@ updates:
     schedule:
       interval: "daily"
 
+  - package-ecosystem: "gomod"
+    open-pull-requests-limit: 2
+    directory: "/hack/update-go-mod"
+    schedule:
+      interval: "daily"
+
   - package-ecosystem: "docker"
     directory: "/"
     schedule:

.github/workflows/codeql-analysis.yml

@@ -1,18 +1,23 @@
+# See https://codeql.github.com and https://github.com/github/codeql-action
+# This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a
+# repository's source code to find security vulnerabilities. It then automatically uploads the
+# results to GitHub so they can be displayed in the repository's security tab.
 name: "CodeQL"
 
 on:
   push:
-    branches: [ main, release*, dynamic_clients ]
+    branches: [ "main", release* ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main, release*, dynamic_clients ]
+    branches: [ "main" ]
   schedule:
-    - cron: '39 13 * * 2'
+    - cron: '24 3 * * 3'
 
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       actions: read
       contents: read
@@ -25,33 +30,35 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
-
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/scorecards.yml

@@ -1,55 +0,0 @@
-name: Scorecards supply-chain security
-on:
-  # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    - cron: '29 11 * * 3'
-  push:
-    branches: [ main, release* ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecards analysis
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      actions: read
-      contents: read
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # Read-only PAT token. To create it,
-          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
-          # Publish the results to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`,
-          # regardless of the value entered here.
-          publish_results: true
-
-      # Upload the results as artifacts (optional).
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
-        with:
-          sarif_file: results.sarif

CONTRIBUTING.md

@@ -114,7 +114,6 @@ go build -o pinniped ./cmd/pinniped
 
 1. Install dependencies:
 
-   - [`chromedriver`](https://chromedriver.chromium.org/) (and [Chrome](https://www.google.com/chrome/))
    - [`docker`](https://www.docker.com/)
    - `htpasswd` (installed by default on MacOS, usually found in `apache2-utils` package for linux)
    - [`kapp`](https://carvel.dev/#getting-started)
@@ -122,11 +121,13 @@ go build -o pinniped ./cmd/pinniped
    - [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
    - [`ytt`](https://carvel.dev/#getting-started)
    - [`nmap`](https://nmap.org/download.html)
+   - [`openssl`](https://www.openssl.org) (installed by default on MacOS)
+   - [Chrome](https://www.google.com/chrome/)
 
    On macOS, these tools can be installed with [Homebrew](https://brew.sh/) (assuming you have Chrome installed already):
 
    ```bash
-   brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl chromedriver nmap && brew cask install docker
+   brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl nmap && brew cask install docker
    ```
 
 1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:

Dockerfile

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
 
-# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.19.4 as build-env
+FROM golang:1.20.7 as build-env
 
 WORKDIR /work
 COPY . .

MAINTAINERS.md

@@ -16,9 +16,3 @@
 | Matt Moyer        | [mattmoyer](https://github.com/mattmoyer)               |
 | Mo Khan           | [enj](https://github.com/enj)                           |
 | Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) |
-
-## Pinniped Community Management
-
-| Community Manager | GitHub ID                             |
-|-------------------|---------------------------------------|
-| Nigel Brown       | [pnbrown](https://github.com/pnbrown) |

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 
 	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
 	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
-	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
-	// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
-	// https://ldap.com/ldap-filters.
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+	// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will act as if the filter were specified as
 	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
 	// the result of the group search.
 	// +optional

apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
-	// the values of Filter and Attributes are ignored.
+	// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 	// +optional
 	Base string `json:"base,omitempty"`
 
 	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
 	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
-	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
-	// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
-	// https://ldap.com/ldap-filters.
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// For more information about LDAP filters, see https://ldap.com/ldap-filters.
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
 	// the result of the group search.
 	// +optional

apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
+	// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
+	// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
+	// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
 }
 
 // OIDCClient contains information about an OIDC client (e.g., client ID and client

apis/supervisor/oidc/types_supervisor_oidc.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package oidc
@@ -40,6 +40,10 @@ const (
 	// group names which were mapped from the upstream identity provider.
 	IDTokenClaimGroups = "groups"
 
+	// IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID
+	// token, if any claims are present.
+	IDTokenClaimAdditionalClaims = "additionalClaims"
+
 	// GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
 	GrantTypeAuthorizationCode = "authorization_code"
 

cmd/pinniped-concierge-kube-cert-agent/main.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@@ -13,8 +13,23 @@ import (
 	"os"
 	"time"
 
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
-	_ "go.pinniped.dev/internal/crypto/ptls"
+	// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
+	//
+	// Commenting this out because it causes the runtime memory consumption of this binary to increase
+	// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
+	// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
+	// code, then we should bring this import back to support the use of the ptls library for client and
+	// server code, and we should also increase the memory limits on the kube cert agent deployment (as
+	// decided by the kube cert agent controller in the Concierge).
+	//
+	//nolint:godot // This is not sentence, it is a commented out line of import code.
+	// _ "go.pinniped.dev/internal/crypto/ptls"
+
+	// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
+	// Without this line, the binary will exit 133 upon startup in fips_strict mode.
+	// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
+	// even though it shouldn't be used currently by this binary.
+	_ "go.pinniped.dev/internal/crypto/fips"
 )
 
 //nolint:gochecknoglobals // these are swapped during unit tests.

cmd/pinniped-server/main.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package main is the combined entrypoint for all Pinniped server components.
@@ -14,8 +14,8 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
 	concierge "go.pinniped.dev/internal/concierge/server"
+	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
 	_ "go.pinniped.dev/internal/crypto/ptls"
 	lua "go.pinniped.dev/internal/localuserauthenticator"
 	"go.pinniped.dev/internal/plog"

cmd/pinniped/cmd/alpha.go

@@ -1,22 +0,0 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-//nolint:gochecknoglobals
-var alphaCmd = &cobra.Command{
-	Use:          "alpha",
-	Short:        "alpha",
-	Long:         "alpha subcommands (syntax or flags are still subject to change)",
-	SilenceUsage: true, // do not print usage message when commands fail
-	Hidden:       true,
-}
-
-//nolint:gochecknoinits
-func init() {
-	rootCmd.AddCommand(alphaCmd)
-}

cmd/pinniped/cmd/generate_markdown_help.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -24,7 +24,7 @@ func generateMarkdownHelpCommand() *cobra.Command {
 		Args:         cobra.NoArgs,
 		Use:          "generate-markdown-help",
 		Short:        "Generate markdown help for the current set of non-hidden CLI commands",
-		SilenceUsage: true,
+		SilenceUsage: true, // do not print usage message when commands fail
 		Hidden:       true,
 		RunE:         runGenerateMarkdownHelp,
 	}

cmd/pinniped/cmd/get.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -8,7 +8,11 @@ import (
 )
 
 //nolint:gochecknoglobals
-var getCmd = &cobra.Command{Use: "get", Short: "get"}
+var getCmd = &cobra.Command{
+	Use:          "get",
+	Short:        "Gets one of [kubeconfig]",
+	SilenceUsage: true, // Do not print usage message when commands fail.
+}
 
 //nolint:gochecknoinits
 func init() {

cmd/pinniped/cmd/kubeconfig.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -23,6 +23,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/utils/strings/slices"
 
 	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
@@ -97,13 +98,18 @@ type getKubeconfigParams struct {
 	installHint               string
 }
 
+type discoveryResponseScopesSupported struct {
+	// Same as ScopesSupported in the Supervisor's discovery handler's struct.
+	ScopesSupported []string `json:"scopes_supported"`
+}
+
 func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	var (
 		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "kubeconfig",
 			Short:        "Generate a Pinniped-based kubeconfig for a cluster",
-			SilenceUsage: true,
+			SilenceUsage: true, // do not print usage message when commands fail
 		}
 		flags     getKubeconfigParams
 		namespace string // unused now
@@ -232,11 +238,9 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		cluster.CertificateAuthorityData = flags.concierge.caBundle
 	}
 
-	// If there is an issuer, and if any upstream IDP flags are not already set, then try to discover Supervisor upstream IDP details.
-	// When all the upstream IDP flags are set by the user, then skip discovery and don't validate their input. Maybe they know something
-	// that we can't know, like the name of an IDP that they are going to define in the future.
-	if len(flags.oidc.issuer) > 0 && (flags.oidc.upstreamIDPType == "" || flags.oidc.upstreamIDPName == "" || flags.oidc.upstreamIDPFlow == "") {
-		if err := discoverSupervisorUpstreamIDP(ctx, &flags, deps.log); err != nil {
+	if len(flags.oidc.issuer) > 0 {
+		err = pinnipedSupervisorDiscovery(ctx, &flags, deps.log)
+		if err != nil {
 			return err
 		}
 	}
@@ -720,6 +724,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
 func countCACerts(pemData []byte) int {
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(pemData)
+	//nolint:staticcheck // since we're not using .Subjects() to access the system pool
 	return len(pool.Subjects())
 }
 
@@ -732,21 +737,75 @@ func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool
 	return false
 }
 
-func discoverSupervisorUpstreamIDP(ctx context.Context, flags *getKubeconfigParams, log plog.MinLogger) error {
-	httpClient, err := newDiscoveryHTTPClient(flags.oidc.caBundle)
+func pinnipedSupervisorDiscovery(ctx context.Context, flags *getKubeconfigParams, log plog.MinLogger) error {
+	// Make a client suitable for calling the provider, which may or may not be a Pinniped Supervisor.
+	oidcProviderHTTPClient, err := newDiscoveryHTTPClient(flags.oidc.caBundle)
 	if err != nil {
 		return err
 	}
 
-	pinnipedIDPsEndpoint, err := discoverIDPsDiscoveryEndpointURL(ctx, flags.oidc.issuer, httpClient)
+	// Call the provider's discovery endpoint, but don't parse the results yet.
+	discoveredProvider, err := discoverOIDCProvider(ctx, flags.oidc.issuer, oidcProviderHTTPClient)
+	if err != nil {
+		return err
+	}
+
+	// Parse the discovery response to find the Supervisor IDP discovery endpoint.
+	pinnipedIDPsEndpoint, err := discoverIDPsDiscoveryEndpointURL(discoveredProvider)
 	if err != nil {
 		return err
 	}
 	if pinnipedIDPsEndpoint == "" {
 		// The issuer is not advertising itself as a Pinniped Supervisor which supports upstream IDP discovery.
+		// Since this field is not present, then assume that the provider is not a Pinniped Supervisor. This field
+		// was added to the discovery response in v0.9.0, which is so long ago that we can assume there are no such
+		// old Supervisors in the wild which need to work with this CLI command anymore. Since the issuer is not a
+		// Supervisor, then there is no need to do the rest of the Supervisor-specific business logic below related
+		// to username/groups scopes or IDP types/names/flows.
 		return nil
 	}
 
+	// Now that we know that the provider is a Supervisor, perform an additional check based on its response.
+	// The username and groups scopes were added to the Supervisor in v0.20.0, and were also added to the
+	// "scopes_supported" field in the discovery response in that same version. If this CLI command is talking
+	// to an older Supervisor, then remove the username and groups scopes from the list of requested scopes
+	// since they will certainly cause an error from the old Supervisor during authentication.
+	supervisorSupportsBothUsernameAndGroupsScopes, err := discoverScopesSupportedIncludesBothUsernameAndGroups(discoveredProvider)
+	if err != nil {
+		return err
+	}
+	if !supervisorSupportsBothUsernameAndGroupsScopes {
+		flags.oidc.scopes = slices.Filter(nil, flags.oidc.scopes, func(scope string) bool {
+			if scope == oidcapi.ScopeUsername || scope == oidcapi.ScopeGroups {
+				log.Info("removed scope from --oidc-scopes list because it is not supported by this Supervisor", "scope", scope)
+				return false // Remove username and groups scopes if there were present in the flags.
+			}
+			return true // Keep any other scopes in the flag list.
+		})
+	}
+
+	// If any upstream IDP flags are not already set, then try to discover Supervisor upstream IDP details.
+	// When all the upstream IDP flags are set by the user, then skip discovery and don't validate their input.
+	// Maybe they know something that we can't know, like the name of an IDP that they are going to define in the
+	// future.
+	if flags.oidc.upstreamIDPType == "" || flags.oidc.upstreamIDPName == "" || flags.oidc.upstreamIDPFlow == "" {
+		if err := discoverSupervisorUpstreamIDP(ctx, pinnipedIDPsEndpoint, oidcProviderHTTPClient, flags, log); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func discoverOIDCProvider(ctx context.Context, issuer string, httpClient *http.Client) (*coreosoidc.Provider, error) {
+	discoveredProvider, err := coreosoidc.NewProvider(coreosoidc.ClientContext(ctx, httpClient), issuer)
+	if err != nil {
+		return nil, fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
+	}
+	return discoveredProvider, nil
+}
+
+func discoverSupervisorUpstreamIDP(ctx context.Context, pinnipedIDPsEndpoint string, httpClient *http.Client, flags *getKubeconfigParams, log plog.MinLogger) error {
 	discoveredUpstreamIDPs, err := discoverAllAvailableSupervisorUpstreamIDPs(ctx, pinnipedIDPsEndpoint, httpClient)
 	if err != nil {
 		return err
@@ -786,21 +845,24 @@ func newDiscoveryHTTPClient(caBundleFlag caBundleFlag) (*http.Client, error) {
 	return phttp.Default(rootCAs), nil
 }
 
-func discoverIDPsDiscoveryEndpointURL(ctx context.Context, issuer string, httpClient *http.Client) (string, error) {
-	discoveredProvider, err := coreosoidc.NewProvider(coreosoidc.ClientContext(ctx, httpClient), issuer)
-	if err != nil {
-		return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
-	}
-
+func discoverIDPsDiscoveryEndpointURL(discoveredProvider *coreosoidc.Provider) (string, error) {
 	var body idpdiscoveryv1alpha1.OIDCDiscoveryResponse
-	err = discoveredProvider.Claims(&body)
+	err := discoveredProvider.Claims(&body)
 	if err != nil {
 		return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
 	}
-
 	return body.SupervisorDiscovery.PinnipedIDPsEndpoint, nil
 }
 
+func discoverScopesSupportedIncludesBothUsernameAndGroups(discoveredProvider *coreosoidc.Provider) (bool, error) {
+	var body discoveryResponseScopesSupported
+	err := discoveredProvider.Claims(&body)
+	if err != nil {
+		return false, fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
+	}
+	return slices.Contains(body.ScopesSupported, oidcapi.ScopeUsername) && slices.Contains(body.ScopesSupported, oidcapi.ScopeGroups), nil
+}
+
 func discoverAllAvailableSupervisorUpstreamIDPs(ctx context.Context, pinnipedIDPsEndpoint string, httpClient *http.Client) ([]idpdiscoveryv1alpha1.PinnipedIDP, error) {
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, pinnipedIDPsEndpoint, nil)
 	if err != nil {

cmd/pinniped/cmd/login.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -7,15 +7,27 @@ import (
 	"github.com/spf13/cobra"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/auth/exec"
+
+	"go.pinniped.dev/internal/here"
 )
 
 //nolint:gochecknoglobals
 var loginCmd = &cobra.Command{
-	Use:          "login",
-	Short:        "login",
-	Long:         "Login to a Pinniped server",
+	Use:   "login",
+	Short: "Authenticates with one of [oidc, static]",
+	Long: here.Doc(
+		`Authenticates with one of [oidc, static]
+
+			Use "pinniped get kubeconfig" to generate a kubeconfig file which will include
+			one of these login subcommands in its configuration. The oidc and static
+			subcommands are not meant to be invoked directly by a user.
+
+			The oidc and static subcommands are Kubernetes client-go credential plugins
+			which are meant to be configured inside a kubeconfig file. (See the Kubernetes
+			authentication documentation for more information about client-go credential
+			plugins.)`,
+	),
 	SilenceUsage: true, // Do not print usage message when commands fail.
-	Hidden:       true, // These commands are not really meant to be used directly by users, so it's confusing to have them discoverable.
 }
 
 //nolint:gochecknoinits

cmd/pinniped/cmd/login_oidc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -23,6 +23,7 @@ import (
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	"go.pinniped.dev/internal/execcredcache"
 	"go.pinniped.dev/internal/groupsuffix"
+	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/net/phttp"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/pkg/conciergeclient"
@@ -88,10 +89,21 @@ type oidcLoginFlags struct {
 func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	var (
 		cmd = &cobra.Command{
-			Args:         cobra.NoArgs,
-			Use:          "oidc --issuer ISSUER",
-			Short:        "Login using an OpenID Connect provider",
-			SilenceUsage: true,
+			Args:  cobra.NoArgs,
+			Use:   "oidc --issuer ISSUER",
+			Short: "Login using an OpenID Connect provider",
+			Long: here.Doc(
+				`Login using an OpenID Connect provider
+
+					Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
+					login command in its configuration. This login command is not meant to be
+					invoked directly by a user.
+
+					This login command is a Kubernetes client-go credential plugin which is meant to
+					be configured inside a kubeconfig file. (See the Kubernetes authentication
+					documentation for more information about client-go credential plugins.)`,
+			),
+			SilenceUsage: true, // do not print usage message when commands fail
 		}
 		flags              oidcLoginFlags
 		conciergeNamespace string // unused now

cmd/pinniped/cmd/login_oidc_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -62,6 +62,14 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantStdout: here.Doc(`
 				Login using an OpenID Connect provider
 
+				Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
+				login command in its configuration. This login command is not meant to be
+				invoked directly by a user.
+
+				This login command is a Kubernetes client-go credential plugin which is meant to
+				be configured inside a kubeconfig file. (See the Kubernetes authentication
+				documentation for more information about client-go credential plugins.)
+
 				Usage:
 				  oidc --issuer ISSUER [flags]
 
@@ -483,8 +491,8 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 4,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:231  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:251  No concierge configured, skipping token credential exchange`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:243  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:263  No concierge configured, skipping token credential exchange`,
 			},
 		},
 		{
@@ -513,10 +521,10 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 11,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:231  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:241  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:249  Successfully exchanged token for cluster credential.`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:256  caching cluster credential for future use.`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:243  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:253  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:261  Successfully exchanged token for cluster credential.`,
+				nowStr + `  pinniped-login  cmd/login_oidc.go:268  caching cluster credential for future use.`,
 			},
 		},
 	}

cmd/pinniped/cmd/login_static.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -16,6 +16,7 @@ import (
 
 	"go.pinniped.dev/internal/execcredcache"
 	"go.pinniped.dev/internal/groupsuffix"
+	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/pkg/conciergeclient"
 	"go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -55,10 +56,21 @@ type staticLoginParams struct {
 func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
 	var (
 		cmd = &cobra.Command{
-			Args:         cobra.NoArgs,
-			Use:          "static [--token TOKEN] [--token-env TOKEN_NAME]",
-			Short:        "Login using a static token",
-			SilenceUsage: true,
+			Args:  cobra.NoArgs,
+			Use:   "static [--token TOKEN] [--token-env TOKEN_NAME]",
+			Short: "Login using a static token",
+			Long: here.Doc(
+				`Login using a static token
+
+					Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
+					login command in its configuration. This login command is not meant to be
+					invoked directly by a user.
+
+					This login command is a Kubernetes client-go credential plugin which is meant to
+					be configured inside a kubeconfig file. (See the Kubernetes authentication
+					documentation for more information about client-go credential plugins.)`,
+			),
+			SilenceUsage: true, // do not print usage message when commands fail
 		}
 		flags              staticLoginParams
 		conciergeNamespace string // unused now

cmd/pinniped/cmd/login_static_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -56,6 +56,14 @@ func TestLoginStaticCommand(t *testing.T) {
 			wantStdout: here.Doc(`
 				Login using a static token
 
+				Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
+				login command in its configuration. This login command is not meant to be
+				invoked directly by a user.
+
+				This login command is a Kubernetes client-go credential plugin which is meant to
+				be configured inside a kubeconfig file. (See the Kubernetes authentication
+				documentation for more information about client-go credential plugins.)
+
 				Usage:
 				  static [--token TOKEN] [--token-env TOKEN_NAME] [flags]
 
@@ -140,7 +148,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				Error: could not complete Concierge credential exchange: some concierge error
 			`),
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_static.go:147  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  pinniped-login  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
 			},
 		},
 		{

cmd/pinniped/cmd/root.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -8,14 +8,18 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/plog"
 )
 
 //nolint:gochecknoglobals
 var rootCmd = &cobra.Command{
-	Use:          "pinniped",
-	Short:        "pinniped",
-	Long:         "pinniped is the client-side binary for use with Pinniped-enabled Kubernetes clusters.",
+	Use: "pinniped",
+	Long: here.Doc(
+		`The Pinniped CLI is the client-side binary for use with Pinniped-enabled Kubernetes clusters
+
+		 Find more information at: https://pinniped.dev`,
+	),
 	SilenceUsage: true, // do not print usage message when commands fail
 }
 

cmd/pinniped/cmd/whoami.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -48,7 +48,7 @@ func newWhoamiCommand(getClientset getConciergeClientsetFunc) *cobra.Command {
 		Args:         cobra.NoArgs, // do not accept positional arguments for this command
 		Use:          "whoami",
 		Short:        "Print information about the current user",
-		SilenceUsage: true,
+		SilenceUsage: true, // do not print usage message when commands fail
 	}
 	flags := &whoamiFlags{}
 

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -107,10 +107,11 @@ spec:
                     description: Filter is the ActiveDirectory search filter which
                       should be applied when searching for groups for a user. The
                       pattern "{}" must occur in the filter at least once and will
-                      be dynamically replaced by the dn (distinguished name) of the
-                      user entry found as a result of the user search. E.g. "member={}"
-                      or "&(objectClass=groupOfNames)(member={})". For more information
-                      about ActiveDirectory filters, see https://ldap.com/ldap-filters.
+                      be dynamically replaced by the value of an attribute of the
+                      user entry found as a result of the user search. Which attribute's
+                      value is used to replace the placeholder(s) depends on the value
+                      of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+                      For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
                       Note that the dn (distinguished name) is not an attribute of
                       an entry, so "dn={}" cannot be used. Optional. When not specified,
                       the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@@ -142,6 +143,20 @@ spec:
                       carefully read all release notes before upgrading to ensure
                       that the meaning of this field has not changed."
                     type: boolean
+                  userAttributeForFilter:
+                    description: UserAttributeForFilter specifies which attribute's
+                      value from the user entry found as a result of the user search
+                      will be used to replace the "{}" placeholder(s) in the group
+                      search Filter. For example, specifying "uid" as the UserAttributeForFilter
+                      while specifying "&(objectClass=posixGroup)(memberUid={})" as
+                      the Filter would search for groups by replacing the "{}" placeholder
+                      in the Filter with the value of the user's "uid" attribute.
+                      Optional. When not specified, the default will act as if "dn"
+                      were specified. For example, leaving UserAttributeForFilter
+                      unspecified while specifying "&(objectClass=groupOfNames)(member={})"
+                      as the Filter would search for groups by replacing the "{}"
+                      placeholder(s) with the dn (distinguished name) of the user.
+                    type: string
                 type: object
               host:
                 description: 'Host is the hostname of this Active Directory identity

deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -96,15 +96,16 @@ spec:
                       used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
                       When not specified, no group search will be performed and authenticated
                       users will not belong to any groups from the LDAP provider.
-                      Also, when not specified, the values of Filter and Attributes
-                      are ignored.
+                      Also, when not specified, the values of Filter, UserAttributeForFilter,
+                      Attributes, and SkipGroupRefresh are ignored.
                     type: string
                   filter:
                     description: Filter is the LDAP search filter which should be
                       applied when searching for groups for a user. The pattern "{}"
                       must occur in the filter at least once and will be dynamically
-                      replaced by the dn (distinguished name) of the user entry found
-                      as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+                      replaced by the value of an attribute of the user entry found
+                      as a result of the user search. Which attribute's value is used
+                      to replace the placeholder(s) depends on the value of UserAttributeForFilter.
                       For more information about LDAP filters, see https://ldap.com/ldap-filters.
                       Note that the dn (distinguished name) is not an attribute of
                       an entry, so "dn={}" cannot be used. Optional. When not specified,
@@ -134,6 +135,20 @@ spec:
                       carefully read all release notes before upgrading to ensure
                       that the meaning of this field has not changed."
                     type: boolean
+                  userAttributeForFilter:
+                    description: UserAttributeForFilter specifies which attribute's
+                      value from the user entry found as a result of the user search
+                      will be used to replace the "{}" placeholder(s) in the group
+                      search Filter. For example, specifying "uid" as the UserAttributeForFilter
+                      while specifying "&(objectClass=posixGroup)(memberUid={})" as
+                      the Filter would search for groups by replacing the "{}" placeholder
+                      in the Filter with the value of the user's "uid" attribute.
+                      Optional. When not specified, the default will act as if "dn"
+                      were specified. For example, leaving UserAttributeForFilter
+                      unspecified while specifying "&(objectClass=groupOfNames)(member={})"
+                      as the Filter would search for groups by replacing the "{}"
+                      placeholder(s) with the dn (distinguished name) of the user.
+                    type: string
                 type: object
               host:
                 description: 'Host is the hostname of this LDAP identity provider,

deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -185,6 +185,24 @@ spec:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. These claims will be made available to
+                      all clients. This feature is not required to use the Supervisor
+                      to provide authentication for Kubernetes clusters, but can be
+                      used when using the Supervisor for other authentication purposes.
+                      When this map is empty or the upstream claims are not available,
+                      the "additionalClaims" claim will be excluded from the ID tokens
+                      generated by the Supervisor.
+                    type: object
                   groups:
                     description: Groups provides the name of the ID token claim or
                       userinfo endpoint response claim that will be used to ascertain

generated/1.17/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 
@@ -758,9 +780,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 | Field | Description
 | *`allowedRedirectURIs`* __RedirectURI array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
 | *`allowedGrantTypes`* __GrantType array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to   authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.   This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,   which is a step in the process to be able to get a cluster credential for the user.   This grant must be listed if allowedScopes lists pinniped:request-audience.
+ Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
 | *`allowedScopes`* __Scope array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).   This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.   This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,   which is a step in the process to be able to get a cluster credential for the user.   openid, username and groups scopes must be listed when this scope is present.   This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username.   Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership,   if their group membership is discoverable by the Supervisor.   Without the groups scope being requested and allowed, the ID token will not contain groups.
+ Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===
 
 
@@ -1062,7 +1084,8 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 |===
 | Field | Description
 | *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
-| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
  In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
@@ -1252,8 +1275,9 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
-| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
 | *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
  In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
@@ -1391,6 +1415,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===
 
 

generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.conversion.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by conversion-gen. DO NOT EDIT.

generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/concierge/identity/v1alpha1/zz_generated.defaults.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by defaulter-gen. DO NOT EDIT.

generated/1.17/apis/concierge/identity/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/concierge/login/v1alpha1/zz_generated.conversion.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by conversion-gen. DO NOT EDIT.

generated/1.17/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/concierge/login/v1alpha1/zz_generated.defaults.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by defaulter-gen. DO NOT EDIT.

generated/1.17/apis/concierge/login/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by conversion-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by defaulter-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.

generated/1.17/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 
 	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
 	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
-	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
-	// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
-	// https://ldap.com/ldap-filters.
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+	// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will act as if the filter were specified as
 	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@@ -127,6 +128,17 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
 	// the result of the group search.
 	// +optional

generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -101,20 +101,31 @@ type LDAPIdentityProviderGroupSearch struct {
 	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
 	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
 	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
-	// the values of Filter and Attributes are ignored.
+	// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
 	// +optional
 	Base string `json:"base,omitempty"`
 
 	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
 	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
-	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
-	// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
-	// https://ldap.com/ldap-filters.
+	// value of an attribute of the user entry found as a result of the user search. Which attribute's
+	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+	// For more information about LDAP filters, see https://ldap.com/ldap-filters.
 	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
 	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 	// +optional
 	Filter string `json:"filter,omitempty"`
 
+	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+	// For example, specifying "uid" as the UserAttributeForFilter while specifying
+	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
+	// +optional
+	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
+
 	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
 	// the result of the group search.
 	// +optional

generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
+	// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
+	// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
+	// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
 }
 
 // OIDCClient contains information about an OIDC client (e.g., client ID and client

generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }
 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }

generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package oidc
@@ -40,6 +40,10 @@ const (
 	// group names which were mapped from the upstream identity provider.
 	IDTokenClaimGroups = "groups"
 
+	// IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID
+	// token, if any claims are present.
+	IDTokenClaimAdditionalClaims = "additionalClaims"
+
 	// GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
 	GrantTypeAuthorizationCode = "authorization_code"
 

generated/1.17/client/concierge/clientset/versioned/clientset.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/fake/clientset_generated.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/fake/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/fake/register.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/scheme/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/scheme/register.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by client-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/authentication/interface.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/config/interface.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/factory.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/generic.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by informer-gen. DO NOT EDIT.

generated/1.17/client/concierge/listers/authentication/v1alpha1/expansion_generated.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by lister-gen. DO NOT EDIT.

generated/1.17/client/concierge/listers/authentication/v1alpha1/jwtauthenticator.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by lister-gen. DO NOT EDIT.