Merge pull request #405 from enj/enj/i/cluster_scope_concierge

Cluster scope all concierge APIs

.dockerignore

@@ -0,0 +1,13 @@
+./.*
+./*.md
+./*.yaml
+./apis
+./deploy
+./Dockerfile
+./generated/1.1*
+./hack/lib/tilt/
+./internal/mocks
+./LICENSE
+./site/
+./test
+**/*_test.go

.github/codecov.yml

@@ -0,0 +1,13 @@
+codecov:
+  strict_yaml_branch: main
+  require_ci_to_pass: no
+  notify:
+    wait_for_ci: no  
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+    patch:
+      default:
+        informational: true

.pre-commit-hooks.yaml

@@ -1,4 +0,0 @@
-- id: validate-copyright-year
-  name: Validate copyright year
-  entry: hack/check-copyright-year.sh
-  language: script

CONTRIBUTING.md

@@ -10,22 +10,15 @@ Please see the [Code of Conduct](./CODE_OF_CONDUCT.md).
 
 Learn about the [scope](https://pinniped.dev/docs/scope/) of the project.
 
-## Meeting with the Maintainers
+## Community Meetings
 
-The maintainers aspire to hold a video conference every other week with the Pinniped community.
-Any community member may request to add topics to the agenda by contacting a [maintainer](MAINTAINERS.md)
-in advance, or by attending and raising the topic during time remaining after the agenda is covered.
-Typical agenda items include topics regarding the roadmap, feature requests, bug reports, pull requests, etc.
-A [public document](https://docs.google.com/document/d/1qYA35wZV-6bxcH5375vOnIGkNBo7e4OROgsV4Sj8WjQ)
-tracks the agendas and notes for these meetings.
+Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occuring every first and third Thursday of the month at 9AM PT / 12PM PT. Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09) to attend and add any agenda items you wish to discuss to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view). Join our [Google Group](https://groups.google.com/u/1/g/project-pinniped) to receive invites to this meeting.
 
-These meetings are currently scheduled for the first and third Thursday mornings of each month
-at 9 AM Pacific Time, using this [Zoom meeting](https://VMware.zoom.us/j/94638309756?pwd=V3NvRXJIdDg5QVc0TUdFM2dYRzgrUT09).
 If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
 
 ## Discussion
 
-Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page.
+Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page or reach out in Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
 
 ## Issues
 

Dockerfile

@@ -1,36 +1,41 @@
+# syntax = docker/dockerfile:1.0-experimental
+
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.15.12 as build-env
+FROM golang:1.15.8 as build-env
 
 WORKDIR /work
-# Get dependencies first so they can be cached as a layer
-COPY go.* ./
-COPY generated/1.20/apis/go.* ./generated/1.20/apis/
-COPY generated/1.20/client/go.* ./generated/1.20/client/
-RUN go mod download
-
-# Copy only the production source code to avoid cache misses when editing other files
-COPY generated ./generated
-COPY cmd ./cmd
-COPY pkg ./pkg
-COPY internal ./internal
-COPY hack ./hack
+COPY . .
+ARG GOPROXY
 
 # Build the executable binary (CGO_ENABLED=0 means static linking)
-RUN mkdir out \
-  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-concierge/... \
-  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-supervisor/... \
-  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/...
+# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
+# can be re-used between image builds.
+RUN \
+  --mount=type=cache,target=/cache/gocache \
+  --mount=type=cache,target=/cache/gomodcache \
+  mkdir out && \
+  GOCACHE=/cache/gocache \
+  GOMODCACHE=/cache/gomodcache \
+  CGO_ENABLED=0 \
+  GOOS=linux \
+  GOARCH=amd64 \
+  go build -v -ldflags "$(hack/get-ldflags.sh)" -o out \
+    ./cmd/pinniped-concierge/... \
+    ./cmd/pinniped-supervisor/... \
+    ./cmd/local-user-authenticator/...
 
-# Use a runtime image based on Debian slim
-FROM debian:10.9-slim
-RUN apt-get update && apt-get install -y ca-certificates procps && rm -rf /var/lib/apt/lists/*
+# Use a Debian slim image to grab a reasonable default CA bundle.
+FROM debian:10.8-slim AS get-ca-bundle-env
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/* /var/cache/debconf/*
 
-# Copy the binaries from the build-env stage
-COPY --from=build-env /work/out/pinniped-concierge /usr/local/bin/pinniped-concierge
-COPY --from=build-env /work/out/pinniped-supervisor /usr/local/bin/pinniped-supervisor
-COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator
+# Use a runtime image based on Debian slim.
+FROM debian:10.8-slim
+COPY --from=get-ca-bundle-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+# Copy the binaries from the build-env stage.
+COPY --from=build-env /work/out/ /usr/local/bin/
 
 # Document the ports
 EXPOSE 8080 8443

README.md

@@ -47,9 +47,15 @@ To learn more, see [architecture](https://pinniped.dev/docs/architecture/).
 
 Care to kick the tires? It's easy to [install and try Pinniped](https://pinniped.dev/docs/demo/).
 
+## Community Meetings
+
+Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occuring every first and third Thursday of the month at 9AM PT / 12PM PT. Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09) to attend and add any agenda items you wish to discuss to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view). Join our [Google Group](https://groups.google.com/u/1/g/project-pinniped) to receive invites to this meeting.
+
+If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
+
 ## Discussion
 
-Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page.
+Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page or reach out in Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
 
 ## Contributions
 

SECURITY.md

@@ -1,12 +1,92 @@
-# Reporting a Vulnerability
+# Security Release Process
 
-Pinniped development is sponsored by VMware, and the Pinniped team encourages users
-who become aware of a security vulnerability in Pinniped to report any potential
-vulnerabilities found to security@vmware.com. If possible, please include a description
-of the effects of the vulnerability, reproduction steps, and a description of in which
-version of Pinniped or its dependencies the vulnerability was discovered.
-The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
+Pinniped provides identity services for Kubernetes clusters. The community has adopted this security disclosure and response policy to ensure we responsibly handle critical issues.
 
-The Pinniped team hopes that users encountering a new vulnerability will contact
-us privately as it is in the best interests of our users that the Pinniped team has
-an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.
+## Supported Versions
+
+As of right now, only the latest version of Pinniped is supported.
+
+## Reporting a Vulnerability - Private Disclosure Process
+
+Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to Pinniped privately, to minimize attacks against current users of Pinniped before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.
+
+If you know of a publicly disclosed security vulnerability for Pinniped, please **IMMEDIATELY** contact the VMware Security Team (security@vmware.com). The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
+
+**IMPORTANT: Do not file public issues on GitHub for security vulnerabilities**
+
+To report a vulnerability or a security-related issue, please contact the VMware email address with the details of the vulnerability. The email will be fielded by the VMware Security Team and then shared with the Pinniped maintainers who have committer and release permissions. Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use [GitHub issues](https://github.com/vmware-tanzu/pinniped/issues/new/choose) instead.
+
+## Proposed Email Content
+
+Provide a descriptive subject line and in the body of the email include the following information:
+
+*   Basic identity information, such as your name and your affiliation or company.
+*   Detailed steps to reproduce the vulnerability  (POC scripts, screenshots, and logs are all helpful to us).
+*   Description of the effects of the vulnerability on Pinniped and the related hardware and software configurations, so that the VMware Security Team can reproduce it.
+*   How the vulnerability affects Pinniped usage and an estimation of the attack surface, if there is one.
+*   List other projects or dependencies that were used in conjunction with Pinniped to produce the vulnerability.
+
+## When to report a vulnerability
+
+*   When you think Pinniped has a potential security vulnerability.
+*   When you suspect a potential vulnerability but you are unsure that it impacts Pinniped.
+*   When you know of or suspect a potential vulnerability on another project that is used by Pinniped.
+
+## Patch, Release, and Disclosure
+
+The VMware Security Team will respond to vulnerability reports as follows:
+
+1. The Security Team will investigate the vulnerability and determine its effects and criticality.
+2. If the issue is not deemed to be a vulnerability, the Security Team will follow up with a detailed reason for rejection.
+3. The Security Team will initiate a conversation with the reporter within 3 business days.
+4. If a vulnerability is acknowledged and the timeline for a fix is determined, the Security Team will work on a plan to communicate with the appropriate community, including identifying mitigating steps that affected users can take to protect themselves until the fix is rolled out.
+5. The Security Team will also create a [CVSS](https://www.first.org/cvss/specification-document) using the [CVSS Calculator](https://www.first.org/cvss/calculator/3.0). The Security Team makes the final call on the calculated CVSS; it is better to move quickly than making the CVSS perfect. Issues may also be reported to [Mitre](https://cve.mitre.org/) using this [scoring calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The CVE will initially be set to private.
+6. The Security Team will work on fixing the vulnerability and perform internal testing before preparing to roll out the fix.
+7. The Security Team will provide early disclosure of the vulnerability by emailing the [Pinniped Distributors](https://groups.google.com/g/project-pinniped-distributors) mailing list. Distributors can initially plan for the vulnerability patch ahead of the fix, and later can test the fix and provide feedback to the Pinniped team. See the section **Early Disclosure to Pinniped Distributors List** for details about how to join this mailing list.
+8. A public disclosure date is negotiated by the VMware SecurityTeam, the bug submitter, and the distributors list. We prefer to fully disclose the bug as soon as possible once a user mitigation or patch is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for distributor coordination. The timeframe for disclosure is from immediate (especially if it’s already publicly known) to a few weeks. For a critical vulnerability with a straightforward mitigation, we expect the report date for the public disclosure date to be on the order of 14 business days. The VMware Security Team holds the final say when setting a public disclosure date.
+9. Once the fix is confirmed, the Security Team will patch the vulnerability in the next patch or minor release, and backport a patch release into all earlier supported releases. Upon release of the patched version of Pinniped, we will follow the **Public Disclosure Process**.
+
+## Public Disclosure Process
+
+The Security Team publishes a [public advisory](https://github.com/vmware-tanzu/pinniped/security/advisories) to the Pinniped community via GitHub. In most cases, additional communication via Slack, Twitter, mailing lists, blog and other channels will assist in educating Pinniped users and rolling out the patched release to affected users.
+
+The Security Team will also publish any mitigating steps users can take until the fix can be applied to their Pinniped instances. Pinniped distributors will handle creating and publishing their own security advisories.
+
+## Mailing lists
+
+*   Use security@vmware.com to report security concerns to the VMware Security Team, who uses the list to privately discuss security issues and fixes prior to disclosure. The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
+*   Join the [Pinniped Distributors](https://groups.google.com/g/project-pinniped-distributors) mailing list for early private information and vulnerability disclosure. Early disclosure may include mitigating steps and additional information on security patch releases. See below for information on how Pinniped distributors or vendors can apply to join this list.
+
+## Early Disclosure to Pinniped Distributors List
+
+The private list is intended to be used primarily to provide actionable information to multiple distributor projects at once. This list is not intended to inform individuals about security issues.
+
+## Membership Criteria
+
+To be eligible to join the [Pinniped Distributors](https://groups.google.com/g/project-pinniped-distributors) mailing list, you should:
+
+1. Be an active distributor of Pinniped.
+2. Have a user base that is not limited to your own organization.
+3. Have a publicly verifiable track record up to the present day of fixing security issues.
+4. Not be a downstream or rebuild of another distributor.
+5. Be a participant and active contributor in the Pinniped community.
+6. Accept the Embargo Policy that is outlined below.
+7. Have someone who is already on the list vouch for the person requesting membership on behalf of your distribution.
+
+**The terms and conditions of the Embargo Policy apply to all members of this mailing list. A request for membership represents your acceptance to the terms and conditions of the Embargo Policy.**
+
+## Embargo Policy
+
+The information that members receive on the Pinniped Distributors mailing list must not be made public, shared, or even hinted at anywhere beyond those who need to know within your specific team, unless you receive explicit approval to do so from the VMware Security Team. This remains true until the public disclosure date/time agreed upon by the list. Members of the list and others cannot use the information for any reason other than to get the issue fixed for your respective distribution's users.
+
+Before you share any information from the list with members of your team who are required to fix the issue, these team members must agree to the same terms, and only be provided with information on a need-to-know basis.
+
+In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the VMware Security Team (security@vmware.com) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.
+
+## Requesting to Join
+
+Send new membership requests to https://groups.google.com/g/project-pinniped-distributors. In the body of your request please specify how you qualify for membership and fulfill each criterion listed in the Membership Criteria section above.
+
+## Confidentiality, integrity and availability
+
+We consider vulnerabilities leading to the compromise of data confidentiality, elevation of privilege, or integrity to be our highest priority concerns. Availability, in particular in areas relating to DoS and resource exhaustion, is also a serious security concern. The VMware Security Team takes all vulnerabilities, potential vulnerabilities, and suspected vulnerabilities seriously and will investigate them in an urgent and expeditious manner.

apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl

@@ -57,9 +57,11 @@ type JWTTokenClaims struct {
 // signature, existence of claims, etc.) and extract the username and groups from the token.
 //
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:subresource:status
 type JWTAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl

@@ -29,9 +29,11 @@ type WebhookAuthenticatorSpec struct {
 
 // WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:subresource:status
 type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -67,13 +67,16 @@ type CredentialIssuerStrategy struct {
 
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:resource:categories=pinniped,scope=Cluster
+// +kubebuilder:subresource:status
 type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	// Status of the credential issuer.
+	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 

apis/concierge/login/types_token.go.tmpl

@@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
 }
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
-// +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta

apis/concierge/login/v1alpha1/types_token.go.tmpl

@@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta   `json:",inline"`

apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl

@@ -109,6 +109,7 @@ type FederationDomainStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
+// +kubebuilder:subresource:status
 type FederationDomain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

cmd/pinniped-supervisor/main.go

@@ -37,6 +37,7 @@ import (
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/deploymentref"
 	"go.pinniped.dev/internal/downward"
+	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/oidc/jwks"
 	"go.pinniped.dev/internal/oidc/provider"
@@ -174,8 +175,8 @@ func startControllers(
 						secretCache.SetTokenHMACKey(federationDomainIssuer, symmetricKey)
 					},
 				),
-				func(fd *configv1alpha1.FederationDomain) *corev1.LocalObjectReference {
-					return &fd.Status.Secrets.TokenSigningKey
+				func(fd *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference {
+					return &fd.Secrets.TokenSigningKey
 				},
 				kubeClient,
 				pinnipedClient,
@@ -197,8 +198,8 @@ func startControllers(
 						secretCache.SetStateEncoderHashKey(federationDomainIssuer, symmetricKey)
 					},
 				),
-				func(fd *configv1alpha1.FederationDomain) *corev1.LocalObjectReference {
-					return &fd.Status.Secrets.StateSigningKey
+				func(fd *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference {
+					return &fd.Secrets.StateSigningKey
 				},
 				kubeClient,
 				pinnipedClient,
@@ -220,8 +221,8 @@ func startControllers(
 						secretCache.SetStateEncoderBlockKey(federationDomainIssuer, symmetricKey)
 					},
 				),
-				func(fd *configv1alpha1.FederationDomain) *corev1.LocalObjectReference {
-					return &fd.Status.Secrets.StateEncryptionKey
+				func(fd *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference {
+					return &fd.Secrets.StateEncryptionKey
 				},
 				kubeClient,
 				pinnipedClient,
@@ -258,13 +259,15 @@ func run(podInfo *downward.PodInfo, cfg *supervisor.Config) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	// TODO remove code that relies on supervisorDeployment directly
 	dref, supervisorDeployment, err := deploymentref.New(podInfo)
 	if err != nil {
 		return fmt.Errorf("cannot create deployment ref: %w", err)
 	}
 
-	client, err := kubeclient.New(dref)
+	client, err := kubeclient.New(
+		dref,
+		kubeclient.WithMiddleware(groupsuffix.New(*cfg.APIGroupSuffix)),
+	)
 	if err != nil {
 		return fmt.Errorf("cannot create k8s client: %w", err)
 	}

cmd/pinniped/cmd/cobra_util.go

@@ -22,3 +22,9 @@ func mustMarkHidden(cmd *cobra.Command, flags ...string) {
 		}
 	}
 }
+
+func mustMarkDeprecated(cmd *cobra.Command, flag, usageMessage string) {
+	if err := cmd.Flags().MarkDeprecated(flag, usageMessage); err != nil {
+		panic(err)
+	}
+}

cmd/pinniped/cmd/deprecated.go

@@ -1,136 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package cmd
-
-import (
-	"encoding/base64"
-	"fmt"
-	"os"
-
-	"github.com/spf13/cobra"
-
-	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/internal/plog"
-)
-
-//nolint: gochecknoinits
-func init() {
-	rootCmd.AddCommand(legacyGetKubeconfigCommand(kubeconfigRealDeps()))
-	rootCmd.AddCommand(legacyExchangeTokenCommand(staticLoginRealDeps()))
-}
-
-func legacyGetKubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
-	var (
-		cmd = &cobra.Command{
-			Hidden:     true,
-			Deprecated: "Please use `pinniped get kubeconfig` instead.",
-
-			Args:  cobra.NoArgs, // do not accept positional arguments for this command
-			Use:   "get-kubeconfig",
-			Short: "Print a kubeconfig for authenticating into a cluster via Pinniped",
-			Long: here.Doc(`
-			Print a kubeconfig for authenticating into a cluster via Pinniped.
-			Requires admin-like access to the cluster using the current
-			kubeconfig context in order to access Pinniped's metadata.
-			The current kubeconfig is found similar to how kubectl finds it:
-			using the value of the --kubeconfig option, or if that is not
-			specified then from the value of the KUBECONFIG environment
-			variable, or if that is not specified then it defaults to
-			.kube/config in your home directory.
-			Prints a kubeconfig which is suitable to access the cluster using
-			Pinniped as the authentication mechanism. This kubeconfig output
-			can be saved to a file and used with future kubectl commands, e.g.:
-				pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig
-				kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods
-		`),
-		}
-		token             string
-		kubeconfig        string
-		contextOverride   string
-		namespace         string
-		authenticatorType string
-		authenticatorName string
-	)
-
-	cmd.Flags().StringVar(&token, "token", "", "Credential to include in the resulting kubeconfig output (Required)")
-	cmd.Flags().StringVar(&kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	cmd.Flags().StringVar(&contextOverride, "kubeconfig-context", "", "Kubeconfig context override")
-	cmd.Flags().StringVar(&namespace, "pinniped-namespace", "pinniped-concierge", "Namespace in which Pinniped was installed")
-	cmd.Flags().StringVar(&authenticatorType, "authenticator-type", "", "Authenticator type (e.g., 'webhook', 'jwt')")
-	cmd.Flags().StringVar(&authenticatorName, "authenticator-name", "", "Authenticator name")
-	mustMarkRequired(cmd, "token")
-	plog.RemoveKlogGlobalFlags()
-	cmd.RunE = func(cmd *cobra.Command, args []string) error {
-		return runGetKubeconfig(cmd.OutOrStdout(), deps, getKubeconfigParams{
-			kubeconfigPath:            kubeconfig,
-			kubeconfigContextOverride: contextOverride,
-			staticToken:               token,
-			concierge: getKubeconfigConciergeParams{
-				namespace:         namespace,
-				authenticatorName: authenticatorName,
-				authenticatorType: authenticatorType,
-			},
-		})
-	}
-	return cmd
-}
-
-func legacyExchangeTokenCommand(deps staticLoginDeps) *cobra.Command {
-	cmd := &cobra.Command{
-		Hidden:     true,
-		Deprecated: "Please use `pinniped login static` instead.",
-
-		Args:  cobra.NoArgs, // do not accept positional arguments for this command
-		Use:   "exchange-credential",
-		Short: "Exchange a credential for a cluster-specific access credential",
-		Long: here.Doc(`
-			Exchange a credential which proves your identity for a time-limited,
-			cluster-specific access credential.
-			Designed to be conveniently used as an credential plugin for kubectl.
-			See the help message for 'pinniped get-kubeconfig' for more
-			information about setting up a kubeconfig file using Pinniped.
-			Requires all of the following environment variables, which are
-			typically set in the kubeconfig:
-			  - PINNIPED_TOKEN: the token to send to Pinniped for exchange
-			  - PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
-			    against
-			  - PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
-			    against (e.g., "webhook", "jwt")
-			  - PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
-			    against
-			  - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
-				Pinniped's HTTPS endpoint
-			  - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
-				exchange API
-			For more information about credential plugins in general, see
-			https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
-		`),
-	}
-	plog.RemoveKlogGlobalFlags()
-	cmd.RunE = func(cmd *cobra.Command, args []string) error {
-		// Make a little helper to grab OS environment variables and keep a list that were missing.
-		var missing []string
-		getEnv := func(name string) string {
-			value, ok := os.LookupEnv(name)
-			if !ok {
-				missing = append(missing, name)
-			}
-			return value
-		}
-		flags := staticLoginParams{
-			staticToken:                getEnv("PINNIPED_TOKEN"),
-			conciergeEnabled:           true,
-			conciergeNamespace:         getEnv("PINNIPED_NAMESPACE"),
-			conciergeAuthenticatorType: getEnv("PINNIPED_AUTHENTICATOR_TYPE"),
-			conciergeAuthenticatorName: getEnv("PINNIPED_AUTHENTICATOR_NAME"),
-			conciergeEndpoint:          getEnv("PINNIPED_K8S_API_ENDPOINT"),
-			conciergeCABundle:          base64.StdEncoding.EncodeToString([]byte(getEnv("PINNIPED_CA_BUNDLE"))),
-		}
-		if len(missing) > 0 {
-			return fmt.Errorf("failed to get credential: required environment variable(s) not set: %v", missing)
-		}
-		return runStaticLogin(cmd.OutOrStdout(), deps, flags)
-	}
-	return cmd
-}

cmd/pinniped/cmd/kubeconfig.go

@@ -15,7 +15,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@@ -26,23 +26,27 @@ import (
 
 	conciergev1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/authentication/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/1.20/client/concierge/clientset/versioned"
+	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 )
 
 type kubeconfigDeps struct {
 	getPathToSelf func() (string, error)
-	getClientset  func(clientcmd.ClientConfig) (conciergeclientset.Interface, error)
+	getClientset  func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error)
 }
 
 func kubeconfigRealDeps() kubeconfigDeps {
 	return kubeconfigDeps{
 		getPathToSelf: os.Executable,
-		getClientset: func(clientConfig clientcmd.ClientConfig) (conciergeclientset.Interface, error) {
+		getClientset: func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
 			restConfig, err := clientConfig.ClientConfig()
 			if err != nil {
 				return nil, err
 			}
-			client, err := kubeclient.New(kubeclient.WithConfig(restConfig))
+			client, err := kubeclient.New(
+				kubeclient.WithConfig(restConfig),
+				kubeclient.WithMiddleware(groupsuffix.New(apiGroupSuffix)),
+			)
 			if err != nil {
 				return nil, err
 			}
@@ -70,9 +74,9 @@ type getKubeconfigOIDCParams struct {
 
 type getKubeconfigConciergeParams struct {
 	disabled          bool
-	namespace         string
 	authenticatorName string
 	authenticatorType string
+	apiGroupSuffix    string
 }
 
 type getKubeconfigParams struct {
@@ -86,13 +90,14 @@ type getKubeconfigParams struct {
 
 func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "kubeconfig",
 			Short:        "Generate a Pinniped-based kubeconfig for a cluster",
 			SilenceUsage: true,
 		}
-		flags getKubeconfigParams
+		flags     getKubeconfigParams
+		namespace string // unused now
 	)
 
 	f := cmd.Flags()
@@ -100,9 +105,10 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment")
 
 	f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly")
-	f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
 	f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
+	f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
 
 	f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
 	f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
@@ -116,14 +122,22 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
 	f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
 
-	mustMarkHidden(&cmd, "oidc-debug-session-cache")
+	mustMarkHidden(cmd, "oidc-debug-session-cache")
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runGetKubeconfig(cmd.OutOrStdout(), deps, flags) }
-	return &cmd
+	return cmd
 }
 
 //nolint:funlen
 func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigParams) error {
+	// Validate api group suffix and immediately return an error if it is invalid.
+	if err := groupsuffix.Validate(flags.concierge.apiGroupSuffix); err != nil {
+		return fmt.Errorf("invalid api group suffix: %w", err)
+	}
+
 	execConfig := clientcmdapi.ExecConfig{
 		APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
 		Args:       []string{},
@@ -151,7 +165,7 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
 	if err != nil {
 		return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
 	}
-	clientset, err := deps.getClientset(clientConfig)
+	clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
 	if err != nil {
 		return fmt.Errorf("could not configure Kubernetes client: %w", err)
 	}
@@ -159,7 +173,6 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
 	if !flags.concierge.disabled {
 		authenticator, err := lookupAuthenticator(
 			clientset,
-			flags.concierge.namespace,
 			flags.concierge.authenticatorType,
 			flags.concierge.authenticatorName,
 		)
@@ -249,7 +262,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
 		if *oidcCABundle == "" && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" {
 			decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData)
 			if err != nil {
-				return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s/%s has invalid spec.tls.certificateAuthorityData: %w", auth.Namespace, auth.Name, err)
+				return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err)
 			}
 			*oidcCABundle = string(decoded)
 		}
@@ -258,7 +271,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
 	// Append the flags to configure the Concierge credential exchange at runtime.
 	execConfig.Args = append(execConfig.Args,
 		"--enable-concierge",
-		"--concierge-namespace="+flags.concierge.namespace,
+		"--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix,
 		"--concierge-authenticator-name="+flags.concierge.authenticatorName,
 		"--concierge-authenticator-type="+flags.concierge.authenticatorType,
 		"--concierge-endpoint="+v1Cluster.Server,
@@ -294,7 +307,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
 	}
 }
 
-func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, authType, authName string) (metav1.Object, error) {
+func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string) (metav1.Object, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
@@ -302,9 +315,9 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 	if authName != "" && authType != "" {
 		switch strings.ToLower(authType) {
 		case "webhook":
-			return clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{})
+			return clientset.AuthenticationV1alpha1().WebhookAuthenticators().Get(ctx, authName, metav1.GetOptions{})
 		case "jwt":
-			return clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{})
+			return clientset.AuthenticationV1alpha1().JWTAuthenticators().Get(ctx, authName, metav1.GetOptions{})
 		default:
 			return nil, fmt.Errorf(`invalid authenticator type %q, supported values are "webhook" and "jwt"`, authType)
 		}
@@ -312,11 +325,11 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 
 	// Otherwise list all the available authenticators and hope there's just a single one.
 
-	jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).List(ctx, metav1.ListOptions{})
+	jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators().List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to list JWTAuthenticator objects for autodiscovery: %w", err)
 	}
-	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators().List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to list WebhookAuthenticator objects for autodiscovery: %w", err)
 	}
@@ -329,10 +342,10 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 		results = append(results, &webhooks.Items[i])
 	}
 	if len(results) == 0 {
-		return nil, fmt.Errorf("no authenticators were found in namespace %q (try setting --concierge-namespace)", namespace)
+		return nil, fmt.Errorf("no authenticators were found")
 	}
 	if len(results) > 1 {
-		return nil, fmt.Errorf("multiple authenticators were found in namespace %q, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified", namespace)
+		return nil, fmt.Errorf("multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified")
 	}
 	return results[0], nil
 }

cmd/pinniped/cmd/kubeconfig_test.go

@@ -46,6 +46,7 @@ func TestGetKubeconfig(t *testing.T) {
 		wantStdout         string
 		wantStderr         string
 		wantOptionsCount   int
+		wantAPIGroupSuffix string
 	}{
 		{
 			name: "help flag passed",
@@ -57,9 +58,9 @@ func TestGetKubeconfig(t *testing.T) {
 				  kubeconfig [flags]
 
 				Flags:
+				      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
 				      --concierge-authenticator-name string   Concierge authenticator name (default: autodiscover)
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				  -h, --help                                  help for kubeconfig
 				      --kubeconfig string                     Path to kubeconfig file
 				      --kubeconfig-context string             Kubeconfig context name (default: current active context)
@@ -208,34 +209,32 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace)
+				Error: no authenticators were found
 			`),
 		},
 		{
 			name: "fail to autodetect authenticator, multiple found",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1", Namespace: "test-namespace"}},
-				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2", Namespace: "test-namespace"}},
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3", Namespace: "test-namespace"}},
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}},
+				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
+				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
+				Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
 			`),
 		},
 		{
 			name: "autodetect webhook authenticator, missing --oidc-issuer",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
@@ -246,11 +245,10 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "autodetect JWT authenticator, invalid TLS bundle",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.JWTAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 					Spec: conciergev1alpha1.JWTAuthenticatorSpec{
 						TLS: &conciergev1alpha1.TLSSpec{
 							CertificateAuthorityData: "invalid-base64",
@@ -260,34 +258,42 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
+				Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
 			`),
 		},
 		{
 			name: "invalid static token flags",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token", "test-token",
 				"--static-token-env", "TEST_TOKEN",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
 				Error: only one of --static-token and --static-token-env can be specified
 			`),
 		},
+		{
+			name: "invalid api group suffix",
+			args: []string{
+				"--concierge-api-group-suffix", ".starts.with.dot",
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: invalid api group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
+			`),
+		},
 		{
 			name: "valid static token",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token", "test-token",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantStdout: here.Doc(`
         		apiVersion: v1
@@ -313,7 +319,7 @@ func TestGetKubeconfig(t *testing.T) {
         		      - login
         		      - static
         		      - --enable-concierge
-        		      - --concierge-namespace=test-namespace
+        		      - --concierge-api-group-suffix=pinniped.dev
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -328,11 +334,10 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "valid static token from env var",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token-env", "TEST_TOKEN",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantStdout: here.Doc(`
         		apiVersion: v1
@@ -358,7 +363,7 @@ func TestGetKubeconfig(t *testing.T) {
         		      - login
         		      - static
         		      - --enable-concierge
-        		      - --concierge-namespace=test-namespace
+        		      - --concierge-api-group-suffix=pinniped.dev
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -376,7 +381,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.JWTAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 					Spec: conciergev1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://example.com/issuer",
 						Audience: "test-audience",
@@ -410,7 +415,7 @@ func TestGetKubeconfig(t *testing.T) {
         		      - login
         		      - oidc
         		      - --enable-concierge
-        		      - --concierge-namespace=pinniped-concierge
+        		      - --concierge-api-group-suffix=pinniped.dev
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=jwt
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -429,6 +434,7 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "autodetect nothing, set a bunch of options",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
+				"--concierge-api-group-suffix", "tuna.io",
 				"--concierge-authenticator-type", "webhook",
 				"--concierge-authenticator-name", "test-authenticator",
 				"--oidc-issuer", "https://example.com/issuer",
@@ -441,7 +447,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.WebhookAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 				},
 			},
 			wantStdout: here.Docf(`
@@ -468,7 +474,7 @@ func TestGetKubeconfig(t *testing.T) {
         		      - login
         		      - oidc
         		      - --enable-concierge
-        		      - --concierge-namespace=pinniped-concierge
+        		      - --concierge-api-group-suffix=tuna.io
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -486,6 +492,7 @@ func TestGetKubeconfig(t *testing.T) {
         		      env: []
         		      provideClusterInfo: true
 			`, base64.StdEncoding.EncodeToString(testCA.Bundle())),
+			wantAPIGroupSuffix: "tuna.io",
 		},
 	}
 	for _, tt := range tests {
@@ -498,7 +505,12 @@ func TestGetKubeconfig(t *testing.T) {
 					}
 					return ".../path/to/pinniped", nil
 				},
-				getClientset: func(clientConfig clientcmd.ClientConfig) (conciergeclientset.Interface, error) {
+				getClientset: func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
+					if tt.wantAPIGroupSuffix == "" {
+						require.Equal(t, "pinniped.dev", apiGroupSuffix) // "pinniped.dev" = api group suffix default
+					} else {
+						require.Equal(t, tt.wantAPIGroupSuffix, apiGroupSuffix)
+					}
 					if tt.getClientsetErr != nil {
 						return nil, tt.getClientsetErr
 					}

cmd/pinniped/cmd/login_oidc.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -16,7 +16,7 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@@ -59,22 +59,23 @@ type oidcLoginFlags struct {
 	debugSessionCache          bool
 	requestAudience            string
 	conciergeEnabled           bool
-	conciergeNamespace         string
 	conciergeAuthenticatorType string
 	conciergeAuthenticatorName string
 	conciergeEndpoint          string
 	conciergeCABundle          string
+	conciergeAPIGroupSuffix    string
 }
 
 func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "oidc --issuer ISSUER",
 			Short:        "Login using an OpenID Connect provider",
 			SilenceUsage: true,
 		}
-		flags oidcLoginFlags
+		flags              oidcLoginFlags
+		conciergeNamespace string // unused now
 	)
 	cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL")
 	cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID")
@@ -87,16 +88,21 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache")
 	cmd.Flags().StringVar(&flags.requestAudience, "request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
 	cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the OIDC ID token with the Pinniped concierge during login")
-	cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
 	cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
 	cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
+	cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
 
-	mustMarkHidden(&cmd, "debug-session-cache")
-	mustMarkRequired(&cmd, "issuer")
+	mustMarkHidden(cmd, "debug-session-cache")
+	mustMarkRequired(cmd, "issuer")
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) }
-	return &cmd
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
+
+	return cmd
 }
 
 func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error {
@@ -131,10 +137,10 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	if flags.conciergeEnabled {
 		var err error
 		concierge, err = conciergeclient.New(
-			conciergeclient.WithNamespace(flags.conciergeNamespace),
 			conciergeclient.WithEndpoint(flags.conciergeEndpoint),
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
+			conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
 		)
 		if err != nil {
 			return fmt.Errorf("invalid concierge parameters: %w", err)

cmd/pinniped/cmd/login_oidc_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -60,11 +60,11 @@ func TestLoginOIDCCommand(t *testing.T) {
 				      --ca-bundle strings                     Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
 				      --ca-bundle-data strings                Base64 endcoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
 				      --client-id string                      OpenID Connect client ID (default "pinniped-cli")
+				      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
 				      --concierge-authenticator-name string   Concierge authenticator name
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
 				      --concierge-ca-bundle-data string       CA bundle to use when connecting to the concierge
 				      --concierge-endpoint string             API base for the Pinniped concierge endpoint
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				      --enable-concierge                      Exchange the OIDC ID token with the Pinniped concierge during login
 				  -h, --help                                  help for oidc
 				      --issuer string                         OpenID Connect issuer URL
@@ -119,6 +119,21 @@ func TestLoginOIDCCommand(t *testing.T) {
 				Error: could not read --ca-bundle-data: illegal base64 data at input byte 7
 			`),
 		},
+		{
+			name: "invalid api group suffix",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--enable-concierge",
+				"--concierge-api-group-suffix", ".starts.with.dot",
+				"--concierge-authenticator-type", "jwt",
+				"--concierge-authenticator-name", "test-authenticator",
+				"--concierge-endpoint", "https://127.0.0.1:1234/",
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: invalid concierge parameters: invalid api group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
+			`),
+		},
 		{
 			name: "login error",
 			args: []string{
@@ -170,11 +185,11 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
 				"--ca-bundle", testCABundlePath,
 				"--enable-concierge",
-				"--concierge-namespace", "test-namespace",
 				"--concierge-authenticator-type", "webhook",
 				"--concierge-authenticator-name", "test-authenticator",
 				"--concierge-endpoint", "https://127.0.0.1:1234/",
 				"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
+				"--concierge-api-group-suffix", "some.suffix.com",
 			},
 			wantOptionsCount: 7,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n",

cmd/pinniped/cmd/login_static.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -41,33 +41,39 @@ type staticLoginParams struct {
 	staticToken                string
 	staticTokenEnvName         string
 	conciergeEnabled           bool
-	conciergeNamespace         string
 	conciergeAuthenticatorType string
 	conciergeAuthenticatorName string
 	conciergeEndpoint          string
 	conciergeCABundle          string
+	conciergeAPIGroupSuffix    string
 }
 
 func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "static [--token TOKEN] [--token-env TOKEN_NAME]",
 			Short:        "Login using a static token",
 			SilenceUsage: true,
 		}
-		flags staticLoginParams
+		flags              staticLoginParams
+		conciergeNamespace string // unused now
 	)
 	cmd.Flags().StringVar(&flags.staticToken, "token", "", "Static token to present during login")
 	cmd.Flags().StringVar(&flags.staticTokenEnvName, "token-env", "", "Environment variable containing a static token")
 	cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the token with the Pinniped concierge during login")
-	cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
 	cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
 	cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
+	cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
-	return &cmd
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
+
+	return cmd
 }
 
 func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error {
@@ -79,10 +85,10 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 	if flags.conciergeEnabled {
 		var err error
 		concierge, err = conciergeclient.New(
-			conciergeclient.WithNamespace(flags.conciergeNamespace),
 			conciergeclient.WithEndpoint(flags.conciergeEndpoint),
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
+			conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
 		)
 		if err != nil {
 			return fmt.Errorf("invalid concierge parameters: %w", err)

cmd/pinniped/cmd/login_static_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -51,11 +51,11 @@ func TestLoginStaticCommand(t *testing.T) {
 				  static [--token TOKEN] [--token-env TOKEN_NAME] [flags]
 
 				Flags:
+				      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
 				      --concierge-authenticator-name string   Concierge authenticator name
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
 				      --concierge-ca-bundle-data string       CA bundle to use when connecting to the concierge
 				      --concierge-endpoint string             API base for the Pinniped concierge endpoint
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				      --enable-concierge                      Exchange the token with the Pinniped concierge during login
 				  -h, --help                                  help for static
 				      --token string                          Static token to present during login
@@ -129,6 +129,21 @@ func TestLoginStaticCommand(t *testing.T) {
 				Error: could not complete concierge credential exchange: some concierge error
 			`),
 		},
+		{
+			name: "invalid api group suffix",
+			args: []string{
+				"--token", "test-token",
+				"--enable-concierge",
+				"--concierge-api-group-suffix", ".starts.with.dot",
+				"--concierge-authenticator-type", "jwt",
+				"--concierge-authenticator-name", "test-authenticator",
+				"--concierge-endpoint", "https://127.0.0.1:1234/",
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: invalid concierge parameters: invalid api group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
+			`),
+		},
 		{
 			name: "static token success",
 			args: []string{

cmd/pinniped/cmd/root.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -7,6 +7,8 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
+
+	"go.pinniped.dev/internal/plog"
 )
 
 //nolint: gochecknoglobals
@@ -17,6 +19,12 @@ var rootCmd = &cobra.Command{
 	SilenceUsage: true, // do not print usage message when commands fail
 }
 
+//nolint: gochecknoinits
+func init() {
+	// We don't want klog flags showing up in our CLI.
+	plog.RemoveKlogGlobalFlags()
+}
+
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {

deploy/concierge/README.md

@@ -10,17 +10,17 @@ for details.
 ## Installing the Latest Version with Default Options
 
 ```bash
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/$(curl https://api.github.com/repos/vmware-tanzu/pinniped/releases/latest -s | jq .name -r)/install-pinniped-concierge.yaml
+kubectl apply -f https://get.pinniped.dev/latest/install-pinniped-concierge.yaml
 ```
 
-## Installing an Older Version with Default Options
+## Installing a Specific Version with Default Options
 
 Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
 and use it to replace the version number in the URL below.
 
 ```bash
-# Replace v0.2.0 with your preferred version in the URL below
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2.0/install-pinniped-concierge.yaml
+# Replace v0.4.1 with your preferred version in the URL below
+kubectl apply -f https://get.pinniped.dev/v0.4.1/install-pinniped-concierge.yaml
 ```
 
 ## Installing with Custom Options

deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -18,7 +18,7 @@ spec:
     listKind: JWTAuthenticatorList
     plural: jwtauthenticators
     singular: jwtauthenticator
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.issuer
@@ -161,7 +161,8 @@ spec:
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -18,7 +18,7 @@ spec:
     listKind: WebhookAuthenticatorList
     plural: webhookauthenticators
     singular: webhookauthenticator
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.endpoint
@@ -137,7 +137,8 @@ spec:
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -16,7 +16,7 @@ spec:
     listKind: CredentialIssuerList
     plural: credentialissuers
     singular: credentialissuer
-  scope: Namespaced
+  scope: Cluster
   versions:
   - name: v1alpha1
     schema:
@@ -98,11 +98,11 @@ spec:
             required:
             - strategies
             type: object
-        required:
-        - status
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

deploy/concierge/deployment.yaml

@@ -3,7 +3,7 @@
 
 #@ load("@ytt:data", "data")
 #@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel")
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
 
 #@ if not data.values.into_namespace:
 ---
@@ -37,6 +37,7 @@ data:
       servingCertificate:
         durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
         renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
+    apiGroupSuffix: (@= data.values.api_group_suffix @)
     names:
       servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
       credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
@@ -90,8 +91,8 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       securityContext:
-        runAsUser: 1001
-        runAsGroup: 1001
+        runAsUser: #@ data.values.run_as_user
+        runAsGroup: #@ data.values.run_as_group
       serviceAccountName: #@ defaultResourceName()
       #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
       imagePullSecrets:
@@ -191,11 +192,11 @@ spec:
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: v1alpha1.login.concierge.pinniped.dev
+  name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.login.concierge")
   labels: #@ labels()
 spec:
   version: v1alpha1
-  group: login.concierge.pinniped.dev
+  group: #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
   groupPriorityMinimum: 2500
   versionPriority: 10
   #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.

deploy/concierge/helpers.lib.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -12,6 +12,10 @@
 #@   return data.values.app_name + "-" + suffix
 #@ end
 
+#@ def pinnipedDevAPIGroupWithPrefix(prefix):
+#@   return prefix + "." + data.values.api_group_suffix
+#@ end
+
 #@ def namespace():
 #@   if data.values.into_namespace:
 #@     return data.values.into_namespace

deploy/concierge/rbac.yaml

@@ -2,7 +2,7 @@
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
+#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
 
 #! Give permission to various cluster-scoped objects
 ---
@@ -17,10 +17,13 @@ rules:
     verbs: [ get, list, watch ]
   - apiGroups: [ apiregistration.k8s.io ]
     resources: [ apiservices ]
-    verbs: [ create, get, list, patch, update, watch ]
+    verbs: [ get, list, patch, update, watch ]
   - apiGroups: [ admissionregistration.k8s.io ]
     resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
     verbs: [ get, list, watch ]
+  - apiGroups: [ flowcontrol.apiserver.k8s.io ]
+    resources: [ flowschemas, prioritylevelconfigurations ]
+    verbs: [ get, list, watch ]
   - apiGroups: [ policy ]
     resources: [ podsecuritypolicies ]
     verbs: [ use ]
@@ -28,6 +31,18 @@ rules:
     resources: [ securitycontextconstraints ]
     verbs: [ use ]
     resourceNames: [ nonroot ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
+    resources: [ credentialissuers ]
+    verbs: [ get, list, watch, create ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
+    resources: [ credentialissuers/status ]
+    verbs: [get, patch, update]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
+    resources: [ jwtauthenticators, webhookauthenticators ]
+    verbs: [ get, list, watch ]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -66,9 +81,6 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups: [ config.concierge.pinniped.dev, authentication.concierge.pinniped.dev ]
-    resources: [ "*" ]
-    verbs: [ create, get, list, update, watch ]
   - apiGroups: [apps]
     resources: [replicasets,deployments]
     verbs: [get]
@@ -124,7 +136,8 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
   labels: #@ labels()
 rules:
-  - apiGroups: [ login.concierge.pinniped.dev ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
     resources: [ tokencredentialrequests ]
     verbs: [ create ]
 ---

deploy/concierge/values.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@data/values
@@ -54,3 +54,12 @@ api_serving_certificate_renew_before_seconds: 2160000
 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer
 #! information), trace (timing information), all (kitchen sink).
 log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
+
+#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
+#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
+#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
+#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+api_group_suffix: pinniped.dev

deploy/concierge/z0_crd_overlay.yaml

@@ -1,23 +1,33 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
-#@ load("helpers.lib.yaml", "labels")
+#@ load("helpers.lib.yaml", "labels", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:data", "data")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuers.config.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("credentialissuers.config.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("webhookauthenticators.authentication.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"jwtauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("jwtauthenticators.authentication.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")

deploy/local-user-authenticator/README.md

@@ -15,17 +15,17 @@ User accounts can be created and edited dynamically using `kubectl` commands (se
 ## Installing the Latest Version with Default Options
 
 ```bash
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/latest/download/install-local-user-authenticator.yaml
+kubectl apply -f https://get.pinniped.dev/latest/install-local-user-authenticator.yaml
 ```
 
-## Installing an Older Version with Default Options
+## Installing a Specific Version with Default Options
 
 Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
 and use it to replace the version number in the URL below.
 
 ```bash
-# Replace v0.2.0 with your preferred version in the URL below
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.2.0/install-local-user-authenticator.yaml
+# Replace v0.4.1 with your preferred version in the URL below
+kubectl apply -f https://get.pinniped.dev/v0.4.1/install-local-user-authenticator.yaml
 ```
 
 ## Installing with Custom Options

deploy/local-user-authenticator/deployment.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -48,8 +48,8 @@ spec:
         app: local-user-authenticator
     spec:
       securityContext:
-        runAsUser: 1001
-        runAsGroup: 1001
+        runAsUser: #@ data.values.run_as_user
+        runAsGroup: #@ data.values.run_as_group
       serviceAccountName: local-user-authenticator
       #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
       imagePullSecrets:

deploy/local-user-authenticator/values.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@data/values
@@ -14,3 +14,6 @@ image_tag: latest
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process

deploy/supervisor/README.md

@@ -8,17 +8,17 @@ It can be deployed when those features are needed.
 ## Installing the Latest Version with Default Options
 
 ```bash
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/latest/download/install-pinniped-supervisor.yaml
+kubectl apply -f https://get.pinniped.dev/latest/install-pinniped-supervisor.yaml
 ```
 
-## Installing an Older Version with Default Options
+## Installing a Specific Version with Default Options
 
 Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
 and use it to replace the version number in the URL below.
 
 ```bash
-# Replace v0.3.0 with your preferred version in the URL below
-kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.3.0/install-pinniped-supervisor.yaml
+# Replace v0.4.1 with your preferred version in the URL below
+kubectl apply -f https://get.pinniped.dev/v0.4.1/install-pinniped-supervisor.yaml
 ```
 
 ## Installing with Custom Options

deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -150,6 +150,8 @@ spec:
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

deploy/supervisor/deployment.yaml

@@ -30,6 +30,7 @@ metadata:
 data:
   #@yaml/text-templated-strings
   pinniped.yaml: |
+    apiGroupSuffix: (@= data.values.api_group_suffix @)
     names:
       defaultTLSCertificateSecret: (@= defaultResourceNameWithSuffix("default-tls-certificate") @)
     labels: (@= json.encode(labels()).rstrip() @)
@@ -64,8 +65,8 @@ spec:
       labels: #@ defaultLabel()
     spec:
       securityContext:
-        runAsUser: 1001
-        runAsGroup: 1001
+        runAsUser: #@ data.values.run_as_user
+        runAsGroup: #@ data.values.run_as_group
       serviceAccountName: #@ defaultResourceName()
       #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
       imagePullSecrets:
@@ -101,15 +102,6 @@ spec:
               protocol: TCP
             - containerPort: 8443
               protocol: TCP
-          env:
-            #@ if data.values.https_proxy:
-            - name: HTTPS_PROXY
-              value: #@ data.values.https_proxy
-            #@ end
-            #@ if data.values.no_proxy:
-            - name: NO_PROXY
-              value: #@ data.values.no_proxy
-            #@ end
           livenessProbe:
             httpGet:
               path: /healthz

deploy/supervisor/helpers.lib.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -12,6 +12,10 @@
 #@   return data.values.app_name + "-" + suffix
 #@ end
 
+#@ def pinnipedDevAPIGroupWithPrefix(prefix):
+#@   return prefix + "." + data.values.api_group_suffix
+#@ end
+
 #@ def namespace():
 #@   if data.values.into_namespace:
 #@     return data.values.into_namespace

deploy/supervisor/rbac.yaml

@@ -1,8 +1,8 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
+#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
 
 #! Give permission to various objects within the app's own namespace
 ---
@@ -16,13 +16,20 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create, get, list, patch, update, watch, delete]
-  - apiGroups: [config.supervisor.pinniped.dev]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
     resources: [federationdomains]
-    verbs: [update, get, list, watch]
-  - apiGroups: [idp.supervisor.pinniped.dev]
+    verbs: [get, list, watch]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
+    resources: [federationdomains/status]
+    verbs: [get, patch, update]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
     resources: [oidcidentityproviders]
     verbs: [get, list, watch]
-  - apiGroups: [idp.supervisor.pinniped.dev]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
     resources: [oidcidentityproviders/status]
     verbs: [get, patch, update]
     #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set

deploy/supervisor/values.yaml

@@ -57,10 +57,11 @@ service_loadbalancer_ip: #! e.g. 1.2.3.4
 #! information), trace (timing information), all (kitchen sink).
 log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
 
-#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
-#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
-#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
-#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
-#! Optional.
-https_proxy: #! e.g. http://proxy.example.com
-no_proxy: #! e.g. 127.0.0.1
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
+
+#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
+#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
+#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
+#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+api_group_suffix: pinniped.dev

deploy/supervisor/z0_crd_overlay.yaml

@@ -1,17 +1,24 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
-#@ load("helpers.lib.yaml", "labels")
+#@ load("helpers.lib.yaml", "labels", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:data", "data")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"federationdomains.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("federationdomains.config.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("oidcidentityproviders.idp.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")

generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go

@@ -57,9 +57,11 @@ type JWTTokenClaims struct {
 // signature, existence of claims, etc.) and extract the username and groups from the token.
 //
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:subresource:status
 type JWTAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go

@@ -29,9 +29,11 @@ type WebhookAuthenticatorSpec struct {
 
 // WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:subresource:status
 type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -67,13 +67,16 @@ type CredentialIssuerStrategy struct {
 
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:resource:categories=pinniped,scope=Cluster
+// +kubebuilder:subresource:status
 type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	// Status of the credential issuer.
+	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 

generated/1.17/apis/concierge/login/types_token.go

@@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
 }
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
-// +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta

generated/1.17/apis/concierge/login/v1alpha1/types_token.go

@@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta   `json:",inline"`

generated/1.17/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -109,6 +109,7 @@ type FederationDomainStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
+// +kubebuilder:subresource:status
 type FederationDomain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go

@@ -22,12 +22,12 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) JWTAuthenticators(namespace string) JWTAuthenticatorInterface {
-	return newJWTAuthenticators(c, namespace)
+func (c *AuthenticationV1alpha1Client) JWTAuthenticators() JWTAuthenticatorInterface {
+	return newJWTAuthenticators(c)
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
-	return newWebhookAuthenticators(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators() WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go

@@ -15,12 +15,12 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) JWTAuthenticators(namespace string) v1alpha1.JWTAuthenticatorInterface {
-	return &FakeJWTAuthenticators{c, namespace}
+func (c *FakeAuthenticationV1alpha1) JWTAuthenticators() v1alpha1.JWTAuthenticatorInterface {
+	return &FakeJWTAuthenticators{c}
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
-	return &FakeWebhookAuthenticators{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators() v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go

@@ -18,7 +18,6 @@ import (
 // FakeJWTAuthenticators implements JWTAuthenticatorInterface
 type FakeJWTAuthenticators struct {
 	Fake *FakeAuthenticationV1alpha1
-	ns   string
 }
 
 var jwtauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "jwtauthenticators"}
@@ -28,8 +27,7 @@ var jwtauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.conci
 // Get takes name of the jWTAuthenticator, and returns the corresponding jWTAuthenticator object, and an error if there is any.
 func (c *FakeJWTAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(jwtauthenticatorsResource, c.ns, name), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootGetAction(jwtauthenticatorsResource, name), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -39,8 +37,7 @@ func (c *FakeJWTAuthenticators) Get(name string, options v1.GetOptions) (result
 // List takes label and field selectors, and returns the list of JWTAuthenticators that match those selectors.
 func (c *FakeJWTAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.JWTAuthenticatorList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(jwtauthenticatorsResource, jwtauthenticatorsKind, c.ns, opts), &v1alpha1.JWTAuthenticatorList{})
-
+		Invokes(testing.NewRootListAction(jwtauthenticatorsResource, jwtauthenticatorsKind, opts), &v1alpha1.JWTAuthenticatorList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -61,15 +58,13 @@ func (c *FakeJWTAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.JWTA
 // Watch returns a watch.Interface that watches the requested jWTAuthenticators.
 func (c *FakeJWTAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(jwtauthenticatorsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(jwtauthenticatorsResource, opts))
 }
 
 // Create takes the representation of a jWTAuthenticator and creates it.  Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
 func (c *FakeJWTAuthenticators) Create(jWTAuthenticator *v1alpha1.JWTAuthenticator) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(jwtauthenticatorsResource, c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootCreateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -79,8 +74,7 @@ func (c *FakeJWTAuthenticators) Create(jWTAuthenticator *v1alpha1.JWTAuthenticat
 // Update takes the representation of a jWTAuthenticator and updates it. Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
 func (c *FakeJWTAuthenticators) Update(jWTAuthenticator *v1alpha1.JWTAuthenticator) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(jwtauthenticatorsResource, c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootUpdateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -91,8 +85,7 @@ func (c *FakeJWTAuthenticators) Update(jWTAuthenticator *v1alpha1.JWTAuthenticat
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeJWTAuthenticators) UpdateStatus(jWTAuthenticator *v1alpha1.JWTAuthenticator) (*v1alpha1.JWTAuthenticator, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(jwtauthenticatorsResource, "status", c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(jwtauthenticatorsResource, "status", jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -102,14 +95,13 @@ func (c *FakeJWTAuthenticators) UpdateStatus(jWTAuthenticator *v1alpha1.JWTAuthe
 // Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
 func (c *FakeJWTAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(jwtauthenticatorsResource, c.ns, name), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootDeleteAction(jwtauthenticatorsResource, name), &v1alpha1.JWTAuthenticator{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeJWTAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(jwtauthenticatorsResource, c.ns, listOptions)
+	action := testing.NewRootDeleteCollectionAction(jwtauthenticatorsResource, listOptions)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.JWTAuthenticatorList{})
 	return err
@@ -118,8 +110,7 @@ func (c *FakeJWTAuthenticators) DeleteCollection(options *v1.DeleteOptions, list
 // Patch applies the patch and returns the patched jWTAuthenticator.
 func (c *FakeJWTAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(jwtauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(jwtauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go

@@ -18,7 +18,6 @@ import (
 // FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
 type FakeWebhookAuthenticators struct {
 	Fake *FakeAuthenticationV1alpha1
-	ns   string
 }
 
 var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
@@ -28,8 +27,7 @@ var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.c
 // Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
 func (c *FakeWebhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootGetAction(webhookauthenticatorsResource, name), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -39,8 +37,7 @@ func (c *FakeWebhookAuthenticators) Get(name string, options v1.GetOptions) (res
 // List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
 func (c *FakeWebhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
-
+		Invokes(testing.NewRootListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, opts), &v1alpha1.WebhookAuthenticatorList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -61,15 +58,13 @@ func (c *FakeWebhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.
 // Watch returns a watch.Interface that watches the requested webhookAuthenticators.
 func (c *FakeWebhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(webhookauthenticatorsResource, opts))
 }
 
 // Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
 func (c *FakeWebhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootCreateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -79,8 +74,7 @@ func (c *FakeWebhookAuthenticators) Create(webhookAuthenticator *v1alpha1.Webhoo
 // Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
 func (c *FakeWebhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootUpdateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -91,8 +85,7 @@ func (c *FakeWebhookAuthenticators) Update(webhookAuthenticator *v1alpha1.Webhoo
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeWebhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (*v1alpha1.WebhookAuthenticator, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(webhookauthenticatorsResource, "status", webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -102,14 +95,13 @@ func (c *FakeWebhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.
 // Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
 func (c *FakeWebhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootDeleteAction(webhookauthenticatorsResource, name), &v1alpha1.WebhookAuthenticator{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeWebhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOptions)
+	action := testing.NewRootDeleteCollectionAction(webhookauthenticatorsResource, listOptions)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
 	return err
@@ -118,8 +110,7 @@ func (c *FakeWebhookAuthenticators) DeleteCollection(options *v1.DeleteOptions,
 // Patch applies the patch and returns the patched webhookAuthenticator.
 func (c *FakeWebhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(webhookauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go

@@ -19,7 +19,7 @@ import (
 // JWTAuthenticatorsGetter has a method to return a JWTAuthenticatorInterface.
 // A group's client should implement this interface.
 type JWTAuthenticatorsGetter interface {
-	JWTAuthenticators(namespace string) JWTAuthenticatorInterface
+	JWTAuthenticators() JWTAuthenticatorInterface
 }
 
 // JWTAuthenticatorInterface has methods to work with JWTAuthenticator resources.
@@ -39,14 +39,12 @@ type JWTAuthenticatorInterface interface {
 // jWTAuthenticators implements JWTAuthenticatorInterface
 type jWTAuthenticators struct {
 	client rest.Interface
-	ns     string
 }
 
 // newJWTAuthenticators returns a JWTAuthenticators
-func newJWTAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *jWTAuthenticators {
+func newJWTAuthenticators(c *AuthenticationV1alpha1Client) *jWTAuthenticators {
 	return &jWTAuthenticators{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -54,7 +52,6 @@ func newJWTAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *jW
 func (c *jWTAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -71,7 +68,6 @@ func (c *jWTAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.JWTAuthe
 	}
 	result = &v1alpha1.JWTAuthenticatorList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -88,7 +84,6 @@ func (c *jWTAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error)
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -99,7 +94,6 @@ func (c *jWTAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, error)
 func (c *jWTAuthenticators) Create(jWTAuthenticator *v1alpha1.JWTAuthenticator) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Body(jWTAuthenticator).
 		Do().
@@ -111,7 +105,6 @@ func (c *jWTAuthenticators) Create(jWTAuthenticator *v1alpha1.JWTAuthenticator)
 func (c *jWTAuthenticators) Update(jWTAuthenticator *v1alpha1.JWTAuthenticator) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(jWTAuthenticator.Name).
 		Body(jWTAuthenticator).
@@ -126,7 +119,6 @@ func (c *jWTAuthenticators) Update(jWTAuthenticator *v1alpha1.JWTAuthenticator)
 func (c *jWTAuthenticators) UpdateStatus(jWTAuthenticator *v1alpha1.JWTAuthenticator) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(jWTAuthenticator.Name).
 		SubResource("status").
@@ -139,7 +131,6 @@ func (c *jWTAuthenticators) UpdateStatus(jWTAuthenticator *v1alpha1.JWTAuthentic
 // Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
 func (c *jWTAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(name).
 		Body(options).
@@ -154,7 +145,6 @@ func (c *jWTAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOpti
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -167,7 +157,6 @@ func (c *jWTAuthenticators) DeleteCollection(options *v1.DeleteOptions, listOpti
 func (c *jWTAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		SubResource(subresources...).
 		Name(name).

generated/1.17/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go

@@ -19,7 +19,7 @@ import (
 // WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
 // A group's client should implement this interface.
 type WebhookAuthenticatorsGetter interface {
-	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+	WebhookAuthenticators() WebhookAuthenticatorInterface
 }
 
 // WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
@@ -39,14 +39,12 @@ type WebhookAuthenticatorInterface interface {
 // webhookAuthenticators implements WebhookAuthenticatorInterface
 type webhookAuthenticators struct {
 	client rest.Interface
-	ns     string
 }
 
 // newWebhookAuthenticators returns a WebhookAuthenticators
-func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client) *webhookAuthenticators {
 	return &webhookAuthenticators{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -54,7 +52,6 @@ func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string)
 func (c *webhookAuthenticators) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -71,7 +68,6 @@ func (c *webhookAuthenticators) List(opts v1.ListOptions) (result *v1alpha1.Webh
 	}
 	result = &v1alpha1.WebhookAuthenticatorList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -88,7 +84,6 @@ func (c *webhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, err
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -99,7 +94,6 @@ func (c *webhookAuthenticators) Watch(opts v1.ListOptions) (watch.Interface, err
 func (c *webhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Body(webhookAuthenticator).
 		Do().
@@ -111,7 +105,6 @@ func (c *webhookAuthenticators) Create(webhookAuthenticator *v1alpha1.WebhookAut
 func (c *webhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(webhookAuthenticator.Name).
 		Body(webhookAuthenticator).
@@ -126,7 +119,6 @@ func (c *webhookAuthenticators) Update(webhookAuthenticator *v1alpha1.WebhookAut
 func (c *webhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.WebhookAuthenticator) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(webhookAuthenticator.Name).
 		SubResource("status").
@@ -139,7 +131,6 @@ func (c *webhookAuthenticators) UpdateStatus(webhookAuthenticator *v1alpha1.Webh
 // Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
 func (c *webhookAuthenticators) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(name).
 		Body(options).
@@ -154,7 +145,6 @@ func (c *webhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, list
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -167,7 +157,6 @@ func (c *webhookAuthenticators) DeleteCollection(options *v1.DeleteOptions, list
 func (c *webhookAuthenticators) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		SubResource(subresources...).
 		Name(name).

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuers(c, namespace)
+func (c *ConfigV1alpha1Client) CredentialIssuers() CredentialIssuerInterface {
+	return newCredentialIssuers(c)
 }
 
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go

@@ -19,7 +19,7 @@ import (
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
-	CredentialIssuers(namespace string) CredentialIssuerInterface
+	CredentialIssuers() CredentialIssuerInterface
 }
 
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
@@ -39,14 +39,12 @@ type CredentialIssuerInterface interface {
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
-	ns     string
 }
 
 // newCredentialIssuers returns a CredentialIssuers
-func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
+func newCredentialIssuers(c *ConfigV1alpha1Client) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -54,7 +52,6 @@ func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credential
 func (c *credentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -71,7 +68,6 @@ func (c *credentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.Credenti
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -88,7 +84,6 @@ func (c *credentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error)
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -99,7 +94,6 @@ func (c *credentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error)
 func (c *credentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Body(credentialIssuer).
 		Do().
@@ -111,7 +105,6 @@ func (c *credentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer)
 func (c *credentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		Body(credentialIssuer).
@@ -126,7 +119,6 @@ func (c *credentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer)
 func (c *credentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
@@ -139,7 +131,6 @@ func (c *credentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIs
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(options).
@@ -154,7 +145,6 @@ func (c *credentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOpti
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -167,7 +157,6 @@ func (c *credentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOpti
 func (c *credentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		SubResource(subresources...).
 		Name(name).

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuers{c, namespace}
+func (c *FakeConfigV1alpha1) CredentialIssuers() v1alpha1.CredentialIssuerInterface {
+	return &FakeCredentialIssuers{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.17/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go

@@ -18,7 +18,6 @@ import (
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
-	ns   string
 }
 
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
@@ -28,8 +27,7 @@ var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pin
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootGetAction(credentialissuersResource, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -39,8 +37,7 @@ func (c *FakeCredentialIssuers) Get(name string, options v1.GetOptions) (result
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
-
+		Invokes(testing.NewRootListAction(credentialissuersResource, credentialissuersKind, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -61,15 +58,13 @@ func (c *FakeCredentialIssuers) List(opts v1.ListOptions) (result *v1alpha1.Cred
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(credentialissuersResource, opts))
 }
 
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootCreateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -79,8 +74,7 @@ func (c *FakeCredentialIssuers) Create(credentialIssuer *v1alpha1.CredentialIssu
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssuer) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootUpdateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -91,8 +85,7 @@ func (c *FakeCredentialIssuers) Update(credentialIssuer *v1alpha1.CredentialIssu
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(credentialissuersResource, "status", credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -102,14 +95,13 @@ func (c *FakeCredentialIssuers) UpdateStatus(credentialIssuer *v1alpha1.Credenti
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootDeleteAction(credentialissuersResource, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOptions)
+	action := testing.NewRootDeleteCollectionAction(credentialissuersResource, listOptions)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
@@ -118,8 +110,7 @@ func (c *FakeCredentialIssuers) DeleteCollection(options *v1.DeleteOptions, list
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(credentialissuersResource, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go

@@ -15,8 +15,8 @@ type FakeLoginV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeLoginV1alpha1) TokenCredentialRequests(namespace string) v1alpha1.TokenCredentialRequestInterface {
-	return &FakeTokenCredentialRequests{c, namespace}
+func (c *FakeLoginV1alpha1) TokenCredentialRequests() v1alpha1.TokenCredentialRequestInterface {
+	return &FakeTokenCredentialRequests{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go

@@ -18,7 +18,6 @@ import (
 // FakeTokenCredentialRequests implements TokenCredentialRequestInterface
 type FakeTokenCredentialRequests struct {
 	Fake *FakeLoginV1alpha1
-	ns   string
 }
 
 var tokencredentialrequestsResource = schema.GroupVersionResource{Group: "login.concierge.pinniped.dev", Version: "v1alpha1", Resource: "tokencredentialrequests"}
@@ -28,8 +27,7 @@ var tokencredentialrequestsKind = schema.GroupVersionKind{Group: "login.concierg
 // Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
 func (c *FakeTokenCredentialRequests) Get(name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootGetAction(tokencredentialrequestsResource, name), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -39,8 +37,7 @@ func (c *FakeTokenCredentialRequests) Get(name string, options v1.GetOptions) (r
 // List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
 func (c *FakeTokenCredentialRequests) List(opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, c.ns, opts), &v1alpha1.TokenCredentialRequestList{})
-
+		Invokes(testing.NewRootListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, opts), &v1alpha1.TokenCredentialRequestList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -61,15 +58,13 @@ func (c *FakeTokenCredentialRequests) List(opts v1.ListOptions) (result *v1alpha
 // Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
 func (c *FakeTokenCredentialRequests) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(tokencredentialrequestsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(tokencredentialrequestsResource, opts))
 }
 
 // Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
 func (c *FakeTokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootCreateAction(tokencredentialrequestsResource, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -79,8 +74,7 @@ func (c *FakeTokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.To
 // Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
 func (c *FakeTokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootUpdateAction(tokencredentialrequestsResource, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -91,8 +85,7 @@ func (c *FakeTokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.To
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeTokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (*v1alpha1.TokenCredentialRequest, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(tokencredentialrequestsResource, "status", c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(tokencredentialrequestsResource, "status", tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -102,14 +95,13 @@ func (c *FakeTokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alp
 // Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
 func (c *FakeTokenCredentialRequests) Delete(name string, options *v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootDeleteAction(tokencredentialrequestsResource, name), &v1alpha1.TokenCredentialRequest{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeTokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(tokencredentialrequestsResource, c.ns, listOptions)
+	action := testing.NewRootDeleteCollectionAction(tokencredentialrequestsResource, listOptions)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.TokenCredentialRequestList{})
 	return err
@@ -118,8 +110,7 @@ func (c *FakeTokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions
 // Patch applies the patch and returns the patched tokenCredentialRequest.
 func (c *FakeTokenCredentialRequests) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(tokencredentialrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(tokencredentialrequestsResource, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go

@@ -21,8 +21,8 @@ type LoginV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *LoginV1alpha1Client) TokenCredentialRequests(namespace string) TokenCredentialRequestInterface {
-	return newTokenCredentialRequests(c, namespace)
+func (c *LoginV1alpha1Client) TokenCredentialRequests() TokenCredentialRequestInterface {
+	return newTokenCredentialRequests(c)
 }
 
 // NewForConfig creates a new LoginV1alpha1Client for the given config.

generated/1.17/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go

@@ -19,7 +19,7 @@ import (
 // TokenCredentialRequestsGetter has a method to return a TokenCredentialRequestInterface.
 // A group's client should implement this interface.
 type TokenCredentialRequestsGetter interface {
-	TokenCredentialRequests(namespace string) TokenCredentialRequestInterface
+	TokenCredentialRequests() TokenCredentialRequestInterface
 }
 
 // TokenCredentialRequestInterface has methods to work with TokenCredentialRequest resources.
@@ -39,14 +39,12 @@ type TokenCredentialRequestInterface interface {
 // tokenCredentialRequests implements TokenCredentialRequestInterface
 type tokenCredentialRequests struct {
 	client rest.Interface
-	ns     string
 }
 
 // newTokenCredentialRequests returns a TokenCredentialRequests
-func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *tokenCredentialRequests {
+func newTokenCredentialRequests(c *LoginV1alpha1Client) *tokenCredentialRequests {
 	return &tokenCredentialRequests{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -54,7 +52,6 @@ func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *token
 func (c *tokenCredentialRequests) Get(name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -71,7 +68,6 @@ func (c *tokenCredentialRequests) List(opts v1.ListOptions) (result *v1alpha1.To
 	}
 	result = &v1alpha1.TokenCredentialRequestList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -88,7 +84,6 @@ func (c *tokenCredentialRequests) Watch(opts v1.ListOptions) (watch.Interface, e
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -99,7 +94,6 @@ func (c *tokenCredentialRequests) Watch(opts v1.ListOptions) (watch.Interface, e
 func (c *tokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Body(tokenCredentialRequest).
 		Do().
@@ -111,7 +105,6 @@ func (c *tokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.TokenC
 func (c *tokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(tokenCredentialRequest.Name).
 		Body(tokenCredentialRequest).
@@ -126,7 +119,6 @@ func (c *tokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.TokenC
 func (c *tokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(tokenCredentialRequest.Name).
 		SubResource("status").
@@ -139,7 +131,6 @@ func (c *tokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alpha1.
 // Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
 func (c *tokenCredentialRequests) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(name).
 		Body(options).
@@ -154,7 +145,6 @@ func (c *tokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions, li
 		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -167,7 +157,6 @@ func (c *tokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions, li
 func (c *tokenCredentialRequests) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		SubResource(subresources...).
 		Name(name).

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go

@@ -30,10 +30,10 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 
 // JWTAuthenticators returns a JWTAuthenticatorInformer.
 func (v *version) JWTAuthenticators() JWTAuthenticatorInformer {
-	return &jWTAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &jWTAuthenticatorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
 // WebhookAuthenticators returns a WebhookAuthenticatorInformer.
 func (v *version) WebhookAuthenticators() WebhookAuthenticatorInformer {
-	return &webhookAuthenticatorInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &webhookAuthenticatorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go

@@ -28,33 +28,32 @@ type JWTAuthenticatorInformer interface {
 type jWTAuthenticatorInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
 }
 
 // NewJWTAuthenticatorInformer constructs a new informer for JWTAuthenticator type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewJWTAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredJWTAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+func NewJWTAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredJWTAuthenticatorInformer(client, resyncPeriod, indexers, nil)
 }
 
 // NewFilteredJWTAuthenticatorInformer constructs a new informer for JWTAuthenticator type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewFilteredJWTAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+func NewFilteredJWTAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.AuthenticationV1alpha1().JWTAuthenticators(namespace).List(options)
+				return client.AuthenticationV1alpha1().JWTAuthenticators().List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.AuthenticationV1alpha1().JWTAuthenticators(namespace).Watch(options)
+				return client.AuthenticationV1alpha1().JWTAuthenticators().Watch(options)
 			},
 		},
 		&authenticationv1alpha1.JWTAuthenticator{},
@@ -64,7 +63,7 @@ func NewFilteredJWTAuthenticatorInformer(client versioned.Interface, namespace s
 }
 
 func (f *jWTAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredJWTAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+	return NewFilteredJWTAuthenticatorInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 
 func (f *jWTAuthenticatorInformer) Informer() cache.SharedIndexInformer {

generated/1.17/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go

@@ -28,33 +28,32 @@ type WebhookAuthenticatorInformer interface {
 type webhookAuthenticatorInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
 }
 
 // NewWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredWebhookAuthenticatorInformer(client, namespace, resyncPeriod, indexers, nil)
+func NewWebhookAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWebhookAuthenticatorInformer(client, resyncPeriod, indexers, nil)
 }
 
 // NewFilteredWebhookAuthenticatorInformer constructs a new informer for WebhookAuthenticator type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(options)
+				return client.AuthenticationV1alpha1().WebhookAuthenticators().List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Watch(options)
+				return client.AuthenticationV1alpha1().WebhookAuthenticators().Watch(options)
 			},
 		},
 		&authenticationv1alpha1.WebhookAuthenticator{},
@@ -64,7 +63,7 @@ func NewFilteredWebhookAuthenticatorInformer(client versioned.Interface, namespa
 }
 
 func (f *webhookAuthenticatorInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredWebhookAuthenticatorInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+	return NewFilteredWebhookAuthenticatorInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 
 func (f *webhookAuthenticatorInformer) Informer() cache.SharedIndexInformer {

generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go

@@ -28,33 +28,32 @@ type CredentialIssuerInformer interface {
 type credentialIssuerInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
 }
 
 // NewCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredCredentialIssuerInformer(client, namespace, resyncPeriod, indexers, nil)
+func NewCredentialIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCredentialIssuerInformer(client, resyncPeriod, indexers, nil)
 }
 
 // NewFilteredCredentialIssuerInformer constructs a new informer for CredentialIssuer type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+func NewFilteredCredentialIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.ConfigV1alpha1().CredentialIssuers(namespace).List(options)
+				return client.ConfigV1alpha1().CredentialIssuers().List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.ConfigV1alpha1().CredentialIssuers(namespace).Watch(options)
+				return client.ConfigV1alpha1().CredentialIssuers().Watch(options)
 			},
 		},
 		&configv1alpha1.CredentialIssuer{},
@@ -64,7 +63,7 @@ func NewFilteredCredentialIssuerInformer(client versioned.Interface, namespace s
 }
 
 func (f *credentialIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredCredentialIssuerInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+	return NewFilteredCredentialIssuerInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 
 func (f *credentialIssuerInformer) Informer() cache.SharedIndexInformer {

generated/1.17/client/concierge/informers/externalversions/config/v1alpha1/interface.go

@@ -28,5 +28,5 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 
 // CredentialIssuers returns a CredentialIssuerInformer.
 func (v *version) CredentialIssuers() CredentialIssuerInformer {
-	return &credentialIssuerInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &credentialIssuerInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }

generated/1.17/client/concierge/informers/externalversions/login/v1alpha1/interface.go

@@ -28,5 +28,5 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 
 // TokenCredentialRequests returns a TokenCredentialRequestInformer.
 func (v *version) TokenCredentialRequests() TokenCredentialRequestInformer {
-	return &tokenCredentialRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &tokenCredentialRequestInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }

generated/1.17/client/concierge/informers/externalversions/login/v1alpha1/tokencredentialrequest.go

@@ -28,33 +28,32 @@ type TokenCredentialRequestInformer interface {
 type tokenCredentialRequestInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
 }
 
 // NewTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredTokenCredentialRequestInformer(client, namespace, resyncPeriod, indexers, nil)
+func NewTokenCredentialRequestInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredTokenCredentialRequestInformer(client, resyncPeriod, indexers, nil)
 }
 
 // NewFilteredTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
-func NewFilteredTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+func NewFilteredTokenCredentialRequestInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.LoginV1alpha1().TokenCredentialRequests(namespace).List(options)
+				return client.LoginV1alpha1().TokenCredentialRequests().List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.LoginV1alpha1().TokenCredentialRequests(namespace).Watch(options)
+				return client.LoginV1alpha1().TokenCredentialRequests().Watch(options)
 			},
 		},
 		&loginv1alpha1.TokenCredentialRequest{},
@@ -64,7 +63,7 @@ func NewFilteredTokenCredentialRequestInformer(client versioned.Interface, names
 }
 
 func (f *tokenCredentialRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredTokenCredentialRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+	return NewFilteredTokenCredentialRequestInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
 }
 
 func (f *tokenCredentialRequestInformer) Informer() cache.SharedIndexInformer {

generated/1.17/client/concierge/listers/authentication/v1alpha1/expansion_generated.go

@@ -9,14 +9,6 @@ package v1alpha1
 // JWTAuthenticatorLister.
 type JWTAuthenticatorListerExpansion interface{}
 
-// JWTAuthenticatorNamespaceListerExpansion allows custom methods to be added to
-// JWTAuthenticatorNamespaceLister.
-type JWTAuthenticatorNamespaceListerExpansion interface{}
-
 // WebhookAuthenticatorListerExpansion allows custom methods to be added to
 // WebhookAuthenticatorLister.
 type WebhookAuthenticatorListerExpansion interface{}
-
-// WebhookAuthenticatorNamespaceListerExpansion allows custom methods to be added to
-// WebhookAuthenticatorNamespaceLister.
-type WebhookAuthenticatorNamespaceListerExpansion interface{}

generated/1.17/client/concierge/listers/authentication/v1alpha1/jwtauthenticator.go

@@ -16,8 +16,8 @@ import (
 type JWTAuthenticatorLister interface {
 	// List lists all JWTAuthenticators in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.JWTAuthenticator, err error)
-	// JWTAuthenticators returns an object that can list and get JWTAuthenticators.
-	JWTAuthenticators(namespace string) JWTAuthenticatorNamespaceLister
+	// Get retrieves the JWTAuthenticator from the index for a given name.
+	Get(name string) (*v1alpha1.JWTAuthenticator, error)
 	JWTAuthenticatorListerExpansion
 }
 
@@ -39,38 +39,9 @@ func (s *jWTAuthenticatorLister) List(selector labels.Selector) (ret []*v1alpha1
 	return ret, err
 }
 
-// JWTAuthenticators returns an object that can list and get JWTAuthenticators.
-func (s *jWTAuthenticatorLister) JWTAuthenticators(namespace string) JWTAuthenticatorNamespaceLister {
-	return jWTAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// JWTAuthenticatorNamespaceLister helps list and get JWTAuthenticators.
-type JWTAuthenticatorNamespaceLister interface {
-	// List lists all JWTAuthenticators in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.JWTAuthenticator, err error)
-	// Get retrieves the JWTAuthenticator from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.JWTAuthenticator, error)
-	JWTAuthenticatorNamespaceListerExpansion
-}
-
-// jWTAuthenticatorNamespaceLister implements the JWTAuthenticatorNamespaceLister
-// interface.
-type jWTAuthenticatorNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all JWTAuthenticators in the indexer for a given namespace.
-func (s jWTAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.JWTAuthenticator, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.JWTAuthenticator))
-	})
-	return ret, err
-}
-
-// Get retrieves the JWTAuthenticator from the indexer for a given namespace and name.
-func (s jWTAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.JWTAuthenticator, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+// Get retrieves the JWTAuthenticator from the index for a given name.
+func (s *jWTAuthenticatorLister) Get(name string) (*v1alpha1.JWTAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
 	if err != nil {
 		return nil, err
 	}

generated/1.17/client/concierge/listers/authentication/v1alpha1/webhookauthenticator.go

@@ -16,8 +16,8 @@ import (
 type WebhookAuthenticatorLister interface {
 	// List lists all WebhookAuthenticators in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
-	// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
-	WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister
+	// Get retrieves the WebhookAuthenticator from the index for a given name.
+	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
 	WebhookAuthenticatorListerExpansion
 }
 
@@ -39,38 +39,9 @@ func (s *webhookAuthenticatorLister) List(selector labels.Selector) (ret []*v1al
 	return ret, err
 }
 
-// WebhookAuthenticators returns an object that can list and get WebhookAuthenticators.
-func (s *webhookAuthenticatorLister) WebhookAuthenticators(namespace string) WebhookAuthenticatorNamespaceLister {
-	return webhookAuthenticatorNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// WebhookAuthenticatorNamespaceLister helps list and get WebhookAuthenticators.
-type WebhookAuthenticatorNamespaceLister interface {
-	// List lists all WebhookAuthenticators in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error)
-	// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.WebhookAuthenticator, error)
-	WebhookAuthenticatorNamespaceListerExpansion
-}
-
-// webhookAuthenticatorNamespaceLister implements the WebhookAuthenticatorNamespaceLister
-// interface.
-type webhookAuthenticatorNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all WebhookAuthenticators in the indexer for a given namespace.
-func (s webhookAuthenticatorNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookAuthenticator, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.WebhookAuthenticator))
-	})
-	return ret, err
-}
-
-// Get retrieves the WebhookAuthenticator from the indexer for a given namespace and name.
-func (s webhookAuthenticatorNamespaceLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+// Get retrieves the WebhookAuthenticator from the index for a given name.
+func (s *webhookAuthenticatorLister) Get(name string) (*v1alpha1.WebhookAuthenticator, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
 	if err != nil {
 		return nil, err
 	}

generated/1.17/client/concierge/listers/config/v1alpha1/credentialissuer.go

@@ -16,8 +16,8 @@ import (
 type CredentialIssuerLister interface {
 	// List lists all CredentialIssuers in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
-	// CredentialIssuers returns an object that can list and get CredentialIssuers.
-	CredentialIssuers(namespace string) CredentialIssuerNamespaceLister
+	// Get retrieves the CredentialIssuer from the index for a given name.
+	Get(name string) (*v1alpha1.CredentialIssuer, error)
 	CredentialIssuerListerExpansion
 }
 
@@ -39,38 +39,9 @@ func (s *credentialIssuerLister) List(selector labels.Selector) (ret []*v1alpha1
 	return ret, err
 }
 
-// CredentialIssuers returns an object that can list and get CredentialIssuers.
-func (s *credentialIssuerLister) CredentialIssuers(namespace string) CredentialIssuerNamespaceLister {
-	return credentialIssuerNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// CredentialIssuerNamespaceLister helps list and get CredentialIssuers.
-type CredentialIssuerNamespaceLister interface {
-	// List lists all CredentialIssuers in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error)
-	// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.CredentialIssuer, error)
-	CredentialIssuerNamespaceListerExpansion
-}
-
-// credentialIssuerNamespaceLister implements the CredentialIssuerNamespaceLister
-// interface.
-type credentialIssuerNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all CredentialIssuers in the indexer for a given namespace.
-func (s credentialIssuerNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CredentialIssuer, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.CredentialIssuer))
-	})
-	return ret, err
-}
-
-// Get retrieves the CredentialIssuer from the indexer for a given namespace and name.
-func (s credentialIssuerNamespaceLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+// Get retrieves the CredentialIssuer from the index for a given name.
+func (s *credentialIssuerLister) Get(name string) (*v1alpha1.CredentialIssuer, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
 	if err != nil {
 		return nil, err
 	}

generated/1.17/client/concierge/listers/config/v1alpha1/expansion_generated.go

@@ -8,7 +8,3 @@ package v1alpha1
 // CredentialIssuerListerExpansion allows custom methods to be added to
 // CredentialIssuerLister.
 type CredentialIssuerListerExpansion interface{}
-
-// CredentialIssuerNamespaceListerExpansion allows custom methods to be added to
-// CredentialIssuerNamespaceLister.
-type CredentialIssuerNamespaceListerExpansion interface{}

generated/1.17/client/concierge/listers/login/v1alpha1/expansion_generated.go

@@ -8,7 +8,3 @@ package v1alpha1
 // TokenCredentialRequestListerExpansion allows custom methods to be added to
 // TokenCredentialRequestLister.
 type TokenCredentialRequestListerExpansion interface{}
-
-// TokenCredentialRequestNamespaceListerExpansion allows custom methods to be added to
-// TokenCredentialRequestNamespaceLister.
-type TokenCredentialRequestNamespaceListerExpansion interface{}

generated/1.17/client/concierge/listers/login/v1alpha1/tokencredentialrequest.go

@@ -16,8 +16,8 @@ import (
 type TokenCredentialRequestLister interface {
 	// List lists all TokenCredentialRequests in the indexer.
 	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
-	// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
-	TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister
+	// Get retrieves the TokenCredentialRequest from the index for a given name.
+	Get(name string) (*v1alpha1.TokenCredentialRequest, error)
 	TokenCredentialRequestListerExpansion
 }
 
@@ -39,38 +39,9 @@ func (s *tokenCredentialRequestLister) List(selector labels.Selector) (ret []*v1
 	return ret, err
 }
 
-// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
-func (s *tokenCredentialRequestLister) TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister {
-	return tokenCredentialRequestNamespaceLister{indexer: s.indexer, namespace: namespace}
-}
-
-// TokenCredentialRequestNamespaceLister helps list and get TokenCredentialRequests.
-type TokenCredentialRequestNamespaceLister interface {
-	// List lists all TokenCredentialRequests in the indexer for a given namespace.
-	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
-	// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
-	Get(name string) (*v1alpha1.TokenCredentialRequest, error)
-	TokenCredentialRequestNamespaceListerExpansion
-}
-
-// tokenCredentialRequestNamespaceLister implements the TokenCredentialRequestNamespaceLister
-// interface.
-type tokenCredentialRequestNamespaceLister struct {
-	indexer   cache.Indexer
-	namespace string
-}
-
-// List lists all TokenCredentialRequests in the indexer for a given namespace.
-func (s tokenCredentialRequestNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error) {
-	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
-		ret = append(ret, m.(*v1alpha1.TokenCredentialRequest))
-	})
-	return ret, err
-}
-
-// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
-func (s tokenCredentialRequestNamespaceLister) Get(name string) (*v1alpha1.TokenCredentialRequest, error) {
-	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+// Get retrieves the TokenCredentialRequest from the index for a given name.
+func (s *tokenCredentialRequestLister) Get(name string) (*v1alpha1.TokenCredentialRequest, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
 	if err != nil {
 		return nil, err
 	}

generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -18,7 +18,7 @@ spec:
     listKind: JWTAuthenticatorList
     plural: jwtauthenticators
     singular: jwtauthenticator
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.issuer
@@ -161,7 +161,8 @@ spec:
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

generated/1.17/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -18,7 +18,7 @@ spec:
     listKind: WebhookAuthenticatorList
     plural: webhookauthenticators
     singular: webhookauthenticator
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.endpoint
@@ -137,7 +137,8 @@ spec:
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -16,7 +16,7 @@ spec:
     listKind: CredentialIssuerList
     plural: credentialissuers
     singular: credentialissuer
-  scope: Namespaced
+  scope: Cluster
   versions:
   - name: v1alpha1
     schema:
@@ -98,11 +98,11 @@ spec:
             required:
             - strategies
             type: object
-        required:
-        - status
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

generated/1.17/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -150,6 +150,8 @@ spec:
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go

@@ -57,9 +57,11 @@ type JWTTokenClaims struct {
 // signature, existence of claims, etc.) and extract the username and groups from the token.
 //
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:subresource:status
 type JWTAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go

@@ -29,9 +29,11 @@ type WebhookAuthenticatorSpec struct {
 
 // WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
+// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:subresource:status
 type WebhookAuthenticator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -67,13 +67,16 @@ type CredentialIssuerStrategy struct {
 
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories=pinniped
+// +kubebuilder:resource:categories=pinniped,scope=Cluster
+// +kubebuilder:subresource:status
 type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	// Status of the credential issuer.
+	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 

generated/1.18/apis/concierge/login/types_token.go

@@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
 }
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
-// +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta

generated/1.18/apis/concierge/login/v1alpha1/types_token.go

@@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta   `json:",inline"`

generated/1.18/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -109,6 +109,7 @@ type FederationDomainStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
+// +kubebuilder:subresource:status
 type FederationDomain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go

@@ -22,12 +22,12 @@ type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *AuthenticationV1alpha1Client) JWTAuthenticators(namespace string) JWTAuthenticatorInterface {
-	return newJWTAuthenticators(c, namespace)
+func (c *AuthenticationV1alpha1Client) JWTAuthenticators() JWTAuthenticatorInterface {
+	return newJWTAuthenticators(c)
 }
 
-func (c *AuthenticationV1alpha1Client) WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface {
-	return newWebhookAuthenticators(c, namespace)
+func (c *AuthenticationV1alpha1Client) WebhookAuthenticators() WebhookAuthenticatorInterface {
+	return newWebhookAuthenticators(c)
 }
 
 // NewForConfig creates a new AuthenticationV1alpha1Client for the given config.

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go

@@ -15,12 +15,12 @@ type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeAuthenticationV1alpha1) JWTAuthenticators(namespace string) v1alpha1.JWTAuthenticatorInterface {
-	return &FakeJWTAuthenticators{c, namespace}
+func (c *FakeAuthenticationV1alpha1) JWTAuthenticators() v1alpha1.JWTAuthenticatorInterface {
+	return &FakeJWTAuthenticators{c}
 }
 
-func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators(namespace string) v1alpha1.WebhookAuthenticatorInterface {
-	return &FakeWebhookAuthenticators{c, namespace}
+func (c *FakeAuthenticationV1alpha1) WebhookAuthenticators() v1alpha1.WebhookAuthenticatorInterface {
+	return &FakeWebhookAuthenticators{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go

@@ -20,7 +20,6 @@ import (
 // FakeJWTAuthenticators implements JWTAuthenticatorInterface
 type FakeJWTAuthenticators struct {
 	Fake *FakeAuthenticationV1alpha1
-	ns   string
 }
 
 var jwtauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "jwtauthenticators"}
@@ -30,8 +29,7 @@ var jwtauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.conci
 // Get takes name of the jWTAuthenticator, and returns the corresponding jWTAuthenticator object, and an error if there is any.
 func (c *FakeJWTAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(jwtauthenticatorsResource, c.ns, name), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootGetAction(jwtauthenticatorsResource, name), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -41,8 +39,7 @@ func (c *FakeJWTAuthenticators) Get(ctx context.Context, name string, options v1
 // List takes label and field selectors, and returns the list of JWTAuthenticators that match those selectors.
 func (c *FakeJWTAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.JWTAuthenticatorList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(jwtauthenticatorsResource, jwtauthenticatorsKind, c.ns, opts), &v1alpha1.JWTAuthenticatorList{})
-
+		Invokes(testing.NewRootListAction(jwtauthenticatorsResource, jwtauthenticatorsKind, opts), &v1alpha1.JWTAuthenticatorList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -63,15 +60,13 @@ func (c *FakeJWTAuthenticators) List(ctx context.Context, opts v1.ListOptions) (
 // Watch returns a watch.Interface that watches the requested jWTAuthenticators.
 func (c *FakeJWTAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(jwtauthenticatorsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(jwtauthenticatorsResource, opts))
 }
 
 // Create takes the representation of a jWTAuthenticator and creates it.  Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
 func (c *FakeJWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.CreateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(jwtauthenticatorsResource, c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootCreateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -81,8 +76,7 @@ func (c *FakeJWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1
 // Update takes the representation of a jWTAuthenticator and updates it. Returns the server's representation of the jWTAuthenticator, and an error, if there is any.
 func (c *FakeJWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(jwtauthenticatorsResource, c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootUpdateAction(jwtauthenticatorsResource, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -93,8 +87,7 @@ func (c *FakeJWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeJWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (*v1alpha1.JWTAuthenticator, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(jwtauthenticatorsResource, "status", c.ns, jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(jwtauthenticatorsResource, "status", jWTAuthenticator), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -104,14 +97,13 @@ func (c *FakeJWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticat
 // Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
 func (c *FakeJWTAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(jwtauthenticatorsResource, c.ns, name), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootDeleteAction(jwtauthenticatorsResource, name), &v1alpha1.JWTAuthenticator{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeJWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(jwtauthenticatorsResource, c.ns, listOpts)
+	action := testing.NewRootDeleteCollectionAction(jwtauthenticatorsResource, listOpts)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.JWTAuthenticatorList{})
 	return err
@@ -120,8 +112,7 @@ func (c *FakeJWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.De
 // Patch applies the patch and returns the patched jWTAuthenticator.
 func (c *FakeJWTAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(jwtauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.JWTAuthenticator{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(jwtauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.JWTAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go

@@ -20,7 +20,6 @@ import (
 // FakeWebhookAuthenticators implements WebhookAuthenticatorInterface
 type FakeWebhookAuthenticators struct {
 	Fake *FakeAuthenticationV1alpha1
-	ns   string
 }
 
 var webhookauthenticatorsResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookauthenticators"}
@@ -30,8 +29,7 @@ var webhookauthenticatorsKind = schema.GroupVersionKind{Group: "authentication.c
 // Get takes name of the webhookAuthenticator, and returns the corresponding webhookAuthenticator object, and an error if there is any.
 func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootGetAction(webhookauthenticatorsResource, name), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -41,8 +39,7 @@ func (c *FakeWebhookAuthenticators) Get(ctx context.Context, name string, option
 // List takes label and field selectors, and returns the list of WebhookAuthenticators that match those selectors.
 func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookAuthenticatorList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, c.ns, opts), &v1alpha1.WebhookAuthenticatorList{})
-
+		Invokes(testing.NewRootListAction(webhookauthenticatorsResource, webhookauthenticatorsKind, opts), &v1alpha1.WebhookAuthenticatorList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -63,15 +60,13 @@ func (c *FakeWebhookAuthenticators) List(ctx context.Context, opts v1.ListOption
 // Watch returns a watch.Interface that watches the requested webhookAuthenticators.
 func (c *FakeWebhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(webhookauthenticatorsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(webhookauthenticatorsResource, opts))
 }
 
 // Create takes the representation of a webhookAuthenticator and creates it.  Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
 func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootCreateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -81,8 +76,7 @@ func (c *FakeWebhookAuthenticators) Create(ctx context.Context, webhookAuthentic
 // Update takes the representation of a webhookAuthenticator and updates it. Returns the server's representation of the webhookAuthenticator, and an error, if there is any.
 func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(webhookauthenticatorsResource, c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootUpdateAction(webhookauthenticatorsResource, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -93,8 +87,7 @@ func (c *FakeWebhookAuthenticators) Update(ctx context.Context, webhookAuthentic
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (*v1alpha1.WebhookAuthenticator, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(webhookauthenticatorsResource, "status", c.ns, webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(webhookauthenticatorsResource, "status", webhookAuthenticator), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}
@@ -104,14 +97,13 @@ func (c *FakeWebhookAuthenticators) UpdateStatus(ctx context.Context, webhookAut
 // Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
 func (c *FakeWebhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(webhookauthenticatorsResource, c.ns, name), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootDeleteAction(webhookauthenticatorsResource, name), &v1alpha1.WebhookAuthenticator{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(webhookauthenticatorsResource, c.ns, listOpts)
+	action := testing.NewRootDeleteCollectionAction(webhookauthenticatorsResource, listOpts)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.WebhookAuthenticatorList{})
 	return err
@@ -120,8 +112,7 @@ func (c *FakeWebhookAuthenticators) DeleteCollection(ctx context.Context, opts v
 // Patch applies the patch and returns the patched webhookAuthenticator.
 func (c *FakeWebhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(webhookauthenticatorsResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(webhookauthenticatorsResource, name, pt, data, subresources...), &v1alpha1.WebhookAuthenticator{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go

@@ -20,7 +20,7 @@ import (
 // JWTAuthenticatorsGetter has a method to return a JWTAuthenticatorInterface.
 // A group's client should implement this interface.
 type JWTAuthenticatorsGetter interface {
-	JWTAuthenticators(namespace string) JWTAuthenticatorInterface
+	JWTAuthenticators() JWTAuthenticatorInterface
 }
 
 // JWTAuthenticatorInterface has methods to work with JWTAuthenticator resources.
@@ -40,14 +40,12 @@ type JWTAuthenticatorInterface interface {
 // jWTAuthenticators implements JWTAuthenticatorInterface
 type jWTAuthenticators struct {
 	client rest.Interface
-	ns     string
 }
 
 // newJWTAuthenticators returns a JWTAuthenticators
-func newJWTAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *jWTAuthenticators {
+func newJWTAuthenticators(c *AuthenticationV1alpha1Client) *jWTAuthenticators {
 	return &jWTAuthenticators{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -55,7 +53,6 @@ func newJWTAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *jW
 func (c *jWTAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -72,7 +69,6 @@ func (c *jWTAuthenticators) List(ctx context.Context, opts v1.ListOptions) (resu
 	}
 	result = &v1alpha1.JWTAuthenticatorList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -89,7 +85,6 @@ func (c *jWTAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (wat
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -100,7 +95,6 @@ func (c *jWTAuthenticators) Watch(ctx context.Context, opts v1.ListOptions) (wat
 func (c *jWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.CreateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(jWTAuthenticator).
@@ -113,7 +107,6 @@ func (c *jWTAuthenticators) Create(ctx context.Context, jWTAuthenticator *v1alph
 func (c *jWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(jWTAuthenticator.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
@@ -128,7 +121,6 @@ func (c *jWTAuthenticators) Update(ctx context.Context, jWTAuthenticator *v1alph
 func (c *jWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticator *v1alpha1.JWTAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(jWTAuthenticator.Name).
 		SubResource("status").
@@ -142,7 +134,6 @@ func (c *jWTAuthenticators) UpdateStatus(ctx context.Context, jWTAuthenticator *
 // Delete takes name of the jWTAuthenticator and deletes it. Returns an error if one occurs.
 func (c *jWTAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(name).
 		Body(&opts).
@@ -157,7 +148,6 @@ func (c *jWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.Delete
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -170,7 +160,6 @@ func (c *jWTAuthenticators) DeleteCollection(ctx context.Context, opts v1.Delete
 func (c *jWTAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.JWTAuthenticator, err error) {
 	result = &v1alpha1.JWTAuthenticator{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("jwtauthenticators").
 		Name(name).
 		SubResource(subresources...).

generated/1.18/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go

@@ -20,7 +20,7 @@ import (
 // WebhookAuthenticatorsGetter has a method to return a WebhookAuthenticatorInterface.
 // A group's client should implement this interface.
 type WebhookAuthenticatorsGetter interface {
-	WebhookAuthenticators(namespace string) WebhookAuthenticatorInterface
+	WebhookAuthenticators() WebhookAuthenticatorInterface
 }
 
 // WebhookAuthenticatorInterface has methods to work with WebhookAuthenticator resources.
@@ -40,14 +40,12 @@ type WebhookAuthenticatorInterface interface {
 // webhookAuthenticators implements WebhookAuthenticatorInterface
 type webhookAuthenticators struct {
 	client rest.Interface
-	ns     string
 }
 
 // newWebhookAuthenticators returns a WebhookAuthenticators
-func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string) *webhookAuthenticators {
+func newWebhookAuthenticators(c *AuthenticationV1alpha1Client) *webhookAuthenticators {
 	return &webhookAuthenticators{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -55,7 +53,6 @@ func newWebhookAuthenticators(c *AuthenticationV1alpha1Client, namespace string)
 func (c *webhookAuthenticators) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -72,7 +69,6 @@ func (c *webhookAuthenticators) List(ctx context.Context, opts v1.ListOptions) (
 	}
 	result = &v1alpha1.WebhookAuthenticatorList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -89,7 +85,6 @@ func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions)
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -100,7 +95,6 @@ func (c *webhookAuthenticators) Watch(ctx context.Context, opts v1.ListOptions)
 func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.CreateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(webhookAuthenticator).
@@ -113,7 +107,6 @@ func (c *webhookAuthenticators) Create(ctx context.Context, webhookAuthenticator
 func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(webhookAuthenticator.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
@@ -128,7 +121,6 @@ func (c *webhookAuthenticators) Update(ctx context.Context, webhookAuthenticator
 func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthenticator *v1alpha1.WebhookAuthenticator, opts v1.UpdateOptions) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(webhookAuthenticator.Name).
 		SubResource("status").
@@ -142,7 +134,6 @@ func (c *webhookAuthenticators) UpdateStatus(ctx context.Context, webhookAuthent
 // Delete takes name of the webhookAuthenticator and deletes it. Returns an error if one occurs.
 func (c *webhookAuthenticators) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(name).
 		Body(&opts).
@@ -157,7 +148,6 @@ func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.De
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -170,7 +160,6 @@ func (c *webhookAuthenticators) DeleteCollection(ctx context.Context, opts v1.De
 func (c *webhookAuthenticators) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookAuthenticator, err error) {
 	result = &v1alpha1.WebhookAuthenticator{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("webhookauthenticators").
 		Name(name).
 		SubResource(subresources...).

generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -21,8 +21,8 @@ type ConfigV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *ConfigV1alpha1Client) CredentialIssuers(namespace string) CredentialIssuerInterface {
-	return newCredentialIssuers(c, namespace)
+func (c *ConfigV1alpha1Client) CredentialIssuers() CredentialIssuerInterface {
+	return newCredentialIssuers(c)
 }
 
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.

generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go

@@ -20,7 +20,7 @@ import (
 // CredentialIssuersGetter has a method to return a CredentialIssuerInterface.
 // A group's client should implement this interface.
 type CredentialIssuersGetter interface {
-	CredentialIssuers(namespace string) CredentialIssuerInterface
+	CredentialIssuers() CredentialIssuerInterface
 }
 
 // CredentialIssuerInterface has methods to work with CredentialIssuer resources.
@@ -40,14 +40,12 @@ type CredentialIssuerInterface interface {
 // credentialIssuers implements CredentialIssuerInterface
 type credentialIssuers struct {
 	client rest.Interface
-	ns     string
 }
 
 // newCredentialIssuers returns a CredentialIssuers
-func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credentialIssuers {
+func newCredentialIssuers(c *ConfigV1alpha1Client) *credentialIssuers {
 	return &credentialIssuers{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -55,7 +53,6 @@ func newCredentialIssuers(c *ConfigV1alpha1Client, namespace string) *credential
 func (c *credentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -72,7 +69,6 @@ func (c *credentialIssuers) List(ctx context.Context, opts v1.ListOptions) (resu
 	}
 	result = &v1alpha1.CredentialIssuerList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -89,7 +85,6 @@ func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (wat
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -100,7 +95,6 @@ func (c *credentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (wat
 func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(credentialIssuer).
@@ -113,7 +107,6 @@ func (c *credentialIssuers) Create(ctx context.Context, credentialIssuer *v1alph
 func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
@@ -128,7 +121,6 @@ func (c *credentialIssuers) Update(ctx context.Context, credentialIssuer *v1alph
 func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(credentialIssuer.Name).
 		SubResource("status").
@@ -142,7 +134,6 @@ func (c *credentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *credentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		Body(&opts).
@@ -157,7 +148,6 @@ func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.Delete
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -170,7 +160,6 @@ func (c *credentialIssuers) DeleteCollection(ctx context.Context, opts v1.Delete
 func (c *credentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	result = &v1alpha1.CredentialIssuer{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("credentialissuers").
 		Name(name).
 		SubResource(subresources...).

generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -15,8 +15,8 @@ type FakeConfigV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeConfigV1alpha1) CredentialIssuers(namespace string) v1alpha1.CredentialIssuerInterface {
-	return &FakeCredentialIssuers{c, namespace}
+func (c *FakeConfigV1alpha1) CredentialIssuers() v1alpha1.CredentialIssuerInterface {
+	return &FakeCredentialIssuers{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.18/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go

@@ -20,7 +20,6 @@ import (
 // FakeCredentialIssuers implements CredentialIssuerInterface
 type FakeCredentialIssuers struct {
 	Fake *FakeConfigV1alpha1
-	ns   string
 }
 
 var credentialissuersResource = schema.GroupVersionResource{Group: "config.concierge.pinniped.dev", Version: "v1alpha1", Resource: "credentialissuers"}
@@ -30,8 +29,7 @@ var credentialissuersKind = schema.GroupVersionKind{Group: "config.concierge.pin
 // Get takes name of the credentialIssuer, and returns the corresponding credentialIssuer object, and an error if there is any.
 func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootGetAction(credentialissuersResource, name), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -41,8 +39,7 @@ func (c *FakeCredentialIssuers) Get(ctx context.Context, name string, options v1
 // List takes label and field selectors, and returns the list of CredentialIssuers that match those selectors.
 func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CredentialIssuerList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(credentialissuersResource, credentialissuersKind, c.ns, opts), &v1alpha1.CredentialIssuerList{})
-
+		Invokes(testing.NewRootListAction(credentialissuersResource, credentialissuersKind, opts), &v1alpha1.CredentialIssuerList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -63,15 +60,13 @@ func (c *FakeCredentialIssuers) List(ctx context.Context, opts v1.ListOptions) (
 // Watch returns a watch.Interface that watches the requested credentialIssuers.
 func (c *FakeCredentialIssuers) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(credentialissuersResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(credentialissuersResource, opts))
 }
 
 // Create takes the representation of a credentialIssuer and creates it.  Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.CreateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootCreateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -81,8 +76,7 @@ func (c *FakeCredentialIssuers) Create(ctx context.Context, credentialIssuer *v1
 // Update takes the representation of a credentialIssuer and updates it. Returns the server's representation of the credentialIssuer, and an error, if there is any.
 func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(credentialissuersResource, c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootUpdateAction(credentialissuersResource, credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -93,8 +87,7 @@ func (c *FakeCredentialIssuers) Update(ctx context.Context, credentialIssuer *v1
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssuer *v1alpha1.CredentialIssuer, opts v1.UpdateOptions) (*v1alpha1.CredentialIssuer, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(credentialissuersResource, "status", c.ns, credentialIssuer), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(credentialissuersResource, "status", credentialIssuer), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}
@@ -104,14 +97,13 @@ func (c *FakeCredentialIssuers) UpdateStatus(ctx context.Context, credentialIssu
 // Delete takes name of the credentialIssuer and deletes it. Returns an error if one occurs.
 func (c *FakeCredentialIssuers) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(credentialissuersResource, c.ns, name), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootDeleteAction(credentialissuersResource, name), &v1alpha1.CredentialIssuer{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(credentialissuersResource, c.ns, listOpts)
+	action := testing.NewRootDeleteCollectionAction(credentialissuersResource, listOpts)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.CredentialIssuerList{})
 	return err
@@ -120,8 +112,7 @@ func (c *FakeCredentialIssuers) DeleteCollection(ctx context.Context, opts v1.De
 // Patch applies the patch and returns the patched credentialIssuer.
 func (c *FakeCredentialIssuers) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CredentialIssuer, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(credentialissuersResource, c.ns, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(credentialissuersResource, name, pt, data, subresources...), &v1alpha1.CredentialIssuer{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.18/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go

@@ -15,8 +15,8 @@ type FakeLoginV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeLoginV1alpha1) TokenCredentialRequests(namespace string) v1alpha1.TokenCredentialRequestInterface {
-	return &FakeTokenCredentialRequests{c, namespace}
+func (c *FakeLoginV1alpha1) TokenCredentialRequests() v1alpha1.TokenCredentialRequestInterface {
+	return &FakeTokenCredentialRequests{c}
 }
 
 // RESTClient returns a RESTClient that is used to communicate

generated/1.18/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go

@@ -20,7 +20,6 @@ import (
 // FakeTokenCredentialRequests implements TokenCredentialRequestInterface
 type FakeTokenCredentialRequests struct {
 	Fake *FakeLoginV1alpha1
-	ns   string
 }
 
 var tokencredentialrequestsResource = schema.GroupVersionResource{Group: "login.concierge.pinniped.dev", Version: "v1alpha1", Resource: "tokencredentialrequests"}
@@ -30,8 +29,7 @@ var tokencredentialrequestsKind = schema.GroupVersionKind{Group: "login.concierg
 // Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
 func (c *FakeTokenCredentialRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewGetAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootGetAction(tokencredentialrequestsResource, name), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -41,8 +39,7 @@ func (c *FakeTokenCredentialRequests) Get(ctx context.Context, name string, opti
 // List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
 func (c *FakeTokenCredentialRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, c.ns, opts), &v1alpha1.TokenCredentialRequestList{})
-
+		Invokes(testing.NewRootListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, opts), &v1alpha1.TokenCredentialRequestList{})
 	if obj == nil {
 		return nil, err
 	}
@@ -63,15 +60,13 @@ func (c *FakeTokenCredentialRequests) List(ctx context.Context, opts v1.ListOpti
 // Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
 func (c *FakeTokenCredentialRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 	return c.Fake.
-		InvokesWatch(testing.NewWatchAction(tokencredentialrequestsResource, c.ns, opts))
-
+		InvokesWatch(testing.NewRootWatchAction(tokencredentialrequestsResource, opts))
 }
 
 // Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
 func (c *FakeTokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewCreateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootCreateAction(tokencredentialrequestsResource, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -81,8 +76,7 @@ func (c *FakeTokenCredentialRequests) Create(ctx context.Context, tokenCredentia
 // Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
 func (c *FakeTokenCredentialRequests) Update(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootUpdateAction(tokencredentialrequestsResource, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -93,8 +87,7 @@ func (c *FakeTokenCredentialRequests) Update(ctx context.Context, tokenCredentia
 // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 func (c *FakeTokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (*v1alpha1.TokenCredentialRequest, error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewUpdateSubresourceAction(tokencredentialrequestsResource, "status", c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootUpdateSubresourceAction(tokencredentialrequestsResource, "status", tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}
@@ -104,14 +97,13 @@ func (c *FakeTokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCre
 // Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
 func (c *FakeTokenCredentialRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	_, err := c.Fake.
-		Invokes(testing.NewDeleteAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootDeleteAction(tokencredentialrequestsResource, name), &v1alpha1.TokenCredentialRequest{})
 	return err
 }
 
 // DeleteCollection deletes a collection of objects.
 func (c *FakeTokenCredentialRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
-	action := testing.NewDeleteCollectionAction(tokencredentialrequestsResource, c.ns, listOpts)
+	action := testing.NewRootDeleteCollectionAction(tokencredentialrequestsResource, listOpts)
 
 	_, err := c.Fake.Invokes(action, &v1alpha1.TokenCredentialRequestList{})
 	return err
@@ -120,8 +112,7 @@ func (c *FakeTokenCredentialRequests) DeleteCollection(ctx context.Context, opts
 // Patch applies the patch and returns the patched tokenCredentialRequest.
 func (c *FakeTokenCredentialRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
 	obj, err := c.Fake.
-		Invokes(testing.NewPatchSubresourceAction(tokencredentialrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
-
+		Invokes(testing.NewRootPatchSubresourceAction(tokencredentialrequestsResource, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
 	if obj == nil {
 		return nil, err
 	}

generated/1.18/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go

@@ -21,8 +21,8 @@ type LoginV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *LoginV1alpha1Client) TokenCredentialRequests(namespace string) TokenCredentialRequestInterface {
-	return newTokenCredentialRequests(c, namespace)
+func (c *LoginV1alpha1Client) TokenCredentialRequests() TokenCredentialRequestInterface {
+	return newTokenCredentialRequests(c)
 }
 
 // NewForConfig creates a new LoginV1alpha1Client for the given config.

generated/1.18/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go

@@ -20,7 +20,7 @@ import (
 // TokenCredentialRequestsGetter has a method to return a TokenCredentialRequestInterface.
 // A group's client should implement this interface.
 type TokenCredentialRequestsGetter interface {
-	TokenCredentialRequests(namespace string) TokenCredentialRequestInterface
+	TokenCredentialRequests() TokenCredentialRequestInterface
 }
 
 // TokenCredentialRequestInterface has methods to work with TokenCredentialRequest resources.
@@ -40,14 +40,12 @@ type TokenCredentialRequestInterface interface {
 // tokenCredentialRequests implements TokenCredentialRequestInterface
 type tokenCredentialRequests struct {
 	client rest.Interface
-	ns     string
 }
 
 // newTokenCredentialRequests returns a TokenCredentialRequests
-func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *tokenCredentialRequests {
+func newTokenCredentialRequests(c *LoginV1alpha1Client) *tokenCredentialRequests {
 	return &tokenCredentialRequests{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
@@ -55,7 +53,6 @@ func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *token
 func (c *tokenCredentialRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -72,7 +69,6 @@ func (c *tokenCredentialRequests) List(ctx context.Context, opts v1.ListOptions)
 	}
 	result = &v1alpha1.TokenCredentialRequestList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -89,7 +85,6 @@ func (c *tokenCredentialRequests) Watch(ctx context.Context, opts v1.ListOptions
 	}
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -100,7 +95,6 @@ func (c *tokenCredentialRequests) Watch(ctx context.Context, opts v1.ListOptions
 func (c *tokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Body(tokenCredentialRequest).
@@ -113,7 +107,6 @@ func (c *tokenCredentialRequests) Create(ctx context.Context, tokenCredentialReq
 func (c *tokenCredentialRequests) Update(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(tokenCredentialRequest.Name).
 		VersionedParams(&opts, scheme.ParameterCodec).
@@ -128,7 +121,6 @@ func (c *tokenCredentialRequests) Update(ctx context.Context, tokenCredentialReq
 func (c *tokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(tokenCredentialRequest.Name).
 		SubResource("status").
@@ -142,7 +134,6 @@ func (c *tokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCredent
 // Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
 func (c *tokenCredentialRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(name).
 		Body(&opts).
@@ -157,7 +148,6 @@ func (c *tokenCredentialRequests) DeleteCollection(ctx context.Context, opts v1.
 		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
 	}
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		VersionedParams(&listOpts, scheme.ParameterCodec).
 		Timeout(timeout).
@@ -170,7 +160,6 @@ func (c *tokenCredentialRequests) DeleteCollection(ctx context.Context, opts v1.
 func (c *tokenCredentialRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
 	result = &v1alpha1.TokenCredentialRequest{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("tokencredentialrequests").
 		Name(name).
 		SubResource(subresources...).