Merge pull request #1893 from vmware-tanzu/pinny/bump-deps

Bump dependencies
2026-01-31 10:02:33 +00:00 · 2024-03-13 09:46:15 -05:00 · 2024-03-13 13:03:41 +00:00 · 2024-03-12 09:13:47 -07:00 · 2024-03-12 13:02:12 +00:00 · 2024-03-11 16:08:50 -05:00
1703 changed files with 61759 additions and 17594 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -21,3 +21,6 @@

 # MacOS Desktop Services Store
 .DS_Store
+
+# Hugo temp file
+.hugo_build.lock
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,11 +2,6 @@

 version: 2
 updates:
-  - package-ecosystem: "gomod"
-    open-pull-requests-limit: 100
-    directory: "/"
-    schedule:
-      interval: "daily"

  - package-ecosystem: "gomod"
    open-pull-requests-limit: 2
@@ -14,12 +9,21 @@ updates:
    schedule:
      interval: "daily"

-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "daily"
+# Our own CI job is responsible for updating this go.mod file now.
+#  - package-ecosystem: "gomod"
+#    open-pull-requests-limit: 100
+#    directory: "/"
+#    schedule:
+#      interval: "daily"

-  - package-ecosystem: "docker"
-    directory: "/hack"  # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
-    schedule:
-      interval: "daily"
+# Our own CI job is responsible for updating this Docker file now.
+#  - package-ecosystem: "docker"
+#    directory: "/"
+#    schedule:
+#      interval: "daily"
+
+# Our own CI job is responsible for updating this Docker file now.
+#  - package-ecosystem: "docker"
+#    directory: "/hack"  # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
+#    schedule:
+#      interval: "daily"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -29,11 +29,13 @@ jobs:
        language: [ 'go', 'javascript' ]

    steps:
+    # Checkout our repository.
+    # See https://github.com/actions/checkout for documentation.
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -43,10 +45,16 @@ jobs:
        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

+    # Install Go.
+    # See https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file.
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -59,6 +67,6 @@ jobs:
    #     ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,6 @@

 # MacOS Desktop Services Store
 .DS_Store
+
+# Hugo temp file
+.hugo_build.lock
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -7,52 +7,52 @@ run:
 linters:
  disable-all: true
  enable:
-  # default linters
-  - errcheck
-  - gosimple
-  - govet
-  - ineffassign
-  - staticcheck
-  - typecheck
-  - unused
+    # default linters
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - typecheck
+    - unused

-  # additional linters for this project (we should disable these if they get annoying).
-  - asciicheck
-  - bodyclose
-  - depguard
-  - dogsled
-  - exhaustive
-  - exportloopref
-  - funlen
-  - gochecknoglobals
-  - gochecknoinits
-  - gocritic
-  - gocyclo
-  - godot
-  - goheader
-  - goimports
-  - revive
-  - goprintffuncname
-  - gosec
-  - misspell
-  - nakedret
-  - nestif
-  - noctx
-  - nolintlint
-  - prealloc
-  - rowserrcheck
-  - exportloopref
-  - sqlclosecheck
-  - unconvert
-  - whitespace
+    # additional linters for this project (we should disable these if they get annoying).
+    - asciicheck
+    - bodyclose
+    # - depguard
+    - dogsled
+    - exhaustive
+    - exportloopref
+    - funlen
+    - gochecknoglobals
+    - gochecknoinits
+    - gocritic
+    - gocyclo
+    - godot
+    - goheader
+    - goimports
+    - revive
+    - goprintffuncname
+    - gosec
+    - misspell
+    - nakedret
+    - nestif
+    - noctx
+    - nolintlint
+    - prealloc
+    - rowserrcheck
+    - exportloopref
+    - sqlclosecheck
+    - unconvert
+    - whitespace

 issues:
  exclude-rules:
    # exclude tests from some rules for things that are useful in a testing context.
-  - path: _test\.go
-    linters:
-    - funlen
-    - gochecknoglobals
+    - path: _test\.go
+      linters:
+        - funlen
+        - gochecknoglobals

 linters-settings:
  funlen:
@@ -64,7 +64,15 @@ linters-settings:
        # YYYY or YYYY-YYYY
        YEARS: \d\d\d\d(-\d\d\d\d)?
    template: |-
-        Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
-        SPDX-License-Identifier: Apache-2.0
+      Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
+      SPDX-License-Identifier: Apache-2.0
  goimports:
    local-prefixes: go.pinniped.dev
+  revive:
+    max-open-files: 2048
+    rules:
+      - name: unused-parameter
+        arguments:
+          # Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
+          # an interface sometimes, to help readers understand why it is unused in that particular implementation.
+          - allowRegex: "^_"
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@
 exclude: '^(site|generated)/'
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
  hooks:
  # TODO: find a version of this to validate ytt templates?
  # - id: check-yaml
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -154,7 +154,7 @@ To destroy the local Kubernetes cluster, run `./hack/kind-down.sh`.

 ### Observing Tests on the Continuous Integration Environment

-[CI](https://hush-house.pivotal.io/teams/tanzu-user-auth/pipelines/pinniped-pull-requests)
+[CI](https://ci.pinniped.dev/teams/main/pipelines/pull-requests)
 will not be triggered on a pull request until the pull request is reviewed and
 approved for CI by a project [maintainer](MAINTAINERS.md). Once CI is triggered,
 the progress and results will appear on the Github page for that
--- a/28
+++ b/28
@@ -3,23 +3,32 @@
 # Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.21.1 as build-env
+ARG BUILD_IMAGE=golang:1.22.1@sha256:0b55ab82ac2a54a6f8f85ec8b943b9e470c39e32c109b766bbc1b801f3fa8d3b
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:55c636171053dbc8ae07a280023bd787d2921f10e569f3e319f1539076dbba11
+
+# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
+FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

 WORKDIR /work
-COPY . .
+
 ARG GOPROXY

 ARG KUBE_GIT_VERSION
 ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION

-# Build the executable binary (CGO_ENABLED=0 means static linking)
-# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
-# can be re-used between image builds.
+# These will be set by buildkit automatically, e.g. TARGETOS set to "linux" and TARGETARCH set to "amd64" or "arm64".
+# Useful for building multi-arch container images.
+ARG TARGETOS
+ARG TARGETARCH
+
+# Build the statically linked (CGO_ENABLED=0) binary.
+# Mount source, build cache, and module cache for performance reasons.
+# See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
 RUN \
+  --mount=target=. \
  --mount=type=cache,target=/cache/gocache \
  --mount=type=cache,target=/cache/gomodcache \
-  mkdir out && \
-  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \
  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
@@ -27,7 +36,10 @@ RUN \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator

 # Use a distroless runtime image with CA certificates, timezone data, and not much else.
-FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
+# Note that we are not using --platform here, so it will choose the base image for the target platform, not the build platform.
+# By using "distroless/static" instead of "distroless/static-debianXX" we can float on the latest stable version of debian.
+# See https://github.com/GoogleContainerTools/distroless#base-operating-system
+FROM $BASE_IMAGE

 # Copy the server binary from the build-env stage.
 COPY --from=build-env /usr/local/bin /usr/local/bin
--- a/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
@@ -1,10 +1,23 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1

 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+type JWTAuthenticatorPhase string
+
+const (
+	// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
+	JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
+
+	// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
+	JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
+
+	// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
+	JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
+)
+
 // Status of a JWT authenticator.
 type JWTAuthenticatorStatus struct {
 	// Represents the observations of the authenticator's current state.
@@ -13,6 +26,10 @@ type JWTAuthenticatorStatus struct {
 	// +listType=map
 	// +listMapKey=type
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	// Phase summarizes the overall status of the JWTAuthenticator.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
 }

 // Spec for configuring a JWT authenticator.
--- a/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
+++ b/apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package oidc
@@ -29,6 +29,10 @@ const (
 	// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
 	IDTokenClaimSubject = "sub"

+	// IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim
+	// in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated.
+	IDTokenSubClaimIDPNameQueryParam = "idpName"
+
 	// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
 	IDTokenClaimAuthorizedParty = "azp"

--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -96,6 +96,7 @@ type getKubeconfigParams struct {
 	credentialCachePath       string
 	credentialCachePathSet    bool
 	installHint               string
+	pinnipedCliPath           string
 }

 type discoveryResponseScopesSupported struct {
@@ -151,14 +152,16 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVarP(&flags.outputPath, "output", "o", "", "Output file path (default: stdout)")
 	f.StringVar(&flags.generatedNameSuffix, "generated-name-suffix", "-pinniped", "Suffix to append to generated cluster, context, user kubeconfig entries")
 	f.StringVar(&flags.credentialCachePath, "credential-cache", "", "Path to cluster-specific credentials cache")
+	f.StringVar(&flags.pinnipedCliPath, "pinniped-cli-path", "", "Full path or executable name for the Pinniped CLI binary to be embedded in the resulting kubeconfig output (e.g. 'pinniped') (default: full path of the binary used to execute this command)")
 	f.StringVar(&flags.installHint, "install-hint", "The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli for more details", "This text is shown to the user when the pinniped CLI is not installed.")
-	mustMarkHidden(cmd, "oidc-debug-session-cache")

-	// --oidc-skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
-	mustMarkHidden(cmd, "oidc-skip-listen")
+	mustMarkHidden(cmd,
+		"oidc-debug-session-cache",
+		"oidc-skip-listen", // --oidc-skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
+		"concierge-namespace",
+	)

 	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
-	mustMarkHidden(cmd, "concierge-namespace")

 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
 		if flags.outputPath != "" {
@@ -268,7 +271,12 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap

 	execConfig.InstallHint = flags.installHint
 	var err error
-	execConfig.Command, err = deps.getPathToSelf()
+	execConfig.Command, err = func() (string, error) {
+		if flags.pinnipedCliPath != "" {
+			return flags.pinnipedCliPath, nil
+		}
+		return deps.getPathToSelf()
+	}()
 	if err != nil {
 		return nil, fmt.Errorf("could not determine the Pinniped executable path: %w", err)
 	}
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -147,6 +147,7 @@ func TestGetKubeconfig(t *testing.T) {
 				      --oidc-session-cache string                Path to OpenID Connect session cache file
 				      --oidc-skip-browser                        During OpenID Connect login, skip opening the browser (just print the URL)
 				  -o, --output string                            Output file path (default: stdout)
+				      --pinniped-cli-path string                 Full path or executable name for the Pinniped CLI binary to be embedded in the resulting kubeconfig output (e.g. 'pinniped') (default: full path of the binary used to execute this command)
 				      --skip-validation                          Skip final validation of the kubeconfig (default: false)
 				      --static-token string                      Instead of doing an OIDC-based login, specify a static token
 				      --static-token-env string                  Instead of doing an OIDC-based login, read a static token from the environment
@@ -1583,7 +1584,6 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 		},
 		{
-
 			name: "autodetect nothing, set a bunch of options",
 			args: func(issuerCABundle string, issuerURL string) []string {
 				f := testutil.WriteStringToTempFile(t, "testca-*.pem", issuerCABundle)
@@ -1607,6 +1607,7 @@ func TestGetKubeconfig(t *testing.T) {
 					"--skip-validation",
 					"--generated-name-suffix", "-sso",
 					"--credential-cache", "/path/to/cache/dir/credentials.yaml",
+					"--pinniped-cli-path", "/some/path/to/command-exe",
 				}
 			},
 			conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
@@ -1658,7 +1659,7 @@ func TestGetKubeconfig(t *testing.T) {
 						  - --session-cache=/path/to/cache/dir/sessions.yaml
 						  - --debug-session-cache
 						  - --request-audience=test-audience
-						  command: '.../path/to/pinniped'
+						  command: /some/path/to/command-exe
 						  env: []
 						  installHint: The pinniped CLI does not appear to be installed.  See https://get.pinniped.dev/cli
 						    for more details
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -241,12 +241,12 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	}

 	pLogger.Debug("Performing OIDC login", "issuer", flags.issuer, "client id", flags.clientID)
-	// Do the basic login to get an OIDC token.
+	// Do the basic login to get an OIDC token. Although this can return several tokens, we only need the ID token here.
 	token, err := deps.login(flags.issuer, flags.clientID, opts...)
 	if err != nil {
 		return fmt.Errorf("could not complete Pinniped login: %w", err)
 	}
-	cred := tokenCredential(token)
+	cred := tokenCredential(token.IDToken)

 	// If the concierge was configured, exchange the credential for a separate short-lived, cluster-specific credential.
 	if concierge != nil {
@@ -344,18 +344,18 @@ func makeClient(caBundlePaths []string, caBundleData []string) (*http.Client, er
 	return phttp.Default(pool), nil
 }

-func tokenCredential(token *oidctypes.Token) *clientauthv1beta1.ExecCredential {
+func tokenCredential(idToken *oidctypes.IDToken) *clientauthv1beta1.ExecCredential {
 	cred := clientauthv1beta1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ExecCredential",
 			APIVersion: "client.authentication.k8s.io/v1beta1",
 		},
 		Status: &clientauthv1beta1.ExecCredentialStatus{
-			Token: token.IDToken.Token,
+			Token: idToken.Token,
 		},
 	}
-	if !token.IDToken.Expiry.IsZero() {
-		cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
+	if !idToken.Expiry.IsZero() {
+		cred.Status.ExpirationTimestamp = &idToken.Expiry
 	}
 	return &cred
 }
--- a/cmd/pinniped/cmd/login_oidc_test.go
+++ b/cmd/pinniped/cmd/login_oidc_test.go
@@ -15,7 +15,6 @@ import (
 	"time"

 	"github.com/stretchr/testify/require"
-	"go.uber.org/zap"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	clocktesting "k8s.io/utils/clock/testing"
@@ -531,12 +530,9 @@ func TestLoginOIDCCommand(t *testing.T) {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			var buf bytes.Buffer
-			fakeClock := clocktesting.NewFakeClock(now)
-			ctx := plog.TestZapOverrides(context.Background(), t, &buf, nil, zap.WithClock(plog.ZapClock(fakeClock)))
+			ctx := plog.AddZapOverridesToContext(context.Background(), t, &buf, nil, clocktesting.NewFakeClock(now))

-			var (
-				gotOptions []oidcclient.Option
-			)
+			var gotOptions []oidcclient.Option
 			cmd := oidcLoginCommand(oidcLoginCommandDeps{
 				lookupEnv: func(s string) (string, bool) {
 					v, ok := tt.env[s]
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -133,7 +133,7 @@ func runStaticLogin(cmd *cobra.Command, deps staticLoginDeps, flags staticLoginP
 			return fmt.Errorf("--token-env variable %q is empty", flags.staticTokenEnvName)
 		}
 	}
-	cred := tokenCredential(&oidctypes.Token{IDToken: &oidctypes.IDToken{Token: token}})
+	cred := tokenCredential(&oidctypes.IDToken{Token: token})

 	// Look up cached credentials based on a hash of all the CLI arguments, the current token value, and the cluster info.
 	cacheKey := struct {
--- a/cmd/pinniped/cmd/login_static_test.go
+++ b/cmd/pinniped/cmd/login_static_test.go
@@ -13,7 +13,6 @@ import (
 	"time"

 	"github.com/stretchr/testify/require"
-	"go.uber.org/zap"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	clocktesting "k8s.io/utils/clock/testing"
@@ -178,8 +177,7 @@ func TestLoginStaticCommand(t *testing.T) {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			var buf bytes.Buffer
-			fakeClock := clocktesting.NewFakeClock(now)
-			ctx := plog.TestZapOverrides(context.Background(), t, &buf, nil, zap.WithClock(plog.ZapClock(fakeClock)))
+			ctx := plog.AddZapOverridesToContext(context.Background(), t, &buf, nil, clocktesting.NewFakeClock(now))

 			cmd := staticLoginCommand(staticLoginDeps{
 				lookupEnv: func(s string) (string, bool) {
--- a/cmd/pinniped/cmd/whoami.go
+++ b/cmd/pinniped/cmd/whoami.go
@@ -31,6 +31,7 @@ func init() {

 type whoamiFlags struct {
 	outputFormat string // e.g., yaml, json, text
+	timeout      time.Duration

 	kubeconfigPath            string
 	kubeconfigContextOverride string
@@ -58,6 +59,7 @@ func newWhoamiCommand(getClientset getConciergeClientsetFunc) *cobra.Command {
 	f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
 	f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
 	f.StringVar(&flags.apiGroupSuffix, "api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
+	f.DurationVar(&flags.timeout, "timeout", 0, "Timeout for the WhoAmI API request (default: 0, meaning no timeout)")

 	cmd.RunE = func(cmd *cobra.Command, _ []string) error {
 		return runWhoami(cmd.OutOrStdout(), getClientset, flags)
@@ -78,8 +80,22 @@ func runWhoami(output io.Writer, getClientset getConciergeClientsetFunc, flags *
 		return fmt.Errorf("could not get current cluster info: %w", err)
 	}

-	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
-	defer cancelFunc()
+	// Making the WhoAmI request may cause client-go to invoke the credential plugin, which may
+	// ask the user to interactively authenticate. The time that the user takes to authenticate
+	// is included in the timeout time, but their authentication is not cancelled by exceeding
+	// this timeout. Only the subsequent whoami API request is cancelled. Using a short timeout
+	// causes the odd behavior of a successful login immediately followed by a whoami request failure
+	// due to timeout. For comparison, kubectl uses an infinite timeout by default on API requests
+	// but also allows the user to adjust this timeout with the `--request-timeout` CLI option,
+	// so we will take a similar approach. Note that kubectl has the same behavior when a client-go
+	// credential plugin is invoked and the user takes longer then the timeout to authenticate.
+	ctx := context.Background()
+	if flags.timeout > 0 {
+		var cancelFunc context.CancelFunc
+		ctx, cancelFunc = context.WithTimeout(ctx, flags.timeout)
+		defer cancelFunc()
+	}
+
 	whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	if err != nil {
 		hint := ""
--- a/cmd/pinniped/cmd/whoami_test.go
+++ b/cmd/pinniped/cmd/whoami_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package cmd
@@ -45,6 +45,7 @@ func TestWhoami(t *testing.T) {
 				      --kubeconfig string           Path to kubeconfig file
 				      --kubeconfig-context string   Kubeconfig context name (default: current active context)
 				  -o, --output string               Output format (e.g., 'yaml', 'json', 'text') (default "text")
+				      --timeout duration            Timeout for the WhoAmI API request (default: 0, meaning no timeout)
 			`),
 		},
 		{
@@ -312,7 +313,12 @@ func TestWhoami(t *testing.T) {
 			stdout, stderr := bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})
 			cmd.SetOut(stdout)
 			cmd.SetErr(stderr)
-			cmd.SetArgs(test.args)
+			if test.args == nil {
+				// cobra uses os.Args[1:] when SetArgs is called with nil, so avoid using nil for tests.
+				cmd.SetArgs([]string{})
+			} else {
+				cmd.SetArgs(test.args)
+			}

 			err := cmd.Execute()
 			if test.wantError {
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
@@ -32,20 +31,27 @@ spec:
    name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: "JWTAuthenticator describes the configuration of a JWT authenticator.
-          \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation
-          on it (e.g., valid signature, existence of claims, etc.) and extract the
-          username and groups from the token."
+        description: |-
+          JWTAuthenticator describes the configuration of a JWT authenticator.
+
+
+          Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
+          signature, existence of claims, etc.) and extract the username and groups from the token.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -57,24 +63,25 @@ spec:
                minLength: 1
                type: string
              claims:
-                description: Claims allows customization of the claims that will be
-                  mapped to user identity for Kubernetes access.
+                description: |-
+                  Claims allows customization of the claims that will be mapped to user identity
+                  for Kubernetes access.
                properties:
                  groups:
-                    description: Groups is the name of the claim which should be read
-                      to extract the user's group membership from the JWT token. When
-                      not specified, it will default to "groups".
+                    description: |-
+                      Groups is the name of the claim which should be read to extract the user's
+                      group membership from the JWT token. When not specified, it will default to "groups".
                    type: string
                  username:
-                    description: Username is the name of the claim which should be
-                      read to extract the username from the JWT token. When not specified,
-                      it will default to "username".
+                    description: |-
+                      Username is the name of the claim which should be read to extract the
+                      username from the JWT token. When not specified, it will default to "username".
                    type: string
                type: object
              issuer:
-                description: Issuer is the OIDC issuer URL that will be used to discover
-                  public signing keys. Issuer is also used to validate the "iss" JWT
-                  claim.
+                description: |-
+                  Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
+                  also used to validate the "iss" JWT claim.
                minLength: 1
                pattern: ^https://
                type: string
@@ -98,42 +105,42 @@ spec:
                  state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -147,11 +154,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -166,6 +174,14 @@ spec:
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the JWTAuthenticator.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
            type: object
        required:
        - spec
@@ -174,9 +190,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
@@ -33,14 +32,19 @@ spec:
          authenticator.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -71,42 +75,42 @@ spec:
                  state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -120,11 +124,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -147,9 +152,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
@@ -34,14 +33,19 @@ spec:
          Pinniped Concierge credential issuer.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -53,18 +57,19 @@ spec:
                  of the Concierge impersonation proxy.
                properties:
                  externalEndpoint:
-                    description: "ExternalEndpoint describes the HTTPS endpoint where
-                      the proxy will be exposed. If not set, the proxy will be served
-                      using the external name of the LoadBalancer service or the cluster
-                      service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
-                      is \"None\"."
+                    description: |-
+                      ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
+                      be served using the external name of the LoadBalancer service or the cluster service DNS name.
+
+
+                      This field must be non-empty when spec.impersonationProxy.service.type is "None".
                    type: string
                  mode:
-                    description: 'Mode configures whether the impersonation proxy
-                      should be started: - "disabled" explicitly disables the impersonation
-                      proxy. This is the default. - "enabled" explicitly enables the
-                      impersonation proxy. - "auto" enables or disables the impersonation
-                      proxy based upon the cluster in which it is running.'
+                    description: |-
+                      Mode configures whether the impersonation proxy should be started:
+                      - "disabled" explicitly disables the impersonation proxy. This is the default.
+                      - "enabled" explicitly enables the impersonation proxy.
+                      - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
                    enum:
                    - auto
                    - enabled
@@ -83,20 +88,20 @@ spec:
                          pairs to set as annotations on the provisioned Service.
                        type: object
                      loadBalancerIP:
-                        description: LoadBalancerIP specifies the IP address to set
-                          in the spec.loadBalancerIP field of the provisioned Service.
+                        description: |-
+                          LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
                          This is not supported on all cloud providers.
                        maxLength: 255
                        minLength: 1
                        type: string
                      type:
                        default: LoadBalancer
-                        description: "Type specifies the type of Service to provision
-                          for the impersonation proxy. \n If the type is \"None\",
-                          then the \"spec.impersonationProxy.externalEndpoint\" field
-                          must be set to a non-empty value so that the Concierge can
-                          properly advertise the endpoint in the CredentialIssuer's
-                          status."
+                        description: |-
+                          Type specifies the type of Service to provision for the impersonation proxy.
+
+
+                          If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+                          value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
                        enum:
                        - LoadBalancer
                        - ClusterIP
@@ -104,20 +109,21 @@ spec:
                        type: string
                    type: object
                  tls:
-                    description: "TLS contains information about how the Concierge
-                      impersonation proxy should serve TLS. \n If this field is empty,
-                      the impersonation proxy will generate its own TLS certificate."
+                    description: |-
+                      TLS contains information about how the Concierge impersonation proxy should serve TLS.
+
+
+                      If this field is empty, the impersonation proxy will generate its own TLS certificate.
                    properties:
                      certificateAuthorityData:
-                        description: X.509 Certificate Authority (base64-encoded PEM
-                          bundle). Used to advertise the CA bundle for the impersonation
-                          proxy endpoint.
+                        description: |-
+                          X.509 Certificate Authority (base64-encoded PEM bundle).
+                          Used to advertise the CA bundle for the impersonation proxy endpoint.
                        type: string
                      secretName:
-                        description: SecretName is the name of a Secret in the same
-                          namespace, of type `kubernetes.io/tls`, which contains the
-                          TLS serving certificate for the Concierge impersonation
-                          proxy endpoint.
+                        description: |-
+                          SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+                          the TLS serving certificate for the Concierge impersonation proxy endpoint.
                        minLength: 1
                        type: string
                    type: object
@@ -132,9 +138,9 @@ spec:
            description: CredentialIssuerStatus describes the status of the Concierge.
            properties:
              kubeConfigInfo:
-                description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer. This field is deprecated and will
-                  be removed in a future version.
+                description: |-
+                  Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+                  This field is deprecated and will be removed in a future version.
                properties:
                  certificateAuthorityData:
                    description: The K8s API server CA bundle.
@@ -161,9 +167,9 @@ spec:
                        this strategy.
                      properties:
                        impersonationProxyInfo:
-                          description: ImpersonationProxyInfo describes the parameters
-                            for the impersonation proxy on this Concierge. This field
-                            is only set when Type is "ImpersonationProxy".
+                          description: |-
+                            ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
+                            This field is only set when Type is "ImpersonationProxy".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
@@ -181,9 +187,9 @@ spec:
                          - endpoint
                          type: object
                        tokenCredentialRequestInfo:
-                          description: TokenCredentialRequestAPIInfo describes the
-                            parameters for the TokenCredentialRequest API on this
-                            Concierge. This field is only set when Type is "TokenCredentialRequestAPI".
+                          description: |-
+                            TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
+                            This field is only set when Type is "TokenCredentialRequestAPI".
                          properties:
                            certificateAuthorityData:
                              description: CertificateAuthorityData is the base64-encoded
@@ -256,9 +262,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -45,8 +45,9 @@ metadata:
  annotations:
    #! we need to create this service account before we create the secret
    kapp.k14s.io/change-group: "impersonation-proxy.concierge.pinniped.dev/serviceaccount"
-secrets: #! make sure the token controller does not create any other secrets
- name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+    kubernetes.io/enforce-mountable-secrets: "true"
+secrets: [] #! make sure the token controller does not create any secrets
+automountServiceAccountToken: false
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -77,6 +78,8 @@ data:
      impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
      impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
      agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @)
+      impersonationProxyServiceAccount: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
+      impersonationProxyLegacySecret: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
    labels: (@= json.encode(labels()).rstrip() @)
    kubeCertAgent:
      namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
@@ -134,8 +137,6 @@ spec:
        #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
        #! without accidentally selecting any other Deployment's Pods, especially the kube cert agent Deployment's Pods.
        _: #@ template.replace(deploymentPodLabel())
-      annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      securityContext:
        runAsUser: #@ data.values.run_as_user
@@ -184,9 +185,6 @@ spec:
            - name: podinfo
              mountPath: /etc/podinfo
              readOnly: true
-            - name: impersonation-proxy
-              mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
-              readOnly: true
          env:
            #@ if data.values.https_proxy:
            - name: HTTPS_PROXY
@@ -222,12 +220,6 @@ spec:
        - name: config-volume
          configMap:
            name: #@ defaultResourceNameWithSuffix("config")
-        - name: impersonation-proxy
-          secret:
-            secretName: #@ defaultResourceNameWithSuffix("impersonation-proxy")
-            items: #! make sure our pod does not start until the token controller has a chance to populate the secret
-              - key: token
-                path: token
        - name: podinfo
          downwardAPI:
            items:
@@ -247,9 +239,14 @@ spec:
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24.
          effect: NoSchedule
-      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
-      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
-      #!priorityClassName: system-cluster-critical
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: amd64 #! Allow running on amd64 nodes.
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: arm64 #! Also allow running on arm64 nodes.
      #! This will help make sure our multiple pods run on different nodes, making
      #! our deployment "more" "HA".
      affinity:
@@ -344,17 +341,9 @@ spec:
      #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
      loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
      #@ end
+      #@ if data.values.impersonation_proxy_spec.service.annotations == None:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
+      #@ else:
      annotations: #@ data.values.impersonation_proxy_spec.service.annotations
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
-  namespace: #@ namespace()
-  labels: #@ labels()
-  annotations:
-    #! wait until the SA exists to create this secret so that the token controller does not delete it
-    #! we have this secret at the end so that kubectl will create the service account first
-    kapp.k14s.io/change-rule: "upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount"
-    kubernetes.io/service-account.name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
-type: kubernetes.io/service-account-token
+      #@ end
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -43,6 +43,10 @@ rules:
      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
    resources: [ jwtauthenticators, webhookauthenticators ]
    verbs: [ get, list, watch ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
+    resources: [ jwtauthenticators/status, webhookauthenticators/status ]
+    verbs: [ get, list, watch, update ]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -156,6 +160,13 @@ rules:
  - apiGroups: [ coordination.k8s.io ]
    resources: [ leases ]
    verbs: [ create, get, update ]
+  #! We need to be able to get service accounts and create serviceaccounts/tokens so that we can create short-lived tokens for the impersonation proxy
+  - apiGroups: [""]
+    resources: [ serviceaccounts ]
+    verbs: [ get ]
+  - apiGroups: [""]
+    resources: [ serviceaccounts/token ]
+    verbs: [ create ]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@@ -1,107 +1,227 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

-#@data/values
---
+#@ def validate_strings_map(obj):
+#@   # Returns True if obj is an associative data structure string→string, and False otherwise.
+#@   for key in obj:
+#@     if type(key) != "string" or type(obj[key]) != "string":
+#@       return False
+#@     end
+#@   end
+#@   return True
+#@ end

+#@data/values-schema
+---
+#@schema/title "App name"
+#@schema/desc "Used to help determine the names of various resources and labels."
+#@schema/validation min_len=1
 app_name: pinniped-concierge

-#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+#@schema/title "Namespace"
+#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
+#@schema/validation min_len=1
 namespace: pinniped-concierge
-#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
-#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
-into_namespace: #! e.g. my-preexisting-namespace

-#! All resources created statically by yaml at install-time and all resources created dynamically
-#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
-#! specified here. The value of `custom_labels` must be a map of string keys to string values.
-#! The app can be uninstalled either by:
-#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
-#!    resources that were dynamically created by controllers at runtime
-#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
-custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
+#@schema/title "Into namespace"
+#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
+#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
+#@schema/desc into_namespace_desc
+#@schema/examples ("The name of an existing namespace", "my-preexisting-namespace")
+#@schema/nullable
+#@schema/validation min_len=1
+into_namespace: ""

-#! Specify how many replicas of the Pinniped server to run.
+#@schema/title "Custom labels"
+#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
+#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of \
+#@ `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1.) deleting the \
+#@ static install-time yaml resources including the static namespace, which will cascade and also delete \
+#@ resources that were dynamically created by controllers at runtime, or 2.) deleting all resources by label, which does \
+#@ not assume that there was a static install-time yaml namespace."
+#@schema/desc custom_labels_desc
+#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
+#@schema/type any=True
+#@schema/validation ("a map of string keys and string values", validate_strings_map)
+custom_labels: { }
+
+#@schema/title "Replicas"
+#@schema/desc "Specify how many replicas of the Pinniped server to run."
 replicas: 2

-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
-image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/title "Image repo"
+#@schema/desc "The repository for the Concierge container image."
+#@schema/validation min_len=1
+image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
+
+#@schema/title "Image digest"
+#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
+#@schema/nullable
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
+image_digest: ""
+
+#@schema/title "Image tag"
+#@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Providing a tag", "v0.25.0")
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest

-#! Optionally specify a different image for the "kube-cert-agent" pod which is scheduled
-#! on the control plane. This image needs only to include `sleep` and `cat` binaries.
-#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
-kube_cert_agent_image:
+#@schema/title "Kube Cert Agent image"
+#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
+#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
+#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
+#@schema/desc kube_cert_agent_image
+#@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest")
+#@schema/nullable
+#@schema/validation min_len=1
+kube_cert_agent_image: ""

-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@schema/title "Image pull dockerconfigjson"
+#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
+#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
+#@ kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]'"
+#@schema/desc image_pull_dockerconfigjson_desc
+#@ example_desc = 'base64 encoding of: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}'
+#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
+#@schema/examples (example_desc, example_value)
+#@schema/nullable
+#@schema/validation min_len=1
+image_pull_dockerconfigjson: ""

-#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
-#! This setting allows the guess to be overridden.
-#! Optional.
-discovery_url: #! e.g., https://example.com
+#@schema/title "Discovery URL"
+#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
+#@schema/examples ("Kubernetes API URL","https://example.com")
+#@schema/nullable
+#@schema/validation min_len=1
+discovery_url: ""

-#! Specify the duration and renewal interval for the API serving certificate.
-#! The defaults are set to expire the cert about every 30 days, and to rotate it
-#! about every 25 days.
+#@schema/title "API serving certificate duration seconds"
+#@ api_serving_certificate_duration_seconds_desc = "Specify the duration for the API serving certificate. \
+#@ The default is set to expire the cert about every 30 days. \
+#@ Specify this as an integer or as a string which contains an integer value."
+#@schema/desc api_serving_certificate_duration_seconds_desc
+#@schema/type any=True
+#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
 api_serving_certificate_duration_seconds: 2592000
+
+#@schema/title "API serving certificate renew before seconds"
+#@ api_serving_certificate_renew_before_seconds_desc = "Specify the renewal interval for the API serving certificate. \
+#@ The default is set to rotate it about every 25 days. \
+#@ Specify this as an integer or as a string which contains an integer value."
+#@schema/desc api_serving_certificate_renew_before_seconds_desc
+#@schema/type any=True
+#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
 api_serving_certificate_renew_before_seconds: 2160000

-#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
-#! information), trace (timing information), all (kitchen sink).
-log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
-#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
-#! By default, when this value is left unset, logs are formatted in json.
-#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
-deprecated_log_format:
+#@schema/title "Log level"
+#@ log_level_desc = "Specify the verbosity of logging: info (\"nice to know\" information), debug (developer information), trace (timing information), \
+#@ or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged. \
+#@ When this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
+#@schema/desc log_level_desc
+#@schema/examples ("Developer logging information","debug")
+#@schema/nullable
+#@schema/validation one_of=["info", "debug", "trace", "all"]
+log_level: ""

-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/title "Log format"
+#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
+#@ By default, when this value is left unset, logs are formatted in json. \
+#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+#@schema/desc deprecated_log_format_desc
+#@schema/examples ("Set logs to JSON format","json")
+#@schema/nullable
+#@schema/validation one_of=["json", "text"]
+#@schema/deprecated "This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+deprecated_log_format: ""

-#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
-#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
-#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
-#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+#@schema/title "Run as user"
+#@schema/desc "The user ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_user: 65532
+
+#@schema/title "Run as group"
+#@schema/desc "The group ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_group: 65532
+
+#@schema/title "API group suffix"
+#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
+#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
+#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
+#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
+#@schema/desc api_group_suffix_desc
+#@schema/validation min_len=1
 api_group_suffix: pinniped.dev

-#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
-#! handles impersonation.
+#@schema/title "Impersonation proxy spec"
+#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
 impersonation_proxy_spec:
-  #! options are "auto", "disabled" or "enabled".
-  #! If auto, the impersonation proxy will run only if the cluster signing key is not available
-  #! and the other strategy does not work.
-  #! If disabled, the impersonation proxy will never run, which could mean that the concierge
-  #! doesn't work at all.
-  #! If enabled, the impersonation proxy will always run regardless of other strategies available.
-  mode: auto
-  #! The endpoint which the client should use to connect to the impersonation proxy.
-  #! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
-  #! endpoint.
-  external_endpoint:
-  service:
-    #! Options are "LoadBalancer", "ClusterIP" and "None".
-    #! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
-    #! the impersonation proxy. Some cloud providers will allocate
-    #! a public IP address by default even on private clusters.
-    #! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
-    #! impersonation proxy.
-    #! None does not provision either and assumes that you have set the external_endpoint
-    #! and set up your own ingress to connect to the impersonation proxy.
-    type: LoadBalancer
-    #! The annotations that should be set on the ClusterIP or LoadBalancer Service.
-    annotations:
-      {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
-    #! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
-    load_balancer_ip:

-#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
-#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
-#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
-#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
-#! Optional.
-https_proxy: #! e.g. http://proxy.example.com
-no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
+  #@schema/title "Mode"
+  #@ impersonation_mode_desc = "Enables or disables the impersonation proxy. Options are 'auto', 'disabled' or 'enabled'. \
+  #@ If auto, the impersonation proxy will run only if the cluster signing key is \
+  #@ not available and the other strategy does not work. \
+  #@ If enabled, the impersonation proxy will always run regardless of other strategies available. \
+  #@ If disabled, the impersonation proxy will never run, which could mean \
+  #@ that the concierge doesn't work at all."
+  #@schema/desc impersonation_mode_desc
+  #@schema/validation one_of=["auto", "disabled", "enabled"]
+  mode: auto
+
+  #@schema/title "External endpoint"
+  #@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
+  #@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
+  #@schema/desc external_endpoint_desc
+  #@schema/examples ("Specified impersonation proxy endpoint", "https://1.2.3.4:5678")
+  #@schema/nullable
+  #@schema/validation min_len=1
+  external_endpoint: ""
+
+  #@schema/title "Service"
+  #@schema/desc "The impersonation proxy service configuration"
+  service:
+
+    #@schema/title "Type"
+    #@ impersonation_service_type_desc = "Service backing the impersonation proxy. Options are 'LoadBalancer', 'ClusterIP' \
+    #@ and 'None'. LoadBalancer automatically provisions a Service of type LoadBalancer pointing at the impersonation \
+    #@ proxy. Some cloud providers will allocate a public IP address by default even on private clusters. ClusterIP \
+    #@ automatically provisions a Service of type ClusterIP pointing at the impersonation proxy. None does not provision \
+    #@ either and assumes that you have set the external_endpoint and set up your own ingress to connect to the impersonation proxy."
+    #@schema/desc impersonation_service_type_desc
+    #@schema/validation one_of=["LoadBalancer", "ClusterIP", "None"]
+    type: LoadBalancer
+
+    #@schema/title "Annotations"
+    #@ annotations_desc = "The annotations that should be set on the ClusterIP or LoadBalancer Service. The default includes \
+    #@ a value for the AWS-specific service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout annotation, which will \
+    #@ be ignored except when using AWS to provide load balancer Services."
+    #@schema/desc annotations_desc
+    #@schema/nullable
+    #@schema/type any=True
+    #@schema/validation ("a map of string keys and string values", validate_strings_map)
+    annotations:
+
+    #@schema/title "Load balancer IP"
+    #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's spec.loadBalancerIP."
+    #@schema/examples ("Specifying an IP", "1.2.3.4")
+    #@schema/nullable
+    #@schema/validation min_len=1
+    load_balancer_ip: ""
+
+#@schema/title "HTTPS proxy"
+#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers. \
+#@ These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS, \
+#@ e.g. when the Concierge fetches discovery documents and JWKS keys for JWTAuthenticators and POSTs to webhooks for WebhookAuthenticators. \
+#@ The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
+#@schema/desc https_proxy_desc
+#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
+#@schema/nullable
+#@schema/validation min_len=1
+https_proxy: ""
+
+#@schema/title "No proxy"
+#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
+#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
+#@schema/desc no_proxy_desc
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
--- a/deploy/local-user-authenticator/deployment.yaml
+++ b/deploy/local-user-authenticator/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -76,6 +76,15 @@ spec:
            #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
            seccompProfile:
              type: "RuntimeDefault"
+      tolerations:
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: amd64 #! Allow running on amd64 nodes.
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: arm64 #! Also allow running on arm64 nodes.
 ---
 apiVersion: v1
 kind: Service
--- a/deploy/local-user-authenticator/values.yaml
+++ b/deploy/local-user-authenticator/values.yaml
@@ -1,19 +1,44 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

-#@data/values
+#@data/values-schema
 ---
+#@schema/title "Image repo"
+#@schema/desc "The repository for the local-user-authenticator container image."
+#@schema/validation min_len=1
+image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server

-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
-image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/title "Image digest"
+#@schema/desc "The image digest for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
+#@schema/nullable
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
+image_digest: ""
+
+#@schema/title "Image tag"
+#@schema/desc "The image tag for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Providing a tag", "v0.25.0")
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest

-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@schema/title "Image pull dockerconfigjson"
+#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
+#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
+#@ kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]'"
+#@schema/desc image_pull_dockerconfigjson_desc
+#@ example_desc = 'base64 encoding of: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}'
+#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
+#@schema/examples (example_desc, example_value)
+#@schema/nullable
+#@schema/validation min_len=1
+image_pull_dockerconfigjson: ""

-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/title "Run as user"
+#@schema/desc "The user ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_user: 65532
+
+#@schema/title "Run as group"
+#@schema/desc "The group ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_group: 65532
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
@@ -33,14 +32,19 @@ spec:
        description: FederationDomain describes the configuration of an OIDC provider.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -48,63 +52,54 @@ spec:
            description: Spec of the OIDC provider.
            properties:
              identityProviders:
-                description: "IdentityProviders is the list of identity providers
-                  available for use by this FederationDomain. \n An identity provider
-                  CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
-                  how to connect to a server, how to talk in a specific protocol for
-                  authentication, and how to use the schema of that server/protocol
-                  to extract a normalized user identity. Normalized user identities
-                  include a username and a list of group names. In contrast, IdentityProviders
-                  describes how to use that normalized identity in those Kubernetes
-                  clusters which belong to this FederationDomain. Each entry in IdentityProviders
-                  can be configured with arbitrary transformations on that normalized
-                  identity. For example, a transformation can add a prefix to all
-                  usernames to help avoid accidental conflicts when multiple identity
-                  providers have different users with the same username (e.g. \"idp1:ryan\"
-                  versus \"idp2:ryan\"). Each entry in IdentityProviders can also
-                  implement arbitrary authentication rejection policies. Even though
-                  a user was able to authenticate with the identity provider, a policy
-                  can disallow the authentication to the Kubernetes clusters that
-                  belong to this FederationDomain. For example, a policy could disallow
-                  the authentication unless the user belongs to a specific group in
-                  the identity provider. \n For backwards compatibility with versions
-                  of Pinniped which predate support for multiple identity providers,
-                  an empty IdentityProviders list will cause the FederationDomain
-                  to use all available identity providers which exist in the same
-                  namespace, but also to reject all authentication requests when there
-                  is more than one identity provider currently defined. In this backwards
-                  compatibility mode, the name of the identity provider resource (e.g.
-                  the Name of an OIDCIdentityProvider resource) will be used as the
-                  name of the identity provider in this FederationDomain. This mode
-                  is provided to make upgrading from older versions easier. However,
-                  instead of relying on this backwards compatibility mode, please
-                  consider this mode to be deprecated and please instead explicitly
-                  list the identity provider using this IdentityProviders field."
+                description: |-
+                  IdentityProviders is the list of identity providers available for use by this FederationDomain.
+
+
+                  An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
+                  how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
+                  extract a normalized user identity. Normalized user identities include a username and a list of group names.
+                  In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
+                  belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
+                  on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
+                  accidental conflicts when multiple identity providers have different users with the same username (e.g.
+                  "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
+                  rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
+                  the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
+                  disallow the authentication unless the user belongs to a specific group in the identity provider.
+
+
+                  For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
+                  an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
+                  exist in the same namespace, but also to reject all authentication requests when there is more than one identity
+                  provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
+                  (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
+                  FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
+                  relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
+                  explicitly list the identity provider using this IdentityProviders field.
                items:
                  description: FederationDomainIdentityProvider describes how an identity
                    provider is made available in this FederationDomain.
                  properties:
                    displayName:
-                      description: DisplayName is the name of this identity provider
-                        as it will appear to clients. This name ends up in the kubeconfig
-                        of end users, so changing the name of an identity provider
-                        that is in use by end users will be a disruptive change for
-                        those users.
+                      description: |-
+                        DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
+                        kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
+                        disruptive change for those users.
                      minLength: 1
                      type: string
                    objectRef:
-                      description: ObjectRef is a reference to a Pinniped identity
-                        provider resource. A valid reference is required. If the reference
-                        cannot be resolved then the identity provider will not be
-                        made available. Must refer to a resource of one of the Pinniped
-                        identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
-                        ActiveDirectoryIdentityProvider.
+                      description: |-
+                        ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
+                        If the reference cannot be resolved then the identity provider will not be made available.
+                        Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
+                        LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
                      properties:
                        apiGroup:
-                          description: APIGroup is the group for the resource being
-                            referenced. If APIGroup is not specified, the specified
-                            Kind must be in the core API group. For any other third-party
-                            types, APIGroup is required.
+                          description: |-
+                            APIGroup is the group for the resource being referenced.
+                            If APIGroup is not specified, the specified Kind must be in the core API group.
+                            For any other third-party types, APIGroup is required.
                          type: string
                        kind:
                          description: Kind is the type of resource being referenced
@@ -116,18 +111,19 @@ spec:
                      - kind
                      - name
                      type: object
+                      x-kubernetes-map-type: atomic
                    transforms:
-                      description: Transforms is an optional way to specify transformations
-                        to be applied during user authentication and session refresh.
+                      description: |-
+                        Transforms is an optional way to specify transformations to be applied during user authentication and
+                        session refresh.
                      properties:
                        constants:
                          description: Constants defines constant variables and their
                            values which will be made available to the transform expressions.
                          items:
-                            description: FederationDomainTransformsConstant defines
-                              a constant variable and its value which will be made
-                              available to the transform expressions. This is a union
-                              type, and Type is the discriminator field.
+                            description: |-
+                              FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
+                              the transform expressions. This is a union type, and Type is the discriminator field.
                            properties:
                              name:
                                description: Name determines the name of the constant.
@@ -162,25 +158,21 @@ spec:
                          - name
                          x-kubernetes-list-type: map
                        examples:
-                          description: Examples can optionally be used to ensure that
-                            the sequence of transformation expressions are working
-                            as expected. Examples define sample input identities which
-                            are then run through the expression list, and the results
-                            are compared to the expected results. If any example in
-                            this list fails, then this identity provider will not
-                            be available for use within this FederationDomain, and
-                            the error(s) will be added to the FederationDomain status.
-                            This can be used to help guard against programming mistakes
-                            in the expressions, and also act as living documentation
-                            for other administrators to better understand the expressions.
+                          description: |-
+                            Examples can optionally be used to ensure that the sequence of transformation expressions are working as
+                            expected. Examples define sample input identities which are then run through the expression list, and the
+                            results are compared to the expected results. If any example in this list fails, then this
+                            identity provider will not be available for use within this FederationDomain, and the error(s) will be
+                            added to the FederationDomain status. This can be used to help guard against programming mistakes in the
+                            expressions, and also act as living documentation for other administrators to better understand the expressions.
                          items:
                            description: FederationDomainTransformsExample defines
                              a transform example.
                            properties:
                              expects:
-                                description: Expects is the expected output of the
-                                  entire sequence of transforms when they are run
-                                  against the input Username and Groups.
+                                description: |-
+                                  Expects is the expected output of the entire sequence of transforms when they are run against the
+                                  input Username and Groups.
                                properties:
                                  groups:
                                    description: Groups is the expected list of group
@@ -189,27 +181,18 @@ spec:
                                      type: string
                                    type: array
                                  message:
-                                    description: Message is the expected error message
-                                      of the transforms. When Rejected is true, then
-                                      Message is the expected message for the policy
-                                      which rejected the authentication attempt. When
-                                      Rejected is true and Message is blank, then
-                                      Message will be treated as the default error
-                                      message for authentication attempts which are
-                                      rejected by a policy. When Rejected is false,
-                                      then Message is the expected error message for
-                                      some other non-policy transformation error,
-                                      such as a runtime error. When Rejected is false,
-                                      there is no default expected Message.
+                                    description: |-
+                                      Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
+                                      message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
+                                      then Message will be treated as the default error message for authentication attempts which are rejected by a
+                                      policy. When Rejected is false, then Message is the expected error message for some other non-policy
+                                      transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
                                    type: string
                                  rejected:
-                                    description: Rejected is a boolean that indicates
-                                      whether authentication is expected to be rejected
-                                      by a policy expression after the transformations
-                                      have been applied. True means that it is expected
-                                      that the authentication would be rejected. The
-                                      default value of false means that it is expected
-                                      that the authentication would not be rejected
+                                    description: |-
+                                      Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
+                                      after the transformations have been applied. True means that it is expected that the authentication would be
+                                      rejected. The default value of false means that it is expected that the authentication would not be rejected
                                      by any policy expression.
                                    type: boolean
                                  username:
@@ -232,44 +215,38 @@ spec:
                            type: object
                          type: array
                        expressions:
-                          description: "Expressions are an optional list of transforms
-                            and policies to be executed in the order given during
-                            every authentication attempt, including during every session
-                            refresh. Each is a CEL expression. It may use the basic
-                            CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
-                            plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
-                            \n The username and groups extracted from the identity
-                            provider, and the constants defined in this CR, are available
-                            as variables in all expressions. The username is provided
-                            via a variable called `username` and the list of group
-                            names is provided via a variable called `groups` (which
-                            may be an empty list). Each user-provided constants is
-                            provided via a variable named `strConst.varName` for string
-                            constants and `strListConst.varName` for string list constants.
-                            \n The only allowed types for expressions are currently
-                            policy/v1, username/v1, and groups/v1. Each policy/v1
-                            must return a boolean, and when it returns false, no more
-                            expressions from the list are evaluated and the authentication
-                            attempt is rejected. Transformations of type policy/v1
-                            do not return usernames or group names, and therefore
-                            cannot change the username or group names. Each username/v1
-                            transform must return the new username (a string), which
-                            can be the same as the old username. Transformations of
-                            type username/v1 do not return group names, and therefore
-                            cannot change the group names. Each groups/v1 transform
-                            must return the new groups list (list of strings), which
-                            can be the same as the old groups list. Transformations
-                            of type groups/v1 do not return usernames, and therefore
-                            cannot change the usernames. After each expression, the
-                            new (potentially changed) username or groups get passed
-                            to the following expression. \n Any compilation or static
-                            type-checking failure of any expression will cause an
-                            error status on the FederationDomain. During an authentication
-                            attempt, any unexpected runtime evaluation errors (e.g.
-                            division by zero) cause the authentication attempt to
-                            fail. When all expressions evaluate successfully, then
-                            the (potentially changed) username and group names have
-                            been decided for that authentication attempt."
+                          description: |-
+                            Expressions are an optional list of transforms and policies to be executed in the order given during every
+                            authentication attempt, including during every session refresh.
+                            Each is a CEL expression. It may use the basic CEL language as defined in
+                            https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
+                            https://github.com/google/cel-go/tree/master/ext#strings.
+
+
+                            The username and groups extracted from the identity provider, and the constants defined in this CR, are
+                            available as variables in all expressions. The username is provided via a variable called `username` and
+                            the list of group names is provided via a variable called `groups` (which may be an empty list).
+                            Each user-provided constants is provided via a variable named `strConst.varName` for string constants
+                            and `strListConst.varName` for string list constants.
+
+
+                            The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
+                            Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
+                            and the authentication attempt is rejected.
+                            Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
+                            username or group names.
+                            Each username/v1 transform must return the new username (a string), which can be the same as the old username.
+                            Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
+                            Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
+                            groups list.
+                            Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
+                            After each expression, the new (potentially changed) username or groups get passed to the following expression.
+
+
+                            Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
+                            During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
+                            authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
+                            and group names have been decided for that authentication attempt.
                          items:
                            description: FederationDomainTransformsExpression defines
                              a transform expression.
@@ -280,10 +257,9 @@ spec:
                                minLength: 1
                                type: string
                              message:
-                                description: Message is only used when Type is policy/v1.
-                                  It defines an error message to be used when the
-                                  policy rejects an authentication attempt. When empty,
-                                  a default message will be used.
+                                description: |-
+                                  Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
+                                  an authentication attempt. When empty, a default message will be used.
                                type: string
                              type:
                                description: Type determines the type of the expression.
@@ -305,14 +281,16 @@ spec:
                  type: object
                type: array
              issuer:
-                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
-                  Metadata document, as well as the identifier that it will use for
-                  the iss claim in issued JWTs. This field will also be used as the
-                  base URL for any endpoints used by the OIDC Provider (e.g., if your
-                  issuer is https://example.com/foo, then your authorization endpoint
-                  will look like https://example.com/foo/some/path/to/auth/endpoint).
-                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
-                  for more information."
+                description: |-
+                  Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+                  identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+                  the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+                  https://example.com/foo, then your authorization endpoint will look like
+                  https://example.com/foo/some/path/to/auth/endpoint).
+
+
+                  See
+                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
              tls:
@@ -320,26 +298,28 @@ spec:
                  Security (TLS) configuration for the FederationDomain.
                properties:
                  secretName:
-                    description: "SecretName is an optional name of a Secret in the
-                      same namespace, of type `kubernetes.io/tls`, which contains
-                      the TLS serving certificate for the HTTPS endpoints served by
-                      this FederationDomain. When provided, the TLS Secret named here
-                      must contain keys named `tls.crt` and `tls.key` that contain
-                      the certificate and private key to use for TLS. \n Server Name
-                      Indication (SNI) is an extension to the Transport Layer Security
-                      (TLS) supported by all major browsers. \n SecretName is required
-                      if you would like to use different TLS certificates for issuers
-                      of different hostnames. SNI requests do not include port numbers,
-                      so all issuers with the same DNS hostname must use the same
-                      SecretName value even if they have different port numbers. \n
-                      SecretName is not required when you would like to use only the
-                      HTTP endpoints (e.g. when the HTTP listener is configured to
-                      listen on loopback interfaces or UNIX domain sockets for traffic
-                      from a service mesh sidecar). It is also not required when you
-                      would like all requests to this OIDC Provider's HTTPS endpoints
-                      to use the default TLS certificate, which is configured elsewhere.
-                      \n When your Issuer URL's host is an IP address, then this field
-                      is ignored. SNI does not work for IP addresses."
+                    description: |-
+                      SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+                      the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
+                      named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+                      for TLS.
+
+
+                      Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+
+
+                      SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+                      SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+                      SecretName value even if they have different port numbers.
+
+
+                      SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
+                      configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
+                      It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+                      use the default TLS certificate, which is configured elsewhere.
+
+
+                      When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
                    type: string
                type: object
            required:
@@ -353,42 +333,42 @@ spec:
                  current state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -402,11 +382,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -434,45 +415,58 @@ spec:
                  secrets.
                properties:
                  jwks:
-                    description: JWKS holds the name of the corev1.Secret in which
-                      this OIDC Provider's signing/verification keys are stored. If
-                      it is empty, then the signing/verification keys are either unknown
-                      or they don't exist.
+                    description: |-
+                      JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
+                      stored. If it is empty, then the signing/verification keys are either unknown or they don't
+                      exist.
                    properties:
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  stateEncryptionKey:
-                    description: StateSigningKey holds the name of the corev1.Secret
-                      in which this OIDC Provider's key for encrypting state parameters
-                      is stored.
+                    description: |-
+                      StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+                      encrypting state parameters is stored.
                    properties:
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  stateSigningKey:
-                    description: StateSigningKey holds the name of the corev1.Secret
-                      in which this OIDC Provider's key for signing state parameters
-                      is stored.
+                    description: |-
+                      StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+                      signing state parameters is stored.
                    properties:
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  tokenSigningKey:
-                    description: TokenSigningKey holds the name of the corev1.Secret
-                      in which this OIDC Provider's key for signing tokens is stored.
+                    description: |-
+                      TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
+                      signing tokens is stored.
                    properties:
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                type: object
            type: object
        required:
@@ -482,9 +476,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
@@ -36,14 +35,19 @@ spec:
        description: OIDCClient describes the configuration of an OIDC client.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -51,17 +55,19 @@ spec:
            description: Spec of the OIDC client.
            properties:
              allowedGrantTypes:
-                description: "allowedGrantTypes is a list of the allowed grant_type
-                  param values that should be accepted during OIDC flows with this
-                  client. \n Must only contain the following values: - authorization_code:
-                  allows the client to perform the authorization code grant flow,
-                  i.e. allows the webapp to authenticate users. This grant must always
-                  be listed. - refresh_token: allows the client to perform refresh
-                  grants for the user to extend the user's session. This grant must
-                  be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
-                  allows the client to perform RFC8693 token exchange, which is a
-                  step in the process to be able to get a cluster credential for the
-                  user. This grant must be listed if allowedScopes lists pinniped:request-audience."
+                description: |-
+                  allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
+                  client.
+
+
+                  Must only contain the following values:
+                  - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
+                    authenticate users. This grant must always be listed.
+                  - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
+                    This grant must be listed if allowedScopes lists offline_access.
+                  - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
+                    which is a step in the process to be able to get a cluster credential for the user.
+                    This grant must be listed if allowedScopes lists pinniped:request-audience.
                items:
                  enum:
                  - authorization_code
@@ -72,12 +78,11 @@ spec:
                type: array
                x-kubernetes-list-type: set
              allowedRedirectURIs:
-                description: allowedRedirectURIs is a list of the allowed redirect_uri
-                  param values that should be accepted during OIDC flows with this
-                  client. Any other uris will be rejected. Must be a URI with the
-                  https scheme, unless the hostname is 127.0.0.1 or ::1 which may
-                  use the http scheme. Port numbers are not required for 127.0.0.1
-                  or ::1 and are ignored when checking for a matching redirect_uri.
+                description: |-
+                  allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
+                  client. Any other uris will be rejected.
+                  Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
+                  Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
                items:
                  pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/
                  type: string
@@ -85,27 +90,24 @@ spec:
                type: array
                x-kubernetes-list-type: set
              allowedScopes:
-                description: "allowedScopes is a list of the allowed scopes param
-                  values that should be accepted during OIDC flows with this client.
-                  \n Must only contain the following values: - openid: The client
-                  is allowed to request ID tokens. ID tokens only include the required
-                  claims by default (iss, sub, aud, exp, iat). This scope must always
-                  be listed. - offline_access: The client is allowed to request an
-                  initial refresh token during the authorization code grant flow.
-                  This scope must be listed if allowedGrantTypes lists refresh_token.
-                  - pinniped:request-audience: The client is allowed to request a
-                  new audience value during a RFC8693 token exchange, which is a step
-                  in the process to be able to get a cluster credential for the user.
-                  openid, username and groups scopes must be listed when this scope
-                  is present. This scope must be listed if allowedGrantTypes lists
-                  urn:ietf:params:oauth:grant-type:token-exchange. - username: The
-                  client is allowed to request that ID tokens contain the user's username.
-                  Without the username scope being requested and allowed, the ID token
-                  will not contain the user's username. - groups: The client is allowed
-                  to request that ID tokens contain the user's group membership, if
-                  their group membership is discoverable by the Supervisor. Without
-                  the groups scope being requested and allowed, the ID token will
-                  not contain groups."
+                description: |-
+                  allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+
+
+                  Must only contain the following values:
+                  - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
+                    This scope must always be listed.
+                  - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
+                    This scope must be listed if allowedGrantTypes lists refresh_token.
+                  - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
+                    which is a step in the process to be able to get a cluster credential for the user.
+                    openid, username and groups scopes must be listed when this scope is present.
+                    This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
+                  - username: The client is allowed to request that ID tokens contain the user's username.
+                    Without the username scope being requested and allowed, the ID token will not contain the user's username.
+                  - groups: The client is allowed to request that ID tokens contain the user's group membership,
+                    if their group membership is discoverable by the Supervisor.
+                    Without the groups scope being requested and allowed, the ID token will not contain groups.
                items:
                  enum:
                  - openid
@@ -130,42 +132,42 @@ spec:
                  current state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -179,11 +181,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -219,9 +222,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

 #@ load("@ytt:data", "data")
@@ -190,6 +190,15 @@ spec:
        - name: socket
          emptyDir: {}
        #@ end
+      tolerations:
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: amd64 #! Allow running on amd64 nodes.
+        - key: kubernetes.io/arch
+          effect: NoSchedule
+          operator: Equal
+          value: arm64 #! Also allow running on arm64 nodes.
      #! This will help make sure our multiple pods run on different nodes, making
      #! our deployment "more" "HA".
      affinity:
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
@@ -36,14 +35,19 @@ spec:
          an upstream Microsoft Active Directory identity provider.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -51,19 +55,16 @@ spec:
            description: Spec for configuring the identity provider.
            properties:
              bind:
-                description: Bind contains the configuration for how to provide access
-                  credentials during an initial bind to the ActiveDirectory server
-                  to be allowed to perform searches and binds to validate a user's
-                  credentials during a user's authentication attempt.
+                description: |-
+                  Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
+                  to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
                properties:
                  secretName:
-                    description: SecretName contains the name of a namespace-local
-                      Secret object that provides the username and password for an
-                      Active Directory bind user. This account will be used to perform
-                      LDAP searches. The Secret should be of type "kubernetes.io/basic-auth"
-                      which includes "username" and "password" keys. The username
-                      value should be the full dn (distinguished name) of your bind
-                      account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+                    description: |-
+                      SecretName contains the name of a namespace-local Secret object that provides the username and
+                      password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
+                      of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+                      should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
                      The password must be non-empty.
                    minLength: 1
                    type: string
@@ -75,87 +76,85 @@ spec:
                  for a user's group membership in ActiveDirectory.
                properties:
                  attributes:
-                    description: Attributes specifies how the group's information
-                      should be read from each ActiveDirectory entry which was found
-                      as the result of the group search.
+                    description: |-
+                      Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
+                      the result of the group search.
                    properties:
                      groupName:
-                        description: GroupName specifies the name of the attribute
-                          in the Active Directory entries whose value shall become
-                          a group name in the user's list of groups after a successful
-                          authentication. The value of this field is case-sensitive
-                          and must match the case of the attribute name returned by
-                          the ActiveDirectory server in the user's entry. E.g. "cn"
-                          for common name. Distinguished names can be used by specifying
-                          lower-case "dn". Optional. When not specified, this defaults
-                          to a custom field that looks like "sAMAccountName@domain",
-                          where domain is constructed from the domain components of
-                          the group DN.
+                        description: |-
+                          GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
+                          in the user's list of groups after a successful authentication.
+                          The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
+                          server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+                          Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of the group DN.
                        type: string
                    type: object
                  base:
-                    description: Base is the dn (distinguished name) that should be
-                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
-                      Optional, when not specified it will be based on the result
-                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                    description: |-
+                      Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+                      "ou=groups,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+                      (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
                      The default behavior searches your entire domain for groups.
-                      It may make sense to specify a subtree as a search base if you
-                      wish to exclude some groups for security reasons or to make
-                      searches faster.
+                      It may make sense to specify a subtree as a search base if you wish to exclude some groups
+                      for security reasons or to make searches faster.
                    type: string
                  filter:
-                    description: Filter is the ActiveDirectory search filter which
-                      should be applied when searching for groups for a user. The
-                      pattern "{}" must occur in the filter at least once and will
-                      be dynamically replaced by the value of an attribute of the
-                      user entry found as a result of the user search. Which attribute's
-                      value is used to replace the placeholder(s) depends on the value
-                      of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+                    description: |-
+                      Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
+                      The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+                      value of an attribute of the user entry found as a result of the user search. Which attribute's
+                      value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+                      E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
                      For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
-                      Note that the dn (distinguished name) is not an attribute of
-                      an entry, so "dn={}" cannot be used. Optional. When not specified,
-                      the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
-                      This searches nested groups by default. Note that nested group
-                      search can be slow for some Active Directory servers. To disable
-                      it, you can set the filter to "(&(objectClass=group)(member={})"
+                      Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+                      Optional. When not specified, the default will act as if the filter were specified as
+                      "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+                      This searches nested groups by default.
+                      Note that nested group search can be slow for some Active Directory servers. To disable it,
+                      you can set the filter to
+                      "(&(objectClass=group)(member={})"
                    type: string
                  skipGroupRefresh:
-                    description: "The user's group membership is refreshed as they
-                      interact with the supervisor to obtain new credentials (as their
-                      old credentials expire).  This allows group membership changes
-                      to be quickly reflected into Kubernetes clusters.  Since group
-                      membership is often used to bind authorization policies, it
-                      is important to keep the groups observed in Kubernetes clusters
-                      in-sync with the identity provider. \n In some environments,
-                      frequent group membership queries may result in a significant
-                      performance impact on the identity provider and/or the supervisor.
-                      The best approach to handle performance impacts is to tweak
-                      the group query to be more performant, for example by disabling
-                      nested group search or by using a more targeted group search
-                      base. \n If the group search query cannot be made performant
-                      and you are willing to have group memberships remain static
-                      for approximately a day, then set skipGroupRefresh to true.
-                      \ This is an insecure configuration as authorization policies
-                      that are bound to group membership will not notice if a user
-                      has been removed from a particular group until their next login.
-                      \n This is an experimental feature that may be removed or significantly
-                      altered in the future.  Consumers of this configuration should
-                      carefully read all release notes before upgrading to ensure
-                      that the meaning of this field has not changed."
+                    description: |-
+                      The user's group membership is refreshed as they interact with the supervisor
+                      to obtain new credentials (as their old credentials expire).  This allows group
+                      membership changes to be quickly reflected into Kubernetes clusters.  Since
+                      group membership is often used to bind authorization policies, it is important
+                      to keep the groups observed in Kubernetes clusters in-sync with the identity
+                      provider.
+
+
+                      In some environments, frequent group membership queries may result in a
+                      significant performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak the group query
+                      to be more performant, for example by disabling nested group search or by
+                      using a more targeted group search base.
+
+
+                      If the group search query cannot be made performant and you are willing to
+                      have group memberships remain static for approximately a day, then set
+                      skipGroupRefresh to true.  This is an insecure configuration as authorization
+                      policies that are bound to group membership will not notice if a user has
+                      been removed from a particular group until their next login.
+
+
+                      This is an experimental feature that may be removed or significantly altered
+                      in the future.  Consumers of this configuration should carefully read all
+                      release notes before upgrading to ensure that the meaning of this field has
+                      not changed.
                    type: boolean
                  userAttributeForFilter:
-                    description: UserAttributeForFilter specifies which attribute's
-                      value from the user entry found as a result of the user search
-                      will be used to replace the "{}" placeholder(s) in the group
-                      search Filter. For example, specifying "uid" as the UserAttributeForFilter
-                      while specifying "&(objectClass=posixGroup)(memberUid={})" as
-                      the Filter would search for groups by replacing the "{}" placeholder
-                      in the Filter with the value of the user's "uid" attribute.
-                      Optional. When not specified, the default will act as if "dn"
-                      were specified. For example, leaving UserAttributeForFilter
-                      unspecified while specifying "&(objectClass=groupOfNames)(member={})"
-                      as the Filter would search for groups by replacing the "{}"
-                      placeholder(s) with the dn (distinguished name) of the user.
+                    description: |-
+                      UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+                      the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+                      For example, specifying "uid" as the UserAttributeForFilter while specifying
+                      "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+                      the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+                      Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+                      UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+                      would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
                    type: string
                type: object
              host:
@@ -177,49 +176,46 @@ spec:
                  a user by name in Active Directory.
                properties:
                  attributes:
-                    description: Attributes specifies how the user's information should
-                      be read from the ActiveDirectory entry which was found as the
-                      result of the user search.
+                    description: |-
+                      Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
+                      the result of the user search.
                    properties:
                      uid:
-                        description: UID specifies the name of the attribute in the
-                          ActiveDirectory entry which whose value shall be used to
-                          uniquely identify the user within this ActiveDirectory provider
-                          after a successful authentication. Optional, when empty
-                          this defaults to "objectGUID".
+                        description: |-
+                          UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
+                          identify the user within this ActiveDirectory provider after a successful authentication.
+                          Optional, when empty this defaults to "objectGUID".
                        type: string
                      username:
-                        description: Username specifies the name of the attribute
-                          in Active Directory entry whose value shall become the username
-                          of the user after a successful authentication. Optional,
-                          when empty this defaults to "userPrincipalName".
+                        description: |-
+                          Username specifies the name of the attribute in Active Directory entry whose value shall become the username
+                          of the user after a successful authentication.
+                          Optional, when empty this defaults to "userPrincipalName".
                        type: string
                    type: object
                  base:
-                    description: Base is the dn (distinguished name) that should be
-                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
-                      Optional, when not specified it will be based on the result
-                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                    description: |-
+                      Base is the dn (distinguished name) that should be used as the search base when searching for users.
+                      E.g. "ou=users,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+                      (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
                      The default behavior searches your entire domain for users.
-                      It may make sense to specify a subtree as a search base if you
-                      wish to exclude some users or to make searches faster.
+                      It may make sense to specify a subtree as a search base if you wish to exclude some users
+                      or to make searches faster.
                    type: string
                  filter:
-                    description: Filter is the search filter which should be applied
-                      when searching for users. The pattern "{}" must occur in the
-                      filter at least once and will be dynamically replaced by the
-                      username for which the search is being run. E.g. "mail={}" or
-                      "&(objectClass=person)(uid={})". For more information about
-                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
-                      dn (distinguished name) is not an attribute of an entry, so
-                      "dn={}" cannot be used. Optional. When not specified, the default
-                      will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
-                      This means that the user is a person, is not a computer, the
-                      sAMAccountType is for a normal user account, and is not shown
-                      in advanced view only (which would likely mean its a system
-                      created service account with advanced permissions). Also, either
-                      the sAMAccountName, the userPrincipalName, or the mail attribute
-                      matches the input username.
+                    description: |-
+                      Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
+                      in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+                      E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+                      https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+                      Optional. When not specified, the default will be
+                      '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+                      and is not shown in advanced view only
+                      (which would likely mean its a system created service account with advanced permissions).
+                      Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
                    type: string
                type: object
            required:
@@ -233,42 +229,42 @@ spec:
                  current state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -282,11 +278,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -317,9 +314,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
@@ -32,18 +31,24 @@ spec:
    name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: LDAPIdentityProvider describes the configuration of an upstream
-          Lightweight Directory Access Protocol (LDAP) identity provider.
+        description: |-
+          LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
+          Protocol (LDAP) identity provider.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -51,20 +56,17 @@ spec:
            description: Spec for configuring the identity provider.
            properties:
              bind:
-                description: Bind contains the configuration for how to provide access
-                  credentials during an initial bind to the LDAP server to be allowed
-                  to perform searches and binds to validate a user's credentials during
-                  a user's authentication attempt.
+                description: |-
+                  Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
+                  to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
                properties:
                  secretName:
-                    description: SecretName contains the name of a namespace-local
-                      Secret object that provides the username and password for an
-                      LDAP bind user. This account will be used to perform LDAP searches.
-                      The Secret should be of type "kubernetes.io/basic-auth" which
-                      includes "username" and "password" keys. The username value
-                      should be the full dn (distinguished name) of your bind account,
-                      e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
-                      must be non-empty.
+                    description: |-
+                      SecretName contains the name of a namespace-local Secret object that provides the username and
+                      password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
+                      of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+                      should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+                      The password must be non-empty.
                    minLength: 1
                    type: string
                required:
@@ -75,79 +77,75 @@ spec:
                  for a user's group membership in the LDAP provider.
                properties:
                  attributes:
-                    description: Attributes specifies how the group's information
-                      should be read from each LDAP entry which was found as the result
-                      of the group search.
+                    description: |-
+                      Attributes specifies how the group's information should be read from each LDAP entry which was found as
+                      the result of the group search.
                    properties:
                      groupName:
-                        description: GroupName specifies the name of the attribute
-                          in the LDAP entries whose value shall become a group name
+                        description: |-
+                          GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
                          in the user's list of groups after a successful authentication.
-                          The value of this field is case-sensitive and must match
-                          the case of the attribute name returned by the LDAP server
-                          in the user's entry. E.g. "cn" for common name. Distinguished
-                          names can be used by specifying lower-case "dn". Optional.
-                          When not specified, the default will act as if the GroupName
-                          were specified as "dn" (distinguished name).
+                          The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+                          server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+                          Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
                        type: string
                    type: object
                  base:
-                    description: Base is the dn (distinguished name) that should be
-                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
-                      When not specified, no group search will be performed and authenticated
-                      users will not belong to any groups from the LDAP provider.
-                      Also, when not specified, the values of Filter, UserAttributeForFilter,
-                      Attributes, and SkipGroupRefresh are ignored.
+                    description: |-
+                      Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+                      "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
+                      authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
+                      the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
                    type: string
                  filter:
-                    description: Filter is the LDAP search filter which should be
-                      applied when searching for groups for a user. The pattern "{}"
-                      must occur in the filter at least once and will be dynamically
-                      replaced by the value of an attribute of the user entry found
-                      as a result of the user search. Which attribute's value is used
-                      to replace the placeholder(s) depends on the value of UserAttributeForFilter.
+                    description: |-
+                      Filter is the LDAP search filter which should be applied when searching for groups for a user.
+                      The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+                      value of an attribute of the user entry found as a result of the user search. Which attribute's
+                      value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
                      For more information about LDAP filters, see https://ldap.com/ldap-filters.
-                      Note that the dn (distinguished name) is not an attribute of
-                      an entry, so "dn={}" cannot be used. Optional. When not specified,
-                      the default will act as if the Filter were specified as "member={}".
+                      Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+                      Optional. When not specified, the default will act as if the Filter were specified as "member={}".
                    type: string
                  skipGroupRefresh:
-                    description: "The user's group membership is refreshed as they
-                      interact with the supervisor to obtain new credentials (as their
-                      old credentials expire).  This allows group membership changes
-                      to be quickly reflected into Kubernetes clusters.  Since group
-                      membership is often used to bind authorization policies, it
-                      is important to keep the groups observed in Kubernetes clusters
-                      in-sync with the identity provider. \n In some environments,
-                      frequent group membership queries may result in a significant
-                      performance impact on the identity provider and/or the supervisor.
-                      The best approach to handle performance impacts is to tweak
-                      the group query to be more performant, for example by disabling
-                      nested group search or by using a more targeted group search
-                      base. \n If the group search query cannot be made performant
-                      and you are willing to have group memberships remain static
-                      for approximately a day, then set skipGroupRefresh to true.
-                      \ This is an insecure configuration as authorization policies
-                      that are bound to group membership will not notice if a user
-                      has been removed from a particular group until their next login.
-                      \n This is an experimental feature that may be removed or significantly
-                      altered in the future.  Consumers of this configuration should
-                      carefully read all release notes before upgrading to ensure
-                      that the meaning of this field has not changed."
+                    description: |-
+                      The user's group membership is refreshed as they interact with the supervisor
+                      to obtain new credentials (as their old credentials expire).  This allows group
+                      membership changes to be quickly reflected into Kubernetes clusters.  Since
+                      group membership is often used to bind authorization policies, it is important
+                      to keep the groups observed in Kubernetes clusters in-sync with the identity
+                      provider.
+
+
+                      In some environments, frequent group membership queries may result in a
+                      significant performance impact on the identity provider and/or the supervisor.
+                      The best approach to handle performance impacts is to tweak the group query
+                      to be more performant, for example by disabling nested group search or by
+                      using a more targeted group search base.
+
+
+                      If the group search query cannot be made performant and you are willing to
+                      have group memberships remain static for approximately a day, then set
+                      skipGroupRefresh to true.  This is an insecure configuration as authorization
+                      policies that are bound to group membership will not notice if a user has
+                      been removed from a particular group until their next login.
+
+
+                      This is an experimental feature that may be removed or significantly altered
+                      in the future.  Consumers of this configuration should carefully read all
+                      release notes before upgrading to ensure that the meaning of this field has
+                      not changed.
                    type: boolean
                  userAttributeForFilter:
-                    description: UserAttributeForFilter specifies which attribute's
-                      value from the user entry found as a result of the user search
-                      will be used to replace the "{}" placeholder(s) in the group
-                      search Filter. For example, specifying "uid" as the UserAttributeForFilter
-                      while specifying "&(objectClass=posixGroup)(memberUid={})" as
-                      the Filter would search for groups by replacing the "{}" placeholder
-                      in the Filter with the value of the user's "uid" attribute.
-                      Optional. When not specified, the default will act as if "dn"
-                      were specified. For example, leaving UserAttributeForFilter
-                      unspecified while specifying "&(objectClass=groupOfNames)(member={})"
-                      as the Filter would search for groups by replacing the "{}"
-                      placeholder(s) with the dn (distinguished name) of the user.
+                    description: |-
+                      UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
+                      the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
+                      For example, specifying "uid" as the UserAttributeForFilter while specifying
+                      "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
+                      the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
+                      Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
+                      UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
+                      would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
                    type: string
                type: object
              host:
@@ -169,54 +167,46 @@ spec:
                  a user by name in the LDAP provider.
                properties:
                  attributes:
-                    description: Attributes specifies how the user's information should
-                      be read from the LDAP entry which was found as the result of
-                      the user search.
+                    description: |-
+                      Attributes specifies how the user's information should be read from the LDAP entry which was found as
+                      the result of the user search.
                    properties:
                      uid:
-                        description: UID specifies the name of the attribute in the
-                          LDAP entry which whose value shall be used to uniquely identify
-                          the user within this LDAP provider after a successful authentication.
-                          E.g. "uidNumber" or "objectGUID". The value of this field
-                          is case-sensitive and must match the case of the attribute
-                          name returned by the LDAP server in the user's entry. Distinguished
-                          names can be used by specifying lower-case "dn".
+                        description: |-
+                          UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
+                          identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
+                          The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+                          server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
                        minLength: 1
                        type: string
                      username:
-                        description: Username specifies the name of the attribute
-                          in the LDAP entry whose value shall become the username
-                          of the user after a successful authentication. This would
-                          typically be the same attribute name used in the user search
-                          filter, although it can be different. E.g. "mail" or "uid"
-                          or "userPrincipalName". The value of this field is case-sensitive
-                          and must match the case of the attribute name returned by
-                          the LDAP server in the user's entry. Distinguished names
-                          can be used by specifying lower-case "dn". When this field
-                          is set to "dn" then the LDAPIdentityProviderUserSearch's
-                          Filter field cannot be blank, since the default value of
-                          "dn={}" would not work.
+                        description: |-
+                          Username specifies the name of the attribute in the LDAP entry whose value shall become the username
+                          of the user after a successful authentication. This would typically be the same attribute name used in
+                          the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
+                          The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+                          server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
+                          is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
+                          value of "dn={}" would not work.
                        minLength: 1
                        type: string
                    type: object
                  base:
-                    description: Base is the dn (distinguished name) that should be
-                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                    description: |-
+                      Base is the dn (distinguished name) that should be used as the search base when searching for users.
+                      E.g. "ou=users,dc=example,dc=com".
                    minLength: 1
                    type: string
                  filter:
-                    description: Filter is the LDAP search filter which should be
-                      applied when searching for users. The pattern "{}" must occur
-                      in the filter at least once and will be dynamically replaced
-                      by the username for which the search is being run. E.g. "mail={}"
-                      or "&(objectClass=person)(uid={})". For more information about
-                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
-                      dn (distinguished name) is not an attribute of an entry, so
-                      "dn={}" cannot be used. Optional. When not specified, the default
-                      will act as if the Filter were specified as the value from Attributes.Username
-                      appended by "={}". When the Attributes.Username is set to "dn"
-                      then the Filter must be explicitly specified, since the default
-                      value of "dn={}" would not work.
+                    description: |-
+                      Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
+                      in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+                      E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+                      https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+                      Optional. When not specified, the default will act as if the Filter were specified as the value from
+                      Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
+                      explicitly specified, since the default value of "dn={}" would not work.
                    type: string
                type: object
            required:
@@ -230,42 +220,42 @@ spec:
                  current state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -279,11 +269,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -314,9 +305,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
@@ -36,14 +35,19 @@ spec:
          OpenID Connect identity provider.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -51,39 +55,29 @@ spec:
            description: Spec for configuring the identity provider.
            properties:
              authorizationConfig:
-                description: AuthorizationConfig holds information about how to form
-                  the OAuth2 authorization request parameters to be used with this
-                  OIDC identity provider.
+                description: |-
+                  AuthorizationConfig holds information about how to form the OAuth2 authorization request
+                  parameters to be used with this OIDC identity provider.
                properties:
                  additionalAuthorizeParameters:
-                    description: additionalAuthorizeParameters are extra query parameters
-                      that should be included in the authorize request to your OIDC
-                      provider in the authorization request during an OIDC Authorization
-                      Code Flow. By default, no extra parameters are sent. The standard
-                      parameters that will be sent are "response_type", "scope", "client_id",
-                      "state", "nonce", "code_challenge", "code_challenge_method",
-                      and "redirect_uri". These parameters cannot be included in this
-                      setting. Additionally, the "hd" parameter cannot be included
-                      in this setting at this time. The "hd" parameter is used by
-                      Google's OIDC provider to provide a hint as to which "hosted
-                      domain" the user should use during login. However, Pinniped
-                      does not yet support validating the hosted domain in the resulting
-                      ID token, so it is not yet safe to use this feature of Google's
-                      OIDC provider with Pinniped. This setting does not influence
-                      the parameters sent to the token endpoint in the Resource Owner
-                      Password Credentials Grant. The Pinniped Supervisor requires
-                      that your OIDC provider returns refresh tokens to the Supervisor
-                      from the authorization flows. Some OIDC providers may require
-                      a certain value for the "prompt" parameter in order to properly
-                      request refresh tokens. See the documentation of your OIDC provider's
-                      authorization endpoint for its requirements for what to include
-                      in the request in order to receive a refresh token in the response,
-                      if anything. If your provider requires the prompt parameter
-                      to request a refresh token, then include it here. Also note
-                      that most providers also require a certain scope to be requested
-                      in order to receive refresh tokens. See the additionalScopes
-                      setting for more information about using scopes to request refresh
-                      tokens.
+                    description: |-
+                      additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+                      OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+                      parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+                      included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
+                      The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
+                      should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
+                      ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
+                      This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
+                      Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
+                      Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
+                      parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include in the request in order to receive a refresh
+                      token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
+                      then include it here. Also note that most providers also require a certain scope to be requested in order to
+                      receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
+                      refresh tokens.
                    items:
                      description: Parameter is a key/value pair which represents
                        a parameter in an HTTP request.
@@ -103,139 +97,109 @@ spec:
                    - name
                    x-kubernetes-list-type: map
                  additionalScopes:
-                    description: 'additionalScopes are the additional scopes that
-                      will be requested from your OIDC provider in the authorization
-                      request during an OIDC Authorization Code Flow and in the token
-                      request during a Resource Owner Password Credentials Grant.
-                      Note that the "openid" scope will always be requested regardless
-                      of the value in this setting, since it is always required according
-                      to the OIDC spec. By default, when this field is not set, the
-                      Supervisor will request the following scopes: "openid", "offline_access",
-                      "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
-                      for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-                      for a description of the "offline_access" scope. This default
-                      value may change in future versions of Pinniped as the standard
-                      evolves, or as common patterns used by providers who implement
-                      the standard in the ecosystem evolve. By setting this list to
-                      anything other than an empty list, you are overriding the default
-                      value, so you may wish to include some of "offline_access",
-                      "email", and "profile" in your override list. If you do not
-                      want any of these scopes to be requested, you may set this list
-                      to contain only "openid". Some OIDC providers may also require
-                      a scope to get access to the user''s group membership, in which
-                      case you may wish to include it in this list. Sometimes the
-                      scope to request the user''s group membership is called "groups",
-                      but unfortunately this is not specified in the OIDC standard.
-                      Generally speaking, you should include any scopes required to
-                      cause the appropriate claims to be the returned by your OIDC
-                      provider in the ID token or userinfo endpoint results for those
-                      claims which you would like to use in the oidcClaims settings
-                      to determine the usernames and group memberships of your Kubernetes
-                      users. See your OIDC provider''s documentation for more information
-                      about what scopes are available to request claims. Additionally,
-                      the Pinniped Supervisor requires that your OIDC provider returns
-                      refresh tokens to the Supervisor from these authorization flows.
-                      For most OIDC providers, the scope required to receive refresh
-                      tokens will be "offline_access". See the documentation of your
-                      OIDC provider''s authorization and token endpoints for its requirements
-                      for what to include in the request in order to receive a refresh
-                      token in the response, if anything. Note that it may be safe
-                      to send "offline_access" even to providers which do not require
-                      it, since the provider may ignore scopes that it does not understand
-                      or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
-                      In the unusual case that you must avoid sending the "offline_access"
-                      scope, then you must override the default value of this setting.
-                      This is required if your OIDC provider will reject the request
-                      when it includes "offline_access" (e.g. GitLab''s OIDC provider).'
+                    description: |-
+                      additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+                      Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+                      always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
+                      the following scopes: "openid", "offline_access", "email", and "profile". See
+                      https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
+                      scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
+                      "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
+                      or as common patterns used by providers who implement the standard in the ecosystem evolve.
+                      By setting this list to anything other than an empty list, you are overriding the
+                      default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
+                      If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
+                      Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
+                      may wish to include it in this list. Sometimes the scope to request the user's group membership is called
+                      "groups", but unfortunately this is not specified in the OIDC standard.
+                      Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by
+                      your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
+                      the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+                      your OIDC provider's documentation for more information about what scopes are available to request claims.
+                      Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
+                      from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
+                      "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
+                      requirements for what to include in the request in order to receive a refresh token in the response, if anything.
+                      Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
+                      may ignore scopes that it does not understand or require (see
+                      https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+                      "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
+                      provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
                    items:
                      type: string
                    type: array
                  allowPasswordGrant:
-                    description: allowPasswordGrant, when true, will allow the use
-                      of OAuth 2.0's Resource Owner Password Credentials Grant (see
-                      https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
-                      authenticate to the OIDC provider using a username and password
-                      without a web browser, in addition to the usual browser-based
-                      OIDC Authorization Code Flow. The Resource Owner Password Credentials
-                      Grant is not officially part of the OIDC specification, so it
-                      may not be supported by your OIDC provider. If your OIDC provider
-                      supports returning ID tokens from a Resource Owner Password
-                      Credentials Grant token request, then you can choose to set
-                      this field to true. This will allow end users to choose to present
-                      their username and password to the kubectl CLI (using the Pinniped
-                      plugin) to authenticate to the cluster, without using a web
-                      browser to log in as is customary in OIDC Authorization Code
-                      Flow. This may be convenient for users, especially for identities
-                      from your OIDC provider which are not intended to represent
-                      a human actor, such as service accounts performing actions in
-                      a CI/CD environment. Even if your OIDC provider supports it,
-                      you may wish to disable this behavior by setting this field
-                      to false when you prefer to only allow users of this OIDCIdentityProvider
-                      to log in via the browser-based OIDC Authorization Code Flow.
-                      Using the Resource Owner Password Credentials Grant means that
-                      the Pinniped CLI and Pinniped Supervisor will directly handle
-                      your end users' passwords (similar to LDAPIdentityProvider),
-                      and you will not be able to require multi-factor authentication
-                      or use the other web-based login features of your OIDC provider
-                      during Resource Owner Password Credentials Grant logins. allowPasswordGrant
-                      defaults to false.
+                    description: |-
+                      allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
+                      (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
+                      username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
+                      The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
+                      supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
+                      Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
+                      to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
+                      cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
+                      convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
+                      actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
+                      you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
+                      OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
+                      Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
+                      (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
+                      web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
+                      allowPasswordGrant defaults to false.
                    type: boolean
                type: object
              claims:
-                description: Claims provides the names of token claims that will be
-                  used when inspecting an identity from this OIDC identity provider.
+                description: |-
+                  Claims provides the names of token claims that will be used when inspecting an identity from
+                  this OIDC identity provider.
                properties:
                  additionalClaimMappings:
                    additionalProperties:
                      type: string
-                    description: AdditionalClaimMappings allows for additional arbitrary
-                      upstream claim values to be mapped into the "additionalClaims"
-                      claim of the ID tokens generated by the Supervisor. This should
-                      be specified as a map of new claim names as the keys, and upstream
-                      claim names as the values. These new claim names will be nested
-                      under the top-level "additionalClaims" claim in ID tokens generated
-                      by the Supervisor when this OIDCIdentityProvider was used for
-                      user authentication. These claims will be made available to
-                      all clients. This feature is not required to use the Supervisor
-                      to provide authentication for Kubernetes clusters, but can be
-                      used when using the Supervisor for other authentication purposes.
-                      When this map is empty or the upstream claims are not available,
-                      the "additionalClaims" claim will be excluded from the ID tokens
-                      generated by the Supervisor.
+                    description: |-
+                      AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+                      "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+                      new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+                      OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
+                      This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
+                      used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
+                      are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
                    type: object
                  groups:
-                    description: Groups provides the name of the ID token claim or
-                      userinfo endpoint response claim that will be used to ascertain
-                      the groups to which an identity belongs. By default, the identities
-                      will not include any group memberships when this setting is
-                      not configured.
+                    description: |-
+                      Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities will not include any group memberships when
+                      this setting is not configured.
                    type: string
                  username:
-                    description: Username provides the name of the ID token claim
-                      or userinfo endpoint response claim that will be used to ascertain
-                      an identity's username. When not set, the username will be an
-                      automatically constructed unique string which will include the
-                      issuer URL of your OIDC provider along with the value of the
-                      "sub" (subject) claim from the ID token.
+                    description: |-
+                      Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
+                      ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+                      which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+                      the ID token.
                    type: string
                type: object
              client:
-                description: OIDCClient contains OIDC client information to be used
-                  used with this OIDC identity provider.
+                description: |-
+                  OIDCClient contains OIDC client information to be used used with this OIDC identity
+                  provider.
                properties:
                  secretName:
-                    description: SecretName contains the name of a namespace-local
-                      Secret object that provides the clientID and clientSecret for
-                      an OIDC client. If only the SecretName is specified in an OIDCClient
-                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client"
-                      with keys "clientID" and "clientSecret".
+                    description: |-
+                      SecretName contains the name of a namespace-local Secret object that provides the clientID and
+                      clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
+                      "clientID" and "clientSecret".
                    type: string
                required:
                - secretName
                type: object
              issuer:
-                description: Issuer is the issuer URL of this OIDC identity provider,
-                  i.e., where to fetch /.well-known/openid-configuration.
+                description: |-
+                  Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+                  /.well-known/openid-configuration.
                minLength: 1
                pattern: ^https://
                type: string
@@ -260,42 +224,42 @@ spec:
                  current state.
                items:
                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
@@ -309,11 +273,12 @@ spec:
                      - Unknown
                      type: string
                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
@@ -344,9 +309,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -1,133 +1,260 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0

-#@data/values
---
+#@ def validate_strings_map(obj):
+#@   # Returns True if obj is an associative data structure string→string, and False otherwise.
+#@   for key in obj:
+#@     if type(key) != "string" or type(obj[key]) != "string":
+#@       return False
+#@     end
+#@   end
+#@   return True
+#@ end

+#@data/values-schema
+---
+#@schema/title "App name"
+#@schema/desc "Used to help determine the names of various resources and labels."
+#@schema/validation min_len=1
 app_name: pinniped-supervisor

-#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+#@schema/title "Namespace"
+#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
+#@schema/validation min_len=1
 namespace: pinniped-supervisor
-#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
-#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
-into_namespace: #! e.g. my-preexisting-namespace

-#! All resources created statically by yaml at install-time and all resources created dynamically
-#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
-#! specified here. The value of `custom_labels` must be a map of string keys to string values.
-#! The app can be uninstalled either by:
-#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
-#!    resources that were dynamically created by controllers at runtime
-#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
-custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
+#@schema/title "Into namespace"
+#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
+#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
+#@schema/desc into_namespace_desc
+#@schema/examples ("The name of an existing namespace", "my-preexisting-namespace")
+#@schema/nullable
+#@schema/validation min_len=1
+into_namespace: ""

-#! Specify how many replicas of the Pinniped server to run.
+#@schema/title "Custom labels"
+#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
+#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of \
+#@ `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1.) deleting the \
+#@ static install-time yaml resources including the static namespace, which will cascade and also delete \
+#@ resources that were dynamically created by controllers at runtime, or 2.) deleting all resources by label, which does \
+#@ not assume that there was a static install-time yaml namespace."
+#@schema/desc custom_labels_desc
+#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
+#@schema/type any=True
+#@schema/validation ("a map of keys and values", validate_strings_map)
+custom_labels: { }
+
+#@schema/title "Replicas"
+#@schema/desc "Specify how many replicas of the Pinniped server to run."
 replicas: 2

-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
-image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/title "Image repo"
+#@schema/desc "The repository for the Supervisor container image."
+#@schema/validation min_len=1
+image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
+
+#@schema/title "Image digest"
+#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
+#@schema/nullable
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
+image_digest: ""
+
+#@schema/title "Image tag"
+#@schema/desc "The image tag for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/examples ("Tag", "v0.25.0")
+#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest

-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@schema/title "Image pull dockerconfigjson"
+#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
+#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
+#@ kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]'"
+#@schema/desc image_pull_dockerconfigjson_desc
+#@ example_desc = 'base64 encoding of: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}'
+#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
+#@schema/examples (example_desc, example_value)
+#@schema/nullable
+#@schema/validation min_len=1
+image_pull_dockerconfigjson: ""

-#! Specify how to expose the Supervisor app's HTTPS port as a Service.
-#! Typically, you would set a value for only one of the following service types.
-#! Setting any of these values means that a Service of that type will be created. They are all optional.
-#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
-#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
-#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
-deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
-deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
-deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
-deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
-service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
-service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
-service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
-service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
-#! The `loadBalancerIP` value of the LoadBalancer Service.
-#! Ignored unless service_https_loadbalancer_port is provided.
-#! Optional.
-service_loadbalancer_ip: #! e.g. 1.2.3.4
+#@schema/title "Deprecated service HTTP nodeport port"
+#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/examples ("Specify port",31234)
+#@schema/nullable
+#@schema/deprecated "This data value will be removed in a future release"
+deprecated_service_http_nodeport_port: 0

-#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
-#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
-log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
-#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
-#! By default, when this value is left unset, logs are formatted in json.
-#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
-deprecated_log_format:
+#@schema/title "Deprecated service http nodeport nodeport"
+#@schema/desc "The `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
+#@schema/examples ("Specify port",31234)
+#@schema/nullable
+#@schema/deprecated "This data value will be removed in a future release"
+deprecated_service_http_nodeport_nodeport: 0

-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/title "Deprecated service http loadbalancer port"
+#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/examples ("Specify port",8443)
+#@schema/nullable
+#@schema/deprecated "This data value will be removed in a future release"
+deprecated_service_http_loadbalancer_port: 0

-#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
-#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
-#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
-#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+#@schema/title "Deprecated service http clusterip port"
+#@schema/desc "Creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/examples ("Specify port",8443)
+#@schema/nullable
+#@schema/deprecated "This data value will be removed in a future release"
+deprecated_service_http_clusterip_port: 0
+
+#@schema/title "Service https nodeport port"
+#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/examples ("Specify port",31243)
+#@schema/nullable
+service_https_nodeport_port: 0
+
+#@schema/title "Service https nodeport nodeport"
+#@schema/desc "The `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
+#@schema/examples ("Specify port",31243)
+#@schema/nullable
+service_https_nodeport_nodeport: 0
+
+#@schema/title "Service https loadbalancer port"
+#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/examples ("Specify port",8443)
+#@schema/nullable
+service_https_loadbalancer_port: 0
+
+#@schema/title "Service https clusterip port"
+#@schema/desc "When specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/examples ("Specify port",8443)
+#@schema/nullable
+service_https_clusterip_port: 0
+
+#@schema/title "Service loadbalancer ip"
+#@schema/desc "The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided."
+#@schema/examples ("Example IP address","1.2.3.4")
+#@schema/nullable
+service_loadbalancer_ip: ""
+
+#@schema/title "Log level"
+#@ log_level_desc = "Specify the verbosity of logging: info (\"nice to know\" information), debug (developer information), trace (timing information), \
+#@ or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged. \
+#@ When this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
+#@schema/desc log_level_desc
+#@schema/examples ("Developer logging information","debug")
+#@schema/nullable
+#@schema/validation one_of=["info", "debug", "trace", "all"]
+log_level: ""
+
+#@schema/title "Log format"
+#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
+#@ By default, when this value is left unset, logs are formatted in json. \
+#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+#@schema/desc deprecated_log_format_desc
+#@schema/examples ("Set logs to JSON format","json")
+#@schema/nullable
+#@schema/validation one_of=["json", "text"]
+#@schema/deprecated "This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+deprecated_log_format: ""
+
+#@schema/title "Run as user"
+#@schema/desc "The user ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_user: 65532
+
+#@schema/title "Run as group"
+#@schema/desc "The group ID that will own the process."
+#! See the Dockerfile for the reasoning behind this default value.
+run_as_group: 65532
+
+#@schema/title "API group suffix"
+#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
+#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
+#@ config.supervisor.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
+#@ Pinniped API groups will look like foo.tuna.io. config.supervisor.tuna.io, etc."
+#@schema/desc api_group_suffix_desc
+#@schema/validation min_len=1
 api_group_suffix: pinniped.dev

-#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
-#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
-#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
-#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
-#! Optional.
-https_proxy: #! e.g. http://proxy.example.com
-no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
+#@schema/title "HTTPS proxy"
+#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
+#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
+#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
+#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
+#@schema/desc https_proxy_desc
+#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
+#@schema/nullable
+#@schema/validation min_len=1
+https_proxy: ""

-#! Control the HTTP and HTTPS listeners of the Supervisor.
-#!
-#! The schema of this config is as follows:
-#!
-#! endpoints:
-#!   https:
-#!     network: tcp | unix | disabled
-#!     address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
-#!   http:
-#!     network: same as above
-#!     address: same as above, except that when network=tcp then the address is only allowed to bind to loopback interfaces
-#!
-#! Setting network to disabled turns off that particular listener.
-#! See https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial for a description of what can be
-#! specified in the address parameter based on the given network parameter.  To aid in the use of unix
-#! domain sockets, a writable empty dir volume is mounted at /pinniped_socket when network is set to "unix."
-#!
-#! The current defaults are:
-#!
-#! endpoints:
-#!   https:
-#!     network: tcp
-#!     address: :8443
-#!   http:
-#!     network: disabled
-#!
-#! These defaults mean: For HTTPS listening, bind to all interfaces using TCP on port 8443.
-#! Disable HTTP listening by default.
-#!
-#! The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept
-#! traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be
-#! used to accept traffic from outside the pod, since that would mean that the network traffic could be
-#! transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod.
-#! Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic
-#! to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes.
-#!
-#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
-#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
-#!
-#! Optional.
-endpoints:
+#@schema/title "No proxy"
+#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
+#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
+#@schema/desc no_proxy_desc
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"

-#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
-#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
-#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
-#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
-#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
-#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
-#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
-#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
-#! Optional.
+#@schema/title "Endpoints"
+#@ endpoints_desc = "Control the HTTP and HTTPS listeners of the Supervisor.  The current defaults are: \
+#@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"},\"http\":\"disabled\"}. \
+#@ These defaults mean: 1.) for HTTPS listening, bind to all interfaces using TCP on port 8443 and \
+#@ 2.) disable HTTP listening by default. \
+#@ The schema of this config is as follows: \
+#@ {\"https\":{\"network\":\"tcp | unix | disabled\",\"address\":\"host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix\"},\"http\":{\"network\":\"tcp | unix | disabled\",\"address\":\"same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces\"}} \
+#@ The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept \
+#@ traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be \
+#@ used to accept traffic from outside the pod, since that would mean that the network traffic could be \
+#@ transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod. \
+#@ Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic \
+#@ to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes. \
+#@ Changing the HTTPS port number must be accompanied by matching changes to the service and deployment \
+#@ manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks."
+#@schema/desc endpoints_desc
+#@schema/examples ("Example matching default settings", '{"https":{"network":"tcp","address":":8443"},"http":"disabled"}')
+#@schema/type any=True
+#@ def validate_endpoint(endpoint):
+#@   if(type(endpoint) not in ["yamlfragment", "string"]):
+#@     return False
+#@   end
+#@   if(type(endpoint) in ["string"]):
+#@     if (endpoint != "disabled"):
+#@        return False
+#@     end
+#@   end
+#@   if(type(endpoint) in ["yamlfragment"]):
+#@     if (endpoint["network"] not in ["tcp", "unix", "disabled"]):
+#@        return False
+#@     end
+#@     if (type(endpoint["address"]) not in ["string"]):
+#@        return False
+#@     end
+#@   end
+#@   return True
+#@ end
+#@ def validate_endpoints(endpoints):
+#@   """
+#@   Returns True if endpoints fulfill the expected structure
+#@   """
+#@   http_val = endpoints["http"]
+#@   https_val = endpoints["https"]
+#@   return validate_endpoint(http_val) and validate_endpoint(https_val)
+#@ end
+#@schema/nullable
+#@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
+endpoints: { }
+
+#@ deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints.http \
+#@ value which checks that only loopback interfaces are used. \
+#@ When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
+#@ interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
+#@ to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
+#@ to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
+#@ This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
+#@ traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
+#@ Allowed values are true (boolean), 'true' (string), false (boolean), and 'false' (string). The default is false."
+#@schema/desc deprecated_insecure_accept_external_unencrypted_http_requests_desc
+#@schema/type any=True
+#@schema/validation ("a boolean or string version of boolean", lambda v: type(v) in ["string", "boolean"])
+#@schema/validation one_of=["true", "false", True, False]
+#@schema/deprecated "This data value will be removed in a future release"
 deprecated_insecure_accept_external_unencrypted_http_requests: false
--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@@ -46,6 +46,18 @@ JWTAuthenticator describes the configuration of a JWT authenticator.



+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorphase"]
+==== JWTAuthenticatorPhase (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorstatus[$$JWTAuthenticatorStatus$$]
+****
+
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec"]
 ==== JWTAuthenticatorSpec 

@@ -80,6 +92,7 @@ Status of a JWT authenticator.
 |===
 | Field | Description
 | *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Represents the observations of the authenticator's current state.
+| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorphase[$$JWTAuthenticatorPhase$$]__ | Phase summarizes the overall status of the JWTAuthenticator.
 |===


@@ -197,30 +210,7 @@ OIDCClientSecretRequest can be used to update the client secrets associated with
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names
-| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. 
- If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). 
- Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
-| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. 
- Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces
-| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. 
- DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.
-| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. 
- Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
-| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. 
- Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
-| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
-| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
- Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. 
- Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
-| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
-| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
-| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
-| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
-| *`clusterName`* __string__ | The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
-| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | 
 | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
 | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
 |===
@@ -467,7 +457,7 @@ FrontendType enumerates a type of "frontend" used to provide access to users of


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyinfo"]
-==== ImpersonationProxyInfo 
+==== ImpersonationProxyInfo (xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-struct-endpoint string -json-endpoint- certificateauthoritydata string -json-certificateauthoritydata-[$$struct{Endpoint string "json:\"endpoint\""; CertificateAuthorityData string "json:\"certificateAuthorityData\""}$$]) 

 ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.

@@ -476,12 +466,6 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-credentialissuerfrontend[$$CredentialIssuerFrontend$$]
 ****

-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Endpoint is the HTTPS endpoint of the impersonation proxy.
-| *`certificateAuthorityData`* __string__ | CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.
-|===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxymode"]
@@ -509,8 +493,9 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. 
- If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +
+
+If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
 | *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
 |===
@@ -543,10 +528,12 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | Field | Description
 | *`mode`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxymode[$$ImpersonationProxyMode$$]__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
-| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
- This field must be non-empty when spec.impersonationProxy.service.type is "None".
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
- If this field is empty, the impersonation proxy will generate its own TLS certificate.
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. +
+
+This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +
+
+If this field is empty, the impersonation proxy will generate its own TLS certificate.
 |===


@@ -607,7 +594,7 @@ StrategyType enumerates a type of "strategy" used to implement credential access


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
-==== TokenCredentialRequestAPIInfo 
+==== TokenCredentialRequestAPIInfo (xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-struct-server string -json-server- certificateauthoritydata string -json-certificateauthoritydata-[$$struct{Server string "json:\"server\""; CertificateAuthorityData string "json:\"certificateAuthorityData\""}$$]) 

 TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.

@@ -616,12 +603,6 @@ TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRe
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-credentialissuerfrontend[$$CredentialIssuerFrontend$$]
 ****

-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`server`* __string__ | Server is the Kubernetes API server URL.
-| *`certificateAuthorityData`* __string__ | CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.
-|===



@@ -718,12 +699,15 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
- See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). +
+
+See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
- For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +
+
+An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. +
+
+For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===


@@ -759,11 +743,15 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
- Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
- SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
- SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
- When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. +
+
+Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +
+
+SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. +
+
+SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. +
+
+When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
 |===


@@ -781,10 +769,13 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
- Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. +
+
+The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. +
+
+The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. +
+
+Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===

@@ -927,10 +918,12 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
- Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. +
+
+Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +
+
+Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===


@@ -986,7 +979,7 @@ Package identity is the internal version of the Pinniped identity API.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-extravalue"]
-==== ExtraValue 
+==== ExtraValue (string array) 

 ExtraValue masks the value so protobuf can generate

@@ -1048,30 +1041,7 @@ WhoAmIRequest submits a request to echo back the current authenticated user.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`name`* __string__ | Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names
-| *`generateName`* __string__ | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. 
- If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). 
- Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
-| *`namespace`* __string__ | Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. 
- Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces
-| *`selfLink`* __string__ | SelfLink is a URL representing this object. Populated by the system. Read-only. 
- DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.
-| *`uid`* __UID__ | UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. 
- Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
-| *`resourceVersion`* __string__ | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. 
- Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
-| *`generation`* __integer__ | A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
-| *`creationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
- Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-| *`deletionTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#time-v1-meta[$$Time$$]__ | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. 
- Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-| *`deletionGracePeriodSeconds`* __integer__ | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
-| *`labels`* __object (keys:string, values:string)__ | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
-| *`annotations`* __object (keys:string, values:string)__ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
-| *`ownerReferences`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#ownerreference-v1-meta[$$OwnerReference$$] array__ | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
-| *`finalizers`* __string array__ | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
-| *`clusterName`* __string__ | The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
-| *`managedFields`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#managedfieldsentry-v1-meta[$$ManagedFieldsEntry$$] array__ | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+| *`ObjectMeta`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | 
 | *`Spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequestspec[$$WhoAmIRequestSpec$$]__ | 
 | *`Status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequeststatus[$$WhoAmIRequestStatus$$]__ | 
 |===
@@ -1079,6 +1049,16 @@ WhoAmIRequest submits a request to echo back the current authenticated user.



+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequestspec"]
+==== WhoAmIRequestSpec 
+
+Spec is always empty for a WhoAmIRequest.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequest[$$WhoAmIRequest$$]
+****
+


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-whoamirequeststatus"]
@@ -1107,7 +1087,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped identity API.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-v1alpha1-extravalue"]
-==== ExtraValue 
+==== ExtraValue (string array) 

 ExtraValue masks the value so protobuf can generate

@@ -1178,6 +1158,16 @@ WhoAmIRequest submits a request to echo back the current authenticated user.



+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-v1alpha1-whoamirequestspec"]
+==== WhoAmIRequestSpec 
+
+Spec is always empty for a WhoAmIRequest.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-v1alpha1-whoamirequest[$$WhoAmIRequest$$]
+****
+


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-identity-v1alpha1-whoamirequeststatus"]
@@ -1259,10 +1249,13 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro
 | *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
 | *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
-| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
- In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
- If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
- This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. +
+
+In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. +
+
+If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. +
+
+This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


@@ -1427,10 +1420,13 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
 | *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the value of an attribute of the user entry found as a result of the user search. Which attribute's value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
 | *`userAttributeForFilter`* __string__ | UserAttributeForFilter specifies which attribute's value from the user entry found as a result of the user search will be used to replace the "{}" placeholder(s) in the group search Filter. For example, specifying "uid" as the UserAttributeForFilter while specifying "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing the "{}" placeholder in the Filter with the value of the user's "uid" attribute. Optional. When not specified, the default will act as if "dn" were specified. For example, leaving UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
 | *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
-| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. 
- In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. 
- If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. 
- This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
+| *`skipGroupRefresh`* __boolean__ | The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire).  This allows group membership changes to be quickly reflected into Kubernetes clusters.  Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. +
+
+In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. +
+
+If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true.  This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. +
+
+This is an experimental feature that may be removed or significantly altered in the future.  Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
 |===


--- a/generated/1.21/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
+++ b/generated/1.21/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go
@@ -1,10 +1,23 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package v1alpha1

 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+type JWTAuthenticatorPhase string
+
+const (
+	// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
+	JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
+
+	// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
+	JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
+
+	// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
+	JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
+)
+
 // Status of a JWT authenticator.
 type JWTAuthenticatorStatus struct {
 	// Represents the observations of the authenticator's current state.
@@ -13,6 +26,10 @@ type JWTAuthenticatorStatus struct {
 	// +listType=map
 	// +listMapKey=type
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	// Phase summarizes the overall status of the JWTAuthenticator.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
 }

 // Spec for configuring a JWT authenticator.
--- a/generated/1.21/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/identity/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/identity/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.21/apis/concierge/login/v1alpha1/zz_generated.defaults.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.21/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/concierge/login/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/go.mod
+++ b/generated/1.21/apis/go.mod
@@ -1,4 +1,4 @@
-// This go.mod file is generated by ./hack/codegen.sh.
+// This go.mod file is generated by ./hack/update.sh.
 module go.pinniped.dev/generated/1.21/apis

 go 1.13
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by conversion-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
+++ b/generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by defaulter-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated

-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by deepcopy-gen. DO NOT EDIT.
--- a/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go
+++ b/generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package oidc
@@ -29,6 +29,10 @@ const (
 	// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
 	IDTokenClaimSubject = "sub"

+	// IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim
+	// in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated.
+	IDTokenSubClaimIDPNameQueryParam = "idpName"
+
 	// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
 	IDTokenClaimAuthorizedParty = "azp"

--- a/generated/1.21/client/concierge/clientset/versioned/clientset.go
+++ b/generated/1.21/client/concierge/clientset/versioned/clientset.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.21/client/concierge/clientset/versioned/fake/clientset_generated.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/fake/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/fake/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/fake/register.go
+++ b/generated/1.21/client/concierge/clientset/versioned/fake/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/scheme/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/scheme/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/scheme/register.go
+++ b/generated/1.21/client/concierge/clientset/versioned/scheme/register.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go
+++ b/generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by client-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/authentication/interface.go
+++ b/generated/1.21/client/concierge/informers/externalversions/authentication/interface.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go
+++ b/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go
+++ b/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
+++ b/generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/config/interface.go
+++ b/generated/1.21/client/concierge/informers/externalversions/config/interface.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
+++ b/generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/interface.go
+++ b/generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/interface.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/factory.go
+++ b/generated/1.21/client/concierge/informers/externalversions/factory.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/generic.go
+++ b/generated/1.21/client/concierge/informers/externalversions/generic.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/generated/1.21/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go
+++ b/generated/1.21/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Code generated by informer-gen. DO NOT EDIT.
--- a/Show More
+++ b/Show More