Update ROADMAP.md

Changing the roadmap based on current priorities.

.dockerignore

@@ -1,12 +1,23 @@
-./.*
-./*.md
-./*.yaml
-./apis
-./deploy
-./Dockerfile
-./generated/1.1*
-./internal/mocks
-./LICENSE
-./site/
-./test
-**/*_test.go
+# This is effectively a copy of the .gitignore file.
+# The whole git repo, including the .git directory, should get copied into the Docker build context,
+# to enable the use of hack/get-ldflags.sh inside the Dockerfile.
+# When you change the .gitignore file, please consider also changing this file.
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# GoLand
+.idea
+
+# MacOS Desktop Services Store
+.DS_Store

.gitignore

@@ -1,3 +1,6 @@
+# When you change this file, please consider also changing the .dockerignore file.
+# See comments at the top of .dockerignore for more information.
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -11,9 +14,6 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
 # GoLand
 .idea
 

.golangci.yaml

@@ -47,7 +47,6 @@ linters:
   - scopelint
   - sqlclosecheck
   - unconvert
-  - unparam
   - whitespace
 
 issues:

CONTRIBUTING.md

@@ -10,15 +10,28 @@ Please see the [Code of Conduct](./CODE_OF_CONDUCT.md).
 
 See [SCOPE.md](./SCOPE.md) for some guidelines about what we consider in and out of scope for Pinniped.
 
+## Roadmap
+
+The near-term and mid-term roadmap for the work planned for the project [maintainers](MAINTAINERS.md) is documented in [ROADMAP.md](ROADMAP.md).
+
 ## Community Meetings
 
-Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occuring every first and third Thursday of the month at 9AM PT / 12PM PT. Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09) to attend and add any agenda items you wish to discuss to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view). Join our [Google Group](https://groups.google.com/u/1/g/project-pinniped) to receive invites to this meeting.
+Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great
+software to the community. Please join us during our online community meetings,
+occurring every first and third Thursday of the month at 9 AM PT / 12 PM PT.
+Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09)
+to attend and add any agenda items you wish to discuss
+to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view).
+Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.
 
 If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
 
 ## Discussion
 
-Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page or reach out in Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
+Got a question, comment, or idea? Please don't hesitate to reach out
+via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
+GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
+or in the Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
 
 ## Issues
 
@@ -45,7 +58,7 @@ guidelines in the issue and pull request templates.
 To suggest a feature, please first open an
 [issue](https://github.com/vmware-tanzu/pinniped/issues/new?template=feature-proposal.md)
 and tag it with `proposal`, or create a new [Discussion](https://github.com/vmware-tanzu/pinniped/discussions).
-The project team will work with you on your feature request.
+The project [maintainers](MAINTAINERS.md) will work with you on your feature request.
 
 Once the feature request has been validated, a [pull request](https://github.com/vmware-tanzu/pinniped/compare)
 can be opened to implement the feature.
@@ -53,6 +66,10 @@ can be opened to implement the feature.
 For specifics on what to include in your feature request, please follow the
 guidelines in the issue and pull request templates.
 
+### Reporting security vulnerabilities
+
+Please follow the procedure described in [SECURITY.md](SECURITY.md).
+
 ## CLA
 
 We welcome contributions from everyone but we can only accept them if you sign

Dockerfile

@@ -3,7 +3,7 @@
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.16.4 as build-env
+FROM golang:1.17.1 as build-env
 
 WORKDIR /work
 COPY . .
@@ -16,26 +16,18 @@ RUN \
   --mount=type=cache,target=/cache/gocache \
   --mount=type=cache,target=/cache/gomodcache \
   mkdir out && \
-  GOCACHE=/cache/gocache \
-  GOMODCACHE=/cache/gomodcache \
-  CGO_ENABLED=0 \
-  GOOS=linux \
-  GOARCH=amd64 \
-  go build -v -ldflags "$(hack/get-ldflags.sh)" -o out \
-    ./cmd/pinniped-concierge/... \
-    ./cmd/pinniped-supervisor/... \
-    ./cmd/local-user-authenticator/...
+  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+  go build -v -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/main.go && \
+  go build -v -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/main.go && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
 
-# Use a Debian slim image to grab a reasonable default CA bundle.
-FROM debian:10.9-slim AS get-ca-bundle-env
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/* /var/cache/debconf/*
+# Use a distroless runtime image with CA certificates, timezone data, and not much else.
+FROM gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4
 
-# Use a runtime image based on Debian slim.
-FROM debian:10.9-slim
-COPY --from=get-ca-bundle-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-
-# Copy the binaries from the build-env stage.
-COPY --from=build-env /work/out/ /usr/local/bin/
+# Copy the server binary from the build-env stage.
+COPY --from=build-env /usr/local/bin /usr/local/bin
 
 # Document the ports
 EXPOSE 8080 8443
@@ -44,4 +36,4 @@ EXPOSE 8080 8443
 USER 1001:1001
 
 # Set the entrypoint
-ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
+ENTRYPOINT ["/usr/local/bin/pinniped-server"]

MAINTAINERS.md

@@ -4,16 +4,21 @@ This is the current list of maintainers for the Pinniped project.
 
 | Maintainer | GitHub ID | Affiliation |
 | --------------- | --------- | ----------- |
-| Andrew Keesler | [ankeesler](https://github.com/ankeesler) | [VMware](https://www.github.com/vmware/) |
 | Margo Crawford | [margocrawf](https://github.com/margocrawf) | [VMware](https://www.github.com/vmware/) |
-| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) |
 | Mo Khan | [enj](https://github.com/enj) | [VMware](https://www.github.com/vmware/) |
-| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) | [VMware](https://www.github.com/vmware/) |
+| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) | [VMware](https://www.github.com/vmware/) |
 | Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
 
+## Emeritus Maintainers
+
+* Andrew Keesler, [ankeesler](https://github.com/ankeesler)
+* Pablo Schuhmacher, [pabloschuhmacher](https://github.com/pabloschuhmacher)
+* Matt Moyer, [mattmoyer](https://github.com/mattmoyer)
+
 ## Pinniped Contributors & Stakeholders
 
 | Feature Area | Lead |
 | ----------------------------- | :---------------------: |
-| Technical Lead | Matt Moyer (mattmoyer) |
-| Product Management | Pablo Schuhmacher (pabloschuhmacher) |
+| Technical Lead | Mo Khan (enj) |
+| Product Management | Anjali Telang (anjaltelang) |
+| Community Management | Nanci Lancaster (microwavables) |

README.md

@@ -1,63 +1,51 @@
-<img src="site/content/docs/img/pinniped_logo.svg" alt="Pinniped Logo" width="100%"/>
+<a href="https://pinniped.dev" target="_blank">
+  <img src="site/content/docs/img/pinniped_logo.svg" alt="Pinniped Logo" width="100%"/>
+</a>
 
 ## Overview
 
 Pinniped provides identity services to Kubernetes.
 
-Pinniped allows cluster administrators to easily plug in external identity
-providers (IDPs) into Kubernetes clusters. This is achieved via a uniform
-install procedure across all types and origins of Kubernetes clusters,
-declarative configuration via Kubernetes APIs, enterprise-grade integrations
-with IDPs, and distribution-specific integration strategies.
+- Easily plug in external identity providers into Kubernetes clusters while offering a simple install and configuration experience. Leverage first class integration with Kubernetes and kubectl command-line.
+- Give users a consistent, unified login experience across all your clusters, including on-premises and managed cloud environments.
+- Securely integrate with an enterprise IDP using standard protocols or use secure, externally managed identities instead of relying on simple, shared credentials.
 
-### Example use cases
-
-* Your team uses a large enterprise IDP, and has many clusters that they
-  manage. Pinniped provides:
-  * Seamless and robust integration with the IDP
-  * Easy installation across clusters of any type and origin
-  * A simplified login flow across all clusters
-* Your team shares a single cluster. Pinniped provides:
-  * Simple configuration to integrate an IDP
-  * Individual, revocable identities
-
-### Architecture
-
-The Pinniped Supervisor component offers identity federation to enable a user to
-access multiple clusters with a single daily login to their external IDP. The
-Pinniped Supervisor supports various external [IDP
-types](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.20#k8s-api-idp-supervisor-pinniped-dev-v1alpha1).
-
-The Pinniped Concierge component offers credential exchange to enable a user to
-exchange an external credential for a short-lived, cluster-specific
-credential. Pinniped supports various [authentication
-methods](https://github.com/vmware-tanzu/pinniped/tree/main/generated/1.20#authenticationconciergepinnipeddevv1alpha1)
-and implements different integration strategies for various Kubernetes
-distributions to make authentication possible.
-
-The Pinniped Concierge can be configured to hook into the Pinniped Supervisor's
-federated credentials, or it can authenticate users directly via external IDP
-credentials.
-
-To learn more, see [architecture](https://pinniped.dev/docs/background/architecture/).
+To learn more, please visit the Pinniped project's website, https://pinniped.dev.
 
 ## Getting started with Pinniped
 
 Care to kick the tires? It's easy to [install and try Pinniped](https://pinniped.dev/docs/).
 
-## Community meetings
-
-Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occurring every first and third Thursday of the month at 9 AM PT / 12 PM PT. Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09) to attend and add any agenda items you wish to discuss to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view). Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.
-
-If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
-
 ## Discussion
 
-Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions) tab at the top of this page or reach out in Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
+Got a question, comment, or idea? Please don't hesitate to reach out
+via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
+GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
+or in the Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
 
 ## Contributions
 
-Contributions are welcome. Before contributing, please see the [contributing guide](CONTRIBUTING.md).
+Want to get involved? Contributions are welcome.
+
+Please see the [contributing guide](CONTRIBUTING.md) for more information about reporting bugs, requesting features,
+building and testing the code, submitting PRs, and other contributor topics.
+
+## Community meetings
+
+Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great
+software to the community. Please join us during our online community meetings,
+occurring every first and third Thursday of the month at 9 AM PT / 12 PM PT.
+Use [this Zoom Link](https://vmware.zoom.us/j/93798188973?pwd=T3pIMWxReEQvcWljNm1admRoZTFSZz09)
+to attend and add any agenda items you wish to discuss
+to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view).
+Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.
+
+If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
+
+## Adopters
+
+Some organizations and products using Pinniped are featured in [ADOPTERS.md](ADOPTERS.md).
+Add your own organization or product [here](https://github.com/vmware-tanzu/pinniped/discussions/152).
 
 ## Reporting security vulnerabilities
 
@@ -67,4 +55,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
 
 Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).
 
-Copyright 2020 the Pinniped contributors. All Rights Reserved.
+Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.

ROADMAP.md

@@ -33,18 +33,21 @@ The following table includes the current roadmap for Pinniped. If you have any q
 
 
 
-Last Updated: April 2021
-Theme|Description|Timeline|
+Last Updated: Sept 2021
+|Theme|Description|Timeline|
 |--|--|--|
-|LDAP Support|Extends upstream IDP protocols|May 2021|
-|Improved Documentation|Reorganizing and improving Pinniped docs; new how-to guides and tutorials|May 2021|
-|Multiple IDPs|Support for multiple upstream IDPs to be configured simultaneously|Jun 2021|
-|Wider Concierge cluster support|Support for more cluster types in the Concierge|Jul 2021|
-|Improving Security Posture|Offer the best security posture for Kubernetes cluster authentication|Exploring/Ongoing|
+|Improving Security Posture|Supervisor token refresh fails when the upstream refresh token no longer works|Sept 2021|
+|Wider Concierge cluster support|Support for OpenShift cluster types in the Concierge|Sept 2021|
+|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|Exploring/Ongoing|
+|Identity transforms|Support prefixing, filtering, or performing coarse-grained checks on upstream users and groups|Exploring/Ongoing|
+|CLI SSO|Support Kerberos based authentication on CLI |Exploring/Ongoing|
+|Extended IDP support|Support more types of identity providers on the Supervisor|Exploring/Ongoing|
+|Improved Documentation|Reorganizing and improving Pinniped docs; new how-to guides and tutorials|Exploring/Ongoing|
 |Improve our CI/CD systems|Upgrade tests; make Kind more efficient and reliable for CI ; Windows tests; performance tests; scale tests; soak tests|Exploring/Ongoing|
 |CLI Improvements|Improving CLI UX for setting up Supervisor IDPs|Exploring/Ongoing|
 |Telemetry|Adding some useful phone home metrics as well as some vanity metrics|Exploring/Ongoing|
 |Observability|Expose Pinniped metrics through Prometheus Integration|Exploring/Ongoing|
 |Device Code Flow|Add support for OAuth 2.0 Device Authorization Grant in the Pinniped CLI and Supervisor|Exploring/Ongoing|
+|Supervisor with New Clients|Enable registering new clients with Supervisor|Exploring/Ongoing|
 
    

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -3,17 +3,23 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
+// StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
 type StrategyType string
 
+// FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.
 // +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy
 type FrontendType string
 
+// StrategyStatus enumerates whether a strategy is working on a cluster.
 // +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
 
+// StrategyReason enumerates the detailed reason why a strategy is in a particular status.
 // +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey
 type StrategyReason string
 
@@ -36,7 +42,91 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
-// Status of a credential issuer.
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
+	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
+	//
+	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
@@ -47,7 +137,8 @@ type CredentialIssuerStatus struct {
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
 type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
@@ -59,7 +150,7 @@ type CredentialIssuerKubeConfigInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Status of an integration strategy that was attempted by Pinniped.
+// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@@ -81,6 +172,7 @@ type CredentialIssuerStrategy struct {
 	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
 }
 
+// CredentialIssuerFrontend describes how to connect using a particular integration strategy.
 type CredentialIssuerFrontend struct {
 	// Type describes which frontend mechanism clients can use with a strategy.
 	Type FrontendType `json:"type"`
@@ -118,7 +210,7 @@ type ImpersonationProxyInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Describes the configuration status of a Pinniped credential issuer.
+// CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -128,12 +220,18 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 
-// List of CredentialIssuer objects.
+// CredentialIssuerList is a list of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`

apis/supervisor/idp/v1alpha1/register.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -32,6 +32,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCIdentityProvider{},
 		&OIDCIdentityProviderList{},
+		&LDAPIdentityProvider{},
+		&LDAPIdentityProviderList{},
+		&ActiveDirectoryIdentityProvider{},
+		&ActiveDirectoryIdentityProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl

@@ -0,0 +1,182 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ActiveDirectoryIdentityProviderPhase string
+
+const (
+	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
+	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"
+
+	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
+	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"
+
+	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
+	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
+)
+
+// Status of an Active Directory identity provider.
+type ActiveDirectoryIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type ActiveDirectoryIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in Active Directory entry whose value shall become the username
+	// of the user after a successful authentication.
+	// Optional, when empty this defaults to "userPrincipalName".
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
+	// identify the user within this ActiveDirectory provider after a successful authentication.
+	// Optional, when empty this defaults to "objectGUID".
+	// +optional
+	UID string `json:"uid,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will be
+	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the filter were specified as
+	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+	// This searches nested groups by default.
+	// Note that nested group search can be slow for some Active Directory servers. To disable it,
+	// you can set the filter to
+	// "(&(objectClass=group)(member={})"
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an ActiveDirectory identity provider.
+type ActiveDirectoryIdentityProviderSpec struct {
+	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in Active Directory.
+	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type ActiveDirectoryIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of ActiveDirectoryIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ActiveDirectoryIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ActiveDirectoryIdentityProvider `json:"items"`
+}

apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl

@@ -0,0 +1,171 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type LDAPIdentityProviderPhase string
+
+const (
+	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
+	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"
+
+	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
+	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"
+
+	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
+	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
+)
+
+// Status of an LDAP identity provider.
+type LDAPIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the LDAPIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type LDAPIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type LDAPIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
+	// of the user after a successful authentication. This would typically be the same attribute name used in
+	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
+	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
+	// value of "dn={}" would not work.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
+	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+	// +kubebuilder:validation:MinLength=1
+	UID string `json:"uid,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type LDAPIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// +kubebuilder:validation:MinLength=1
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as the value from
+	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
+	// explicitly specified, since the default value of "dn={}" would not work.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
+	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
+	// the values of Filter and Attributes are ignored.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an LDAP identity provider.
+type LDAPIdentityProviderSpec struct {
+	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
+// Protocol (LDAP) identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type LDAPIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec LDAPIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of LDAPIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type LDAPIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []LDAPIdentityProvider `json:"items"`
+}

apis/supervisor/idp/v1alpha1/types_meta.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -39,9 +39,31 @@ type OIDCIdentityProviderStatus struct {
 // request parameters.
 type OIDCAuthorizationConfig struct {
 	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
-	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	// request flow with an OIDC identity provider.
+	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// By default, only the "openid" scope will be requested.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
+
+	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
+	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
+	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
+	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
+	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
+	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
+	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
+	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
+	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
+	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
+	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
+	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
+	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
+	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
+	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
+	// AllowPasswordGrant defaults to false.
+	// +optional
+	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
 // OIDCClaims provides a mapping from upstream claims into identities.

apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl

@@ -0,0 +1,66 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// IDPType are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// as the "type" of each returned identity provider.
+type IDPType string
+
+// IDPFlow are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// in the array of allowed client "flows" for each returned identity provider.
+type IDPFlow string
+
+const (
+	IDPTypeOIDC            IDPType = "oidc"
+	IDPTypeLDAP            IDPType = "ldap"
+	IDPTypeActiveDirectory IDPType = "activedirectory"
+
+	IDPFlowCLIPassword     IDPFlow = "cli_password"
+	IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
+)
+
+// Equals is a convenience function for comparing an IDPType to a string.
+func (r IDPType) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPType to a string.
+func (r IDPType) String() string {
+	return string(r)
+}
+
+// Equals is a convenience function for comparing an IDPFlow to a string.
+func (r IDPFlow) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPFlow to a string.
+func (r IDPFlow) String() string {
+	return string(r)
+}
+
+// OIDCDiscoveryResponse is part of the response from a FederationDomain's OpenID Provider Configuration
+// Document returned by the .well-known/openid-configuration endpoint. It ignores all the standard OpenID Provider
+// configuration metadata and only picks out the portion related to Supervisor identity provider discovery.
+type OIDCDiscoveryResponse struct {
+	SupervisorDiscovery OIDCDiscoveryResponseIDPEndpoint `json:"discovery.supervisor.pinniped.dev/v1alpha1"`
+}
+
+// OIDCDiscoveryResponseIDPEndpoint contains the URL for the identity provider discovery endpoint.
+type OIDCDiscoveryResponseIDPEndpoint struct {
+	PinnipedIDPsEndpoint string `json:"pinniped_identity_providers_endpoint"`
+}
+
+// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
+type IDPDiscoveryResponse struct {
+	PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
+}
+
+// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
+// identity provider discovery endpoint.
+type PinnipedIDP struct {
+	Name  string    `json:"name"`
+	Type  IDPType   `json:"type"`
+	Flows []IDPFlow `json:"flows,omitempty"`
+}

apis/supervisor/oidc/types_supervisor_oidc.go.tmpl

@@ -0,0 +1,25 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+// Constants related to the Supervisor FederationDomain's authorization and token endpoints.
+const (
+	// AuthorizeUsernameHeaderName is the name of the HTTP header which can be used to transmit a username
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizeUsernameHeaderName = "Pinniped-Username"
+
+	// AuthorizePasswordHeaderName is the name of the HTTP header which can be used to transmit a password
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
+
+	// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the name of the desired identity provider.
+	AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
+
+	// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the type of the desired identity provider.
+	AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+)

cmd/pinniped-concierge-kube-cert-agent/main.go

@@ -0,0 +1,55 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"log"
+	"math"
+	"os"
+	"time"
+)
+
+//nolint: gochecknoglobals // these are swapped during unit tests.
+var (
+	getenv = os.Getenv
+	fail   = log.Fatalf
+	sleep  = time.Sleep
+	out    = io.Writer(os.Stdout)
+)
+
+func main() {
+	if len(os.Args) < 2 {
+		fail("missing subcommand")
+	}
+
+	switch os.Args[1] {
+	case "sleep":
+		sleep(math.MaxInt64)
+	case "print":
+		certBytes, err := ioutil.ReadFile(getenv("CERT_PATH"))
+		if err != nil {
+			fail("could not read CERT_PATH: %v", err)
+		}
+		keyBytes, err := ioutil.ReadFile(getenv("KEY_PATH"))
+		if err != nil {
+			fail("could not read KEY_PATH: %v", err)
+		}
+		if err := json.NewEncoder(out).Encode(&struct {
+			Cert string `json:"tls.crt"`
+			Key  string `json:"tls.key"`
+		}{
+			Cert: base64.StdEncoding.EncodeToString(certBytes),
+			Key:  base64.StdEncoding.EncodeToString(keyBytes),
+		}); err != nil {
+			fail("failed to write output: %v", err)
+		}
+	default:
+		fail("invalid subcommand %q", os.Args[1])
+	}
+}

cmd/pinniped-concierge-kube-cert-agent/main_test.go

@@ -0,0 +1,128 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+type errWriter struct{}
+
+func (e errWriter) Write([]byte) (int, error) { return 0, fmt.Errorf("some write error") }
+
+func TestEntrypoint(t *testing.T) {
+	for _, tt := range []struct {
+		name        string
+		args        []string
+		env         map[string]string
+		failOutput  bool
+		wantSleep   time.Duration
+		wantLog     string
+		wantOutJSON string
+		wantFail    bool
+	}{
+		{
+			name:     "missing args",
+			args:     []string{},
+			wantLog:  "missing subcommand\n",
+			wantFail: true,
+		},
+		{
+			name:     "invalid subcommand",
+			args:     []string{"/path/to/binary", "invalid"},
+			wantLog:  "invalid subcommand \"invalid\"\n",
+			wantFail: true,
+		},
+		{
+			name:      "valid sleep",
+			args:      []string{"/path/to/binary", "sleep"},
+			wantSleep: 2562047*time.Hour + 47*time.Minute + 16*time.Second + 854775807*time.Nanosecond, // math.MaxInt64 nanoseconds, approximately 290 years
+		},
+		{
+			name: "missing cert file",
+			args: []string{"/path/to/binary", "print"},
+			env: map[string]string{
+				"CERT_PATH": "./does/not/exist",
+				"KEY_PATH":  "./testdata/test.key",
+			},
+			wantFail: true,
+			wantLog:  "could not read CERT_PATH: open ./does/not/exist: no such file or directory\n",
+		},
+		{
+			name: "missing key file",
+			args: []string{"/path/to/binary", "print"},
+			env: map[string]string{
+				"CERT_PATH": "./testdata/test.crt",
+				"KEY_PATH":  "./does/not/exist",
+			},
+			wantFail: true,
+			wantLog:  "could not read KEY_PATH: open ./does/not/exist: no such file or directory\n",
+		},
+		{
+			name: "fail to write output",
+			args: []string{"/path/to/binary", "print"},
+			env: map[string]string{
+				"CERT_PATH": "./testdata/test.crt",
+				"KEY_PATH":  "./testdata/test.key",
+			},
+			failOutput: true,
+			wantFail:   true,
+			wantLog:    "failed to write output: some write error\n",
+		},
+		{
+			name: "successful print",
+			args: []string{"/path/to/binary", "print"},
+			env: map[string]string{
+				"CERT_PATH": "./testdata/test.crt",
+				"KEY_PATH":  "./testdata/test.key",
+			},
+			wantOutJSON: `{
+				"tls.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01EY3lOVEl4TURReE9Gb1hEVE13TURjeU16SXhNRFF4T0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDNLCmhZdjJnSVExRHd6aDJjV01pZCtvZkFudkxJZlYyWHY2MXZUTEdwclVJK1hVcUI0L2d0ZjZYNlVObjBMZXR0Mm4KZDhwNHd5N2h3NzNoVS9nZ2R2bVdKdnFCclNqYzNKR2Z5K2tqNjZmS1hYK1BUbGJMN1Fid2lSdmNTcUlYSVdsVgpsSEh4RUNXckVEOGpDdWx3L05WcWZvb2svaDVpTlVDVDl5c3dTSnIvMGZJbWlWbm9UbElvRVlHMmVDTmVqWjVjCmczOXVEM1pUcWQ5WnhXd1NMTG5JKzJrcEpuWkJQY2QxWlE4QVFxekRnWnRZUkNxYWNuNWdja1FVS1pXS1FseG8KRWZ0NmcxWEhKb3VBV0FadzdoRXRrMHY4ckcwL2VLRjd3YW14Rmk2QkZWbGJqV0JzQjRUOXJBcGJkQldUS2VDSgpIdjhmdjVSTUZTenBUM3V6VE84Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDaDVSaGJ4cUplK1ovZ2MxN2NaaEtObWRpd3UKSTJwTHAzUUJmd3ZOK1dibWFqencvN3JZaFkwZDhKWVZUSnpYU0NQV2k2VUFLeEF0WE9MRjhXSUlmOWkzOW42Ugp1S09CR1cxNEZ6ekd5UkppRDNxYUcvSlR2RVcrU0xod2w2OE5kcjVMSFNuYnVnQXFxMzFhYmNReTZabDl2NUE4CkpLQzk3TGovU244cmo3b3BLeTRXM29xN05DUXNBYjB6aDRJbGxSRjZVdlNuSnlTZnNnN3hkWEhIcHhZREh0T1MKWGNPdTV5U1VJWlRnRmU5UmZlVVpsR1o1eG4wY2tNbFE3cVcyV3gxcTBPVld3NXVzNE50a0dxS3JIRzRUbjFYNwp1d28vWXl0bjVzRHhyRHYxL29paTZBWk9Dc1RQcmU0b0Qzd3o0bm1WekNWSmNncnFINFEyNGhUOFdOZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
+				"tls.key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdmNxRmkvYUFoRFVQRE9IWnhZeUozNmg4Q2U4c2g5WFplL3JXOU1zYW10UWo1ZFNvCkhqK0MxL3BmcFEyZlF0NjIzYWQzeW5qREx1SER2ZUZUK0NCMitaWW0rb0d0S056Y2taL0w2U1BycDhwZGY0OU8KVnN2dEJ2Q0pHOXhLb2hjaGFWV1VjZkVRSmFzUVB5TUs2WEQ4MVdwK2lpVCtIbUkxUUpQM0t6Qkltdi9SOGlhSgpXZWhPVWlnUmdiWjRJMTZObmx5RGYyNFBkbE9wMzFuRmJCSXN1Y2o3YVNrbWRrRTl4M1ZsRHdCQ3JNT0JtMWhFCktwcHlmbUJ5UkJRcGxZcENYR2dSKzNxRFZjY21pNEJZQm5EdUVTMlRTL3lzYlQ5NG9YdkJxYkVXTG9FVldWdU4KWUd3SGhQMnNDbHQwRlpNcDRJa2UveCsvbEV3VkxPbFBlN05NN3dJREFRQUJBb0lCQUZDMXRVRW1ITlVjTTBCSgpNM0Q5S1F6Qis2M0YxbXdWbHgxUU9PVjFFZVZSM2NvNU94MVI2UFNyOXN5Y0ZHUTlqZ3FJMHpwNVRKZTlUcDZMCkdraGtsZlBoMU1Xbks5bzZ3bG56V0tYV3JycDJKbmkrbXBQeXVPUEFtcTRNYW5pdjJYZVArMGJST3dxcHlvanYKQUE3eUM3TStUSDIyNlpKR05WczNFVjkrY3dIbWwweXV6QmZJSm4vcnYvdzJnK1dSS00vTUMwUzdrMmQ4YlJsQQpOeWNLVkdBR0JoS1RsdGpvVllPZWg2YUhFcFNqSzh6ZmFlUGpvNWRZSnZvVklsaTYwWUNnY0pPVS84alhUK05wCjFGbTd0UnZBdGozcFVwMFNxZGFmMlJVemg5amZKcDJWRkNIdVNKNlRQcUFyT3lRb2p0TWNUSEYwVGlXN3hySFAKeE9DUklBRUNnWUVBd0dCUFU3dmR0aE1KQmcrT1JVb0dRUWFJdFRlSnZRd0lxSnZiS0Qyb3NwNGpoUzFkR1pCdwpXMzBHS0VjL2dkOEpOdE9xOUJCbk1pY1BGN2hrdHV5K2JTUHY0MVhQdWQ2N3JTU083VHN3MjBDMTBnRlJxMDZCCnpJSldGQVVxSzNJa3ZWYzNWRG10U0xTRG94NFFaL0JkcWFNbFE1eTVKQ3NDNWtUaG1rWkZsTzhDZ1lFQS9JOVgKWUhpNlJpb01KRTFmcU9ISkw0RERqbGV6bWN1UnJEN2ZFNUluS2J0SloySmhHWU9YL0MwS1huSFRPV1RDRHh4TgpGQnZwdkQ2WHY1bzNQaEI5WjZrMmZxdko0R1M4dXJrRy9LVTR4Y0MrYmFrKzlhdmE4b2FpU3FHMTZ6RDlOSDJQCmpKNjBOcmJMbDFKMHBVOWZpd3VGVlVLSjRoRFpPZk45UnFZZHlBRUNnWUFWd284V2hKaUdnTTZ6ZmN6MDczT1gKcFZxUFRQSHFqVkxwWjMrNXBJZlJkR3ZHSTZSMVFNNUV1dmFZVmI3TVBPTTQ3V1pYNXdjVk9DL1AyZzZpVmxNUAoyMUhHSUMyMzg0YTlCZmFZeE9vNDBxLytTaUhudzZDUTlta3dLSWxsa3Fxdk5BOVJHcGtNTVViMmkyOEZvcjJsCmM0dkNneGE2RFpkdFhuczZUUnFQeHdLQmdDZlk1Y3hPdi9UNkJWaGs3TWJVZU0ySjMxREIvWkF5VWhWL0Jlc3MKa0FsQmgxOU1ZazJJT1o2TDdLcmlBcFYzbERhV0hJTWp0RWtEQnlZdnlxOThJbzBNWVpDeXdmTXBjYTEwSytvSQpsMkI3L0krSXVHcENaeFVFc081ZGZUcFNUR0RQdnFwTkQ5bmlGVlVXcVZpN29UTnE2ZXA5eVF0bDVTQURqcXhxCjRTQUJBb0dBSW0waFVnMXd0Y1M0NmNHTHk2UElrUE01dG9jVFNnaHR6NHZGc3VrL2k0UUE5R0JvQk8yZ0g2dHkKK2tKSG1lYVh0MmRtZ3lTcDBRQVdpdDVVbGNlRXVtQjBOWG5BZEpaUXhlR1NGU3lZa0RXaHdYZDh3RGNlS28vMQpMZkNVNkRrOElOL1NzcHBWVVdYUTJybE9SdnhsckhlQ2lvOG8wa1M5WWl1NTVXTVlnNGc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
+			}`,
+		},
+	} {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			var logBuf bytes.Buffer
+			testLog := log.New(&logBuf, "", 0)
+			exited := "exiting via fatal"
+			fail = func(format string, v ...interface{}) {
+				testLog.Printf(format, v...)
+				panic(exited)
+			}
+
+			var sawSleep time.Duration
+			sleep = func(d time.Duration) { sawSleep = d }
+
+			var sawOutput bytes.Buffer
+			out = &sawOutput
+			if tt.failOutput {
+				out = &errWriter{}
+			}
+
+			os.Args = tt.args
+			getenv = func(key string) string { return tt.env[key] }
+			if tt.wantFail {
+				require.PanicsWithValue(t, exited, main)
+			} else {
+				require.NotPanics(t, main)
+			}
+			require.Equal(t, tt.wantSleep.String(), sawSleep.String())
+			require.Equal(t, tt.wantLog, logBuf.String())
+			if tt.wantOutJSON == "" {
+				require.Empty(t, sawOutput.String())
+			} else {
+				require.JSONEq(t, tt.wantOutJSON, sawOutput.String())
+			}
+		})
+	}
+}

cmd/pinniped-concierge-kube-cert-agent/testdata/test.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
+cm5ldGVzMB4XDTIwMDcyNTIxMDQxOFoXDTMwMDcyMzIxMDQxOFowFTETMBEGA1UE
+AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3K
+hYv2gIQ1Dwzh2cWMid+ofAnvLIfV2Xv61vTLGprUI+XUqB4/gtf6X6UNn0Lett2n
+d8p4wy7hw73hU/ggdvmWJvqBrSjc3JGfy+kj66fKXX+PTlbL7QbwiRvcSqIXIWlV
+lHHxECWrED8jCulw/NVqfook/h5iNUCT9yswSJr/0fImiVnoTlIoEYG2eCNejZ5c
+g39uD3ZTqd9ZxWwSLLnI+2kpJnZBPcd1ZQ8AQqzDgZtYRCqacn5gckQUKZWKQlxo
+Eft6g1XHJouAWAZw7hEtk0v8rG0/eKF7wamxFi6BFVlbjWBsB4T9rApbdBWTKeCJ
+Hv8fv5RMFSzpT3uzTO8CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
+/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACh5RhbxqJe+Z/gc17cZhKNmdiwu
+I2pLp3QBfwvN+Wbmajzw/7rYhY0d8JYVTJzXSCPWi6UAKxAtXOLF8WIIf9i39n6R
+uKOBGW14FzzGyRJiD3qaG/JTvEW+SLhwl68Ndr5LHSnbugAqq31abcQy6Zl9v5A8
+JKC97Lj/Sn8rj7opKy4W3oq7NCQsAb0zh4IllRF6UvSnJySfsg7xdXHHpxYDHtOS
+XcOu5ySUIZTgFe9RfeUZlGZ5xn0ckMlQ7qW2Wx1q0OVWw5us4NtkGqKrHG4Tn1X7
+uwo/Yytn5sDxrDv1/oii6AZOCsTPre4oD3wz4nmVzCVJcgrqH4Q24hT8WNg=
+-----END CERTIFICATE-----

cmd/pinniped-concierge-kube-cert-agent/testdata/test.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvcqFi/aAhDUPDOHZxYyJ36h8Ce8sh9XZe/rW9MsamtQj5dSo
+Hj+C1/pfpQ2fQt623ad3ynjDLuHDveFT+CB2+ZYm+oGtKNzckZ/L6SPrp8pdf49O
+VsvtBvCJG9xKohchaVWUcfEQJasQPyMK6XD81Wp+iiT+HmI1QJP3KzBImv/R8iaJ
+WehOUigRgbZ4I16NnlyDf24PdlOp31nFbBIsucj7aSkmdkE9x3VlDwBCrMOBm1hE
+KppyfmByRBQplYpCXGgR+3qDVccmi4BYBnDuES2TS/ysbT94oXvBqbEWLoEVWVuN
+YGwHhP2sClt0FZMp4Ike/x+/lEwVLOlPe7NM7wIDAQABAoIBAFC1tUEmHNUcM0BJ
+M3D9KQzB+63F1mwVlx1QOOV1EeVR3co5Ox1R6PSr9sycFGQ9jgqI0zp5TJe9Tp6L
+GkhklfPh1MWnK9o6wlnzWKXWrrp2Jni+mpPyuOPAmq4Maniv2XeP+0bROwqpyojv
+AA7yC7M+TH226ZJGNVs3EV9+cwHml0yuzBfIJn/rv/w2g+WRKM/MC0S7k2d8bRlA
+NycKVGAGBhKTltjoVYOeh6aHEpSjK8zfaePjo5dYJvoVIli60YCgcJOU/8jXT+Np
+1Fm7tRvAtj3pUp0Sqdaf2RUzh9jfJp2VFCHuSJ6TPqArOyQojtMcTHF0TiW7xrHP
+xOCRIAECgYEAwGBPU7vdthMJBg+ORUoGQQaItTeJvQwIqJvbKD2osp4jhS1dGZBw
+W30GKEc/gd8JNtOq9BBnMicPF7hktuy+bSPv41XPud67rSSO7Tsw20C10gFRq06B
+zIJWFAUqK3IkvVc3VDmtSLSDox4QZ/BdqaMlQ5y5JCsC5kThmkZFlO8CgYEA/I9X
+YHi6RioMJE1fqOHJL4DDjlezmcuRrD7fE5InKbtJZ2JhGYOX/C0KXnHTOWTCDxxN
+FBvpvD6Xv5o3PhB9Z6k2fqvJ4GS8urkG/KU4xcC+bak+9ava8oaiSqG16zD9NH2P
+jJ60NrbLl1J0pU9fiwuFVUKJ4hDZOfN9RqYdyAECgYAVwo8WhJiGgM6zfcz073OX
+pVqPTPHqjVLpZ3+5pIfRdGvGI6R1QM5EuvaYVb7MPOM47WZX5wcVOC/P2g6iVlMP
+21HGIC2384a9BfaYxOo40q/+SiHnw6CQ9mkwKIllkqqvNA9RGpkMMUb2i28For2l
+c4vCgxa6DZdtXns6TRqPxwKBgCfY5cxOv/T6BVhk7MbUeM2J31DB/ZAyUhV/Bess
+kAlBh19MYk2IOZ6L7KriApV3lDaWHIMjtEkDByYvyq98Io0MYZCywfMpca10K+oI
+l2B7/I+IuGpCZxUEsO5dfTpSTGDPvqpND9niFVUWqVi7oTNq6ep9yQtl5SADjqxq
+4SABAoGAIm0hUg1wtcS46cGLy6PIkPM5tocTSghtz4vFsuk/i4QA9GBoBO2gH6ty
++kJHmeaXt2dmgySp0QAWit5UlceEumB0NXnAdJZQxeGSFSyYkDWhwXd8wDceKo/1
+LfCU6Dk8IN/SsppVUWXQ2rlORvxlrHeCio8o0kS9Yiu55WMYg4g=
+-----END RSA PRIVATE KEY-----

cmd/pinniped-concierge/main.go

@@ -1,35 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package main
-
-import (
-	"os"
-	"time"
-
-	genericapiserver "k8s.io/apiserver/pkg/server"
-	"k8s.io/client-go/pkg/version"
-	"k8s.io/client-go/rest"
-	"k8s.io/component-base/logs"
-	"k8s.io/klog/v2"
-
-	"go.pinniped.dev/internal/concierge/server"
-)
-
-func main() {
-	logs.InitLogs()
-	defer logs.FlushLogs()
-
-	// Dump out the time since compile (mostly useful for benchmarking our local development cycle latency).
-	var timeSinceCompile time.Duration
-	if buildDate, err := time.Parse(time.RFC3339, version.Get().BuildDate); err == nil {
-		timeSinceCompile = time.Since(buildDate).Round(time.Second)
-	}
-	klog.Infof("Running %s at %#v (%s since build)", rest.DefaultKubernetesUserAgent(), version.Get(), timeSinceCompile)
-
-	ctx := genericapiserver.SetupSignalContext()
-
-	if err := server.New(ctx, os.Args[1:], os.Stdout, os.Stderr).Run(); err != nil {
-		klog.Fatal(err)
-	}
-}

cmd/pinniped-server/main.go

@@ -0,0 +1,41 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package main is the combined entrypoint for all Pinniped server components.
+//
+// It dispatches to the appropriate Main() entrypoint based the name it is invoked as (os.Args[0]). In our server
+// container image, this binary is symlinked to several names such as `/usr/local/bin/pinniped-concierge`.
+package main
+
+import (
+	"os"
+	"path/filepath"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
+
+	concierge "go.pinniped.dev/internal/concierge/server"
+	lua "go.pinniped.dev/internal/localuserauthenticator"
+	supervisor "go.pinniped.dev/internal/supervisor/server"
+)
+
+//nolint: gochecknoglobals // these are swapped during unit tests.
+var (
+	fail        = klog.Fatalf
+	subcommands = map[string]func(){
+		"pinniped-concierge":       concierge.Main,
+		"pinniped-supervisor":      supervisor.Main,
+		"local-user-authenticator": lua.Main,
+	}
+)
+
+func main() {
+	if len(os.Args) == 0 {
+		fail("missing os.Args")
+	}
+	binary := filepath.Base(os.Args[0])
+	if subcommands[binary] == nil {
+		fail("must be invoked as one of %v, not %q", sets.StringKeySet(subcommands).List(), binary)
+	}
+	subcommands[binary]()
+}

cmd/pinniped-server/main_test.go

@@ -0,0 +1,72 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"bytes"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestEntrypoint(t *testing.T) {
+	for _, tt := range []struct {
+		name       string
+		args       []string
+		wantOutput string
+		wantFail   bool
+		wantArgs   []string
+	}{
+		{
+			name:       "missing args",
+			args:       []string{},
+			wantOutput: "missing os.Args\n",
+			wantFail:   true,
+		},
+		{
+			name:       "invalid subcommand",
+			args:       []string{"/path/to/invalid", "some", "args"},
+			wantOutput: "must be invoked as one of [another-test-binary valid-test-binary], not \"invalid\"\n",
+			wantFail:   true,
+		},
+		{
+			name:     "valid",
+			args:     []string{"/path/to/valid-test-binary", "foo", "bar"},
+			wantArgs: []string{"/path/to/valid-test-binary", "foo", "bar"},
+		},
+	} {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			var logBuf bytes.Buffer
+			testLog := log.New(&logBuf, "", 0)
+			exited := "exiting via fatal"
+			fail = func(format string, v ...interface{}) {
+				testLog.Printf(format, v...)
+				panic(exited)
+			}
+
+			// Make a test command that records os.Args when it's invoked.
+			var gotArgs []string
+			subcommands = map[string]func(){
+				"valid-test-binary":   func() { gotArgs = os.Args },
+				"another-test-binary": func() {},
+			}
+
+			os.Args = tt.args
+			if tt.wantFail {
+				require.PanicsWithValue(t, exited, main)
+			} else {
+				require.NotPanics(t, main)
+			}
+			if tt.wantArgs != nil {
+				require.Equal(t, tt.wantArgs, gotArgs)
+			}
+			if tt.wantOutput != "" {
+				require.Equal(t, tt.wantOutput, logBuf.String())
+			}
+		})
+	}
+}

cmd/pinniped/cmd/kubeconfig.go

@@ -8,8 +8,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -26,9 +28,11 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/transport"
 
 	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	"go.pinniped.dev/internal/groupsuffix"
 )
@@ -58,10 +62,14 @@ type getKubeconfigOIDCParams struct {
 	listenPort        uint16
 	scopes            []string
 	skipBrowser       bool
+	skipListen        bool
 	sessionCachePath  string
 	debugSessionCache bool
 	caBundle          caBundleFlag
 	requestAudience   string
+	upstreamIDPName   string
+	upstreamIDPType   string
+	upstreamIDPFlow   string
 }
 
 type getKubeconfigConciergeParams struct {
@@ -124,10 +132,14 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.Uint16Var(&flags.oidc.listenPort, "oidc-listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
 	f.StringSliceVar(&flags.oidc.scopes, "oidc-scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OpenID Connect scopes to request during login")
 	f.BoolVar(&flags.oidc.skipBrowser, "oidc-skip-browser", false, "During OpenID Connect login, skip opening the browser (just print the URL)")
+	f.BoolVar(&flags.oidc.skipListen, "oidc-skip-listen", false, "During OpenID Connect login, skip starting a localhost callback listener (manual copy/paste flow only)")
 	f.StringVar(&flags.oidc.sessionCachePath, "oidc-session-cache", "", "Path to OpenID Connect session cache file")
 	f.Var(&flags.oidc.caBundle, "oidc-ca-bundle", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated)")
 	f.BoolVar(&flags.oidc.debugSessionCache, "oidc-debug-session-cache", false, "Print debug logs related to the OpenID Connect session cache")
 	f.StringVar(&flags.oidc.requestAudience, "oidc-request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
+	f.StringVar(&flags.oidc.upstreamIDPName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
+	f.StringVar(&flags.oidc.upstreamIDPType, "upstream-identity-provider-type", "", fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
+	f.StringVar(&flags.oidc.upstreamIDPFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowCLIPassword, idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode))
 	f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
 	f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
 	f.BoolVar(&flags.skipValidate, "skip-validation", false, "Skip final validation of the kubeconfig (default: false)")
@@ -137,6 +149,9 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.credentialCachePath, "credential-cache", "", "Path to cluster-specific credentials cache")
 	mustMarkHidden(cmd, "oidc-debug-session-cache")
 
+	// --oidc-skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
+	mustMarkHidden(cmd, "oidc-skip-listen")
+
 	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
 	mustMarkHidden(cmd, "concierge-namespace")
 
@@ -165,19 +180,6 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		return fmt.Errorf("invalid API group suffix: %w", err)
 	}
 
-	execConfig := clientcmdapi.ExecConfig{
-		APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
-		Args:       []string{},
-		Env:        []clientcmdapi.ExecEnvVar{},
-	}
-
-	var err error
-	execConfig.Command, err = deps.getPathToSelf()
-	if err != nil {
-		return fmt.Errorf("could not determine the Pinniped executable path: %w", err)
-	}
-	execConfig.ProvideClusterInfo = true
-
 	clientConfig := newClientConfig(flags.kubeconfigPath, flags.kubeconfigContextOverride)
 	currentKubeConfig, err := clientConfig.RawConfig()
 	if err != nil {
@@ -221,6 +223,49 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		if err := discoverAuthenticatorParams(authenticator, &flags, deps.log); err != nil {
 			return err
 		}
+
+		// Point kubectl at the concierge endpoint.
+		cluster.Server = flags.concierge.endpoint
+		cluster.CertificateAuthorityData = flags.concierge.caBundle
+	}
+
+	// If there is an issuer, and if any upstream IDP flags are not already set, then try to discover Supervisor upstream IDP details.
+	// When all the upstream IDP flags are set by the user, then skip discovery and don't validate their input. Maybe they know something
+	// that we can't know, like the name of an IDP that they are going to define in the future.
+	if len(flags.oidc.issuer) > 0 && (flags.oidc.upstreamIDPType == "" || flags.oidc.upstreamIDPName == "" || flags.oidc.upstreamIDPFlow == "") {
+		if err := discoverSupervisorUpstreamIDP(ctx, &flags); err != nil {
+			return err
+		}
+	}
+
+	execConfig, err := newExecConfig(deps, flags)
+	if err != nil {
+		return err
+	}
+
+	kubeconfig := newExecKubeconfig(cluster, execConfig, newKubeconfigNames)
+	if err := validateKubeconfig(ctx, flags, kubeconfig, deps.log); err != nil {
+		return err
+	}
+
+	return writeConfigAsYAML(out, kubeconfig)
+}
+
+func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdapi.ExecConfig, error) {
+	execConfig := &clientcmdapi.ExecConfig{
+		APIVersion:         clientauthenticationv1beta1.SchemeGroupVersion.String(),
+		Args:               []string{},
+		Env:                []clientcmdapi.ExecEnvVar{},
+		ProvideClusterInfo: true,
+	}
+
+	var err error
+	execConfig.Command, err = deps.getPathToSelf()
+	if err != nil {
+		return nil, fmt.Errorf("could not determine the Pinniped executable path: %w", err)
+	}
+
+	if !flags.concierge.disabled {
 		// Append the flags to configure the Concierge credential exchange at runtime.
 		execConfig.Args = append(execConfig.Args,
 			"--enable-concierge",
@@ -230,10 +275,6 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 			"--concierge-endpoint="+flags.concierge.endpoint,
 			"--concierge-ca-bundle-data="+base64.StdEncoding.EncodeToString(flags.concierge.caBundle),
 		)
-
-		// Point kubectl at the concierge endpoint.
-		cluster.Server = flags.concierge.endpoint
-		cluster.CertificateAuthorityData = flags.concierge.caBundle
 	}
 
 	// If --credential-cache is set, pass it through.
@@ -244,7 +285,7 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	// If one of the --static-* flags was passed, output a config that runs `pinniped login static`.
 	if flags.staticToken != "" || flags.staticTokenEnvName != "" {
 		if flags.staticToken != "" && flags.staticTokenEnvName != "" {
-			return fmt.Errorf("only one of --static-token and --static-token-env can be specified")
+			return nil, fmt.Errorf("only one of --static-token and --static-token-env can be specified")
 		}
 		execConfig.Args = append([]string{"login", "static"}, execConfig.Args...)
 		if flags.staticToken != "" {
@@ -253,18 +294,13 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 		if flags.staticTokenEnvName != "" {
 			execConfig.Args = append(execConfig.Args, "--token-env="+flags.staticTokenEnvName)
 		}
-
-		kubeconfig := newExecKubeconfig(cluster, &execConfig, newKubeconfigNames)
-		if err := validateKubeconfig(ctx, flags, kubeconfig, deps.log); err != nil {
-			return err
-		}
-		return writeConfigAsYAML(out, kubeconfig)
+		return execConfig, nil
 	}
 
 	// Otherwise continue to parse the OIDC-related flags and output a config that runs `pinniped login oidc`.
 	execConfig.Args = append([]string{"login", "oidc"}, execConfig.Args...)
 	if flags.oidc.issuer == "" {
-		return fmt.Errorf("could not autodiscover --oidc-issuer and none was provided")
+		return nil, fmt.Errorf("could not autodiscover --oidc-issuer and none was provided")
 	}
 	execConfig.Args = append(execConfig.Args,
 		"--issuer="+flags.oidc.issuer,
@@ -274,6 +310,9 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	if flags.oidc.skipBrowser {
 		execConfig.Args = append(execConfig.Args, "--skip-browser")
 	}
+	if flags.oidc.skipListen {
+		execConfig.Args = append(execConfig.Args, "--skip-listen")
+	}
 	if flags.oidc.listenPort != 0 {
 		execConfig.Args = append(execConfig.Args, "--listen-port="+strconv.Itoa(int(flags.oidc.listenPort)))
 	}
@@ -289,11 +328,17 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	if flags.oidc.requestAudience != "" {
 		execConfig.Args = append(execConfig.Args, "--request-audience="+flags.oidc.requestAudience)
 	}
-	kubeconfig := newExecKubeconfig(cluster, &execConfig, newKubeconfigNames)
-	if err := validateKubeconfig(ctx, flags, kubeconfig, deps.log); err != nil {
-		return err
+	if flags.oidc.upstreamIDPName != "" {
+		execConfig.Args = append(execConfig.Args, "--upstream-identity-provider-name="+flags.oidc.upstreamIDPName)
 	}
-	return writeConfigAsYAML(out, kubeconfig)
+	if flags.oidc.upstreamIDPType != "" {
+		execConfig.Args = append(execConfig.Args, "--upstream-identity-provider-type="+flags.oidc.upstreamIDPType)
+	}
+	if flags.oidc.upstreamIDPFlow != "" {
+		execConfig.Args = append(execConfig.Args, "--upstream-identity-provider-flow="+flags.oidc.upstreamIDPFlow)
+	}
+
+	return execConfig, nil
 }
 
 type kubeconfigNames struct{ ContextName, UserName, ClusterName string }
@@ -688,3 +733,214 @@ func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool
 	}
 	return false
 }
+
+func discoverSupervisorUpstreamIDP(ctx context.Context, flags *getKubeconfigParams) error {
+	httpClient, err := newDiscoveryHTTPClient(flags.oidc.caBundle)
+	if err != nil {
+		return err
+	}
+
+	pinnipedIDPsEndpoint, err := discoverIDPsDiscoveryEndpointURL(ctx, flags.oidc.issuer, httpClient)
+	if err != nil {
+		return err
+	}
+	if pinnipedIDPsEndpoint == "" {
+		// The issuer is not advertising itself as a Pinniped Supervisor which supports upstream IDP discovery.
+		return nil
+	}
+
+	discoveredUpstreamIDPs, err := discoverAllAvailableSupervisorUpstreamIDPs(ctx, pinnipedIDPsEndpoint, httpClient)
+	if err != nil {
+		return err
+	}
+
+	if len(discoveredUpstreamIDPs) == 0 {
+		// Discovered that the Supervisor does not have any upstream IDPs defined. Continue without putting one into the
+		// kubeconfig. This kubeconfig will only work if the user defines one (and only one) OIDC IDP in the Supervisor
+		// later and wants to use the default client flow for OIDC (browser-based auth).
+		return nil
+	}
+
+	selectedIDPName, selectedIDPType, discoveredIDPFlows, err := selectUpstreamIDPNameAndType(discoveredUpstreamIDPs, flags.oidc.upstreamIDPName, flags.oidc.upstreamIDPType)
+	if err != nil {
+		return err
+	}
+
+	selectedIDPFlow, err := selectUpstreamIDPFlow(discoveredIDPFlows, selectedIDPName, selectedIDPType, flags.oidc.upstreamIDPFlow)
+	if err != nil {
+		return err
+	}
+
+	flags.oidc.upstreamIDPName = selectedIDPName
+	flags.oidc.upstreamIDPType = selectedIDPType.String()
+	flags.oidc.upstreamIDPFlow = selectedIDPFlow.String()
+	return nil
+}
+
+func newDiscoveryHTTPClient(caBundleFlag caBundleFlag) (*http.Client, error) {
+	t := &http.Transport{
+		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	httpClient := &http.Client{Transport: t}
+	if caBundleFlag != nil {
+		rootCAs := x509.NewCertPool()
+		ok := rootCAs.AppendCertsFromPEM(caBundleFlag)
+		if !ok {
+			return nil, fmt.Errorf("unable to fetch OIDC discovery data from issuer: could not parse CA bundle")
+		}
+		t.TLSClientConfig.RootCAs = rootCAs
+	}
+	httpClient.Transport = transport.DebugWrappers(httpClient.Transport)
+	return httpClient, nil
+}
+
+func discoverIDPsDiscoveryEndpointURL(ctx context.Context, issuer string, httpClient *http.Client) (string, error) {
+	discoveredProvider, err := oidc.NewProvider(oidc.ClientContext(ctx, httpClient), issuer)
+	if err != nil {
+		return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
+	}
+
+	var body idpdiscoveryv1alpha1.OIDCDiscoveryResponse
+	err = discoveredProvider.Claims(&body)
+	if err != nil {
+		return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
+	}
+
+	return body.SupervisorDiscovery.PinnipedIDPsEndpoint, nil
+}
+
+func discoverAllAvailableSupervisorUpstreamIDPs(ctx context.Context, pinnipedIDPsEndpoint string, httpClient *http.Client) ([]idpdiscoveryv1alpha1.PinnipedIDP, error) {
+	request, err := http.NewRequestWithContext(ctx, http.MethodGet, pinnipedIDPsEndpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("while forming request to IDP discovery URL: %w", err)
+	}
+
+	response, err := httpClient.Do(request)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: %w", err)
+	}
+	defer func() {
+		_ = response.Body.Close()
+	}()
+	if response.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: unexpected http response status: %s", response.Status)
+	}
+
+	rawBody, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: could not read response body: %w", err)
+	}
+
+	var body idpdiscoveryv1alpha1.IDPDiscoveryResponse
+	err = json.Unmarshal(rawBody, &body)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: could not parse response JSON: %w", err)
+	}
+
+	return body.PinnipedIDPs, nil
+}
+
+func selectUpstreamIDPNameAndType(pinnipedIDPs []idpdiscoveryv1alpha1.PinnipedIDP, specifiedIDPName, specifiedIDPType string) (string, idpdiscoveryv1alpha1.IDPType, []idpdiscoveryv1alpha1.IDPFlow, error) {
+	pinnipedIDPsString, _ := json.Marshal(pinnipedIDPs)
+	var discoveredFlows []idpdiscoveryv1alpha1.IDPFlow
+	switch {
+	case specifiedIDPName != "" && specifiedIDPType != "":
+		// The user specified both name and type, so check to see if there exists an exact match.
+		for _, idp := range pinnipedIDPs {
+			if idp.Name == specifiedIDPName && idp.Type.Equals(specifiedIDPType) {
+				return specifiedIDPName, idp.Type, idp.Flows, nil
+			}
+		}
+		return "", "", nil, fmt.Errorf(
+			"no Supervisor upstream identity providers with name %q of type %q were found. "+
+				"Found these upstreams: %s", specifiedIDPName, specifiedIDPType, pinnipedIDPsString)
+	case specifiedIDPType != "":
+		// The user specified only a type, so check if there is only one of that type found.
+		discoveredName := ""
+		var discoveredType idpdiscoveryv1alpha1.IDPType
+		for _, idp := range pinnipedIDPs {
+			if idp.Type.Equals(specifiedIDPType) {
+				if discoveredName != "" {
+					return "", "", nil, fmt.Errorf(
+						"multiple Supervisor upstream identity providers of type %q were found, "+
+							"so the --upstream-identity-provider-name flag must be specified. "+
+							"Found these upstreams: %s",
+						specifiedIDPType, pinnipedIDPsString)
+				}
+				discoveredName = idp.Name
+				discoveredType = idp.Type
+				discoveredFlows = idp.Flows
+			}
+		}
+		if discoveredName == "" {
+			return "", "", nil, fmt.Errorf(
+				"no Supervisor upstream identity providers of type %q were found. "+
+					"Found these upstreams: %s", specifiedIDPType, pinnipedIDPsString)
+		}
+		return discoveredName, discoveredType, discoveredFlows, nil
+	case specifiedIDPName != "":
+		// The user specified only a name, so check if there is only one of that name found.
+		var discoveredType idpdiscoveryv1alpha1.IDPType
+		for _, idp := range pinnipedIDPs {
+			if idp.Name == specifiedIDPName {
+				if discoveredType != "" {
+					return "", "", nil, fmt.Errorf(
+						"multiple Supervisor upstream identity providers with name %q were found, "+
+							"so the --upstream-identity-provider-type flag must be specified. Found these upstreams: %s",
+						specifiedIDPName, pinnipedIDPsString)
+				}
+				discoveredType = idp.Type
+				discoveredFlows = idp.Flows
+			}
+		}
+		if discoveredType == "" {
+			return "", "", nil, fmt.Errorf(
+				"no Supervisor upstream identity providers with name %q were found. "+
+					"Found these upstreams: %s", specifiedIDPName, pinnipedIDPsString)
+		}
+		return specifiedIDPName, discoveredType, discoveredFlows, nil
+	case len(pinnipedIDPs) == 1:
+		// The user did not specify any name or type, but there is only one found, so select it.
+		return pinnipedIDPs[0].Name, pinnipedIDPs[0].Type, pinnipedIDPs[0].Flows, nil
+	default:
+		// The user did not specify any name or type, and there is more than one found.
+		return "", "", nil, fmt.Errorf(
+			"multiple Supervisor upstream identity providers were found, "+
+				"so the --upstream-identity-provider-name/--upstream-identity-provider-type flags must be specified. "+
+				"Found these upstreams: %s",
+			pinnipedIDPsString)
+	}
+}
+
+func selectUpstreamIDPFlow(discoveredIDPFlows []idpdiscoveryv1alpha1.IDPFlow, selectedIDPName string, selectedIDPType idpdiscoveryv1alpha1.IDPType, specifiedFlow string) (idpdiscoveryv1alpha1.IDPFlow, error) {
+	switch {
+	case len(discoveredIDPFlows) == 0:
+		// No flows listed by discovery means that we are talking to an old Supervisor from before this feature existed.
+		// If the user specified a flow on the CLI flag then use it without validation, otherwise skip flow selection
+		// and return empty string.
+		return idpdiscoveryv1alpha1.IDPFlow(specifiedFlow), nil
+	case specifiedFlow != "":
+		// The user specified a flow, so validate that it is available for the selected IDP.
+		for _, flow := range discoveredIDPFlows {
+			if flow.Equals(specifiedFlow) {
+				// Found it, so use it as specified by the user.
+				return flow, nil
+			}
+		}
+		return "", fmt.Errorf(
+			"no client flow %q for Supervisor upstream identity provider %q of type %q were found. "+
+				"Found these flows: %v",
+			specifiedFlow, selectedIDPName, selectedIDPType, discoveredIDPFlows)
+	case len(discoveredIDPFlows) == 1:
+		// The user did not specify a flow, but there is only one found, so select it.
+		return discoveredIDPFlows[0], nil
+	default:
+		// The user did not specify a flow, and more than one was found.
+		return "", fmt.Errorf(
+			"multiple client flows for Supervisor upstream identity provider %q of type %q were found, "+
+				"so the --upstream-identity-provider-flow flag must be specified. "+
+				"Found these flows: %v",
+			selectedIDPName, selectedIDPType, discoveredIDPFlows)
+	}
+}

cmd/pinniped/cmd/login.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd

cmd/pinniped/cmd/login_oidc.go

@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
@@ -23,6 +24,7 @@ import (
 	"k8s.io/client-go/transport"
 	"k8s.io/klog/v2/klogr"
 
+	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	"go.pinniped.dev/internal/execcredcache"
 	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/plog"
@@ -54,23 +56,27 @@ func oidcLoginCommandRealDeps() oidcLoginCommandDeps {
 }
 
 type oidcLoginFlags struct {
-	issuer                     string
-	clientID                   string
-	listenPort                 uint16
-	scopes                     []string
-	skipBrowser                bool
-	sessionCachePath           string
-	caBundlePaths              []string
-	caBundleData               []string
-	debugSessionCache          bool
-	requestAudience            string
-	conciergeEnabled           bool
-	conciergeAuthenticatorType string
-	conciergeAuthenticatorName string
-	conciergeEndpoint          string
-	conciergeCABundle          string
-	conciergeAPIGroupSuffix    string
-	credentialCachePath        string
+	issuer                       string
+	clientID                     string
+	listenPort                   uint16
+	scopes                       []string
+	skipBrowser                  bool
+	skipListen                   bool
+	sessionCachePath             string
+	caBundlePaths                []string
+	caBundleData                 []string
+	debugSessionCache            bool
+	requestAudience              string
+	conciergeEnabled             bool
+	conciergeAuthenticatorType   string
+	conciergeAuthenticatorName   string
+	conciergeEndpoint            string
+	conciergeCABundle            string
+	conciergeAPIGroupSuffix      string
+	credentialCachePath          string
+	upstreamIdentityProviderName string
+	upstreamIdentityProviderType string
+	upstreamIdentityProviderFlow string
 }
 
 func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
@@ -89,6 +95,7 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	cmd.Flags().Uint16Var(&flags.listenPort, "listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
 	cmd.Flags().StringSliceVar(&flags.scopes, "scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OIDC scopes to request during login")
 	cmd.Flags().BoolVar(&flags.skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL)")
+	cmd.Flags().BoolVar(&flags.skipListen, "skip-listen", false, "Skip starting a localhost callback listener (manual copy/paste flow only)")
 	cmd.Flags().StringVar(&flags.sessionCachePath, "session-cache", filepath.Join(mustGetConfigDir(), "sessions.yaml"), "Path to session cache file")
 	cmd.Flags().StringSliceVar(&flags.caBundlePaths, "ca-bundle", nil, "Path to TLS certificate authority bundle (PEM format, optional, can be repeated)")
 	cmd.Flags().StringSliceVar(&flags.caBundleData, "ca-bundle-data", nil, "Base64 encoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)")
@@ -102,7 +109,12 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the Concierge")
 	cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
 	cmd.Flags().StringVar(&flags.credentialCachePath, "credential-cache", filepath.Join(mustGetConfigDir(), "credentials.yaml"), "Path to cluster-specific credentials cache (\"\" disables the cache)")
+	cmd.Flags().StringVar(&flags.upstreamIdentityProviderName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
+	cmd.Flags().StringVar(&flags.upstreamIdentityProviderType, "upstream-identity-provider-type", idpdiscoveryv1alpha1.IDPTypeOIDC.String(), fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
+	cmd.Flags().StringVar(&flags.upstreamIdentityProviderFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode, idpdiscoveryv1alpha1.IDPFlowCLIPassword))
 
+	// --skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
+	mustMarkHidden(cmd, "skip-listen")
 	mustMarkHidden(cmd, "debug-session-cache")
 	mustMarkRequired(cmd, "issuer")
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) }
@@ -113,7 +125,7 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	return cmd
 }
 
-func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error {
+func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error { //nolint:funlen
 	pLogger, err := SetLogLevel(deps.lookupEnv)
 	if err != nil {
 		plog.WarningErr("Received error while setting log level", err)
@@ -147,6 +159,20 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 		opts = append(opts, oidcclient.WithRequestAudience(flags.requestAudience))
 	}
 
+	if flags.upstreamIdentityProviderName != "" {
+		opts = append(opts, oidcclient.WithUpstreamIdentityProvider(
+			flags.upstreamIdentityProviderName, flags.upstreamIdentityProviderType))
+	}
+
+	flowOpts, err := flowOptions(
+		idpdiscoveryv1alpha1.IDPType(flags.upstreamIdentityProviderType),
+		idpdiscoveryv1alpha1.IDPFlow(flags.upstreamIdentityProviderFlow),
+	)
+	if err != nil {
+		return err
+	}
+	opts = append(opts, flowOpts...)
+
 	var concierge *conciergeclient.Client
 	if flags.conciergeEnabled {
 		var err error
@@ -161,12 +187,14 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 		}
 	}
 
-	// --skip-browser replaces the default "browser open" function with one that prints to stderr.
+	// --skip-browser skips opening the browser.
 	if flags.skipBrowser {
-		opts = append(opts, oidcclient.WithBrowserOpen(func(url string) error {
-			cmd.PrintErr("Please log in: ", url, "\n")
-			return nil
-		}))
+		opts = append(opts, oidcclient.WithSkipBrowserOpen())
+	}
+
+	// --skip-listen skips starting the localhost callback listener.
+	if flags.skipListen {
+		opts = append(opts, oidcclient.WithSkipListen())
 	}
 
 	if len(flags.caBundlePaths) > 0 || len(flags.caBundleData) > 0 {
@@ -224,6 +252,46 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	return json.NewEncoder(cmd.OutOrStdout()).Encode(cred)
 }
 
+func flowOptions(requestedIDPType idpdiscoveryv1alpha1.IDPType, requestedFlow idpdiscoveryv1alpha1.IDPFlow) ([]oidcclient.Option, error) {
+	useCLIFlow := []oidcclient.Option{oidcclient.WithCLISendingCredentials()}
+
+	switch requestedIDPType {
+	case idpdiscoveryv1alpha1.IDPTypeOIDC:
+		switch requestedFlow {
+		case idpdiscoveryv1alpha1.IDPFlowCLIPassword:
+			return useCLIFlow, nil
+		case idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode, "":
+			return nil, nil // browser authcode flow is the default Option, so don't need to return an Option here
+		default:
+			return nil, fmt.Errorf(
+				"--upstream-identity-provider-flow value not recognized for identity provider type %q: %s (supported values: %s)",
+				requestedIDPType, requestedFlow, strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String(), idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()}, ", "))
+		}
+	case idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory:
+		switch requestedFlow {
+		case idpdiscoveryv1alpha1.IDPFlowCLIPassword, "":
+			return useCLIFlow, nil
+		case idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode:
+			fallthrough // not supported for LDAP providers, so fallthrough to error case
+		default:
+			return nil, fmt.Errorf(
+				"--upstream-identity-provider-flow value not recognized for identity provider type %q: %s (supported values: %s)",
+				requestedIDPType, requestedFlow, []string{idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()})
+		}
+	default:
+		// Surprisingly cobra does not support this kind of flag validation. See https://github.com/spf13/pflag/issues/236
+		return nil, fmt.Errorf(
+			"--upstream-identity-provider-type value not recognized: %s (supported values: %s)",
+			requestedIDPType,
+			strings.Join([]string{
+				idpdiscoveryv1alpha1.IDPTypeOIDC.String(),
+				idpdiscoveryv1alpha1.IDPTypeLDAP.String(),
+				idpdiscoveryv1alpha1.IDPTypeActiveDirectory.String(),
+			}, ", "),
+		)
+	}
+}
+
 func makeClient(caBundlePaths []string, caBundleData []string) (*http.Client, error) {
 	pool := x509.NewCertPool()
 	for _, p := range caBundlePaths {

cmd/pinniped/cmd/login_oidc_test.go

@@ -60,23 +60,26 @@ func TestLoginOIDCCommand(t *testing.T) {
 				  oidc --issuer ISSUER [flags]
 
 				Flags:
-				      --ca-bundle strings                     Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
-				      --ca-bundle-data strings                Base64 encoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
-				      --client-id string                      OpenID Connect client ID (default "pinniped-cli")
-				      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
-				      --concierge-authenticator-name string   Concierge authenticator name
-				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
-				      --concierge-ca-bundle-data string       CA bundle to use when connecting to the Concierge
-				      --concierge-endpoint string             API base for the Concierge endpoint
-				      --credential-cache string               Path to cluster-specific credentials cache ("" disables the cache) (default "` + cfgDir + `/credentials.yaml")
-				      --enable-concierge                      Use the Concierge to login
-				  -h, --help                                  help for oidc
-				      --issuer string                         OpenID Connect issuer URL
-				      --listen-port uint16                    TCP port for localhost listener (authorization code flow only)
-				      --request-audience string               Request a token with an alternate audience using RFC8693 token exchange
-				      --scopes strings                        OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience])
-				      --session-cache string                  Path to session cache file (default "` + cfgDir + `/sessions.yaml")
-				      --skip-browser                          Skip opening the browser (just print the URL)
+				      --ca-bundle strings                        Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
+				      --ca-bundle-data strings                   Base64 encoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
+				      --client-id string                         OpenID Connect client ID (default "pinniped-cli")
+				      --concierge-api-group-suffix string        Concierge API group suffix (default "pinniped.dev")
+				      --concierge-authenticator-name string      Concierge authenticator name
+				      --concierge-authenticator-type string      Concierge authenticator type (e.g., 'webhook', 'jwt')
+				      --concierge-ca-bundle-data string          CA bundle to use when connecting to the Concierge
+				      --concierge-endpoint string                API base for the Concierge endpoint
+				      --credential-cache string                  Path to cluster-specific credentials cache ("" disables the cache) (default "` + cfgDir + `/credentials.yaml")
+				      --enable-concierge                         Use the Concierge to login
+				  -h, --help                                     help for oidc
+				      --issuer string                            OpenID Connect issuer URL
+				      --listen-port uint16                       TCP port for localhost listener (authorization code flow only)
+				      --request-audience string                  Request a token with an alternate audience using RFC8693 token exchange
+				      --scopes strings                           OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience])
+				      --session-cache string                     Path to session cache file (default "` + cfgDir + `/sessions.yaml")
+				      --skip-browser                             Skip opening the browser (just print the URL)
+					  --upstream-identity-provider-flow string   The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
+					  --upstream-identity-provider-name string   The name of the upstream identity provider used during login with a Supervisor
+					  --upstream-identity-provider-type string   The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory') (default "oidc")
 			`),
 		},
 		{
@@ -138,11 +141,146 @@ func TestLoginOIDCCommand(t *testing.T) {
 				Error: invalid Concierge parameters: invalid API group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
 			`),
 		},
+		{
+			name: "invalid upstream type",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--upstream-identity-provider-type", "invalid",
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: --upstream-identity-provider-type value not recognized: invalid (supported values: oidc, ldap, activedirectory)
+			`),
+		},
+		{
+			name: "oidc upstream type with default flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "oidc",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 4,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "oidc upstream type with CLI flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "oidc",
+				"--upstream-identity-provider-flow", "cli_password",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 5,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "oidc upstream type with browser flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "oidc",
+				"--upstream-identity-provider-flow", "browser_authcode",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 4,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "oidc upstream type with unsupported flow is an error",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "oidc",
+				"--upstream-identity-provider-flow", "foobar",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: --upstream-identity-provider-flow value not recognized for identity provider type "oidc": foobar (supported values: browser_authcode, cli_password)
+			`),
+		},
+		{
+			name: "ldap upstream type with default flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "ldap",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 5,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "activedirectory upstream type with default flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "activedirectory",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 5,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "ldap upstream type with CLI flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "ldap",
+				"--upstream-identity-provider-flow", "cli_password",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 5,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "ldap upstream type with unsupported flow is an error",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "ldap",
+				"--upstream-identity-provider-flow", "browser_authcode", // "browser_authcode" is only supported for OIDC upstreams
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: --upstream-identity-provider-flow value not recognized for identity provider type "ldap": browser_authcode (supported values: [cli_password])
+			`),
+		},
+		{
+			name: "active directory upstream type with CLI flow is allowed",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "activedirectory",
+				"--upstream-identity-provider-flow", "cli_password",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantOptionsCount: 5,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+		},
+		{
+			name: "active directory upstream type with unsupported flow is an error",
+			args: []string{
+				"--issuer", "test-issuer",
+				"--client-id", "test-client-id",
+				"--upstream-identity-provider-type", "activedirectory",
+				"--upstream-identity-provider-flow", "browser_authcode", // "browser_authcode" is only supported for OIDC upstreams
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
+			},
+			wantError: true,
+			wantStderr: here.Doc(`
+				Error: --upstream-identity-provider-flow value not recognized for identity provider type "activedirectory": browser_authcode (supported values: [cli_password])
+			`),
+		},
 		{
 			name: "login error",
 			args: []string{
 				"--client-id", "test-client-id",
 				"--issuer", "test-issuer",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
 			},
 			loginErr:         fmt.Errorf("some login error"),
 			wantOptionsCount: 4,
@@ -160,6 +298,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--concierge-authenticator-type", "jwt",
 				"--concierge-authenticator-name", "test-authenticator",
 				"--concierge-endpoint", "https://127.0.0.1:1234/",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
 			},
 			conciergeErr:     fmt.Errorf("some concierge error"),
 			wantOptionsCount: 4,
@@ -173,14 +312,14 @@ func TestLoginOIDCCommand(t *testing.T) {
 			args: []string{
 				"--client-id", "test-client-id",
 				"--issuer", "test-issuer",
+				"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
 			},
 			env:              map[string]string{"PINNIPED_DEBUG": "true"},
 			wantOptionsCount: 4,
-			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
 			wantLogs: []string{
 				"\"level\"=0 \"msg\"=\"Pinniped login: Performing OIDC login\"  \"client id\"=\"test-client-id\" \"issuer\"=\"test-issuer\"",
 				"\"level\"=0 \"msg\"=\"Pinniped login: No concierge configured, skipping token credential exchange\"",
-				"\"level\"=0 \"msg\"=\"Pinniped login: caching cluster credential for future use.\"",
 			},
 		},
 		{
@@ -189,6 +328,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--client-id", "test-client-id",
 				"--issuer", "test-issuer",
 				"--skip-browser",
+				"--skip-listen",
 				"--listen-port", "1234",
 				"--debug-session-cache",
 				"--request-audience", "cluster-1234",
@@ -200,11 +340,13 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--concierge-endpoint", "https://127.0.0.1:1234/",
 				"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
 				"--concierge-api-group-suffix", "some.suffix.com",
-				"--credential-cache", testutil.TempDir(t) + "/credentials.yaml",
+				"--credential-cache", testutil.TempDir(t) + "/credentials.yaml", // must specify --credential-cache or else the cache file on disk causes test pollution
+				"--upstream-identity-provider-name", "some-upstream-name",
+				"--upstream-identity-provider-type", "ldap",
 			},
 			env:              map[string]string{"PINNIPED_DEBUG": "true"},
-			wantOptionsCount: 8,
-			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n",
+			wantOptionsCount: 11,
+			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
 			wantLogs: []string{
 				"\"level\"=0 \"msg\"=\"Pinniped login: Performing OIDC login\"  \"client id\"=\"test-client-id\" \"issuer\"=\"test-issuer\"",
 				"\"level\"=0 \"msg\"=\"Pinniped login: Exchanging token for cluster credential\"  \"authenticator name\"=\"test-authenticator\" \"authenticator type\"=\"webhook\" \"endpoint\"=\"https://127.0.0.1:1234/\"",

cmd/pinniped/cmd/login_static_test.go

@@ -119,7 +119,7 @@ func TestLoginStaticCommand(t *testing.T) {
 			env: map[string]string{
 				"TEST_TOKEN_ENV": "test-token",
 			},
-			wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"test-token"}}` + "\n",
+			wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"test-token"}}` + "\n",
 		},
 		{
 			name: "concierge failure",
@@ -159,7 +159,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				"--token", "test-token",
 			},
 			env:        map[string]string{"PINNIPED_DEBUG": "true"},
-			wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"test-token"}}` + "\n",
+			wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"test-token"}}` + "\n",
 		},
 	}
 	for _, tt := range tests {

cmd/pinniped/main.go

@@ -3,7 +3,20 @@
 
 package main
 
-import "go.pinniped.dev/cmd/pinniped/cmd"
+import (
+	"os"
+
+	"github.com/pkg/browser"
+
+	"go.pinniped.dev/cmd/pinniped/cmd"
+)
+
+//nolint: gochecknoinits
+func init() {
+	// browsers like chrome like to write to our std out which breaks our JSON ExecCredential output
+	// thus we redirect the browser's std out to our std err
+	browser.Stdout = os.Stderr
+}
 
 func main() {
 	cmd.Execute()

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -21,7 +21,8 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: Describes the configuration status of a Pinniped credential issuer.
+        description: CredentialIssuer describes the configuration and status of the
+          Pinniped Concierge credential issuer.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -35,8 +36,73 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If not set, the proxy will be served
+                      using the external name of the LoadBalancer service or the cluster
+                      service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
+                      is \"None\"."
+                    type: string
+                  mode:
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuration of the Service
+                      provisioned to expose the impersonation proxy to clients.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
@@ -60,8 +126,8 @@ spec:
                 description: List of integration strategies that were attempted by
                   Pinniped.
                 items:
-                  description: Status of an integration strategy that was attempted
-                    by Pinniped.
+                  description: CredentialIssuerStrategy describes the status of an
+                    integration strategy that was attempted by Pinniped.
                   properties:
                     frontend:
                       description: Frontend describes how clients can connect using

deploy/concierge/deployment.yaml

@@ -3,7 +3,8 @@
 
 #@ load("@ytt:data", "data")
 #@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:template", "template")
 
 #@ if not data.values.into_namespace:
 ---
@@ -29,6 +30,18 @@ metadata:
   labels: #@ labels()
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+  namespace: #@ namespace()
+  labels: #@ labels()
+  annotations:
+    #! we need to create this service account before we create the secret
+    kapp.k14s.io/change-group: "impersonation-proxy.concierge.pinniped.dev/serviceaccount"
+secrets: #! make sure the token controller does not create any other secrets
+- name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: #@ defaultResourceNameWithSuffix("config")
@@ -49,8 +62,8 @@ data:
       servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
       credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
       apiService: (@= defaultResourceNameWithSuffix("api") @)
-      impersonationConfigMap: (@= defaultResourceNameWithSuffix("impersonation-proxy-config") @)
       impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @)
+      impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @)
       impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @)
       impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
       impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
@@ -96,10 +109,16 @@ metadata:
 spec:
   replicas: #@ data.values.replicas
   selector:
+    #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades.
     matchLabels: #@ defaultLabel()
   template:
     metadata:
-      labels: #@ defaultLabel()
+      labels:
+        #! This has always included defaultLabel(), which is used by this Deployment's selector.
+        _: #@ template.replace(defaultLabel())
+        #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
+        #! without accidentally selecting any other Deployment's Pods, especially the kube cert agent Deployment's Pods.
+        _: #@ template.replace(deploymentPodLabel())
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
@@ -119,6 +138,8 @@ spec:
           image: #@ data.values.image_repo + ":" + data.values.image_tag
           #@ end
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           resources:
             requests:
               cpu: "100m"
@@ -126,14 +147,31 @@ spec:
             limits:
               cpu: "100m"
               memory: "128Mi"
-          args:
+          command:
+            - pinniped-concierge
             - --config=/etc/config/pinniped.yaml
             - --downward-api-path=/etc/podinfo
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: config-volume
               mountPath: /etc/config
+              readOnly: true
             - name: podinfo
               mountPath: /etc/podinfo
+              readOnly: true
+            - name: impersonation-proxy
+              mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
+              readOnly: true
+          env:
+            #@ if data.values.https_proxy:
+            - name: HTTPS_PROXY
+              value: #@ data.values.https_proxy
+            #@ end
+            #@ if data.values.https_proxy and data.values.no_proxy:
+            - name: NO_PROXY
+              value: #@ data.values.no_proxy
+            #@ end
           livenessProbe:
             httpGet:
               path: /healthz
@@ -153,9 +191,19 @@ spec:
             periodSeconds: 10
             failureThreshold: 3
       volumes:
+        - name: tmp
+          emptyDir:
+            medium: Memory
+            sizeLimit: 100Mi
         - name: config-volume
           configMap:
             name: #@ defaultResourceNameWithSuffix("config")
+        - name: impersonation-proxy
+          secret:
+            secretName: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+            items: #! make sure our pod does not start until the token controller has a chance to populate the secret
+              - key: token
+                path: token
         - name: podinfo
           downwardAPI:
             items:
@@ -184,7 +232,7 @@ spec:
             - weight: 50
               podAffinityTerm:
                 labelSelector:
-                  matchLabels: #@ defaultLabel()
+                  matchLabels: #@ deploymentPodLabel()
                 topologyKey: kubernetes.io/hostname
 ---
 apiVersion: v1
@@ -194,9 +242,12 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("api")
   namespace: #@ namespace()
   labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: ClusterIP
-  selector: #@ defaultLabel()
+  selector: #@ deploymentPodLabel()
   ports:
     - protocol: TCP
       port: 443
@@ -208,9 +259,12 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("proxy")
   namespace: #@ namespace()
   labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: ClusterIP
-  selector: #@ defaultLabel()
+  selector: #@ deploymentPodLabel()
   ports:
     - protocol: TCP
       port: 443
@@ -247,3 +301,34 @@ spec:
     name: #@ defaultResourceNameWithSuffix("api")
     namespace: #@ namespace()
     port: 443
+---
+apiVersion: #@ pinnipedDevAPIGroupWithPrefix("config.concierge") + "/v1alpha1"
+kind: CredentialIssuer
+metadata:
+  name: #@ defaultResourceNameWithSuffix("config")
+  labels: #@ labels()
+spec:
+  impersonationProxy:
+    mode: #@ data.values.impersonation_proxy_spec.mode
+    #@ if data.values.impersonation_proxy_spec.external_endpoint:
+    externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint
+    #@ end
+    service:
+      type: #@ data.values.impersonation_proxy_spec.service.type
+      #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
+      loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
+      #@ end
+      annotations: #@ data.values.impersonation_proxy_spec.service.annotations
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+  namespace: #@ namespace()
+  labels: #@ labels()
+  annotations:
+    #! wait until the SA exists to create this secret so that the token controller does not delete it
+    #! we have this secret at the end so that kubectl will create the service account first
+    kapp.k14s.io/change-rule: "upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount"
+    kubernetes.io/service-account.name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+type: kubernetes.io/service-account-token

deploy/concierge/helpers.lib.yaml

@@ -25,9 +25,14 @@
 #@ end
 
 #@ def defaultLabel():
+#! Note that the name of this label's key is also assumed by kubecertagent.go and impersonator_config.go
 app: #@ data.values.app_name
 #@ end
 
+#@ def deploymentPodLabel():
+deployment.pinniped.dev: concierge
+#@ end
+
 #@ def labels():
 _: #@ template.replace(defaultLabel())
 _: #@ template.replace(data.values.custom_labels)

deploy/concierge/rbac.yaml

@@ -28,12 +28,6 @@ rules:
     resources: [ securitycontextconstraints ]
     verbs: [ use ]
     resourceNames: [ nonroot ]
-  - apiGroups: [ "" ]
-    resources: [ "users", "groups", "serviceaccounts" ]
-    verbs: [ "impersonate" ]
-  - apiGroups: [ "authentication.k8s.io" ]
-    resources: [ "*" ]  #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
-    verbs: [ "impersonate" ]
   - apiGroups: [ "" ]
     resources: [ nodes ]
     verbs: [ list ]
@@ -64,6 +58,35 @@ roleRef:
   name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
   apiGroup: rbac.authorization.k8s.io
 
+#! Give minimal permissions to impersonation proxy service account
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+  labels: #@ labels()
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "users", "groups", "serviceaccounts" ]
+    verbs: [ "impersonate" ]
+  - apiGroups: [ "authentication.k8s.io" ]
+    resources: [ "*" ]  #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
+    verbs: [ "impersonate" ]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+  labels: #@ labels()
+subjects:
+  - kind: ServiceAccount
+    name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+    namespace: #@ namespace()
+roleRef:
+  kind: ClusterRole
+  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+  apiGroup: rbac.authorization.k8s.io
+
 #! Give permission to the kube-cert-agent Pod to run privileged.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -122,7 +145,7 @@ rules:
   #! We need to be able to create and update deployments in our namespace so we can manage the kube-cert-agent Deployment.
   - apiGroups: [ apps ]
     resources: [ deployments ]
-    verbs: [ create, get, list, patch, update, watch ]
+    verbs: [ create, get, list, patch, update, watch, delete ]
   #! We need to be able to get replicasets so we can form the correct owner references on our generated objects.
   - apiGroups: [ apps ]
     resources: [ replicasets ]
@@ -130,6 +153,9 @@ rules:
   - apiGroups: [ "" ]
     resources: [ configmaps ]
     verbs: [ list, get, watch ]
+  - apiGroups: [ coordination.k8s.io ]
+    resources: [ leases ]
+    verbs: [ create, get, update ]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

deploy/concierge/values.yaml

@@ -63,3 +63,41 @@ run_as_group: 1001 #! run_as_group specifies the group ID that will own the proc
 #! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
 #! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
 api_group_suffix: pinniped.dev
+
+#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
+#! handles impersonation.
+impersonation_proxy_spec:
+  #! options are "auto", "disabled" or "enabled".
+  #! If auto, the impersonation proxy will run only if the cluster signing key is not available
+  #! and the other strategy does not work.
+  #! If disabled, the impersonation proxy will never run, which could mean that the concierge
+  #! doesn't work at all.
+  #! If enabled, the impersonation proxy will always run regardless of other strategies available.
+  mode: auto
+  #! The endpoint which the client should use to connect to the impersonation proxy.
+  #! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
+  #! endpoint.
+  external_endpoint:
+  service:
+    #! Options are "LoadBalancer", "ClusterIP" and "None".
+    #! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
+    #! the impersonation proxy. Some cloud providers will allocate
+    #! a public IP address by default even on private clusters.
+    #! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
+    #! impersonation proxy.
+    #! None does not provision either and assumes that you have set the external_endpoint
+    #! and set up your own ingress to connect to the impersonation proxy.
+    type: LoadBalancer
+    #! The annotations that should be set on the ClusterIP or LoadBalancer Service.
+    annotations:
+      {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
+    #! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
+    load_balancer_ip:
+
+#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
+#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
+#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
+#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
+#! Optional.
+https_proxy: #! e.g. http://proxy.example.com
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints

deploy/local-user-authenticator/deployment.yaml

@@ -63,8 +63,8 @@ spec:
           image: #@ data.values.image_repo + ":" + data.values.image_tag
           #@ end
           imagePullPolicy: IfNotPresent
-          command: #! override the default entrypoint
-            - /usr/local/bin/local-user-authenticator
+          command:
+            - local-user-authenticator
 ---
 apiVersion: v1
 kind: Service
@@ -73,6 +73,9 @@ metadata:
   namespace: local-user-authenticator
   labels:
     app: local-user-authenticator
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: ClusterIP
   selector:

deploy/supervisor/deployment.yaml

@@ -3,7 +3,8 @@
 
 #@ load("@ytt:data", "data")
 #@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel")
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel")
+#@ load("@ytt:template", "template")
 
 #@ if not data.values.into_namespace:
 ---
@@ -59,10 +60,16 @@ metadata:
 spec:
   replicas: #@ data.values.replicas
   selector:
+    #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades.
     matchLabels: #@ defaultLabel()
   template:
     metadata:
-      labels: #@ defaultLabel()
+      labels:
+        #! This has always included defaultLabel(), which is used by this Deployment's selector.
+        _: #@ template.replace(defaultLabel())
+        #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
+        #! without accidentally selecting pods from any future Deployments which might also want to use the defaultLabel().
+        _: #@ template.replace(deploymentPodLabel())
     spec:
       securityContext:
         runAsUser: #@ data.values.run_as_user
@@ -80,11 +87,12 @@ spec:
           image: #@ data.values.image_repo + ":" + data.values.image_tag
           #@ end
           imagePullPolicy: IfNotPresent
-          command: #! override the default entrypoint
-            - /usr/local/bin/pinniped-supervisor
-          args:
+          command:
+            - pinniped-supervisor
             - /etc/podinfo
             - /etc/config/pinniped.yaml
+          securityContext:
+            readOnlyRootFilesystem: true
           resources:
             requests:
               cpu: "100m"
@@ -95,13 +103,24 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /etc/config
+              readOnly: true
             - name: podinfo
               mountPath: /etc/podinfo
+              readOnly: true
           ports:
             - containerPort: 8080
               protocol: TCP
             - containerPort: 8443
               protocol: TCP
+          env:
+            #@ if data.values.https_proxy:
+            - name: HTTPS_PROXY
+              value: #@ data.values.https_proxy
+            #@ end
+            #@ if data.values.https_proxy and data.values.no_proxy:
+            - name: NO_PROXY
+              value: #@ data.values.no_proxy
+            #@ end
           livenessProbe:
             httpGet:
               path: /healthz
@@ -144,5 +163,5 @@ spec:
             - weight: 50
               podAffinityTerm:
                 labelSelector:
-                  matchLabels: #@ defaultLabel()
+                  matchLabels: #@ deploymentPodLabel()
                 topologyKey: kubernetes.io/hostname

deploy/supervisor/helpers.lib.yaml

@@ -28,6 +28,10 @@
 app: #@ data.values.app_name
 #@ end
 
+#@ def deploymentPodLabel():
+deployment.pinniped.dev: supervisor
+#@ end
+
 #@ def labels():
 _: #@ template.replace(defaultLabel())
 _: #@ template.replace(data.values.custom_labels)

deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -0,0 +1,281 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: ActiveDirectoryIdentityProvider
+    listKind: ActiveDirectoryIdentityProviderList
+    plural: activedirectoryidentityproviders
+    singular: activedirectoryidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.host
+      name: Host
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ActiveDirectoryIdentityProvider describes the configuration of
+          an upstream Microsoft Active Directory identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              bind:
+                description: Bind contains the configuration for how to provide access
+                  credentials during an initial bind to the ActiveDirectory server
+                  to be allowed to perform searches and binds to validate a user's
+                  credentials during a user's authentication attempt.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the username and password for an
+                      Active Directory bind user. This account will be used to perform
+                      LDAP searches. The Secret should be of type "kubernetes.io/basic-auth"
+                      which includes "username" and "password" keys. The username
+                      value should be the full dn (distinguished name) of your bind
+                      account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+                      The password must be non-empty.
+                    minLength: 1
+                    type: string
+                required:
+                - secretName
+                type: object
+              groupSearch:
+                description: GroupSearch contains the configuration for searching
+                  for a user's group membership in ActiveDirectory.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the group's information
+                      should be read from each ActiveDirectory entry which was found
+                      as the result of the group search.
+                    properties:
+                      groupName:
+                        description: GroupName specifies the name of the attribute
+                          in the Active Directory entries whose value shall become
+                          a group name in the user's list of groups after a successful
+                          authentication. The value of this field is case-sensitive
+                          and must match the case of the attribute name returned by
+                          the ActiveDirectory server in the user's entry. E.g. "cn"
+                          for common name. Distinguished names can be used by specifying
+                          lower-case "dn". Optional. When not specified, this defaults
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
+                    type: string
+                  filter:
+                    description: Filter is the ActiveDirectory search filter which
+                      should be applied when searching for groups for a user. The
+                      pattern "{}" must occur in the filter at least once and will
+                      be dynamically replaced by the dn (distinguished name) of the
+                      user entry found as a result of the user search. E.g. "member={}"
+                      or "&(objectClass=groupOfNames)(member={})". For more information
+                      about ActiveDirectory filters, see https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of
+                      an entry, so "dn={}" cannot be used. Optional. When not specified,
+                      the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+                      This searches nested groups by default. Note that nested group
+                      search can be slow for some Active Directory servers. To disable
+                      it, you can set the filter to "(&(objectClass=group)(member={})"
+                    type: string
+                type: object
+              host:
+                description: 'Host is the hostname of this Active Directory identity
+                  provider, i.e., where to connect. For example: ldap.example.com:636.'
+                minLength: 1
+                type: string
+              tls:
+                description: TLS contains the connection settings for how to establish
+                  the connection to the Host.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+              userSearch:
+                description: UserSearch contains the configuration for searching for
+                  a user by name in Active Directory.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the user's information should
+                      be read from the ActiveDirectory entry which was found as the
+                      result of the user search.
+                    properties:
+                      uid:
+                        description: UID specifies the name of the attribute in the
+                          ActiveDirectory entry which whose value shall be used to
+                          uniquely identify the user within this ActiveDirectory provider
+                          after a successful authentication. Optional, when empty
+                          this defaults to "objectGUID".
+                        type: string
+                      username:
+                        description: Username specifies the name of the attribute
+                          in Active Directory entry whose value shall become the username
+                          of the user after a successful authentication. Optional,
+                          when empty this defaults to "userPrincipalName".
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
+                    type: string
+                  filter:
+                    description: Filter is the search filter which should be applied
+                      when searching for users. The pattern "{}" must occur in the
+                      filter at least once and will be dynamically replaced by the
+                      username for which the search is being run. E.g. "mail={}" or
+                      "&(objectClass=person)(uid={})". For more information about
+                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
+                      dn (distinguished name) is not an attribute of an entry, so
+                      "dn={}" cannot be used. Optional. When not specified, the default
+                      will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
+                    type: string
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -0,0 +1,278 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: ldapidentityproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: LDAPIdentityProvider
+    listKind: LDAPIdentityProviderList
+    plural: ldapidentityproviders
+    singular: ldapidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.host
+      name: Host
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: LDAPIdentityProvider describes the configuration of an upstream
+          Lightweight Directory Access Protocol (LDAP) identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              bind:
+                description: Bind contains the configuration for how to provide access
+                  credentials during an initial bind to the LDAP server to be allowed
+                  to perform searches and binds to validate a user's credentials during
+                  a user's authentication attempt.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the username and password for an
+                      LDAP bind user. This account will be used to perform LDAP searches.
+                      The Secret should be of type "kubernetes.io/basic-auth" which
+                      includes "username" and "password" keys. The username value
+                      should be the full dn (distinguished name) of your bind account,
+                      e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
+                      must be non-empty.
+                    minLength: 1
+                    type: string
+                required:
+                - secretName
+                type: object
+              groupSearch:
+                description: GroupSearch contains the configuration for searching
+                  for a user's group membership in the LDAP provider.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the group's information
+                      should be read from each LDAP entry which was found as the result
+                      of the group search.
+                    properties:
+                      groupName:
+                        description: GroupName specifies the name of the attribute
+                          in the LDAP entries whose value shall become a group name
+                          in the user's list of groups after a successful authentication.
+                          The value of this field is case-sensitive and must match
+                          the case of the attribute name returned by the LDAP server
+                          in the user's entry. E.g. "cn" for common name. Distinguished
+                          names can be used by specifying lower-case "dn". Optional.
+                          When not specified, the default will act as if the GroupName
+                          were specified as "dn" (distinguished name).
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
+                      When not specified, no group search will be performed and authenticated
+                      users will not belong to any groups from the LDAP provider.
+                      Also, when not specified, the values of Filter and Attributes
+                      are ignored.
+                    type: string
+                  filter:
+                    description: Filter is the LDAP search filter which should be
+                      applied when searching for groups for a user. The pattern "{}"
+                      must occur in the filter at least once and will be dynamically
+                      replaced by the dn (distinguished name) of the user entry found
+                      as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+                      For more information about LDAP filters, see https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of
+                      an entry, so "dn={}" cannot be used. Optional. When not specified,
+                      the default will act as if the Filter were specified as "member={}".
+                    type: string
+                type: object
+              host:
+                description: 'Host is the hostname of this LDAP identity provider,
+                  i.e., where to connect. For example: ldap.example.com:636.'
+                minLength: 1
+                type: string
+              tls:
+                description: TLS contains the connection settings for how to establish
+                  the connection to the Host.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+              userSearch:
+                description: UserSearch contains the configuration for searching for
+                  a user by name in the LDAP provider.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the user's information should
+                      be read from the LDAP entry which was found as the result of
+                      the user search.
+                    properties:
+                      uid:
+                        description: UID specifies the name of the attribute in the
+                          LDAP entry which whose value shall be used to uniquely identify
+                          the user within this LDAP provider after a successful authentication.
+                          E.g. "uidNumber" or "objectGUID". The value of this field
+                          is case-sensitive and must match the case of the attribute
+                          name returned by the LDAP server in the user's entry. Distinguished
+                          names can be used by specifying lower-case "dn".
+                        minLength: 1
+                        type: string
+                      username:
+                        description: Username specifies the name of the attribute
+                          in the LDAP entry whose value shall become the username
+                          of the user after a successful authentication. This would
+                          typically be the same attribute name used in the user search
+                          filter, although it can be different. E.g. "mail" or "uid"
+                          or "userPrincipalName". The value of this field is case-sensitive
+                          and must match the case of the attribute name returned by
+                          the LDAP server in the user's entry. Distinguished names
+                          can be used by specifying lower-case "dn". When this field
+                          is set to "dn" then the LDAPIdentityProviderUserSearch's
+                          Filter field cannot be blank, since the default value of
+                          "dn={}" would not work.
+                        minLength: 1
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                    minLength: 1
+                    type: string
+                  filter:
+                    description: Filter is the LDAP search filter which should be
+                      applied when searching for users. The pattern "{}" must occur
+                      in the filter at least once and will be dynamically replaced
+                      by the username for which the search is being run. E.g. "mail={}"
+                      or "&(objectClass=person)(uid={})". For more information about
+                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
+                      dn (distinguished name) is not an attribute of an entry, so
+                      "dn={}" cannot be used. Optional. When not specified, the default
+                      will act as if the Filter were specified as the value from Attributes.Username
+                      appended by "={}". When the Attributes.Username is set to "dn"
+                      then the Filter must be explicitly specified, since the default
+                      value of "dn={}" would not work.
+                    type: string
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the LDAPIdentityProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -59,11 +59,44 @@ spec:
                   additionalScopes:
                     description: AdditionalScopes are the scopes in addition to "openid"
                       that will be requested as part of the authorization request
-                      flow with an OIDC identity provider. By default only the "openid"
-                      scope will be requested.
+                      flow with an OIDC identity provider. In the case of a Resource
+                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      the scopes in addition to "openid" that will be requested as
+                      part of the token request (see also the allowPasswordGrant field).
+                      By default, only the "openid" scope will be requested.
                     items:
                       type: string
                     type: array
+                  allowPasswordGrant:
+                    description: AllowPasswordGrant, when true, will allow the use
+                      of OAuth 2.0's Resource Owner Password Credentials Grant (see
+                      https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
+                      authenticate to the OIDC provider using a username and password
+                      without a web browser, in addition to the usual browser-based
+                      OIDC Authorization Code Flow. The Resource Owner Password Credentials
+                      Grant is not officially part of the OIDC specification, so it
+                      may not be supported by your OIDC provider. If your OIDC provider
+                      supports returning ID tokens from a Resource Owner Password
+                      Credentials Grant token request, then you can choose to set
+                      this field to true. This will allow end users to choose to present
+                      their username and password to the kubectl CLI (using the Pinniped
+                      plugin) to authenticate to the cluster, without using a web
+                      browser to log in as is customary in OIDC Authorization Code
+                      Flow. This may be convenient for users, especially for identities
+                      from your OIDC provider which are not intended to represent
+                      a human actor, such as service accounts performing actions in
+                      a CI/CD environment. Even if your OIDC provider supports it,
+                      you may wish to disable this behavior by setting this field
+                      to false when you prefer to only allow users of this OIDCIdentityProvider
+                      to log in via the browser-based OIDC Authorization Code Flow.
+                      Using the Resource Owner Password Credentials Grant means that
+                      the Pinniped CLI and Pinniped Supervisor will directly handle
+                      your end users' passwords (similar to LDAPIdentityProvider),
+                      and you will not be able to require multi-factor authentication
+                      or use the other web-based login features of your OIDC provider
+                      during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
+                      defaults to false.
+                    type: boolean
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be

deploy/supervisor/rbac.yaml

@@ -32,6 +32,22 @@ rules:
       - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
     resources: [oidcidentityproviders/status]
     verbs: [get, patch, update]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [ldapidentityproviders]
+    verbs: [get, list, watch]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [ldapidentityproviders/status]
+    verbs: [get, patch, update]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [activedirectoryidentityproviders]
+    verbs: [get, list, watch]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [activedirectoryidentityproviders/status]
+    verbs: [get, patch, update]
     #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
     #! as an owner reference.
   - apiGroups: [""]
@@ -40,6 +56,9 @@ rules:
   - apiGroups: [apps]
     resources: [replicasets,deployments]
     verbs: [get]
+  - apiGroups: [ coordination.k8s.io ]
+    resources: [ leases ]
+    verbs: [ create, get, update ]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

deploy/supervisor/service.yaml

@@ -1,8 +1,8 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
+#@ load("helpers.lib.yaml", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 
 #@ if data.values.service_http_nodeport_port or data.values.service_https_nodeport_port:
 ---
@@ -12,10 +12,12 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("nodeport")
   namespace: #@ namespace()
   labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: NodePort
-  selector:
-    app: #@ data.values.app_name
+  selector: #@ deploymentPodLabel()
   ports:
     #@ if data.values.service_http_nodeport_port:
     - name: http
@@ -45,9 +47,12 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("clusterip")
   namespace: #@ namespace()
   labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: ClusterIP
-  selector: #@ defaultLabel()
+  selector: #@ deploymentPodLabel()
   ports:
     #@ if data.values.service_http_clusterip_port:
     - name: http
@@ -71,9 +76,12 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("loadbalancer")
   namespace: #@ namespace()
   labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
 spec:
   type: LoadBalancer
-  selector: #@ defaultLabel()
+  selector: #@ deploymentPodLabel()
   #@ if data.values.service_loadbalancer_ip:
   loadBalancerIP: #@ data.values.service_loadbalancer_ip
   #@ end

deploy/supervisor/values.yaml

@@ -65,3 +65,11 @@ run_as_group: 1001 #! run_as_group specifies the group ID that will own the proc
 #! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
 #! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
 api_group_suffix: pinniped.dev
+
+#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
+#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
+#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
+#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
+#! Optional.
+https_proxy: #! e.g. http://proxy.example.com
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints

deploy/supervisor/z0_crd_overlay.yaml

@@ -22,3 +22,21 @@ metadata:
   name: #@ pinnipedDevAPIGroupWithPrefix("oidcidentityproviders.idp.supervisor")
 spec:
   group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"ldapidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
+---
+metadata:
+  #@overlay/match missing_ok=True
+  labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("ldapidentityproviders.idp.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"activedirectoryidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
+---
+metadata:
+  #@overlay/match missing_ok=True
+  labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("activedirectoryidentityproviders.idp.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")

generated/1.17/README.adoc

@@ -220,7 +220,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer"]
 ==== CredentialIssuer 
 
-Describes the configuration status of a Pinniped credential issuer.
+CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
 
 .Appears In:
 ****
@@ -232,7 +232,8 @@ Describes the configuration status of a Pinniped credential issuer.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,10 +276,27 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
-Status of a credential issuer.
+CredentialIssuerStatus describes the status of the Concierge.
 
 .Appears In:
 ****
@@ -333,6 +351,70 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
+ This field must be non-empty when spec.impersonationProxy.service.type is "None".
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 
@@ -666,13 +748,166 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity pro
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"]
-==== Condition 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider"]
+==== ActiveDirectoryIdentityProvider 
 
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderlist[$$ActiveDirectoryIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus[$$ActiveDirectoryIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderbind"]
+==== ActiveDirectoryIdentityProviderBind 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch"]
+==== ActiveDirectoryIdentityProviderGroupSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes"]
+==== ActiveDirectoryIdentityProviderGroupSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch[$$ActiveDirectoryIdentityProviderGroupSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec"]
+==== ActiveDirectoryIdentityProviderSpec 
+
+Spec for configuring an ActiveDirectory identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider[$$ActiveDirectoryIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`host`* __string__ | Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
+| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderbind[$$ActiveDirectoryIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch[$$ActiveDirectoryIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in Active Directory.
+| *`groupSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch[$$ActiveDirectoryIdentityProviderGroupSearch$$]__ | GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus"]
+==== ActiveDirectoryIdentityProviderStatus 
+
+Status of an Active Directory identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider[$$ActiveDirectoryIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __ActiveDirectoryIdentityProviderPhase__ | Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch"]
+==== ActiveDirectoryIdentityProviderUserSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes"]
+==== ActiveDirectoryIdentityProviderUserSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch[$$ActiveDirectoryIdentityProviderUserSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`username`* __string__ | Username specifies the name of the attribute in Active Directory entry whose value shall become the username of the user after a successful authentication. Optional, when empty this defaults to "userPrincipalName".
+| *`uid`* __string__ | UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely identify the user within this ActiveDirectory provider after a successful authentication. Optional, when empty this defaults to "objectGUID".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"]
+==== Condition 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus[$$ActiveDirectoryIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus[$$LDAPIdentityProviderStatus$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus[$$OIDCIdentityProviderStatus$$]
 ****
 
@@ -688,6 +923,169 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-conditionstatus"]
+==== ConditionStatus (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
+==== LDAPIdentityProvider 
+
+LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderlist[$$LDAPIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus[$$LDAPIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind"]
+==== LDAPIdentityProviderBind 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch"]
+==== LDAPIdentityProviderGroupSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes"]
+==== LDAPIdentityProviderGroupSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch[$$LDAPIdentityProviderGroupSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
+==== LDAPIdentityProviderSpec 
+
+Spec for configuring an LDAP identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovider[$$LDAPIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
+| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+| *`groupSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch[$$LDAPIdentityProviderGroupSearch$$]__ | GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus"]
+==== LDAPIdentityProviderStatus 
+
+Status of an LDAP identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovider[$$LDAPIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __LDAPIdentityProviderPhase__ | Phase summarizes the overall status of the LDAPIdentityProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch"]
+==== LDAPIdentityProviderUserSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be explicitly specified, since the default value of "dn={}" would not work.
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributes[$$LDAPIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributes"]
+==== LDAPIdentityProviderUserSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`username`* __string__ | Username specifies the name of the attribute in the LDAP entry whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default value of "dn={}" would not work.
+| *`uid`* __string__ | UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
 ==== OIDCAuthorizationConfig 
 
@@ -701,7 +1099,8 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
 
@@ -797,7 +1196,7 @@ Status of an OIDC identity provider.
 |===
 | Field | Description
 | *`phase`* __OIDCIdentityProviderPhase__ | Phase summarizes the overall status of the OIDCIdentityProvider.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
 |===
 
 
@@ -808,6 +1207,8 @@ Status of an OIDC identity provider.
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
 ****
 

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,17 +3,23 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
+// StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
 type StrategyType string
 
+// FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.
 // +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy
 type FrontendType string
 
+// StrategyStatus enumerates whether a strategy is working on a cluster.
 // +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
 
+// StrategyReason enumerates the detailed reason why a strategy is in a particular status.
 // +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey
 type StrategyReason string
 
@@ -36,7 +42,91 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
-// Status of a credential issuer.
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
+	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
+	//
+	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
@@ -47,7 +137,8 @@ type CredentialIssuerStatus struct {
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
 type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
@@ -59,7 +150,7 @@ type CredentialIssuerKubeConfigInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Status of an integration strategy that was attempted by Pinniped.
+// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@@ -81,6 +172,7 @@ type CredentialIssuerStrategy struct {
 	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
 }
 
+// CredentialIssuerFrontend describes how to connect using a particular integration strategy.
 type CredentialIssuerFrontend struct {
 	// Type describes which frontend mechanism clients can use with a strategy.
 	Type FrontendType `json:"type"`
@@ -118,7 +210,7 @@ type ImpersonationProxyInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Describes the configuration status of a Pinniped credential issuer.
+// CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -128,12 +220,18 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 
-// List of CredentialIssuer objects.
+// CredentialIssuerList is a list of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,27 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	if in.ImpersonationProxy != nil {
+		in, out := &in.ImpersonationProxy, &out.ImpersonationProxy
+		*out = new(ImpersonationProxySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +201,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.17/apis/supervisor/idp/v1alpha1/register.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -32,6 +32,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCIdentityProvider{},
 		&OIDCIdentityProviderList{},
+		&LDAPIdentityProvider{},
+		&LDAPIdentityProviderList{},
+		&ActiveDirectoryIdentityProvider{},
+		&ActiveDirectoryIdentityProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.17/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ActiveDirectoryIdentityProviderPhase string
+
+const (
+	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
+	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"
+
+	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
+	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"
+
+	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
+	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
+)
+
+// Status of an Active Directory identity provider.
+type ActiveDirectoryIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type ActiveDirectoryIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in Active Directory entry whose value shall become the username
+	// of the user after a successful authentication.
+	// Optional, when empty this defaults to "userPrincipalName".
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
+	// identify the user within this ActiveDirectory provider after a successful authentication.
+	// Optional, when empty this defaults to "objectGUID".
+	// +optional
+	UID string `json:"uid,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will be
+	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the filter were specified as
+	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+	// This searches nested groups by default.
+	// Note that nested group search can be slow for some Active Directory servers. To disable it,
+	// you can set the filter to
+	// "(&(objectClass=group)(member={})"
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an ActiveDirectory identity provider.
+type ActiveDirectoryIdentityProviderSpec struct {
+	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in Active Directory.
+	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type ActiveDirectoryIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of ActiveDirectoryIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ActiveDirectoryIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ActiveDirectoryIdentityProvider `json:"items"`
+}

generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go

@@ -0,0 +1,171 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type LDAPIdentityProviderPhase string
+
+const (
+	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
+	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"
+
+	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
+	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"
+
+	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
+	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
+)
+
+// Status of an LDAP identity provider.
+type LDAPIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the LDAPIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type LDAPIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type LDAPIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
+	// of the user after a successful authentication. This would typically be the same attribute name used in
+	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
+	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
+	// value of "dn={}" would not work.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
+	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+	// +kubebuilder:validation:MinLength=1
+	UID string `json:"uid,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type LDAPIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// +kubebuilder:validation:MinLength=1
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as the value from
+	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
+	// explicitly specified, since the default value of "dn={}" would not work.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
+	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
+	// the values of Filter and Attributes are ignored.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an LDAP identity provider.
+type LDAPIdentityProviderSpec struct {
+	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
+// Protocol (LDAP) identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type LDAPIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec LDAPIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of LDAPIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type LDAPIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []LDAPIdentityProvider `json:"items"`
+}

generated/1.17/apis/supervisor/idp/v1alpha1/types_meta.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -39,9 +39,31 @@ type OIDCIdentityProviderStatus struct {
 // request parameters.
 type OIDCAuthorizationConfig struct {
 	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
-	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	// request flow with an OIDC identity provider.
+	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// By default, only the "openid" scope will be requested.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
+
+	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
+	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
+	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
+	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
+	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
+	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
+	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
+	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
+	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
+	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
+	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
+	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
+	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
+	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
+	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
+	// AllowPasswordGrant defaults to false.
+	// +optional
+	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
 // OIDCClaims provides a mapping from upstream claims into identities.

generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -11,6 +11,196 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyInto(out *ActiveDirectoryIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.
+func (in *ActiveDirectoryIdentityProvider) DeepCopy() *ActiveDirectoryIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopyInto(out *ActiveDirectoryIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopy() *ActiveDirectoryIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyInto(out *ActiveDirectoryIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ActiveDirectoryIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopy() *ActiveDirectoryIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectoryIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopy() *ActiveDirectoryIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopyInto(out *ActiveDirectoryIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopy() *ActiveDirectoryIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopy() *ActiveDirectoryIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Condition) DeepCopyInto(out *Condition) {
 	*out = *in
@@ -28,6 +218,196 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
+func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.
+func (in *LDAPIdentityProviderBind) DeepCopy() *LDAPIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopyInto(out *LDAPIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopy() *LDAPIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopy() *LDAPIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]LDAPIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.
+func (in *LDAPIdentityProviderList) DeepCopy() *LDAPIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.
+func (in *LDAPIdentityProviderSpec) DeepCopy() *LDAPIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderStatus) DeepCopyInto(out *LDAPIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.
+func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearch) DeepCopyInto(out *LDAPIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.
+func (in *LDAPIdentityProviderUserSearch) DeepCopy() *LDAPIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopy() *LDAPIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 	*out = *in

generated/1.17/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go

@@ -0,0 +1,66 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// IDPType are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// as the "type" of each returned identity provider.
+type IDPType string
+
+// IDPFlow are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// in the array of allowed client "flows" for each returned identity provider.
+type IDPFlow string
+
+const (
+	IDPTypeOIDC            IDPType = "oidc"
+	IDPTypeLDAP            IDPType = "ldap"
+	IDPTypeActiveDirectory IDPType = "activedirectory"
+
+	IDPFlowCLIPassword     IDPFlow = "cli_password"
+	IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
+)
+
+// Equals is a convenience function for comparing an IDPType to a string.
+func (r IDPType) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPType to a string.
+func (r IDPType) String() string {
+	return string(r)
+}
+
+// Equals is a convenience function for comparing an IDPFlow to a string.
+func (r IDPFlow) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPFlow to a string.
+func (r IDPFlow) String() string {
+	return string(r)
+}
+
+// OIDCDiscoveryResponse is part of the response from a FederationDomain's OpenID Provider Configuration
+// Document returned by the .well-known/openid-configuration endpoint. It ignores all the standard OpenID Provider
+// configuration metadata and only picks out the portion related to Supervisor identity provider discovery.
+type OIDCDiscoveryResponse struct {
+	SupervisorDiscovery OIDCDiscoveryResponseIDPEndpoint `json:"discovery.supervisor.pinniped.dev/v1alpha1"`
+}
+
+// OIDCDiscoveryResponseIDPEndpoint contains the URL for the identity provider discovery endpoint.
+type OIDCDiscoveryResponseIDPEndpoint struct {
+	PinnipedIDPsEndpoint string `json:"pinniped_identity_providers_endpoint"`
+}
+
+// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
+type IDPDiscoveryResponse struct {
+	PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
+}
+
+// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
+// identity provider discovery endpoint.
+type PinnipedIDP struct {
+	Name  string    `json:"name"`
+	Type  IDPType   `json:"type"`
+	Flows []IDPFlow `json:"flows,omitempty"`
+}

generated/1.17/apis/supervisor/oidc/types_supervisor_oidc.go

@@ -0,0 +1,25 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+// Constants related to the Supervisor FederationDomain's authorization and token endpoints.
+const (
+	// AuthorizeUsernameHeaderName is the name of the HTTP header which can be used to transmit a username
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizeUsernameHeaderName = "Pinniped-Username"
+
+	// AuthorizePasswordHeaderName is the name of the HTTP header which can be used to transmit a password
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
+
+	// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the name of the desired identity provider.
+	AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
+
+	// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the type of the desired identity provider.
+	AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+)

generated/1.17/client/go.mod

@@ -4,11 +4,9 @@ module go.pinniped.dev/generated/1.17/client
 go 1.13
 
 require (
-	github.com/go-openapi/spec v0.19.9
 	go.pinniped.dev/generated/1.17/apis v0.0.0-00010101000000-000000000000
 	k8s.io/apimachinery v0.17.11
 	k8s.io/client-go v0.17.11
-	k8s.io/kube-openapi v0.0.0-20200410145947-bcb3869e6f29
 )
 
 replace go.pinniped.dev/generated/1.17/apis => ../apis

generated/1.17/client/go.sum

@@ -11,11 +11,7 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -23,7 +19,6 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/evanphx/json-patch v0.0.0-20200808040245-162e5629780b h1:vCplRbYcTTeBVLjIU0KvipEeVBSxl6sakUBRmeLBTkw=
 github.com/evanphx/json-patch v0.0.0-20200808040245-162e5629780b/go.mod h1:NAJj0yf/KaRKURN6nyi7A9IZydMivZEm9oQLWNjfKDc=
@@ -32,17 +27,9 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.19.4 h1:3Vw+rh13uq2JFNxgnMTGE1rnoieU9FmyE1gvnyylsYg=
-github.com/go-openapi/jsonreference v0.19.4/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.19.9 h1:9z9cbFuZJ7AcvOHKIY+f6Aevb4vObNDkTEyoMfO7rAc=
-github.com/go-openapi/spec v0.19.9/go.mod h1:vqK/dIdLGCosfvYsQV3WfC7N3TiZSnGY2RZKoFK7X28=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -89,9 +76,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e h1:hB2xlXdHp/pmPZq0y3QnmWAArdw9PqbmotexnWx/FU8=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -137,7 +121,6 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -159,9 +142,8 @@ golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -191,7 +173,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/activedirectoryidentityprovider.go

@@ -0,0 +1,178 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// ActiveDirectoryIdentityProvidersGetter has a method to return a ActiveDirectoryIdentityProviderInterface.
+// A group's client should implement this interface.
+type ActiveDirectoryIdentityProvidersGetter interface {
+	ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderInterface
+}
+
+// ActiveDirectoryIdentityProviderInterface has methods to work with ActiveDirectoryIdentityProvider resources.
+type ActiveDirectoryIdentityProviderInterface interface {
+	Create(*v1alpha1.ActiveDirectoryIdentityProvider) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	Update(*v1alpha1.ActiveDirectoryIdentityProvider) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	UpdateStatus(*v1alpha1.ActiveDirectoryIdentityProvider) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	List(opts v1.ListOptions) (*v1alpha1.ActiveDirectoryIdentityProviderList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error)
+	ActiveDirectoryIdentityProviderExpansion
+}
+
+// activeDirectoryIdentityProviders implements ActiveDirectoryIdentityProviderInterface
+type activeDirectoryIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviders
+func newActiveDirectoryIdentityProviders(c *IDPV1alpha1Client, namespace string) *activeDirectoryIdentityProviders {
+	return &activeDirectoryIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the activeDirectoryIdentityProvider, and returns the corresponding activeDirectoryIdentityProvider object, and an error if there is any.
+func (c *activeDirectoryIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ActiveDirectoryIdentityProviders that match those selectors.
+func (c *activeDirectoryIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.ActiveDirectoryIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.ActiveDirectoryIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested activeDirectoryIdentityProviders.
+func (c *activeDirectoryIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a activeDirectoryIdentityProvider and creates it.  Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *activeDirectoryIdentityProviders) Create(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Body(activeDirectoryIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a activeDirectoryIdentityProvider and updates it. Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *activeDirectoryIdentityProviders) Update(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(activeDirectoryIdentityProvider.Name).
+		Body(activeDirectoryIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *activeDirectoryIdentityProviders) UpdateStatus(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(activeDirectoryIdentityProvider.Name).
+		SubResource("status").
+		Body(activeDirectoryIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the activeDirectoryIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *activeDirectoryIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *activeDirectoryIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched activeDirectoryIdentityProvider.
+func (c *activeDirectoryIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_activedirectoryidentityprovider.go

@@ -0,0 +1,127 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeActiveDirectoryIdentityProviders implements ActiveDirectoryIdentityProviderInterface
+type FakeActiveDirectoryIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var activedirectoryidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "activedirectoryidentityproviders"}
+
+var activedirectoryidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "ActiveDirectoryIdentityProvider"}
+
+// Get takes name of the activeDirectoryIdentityProvider, and returns the corresponding activeDirectoryIdentityProvider object, and an error if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(activedirectoryidentityprovidersResource, c.ns, name), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of ActiveDirectoryIdentityProviders that match those selectors.
+func (c *FakeActiveDirectoryIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.ActiveDirectoryIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(activedirectoryidentityprovidersResource, activedirectoryidentityprovidersKind, c.ns, opts), &v1alpha1.ActiveDirectoryIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.ActiveDirectoryIdentityProviderList{ListMeta: obj.(*v1alpha1.ActiveDirectoryIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.ActiveDirectoryIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested activeDirectoryIdentityProviders.
+func (c *FakeActiveDirectoryIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(activedirectoryidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a activeDirectoryIdentityProvider and creates it.  Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Create(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(activedirectoryidentityprovidersResource, c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// Update takes the representation of a activeDirectoryIdentityProvider and updates it. Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Update(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(activedirectoryidentityprovidersResource, c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeActiveDirectoryIdentityProviders) UpdateStatus(activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider) (*v1alpha1.ActiveDirectoryIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(activedirectoryidentityprovidersResource, "status", c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// Delete takes name of the activeDirectoryIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeActiveDirectoryIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(activedirectoryidentityprovidersResource, c.ns, name), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeActiveDirectoryIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(activedirectoryidentityprovidersResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.ActiveDirectoryIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched activeDirectoryIdentityProvider.
+func (c *FakeActiveDirectoryIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(activedirectoryidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -15,6 +15,14 @@ type FakeIDPV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1alpha1.ActiveDirectoryIdentityProviderInterface {
+	return &FakeActiveDirectoryIdentityProviders{c, namespace}
+}
+
+func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
+	return &FakeLDAPIdentityProviders{c, namespace}
+}
+
 func (c *FakeIDPV1alpha1) OIDCIdentityProviders(namespace string) v1alpha1.OIDCIdentityProviderInterface {
 	return &FakeOIDCIdentityProviders{c, namespace}
 }

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_ldapidentityprovider.go

@@ -0,0 +1,127 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeLDAPIdentityProviders implements LDAPIdentityProviderInterface
+type FakeLDAPIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var ldapidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "ldapidentityproviders"}
+
+var ldapidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "LDAPIdentityProvider"}
+
+// Get takes name of the lDAPIdentityProvider, and returns the corresponding lDAPIdentityProvider object, and an error if there is any.
+func (c *FakeLDAPIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(ldapidentityprovidersResource, c.ns, name), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of LDAPIdentityProviders that match those selectors.
+func (c *FakeLDAPIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.LDAPIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(ldapidentityprovidersResource, ldapidentityprovidersKind, c.ns, opts), &v1alpha1.LDAPIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.LDAPIdentityProviderList{ListMeta: obj.(*v1alpha1.LDAPIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.LDAPIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested lDAPIdentityProviders.
+func (c *FakeLDAPIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(ldapidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a lDAPIdentityProvider and creates it.  Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *FakeLDAPIdentityProviders) Create(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(ldapidentityprovidersResource, c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// Update takes the representation of a lDAPIdentityProvider and updates it. Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *FakeLDAPIdentityProviders) Update(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(ldapidentityprovidersResource, c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeLDAPIdentityProviders) UpdateStatus(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (*v1alpha1.LDAPIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(ldapidentityprovidersResource, "status", c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// Delete takes name of the lDAPIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeLDAPIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(ldapidentityprovidersResource, c.ns, name), &v1alpha1.LDAPIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeLDAPIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(ldapidentityprovidersResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.LDAPIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched lDAPIdentityProvider.
+func (c *FakeLDAPIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(ldapidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -5,4 +5,8 @@
 
 package v1alpha1
 
+type ActiveDirectoryIdentityProviderExpansion interface{}
+
+type LDAPIdentityProviderExpansion interface{}
+
 type OIDCIdentityProviderExpansion interface{}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -13,6 +13,8 @@ import (
 
 type IDPV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	ActiveDirectoryIdentityProvidersGetter
+	LDAPIdentityProvidersGetter
 	OIDCIdentityProvidersGetter
 }
 
@@ -21,6 +23,14 @@ type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderInterface {
+	return newActiveDirectoryIdentityProviders(c, namespace)
+}
+
+func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
+	return newLDAPIdentityProviders(c, namespace)
+}
+
 func (c *IDPV1alpha1Client) OIDCIdentityProviders(namespace string) OIDCIdentityProviderInterface {
 	return newOIDCIdentityProviders(c, namespace)
 }

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/ldapidentityprovider.go

@@ -0,0 +1,178 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// LDAPIdentityProvidersGetter has a method to return a LDAPIdentityProviderInterface.
+// A group's client should implement this interface.
+type LDAPIdentityProvidersGetter interface {
+	LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface
+}
+
+// LDAPIdentityProviderInterface has methods to work with LDAPIdentityProvider resources.
+type LDAPIdentityProviderInterface interface {
+	Create(*v1alpha1.LDAPIdentityProvider) (*v1alpha1.LDAPIdentityProvider, error)
+	Update(*v1alpha1.LDAPIdentityProvider) (*v1alpha1.LDAPIdentityProvider, error)
+	UpdateStatus(*v1alpha1.LDAPIdentityProvider) (*v1alpha1.LDAPIdentityProvider, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.LDAPIdentityProvider, error)
+	List(opts v1.ListOptions) (*v1alpha1.LDAPIdentityProviderList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error)
+	LDAPIdentityProviderExpansion
+}
+
+// lDAPIdentityProviders implements LDAPIdentityProviderInterface
+type lDAPIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newLDAPIdentityProviders returns a LDAPIdentityProviders
+func newLDAPIdentityProviders(c *IDPV1alpha1Client, namespace string) *lDAPIdentityProviders {
+	return &lDAPIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the lDAPIdentityProvider, and returns the corresponding lDAPIdentityProvider object, and an error if there is any.
+func (c *lDAPIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of LDAPIdentityProviders that match those selectors.
+func (c *lDAPIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.LDAPIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.LDAPIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested lDAPIdentityProviders.
+func (c *lDAPIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a lDAPIdentityProvider and creates it.  Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *lDAPIdentityProviders) Create(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Body(lDAPIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a lDAPIdentityProvider and updates it. Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *lDAPIdentityProviders) Update(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(lDAPIdentityProvider.Name).
+		Body(lDAPIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *lDAPIdentityProviders) UpdateStatus(lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(lDAPIdentityProvider.Name).
+		SubResource("status").
+		Body(lDAPIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the lDAPIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *lDAPIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *lDAPIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched lDAPIdentityProvider.
+func (c *lDAPIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/supervisor/informers/externalversions/generic.go

@@ -45,6 +45,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil
 
 		// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
+	case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
 	case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil
 

generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/activedirectoryidentityprovider.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ActiveDirectoryIdentityProviderInformer provides access to a shared informer and lister for
+// ActiveDirectoryIdentityProviders.
+type ActiveDirectoryIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.ActiveDirectoryIdentityProviderLister
+}
+
+type activeDirectoryIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewActiveDirectoryIdentityProviderInformer constructs a new informer for ActiveDirectoryIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewActiveDirectoryIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredActiveDirectoryIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredActiveDirectoryIdentityProviderInformer constructs a new informer for ActiveDirectoryIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredActiveDirectoryIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().ActiveDirectoryIdentityProviders(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().ActiveDirectoryIdentityProviders(namespace).Watch(options)
+			},
+		},
+		&idpv1alpha1.ActiveDirectoryIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredActiveDirectoryIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.ActiveDirectoryIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) Lister() v1alpha1.ActiveDirectoryIdentityProviderLister {
+	return v1alpha1.NewActiveDirectoryIdentityProviderLister(f.Informer().GetIndexer())
+}

generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go

@@ -11,6 +11,10 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
+	ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
+	// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
+	LDAPIdentityProviders() LDAPIdentityProviderInformer
 	// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
 	OIDCIdentityProviders() OIDCIdentityProviderInformer
 }
@@ -26,6 +30,16 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
+func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer {
+	return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
+// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
+func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
+	return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
 func (v *version) OIDCIdentityProviders() OIDCIdentityProviderInformer {
 	return &oIDCIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/ldapidentityprovider.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// LDAPIdentityProviderInformer provides access to a shared informer and lister for
+// LDAPIdentityProviders.
+type LDAPIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.LDAPIdentityProviderLister
+}
+
+type lDAPIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewLDAPIdentityProviderInformer constructs a new informer for LDAPIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewLDAPIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredLDAPIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredLDAPIdentityProviderInformer constructs a new informer for LDAPIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredLDAPIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().LDAPIdentityProviders(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().LDAPIdentityProviders(namespace).Watch(options)
+			},
+		},
+		&idpv1alpha1.LDAPIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *lDAPIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredLDAPIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *lDAPIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.LDAPIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *lDAPIdentityProviderInformer) Lister() v1alpha1.LDAPIdentityProviderLister {
+	return v1alpha1.NewLDAPIdentityProviderLister(f.Informer().GetIndexer())
+}

generated/1.17/client/supervisor/listers/idp/v1alpha1/activedirectoryidentityprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// ActiveDirectoryIdentityProviderLister helps list ActiveDirectoryIdentityProviders.
+type ActiveDirectoryIdentityProviderLister interface {
+	// List lists all ActiveDirectoryIdentityProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.ActiveDirectoryIdentityProvider, err error)
+	// ActiveDirectoryIdentityProviders returns an object that can list and get ActiveDirectoryIdentityProviders.
+	ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderNamespaceLister
+	ActiveDirectoryIdentityProviderListerExpansion
+}
+
+// activeDirectoryIdentityProviderLister implements the ActiveDirectoryIdentityProviderLister interface.
+type activeDirectoryIdentityProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewActiveDirectoryIdentityProviderLister returns a new ActiveDirectoryIdentityProviderLister.
+func NewActiveDirectoryIdentityProviderLister(indexer cache.Indexer) ActiveDirectoryIdentityProviderLister {
+	return &activeDirectoryIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all ActiveDirectoryIdentityProviders in the indexer.
+func (s *activeDirectoryIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.ActiveDirectoryIdentityProvider))
+	})
+	return ret, err
+}
+
+// ActiveDirectoryIdentityProviders returns an object that can list and get ActiveDirectoryIdentityProviders.
+func (s *activeDirectoryIdentityProviderLister) ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderNamespaceLister {
+	return activeDirectoryIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// ActiveDirectoryIdentityProviderNamespaceLister helps list and get ActiveDirectoryIdentityProviders.
+type ActiveDirectoryIdentityProviderNamespaceLister interface {
+	// List lists all ActiveDirectoryIdentityProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.ActiveDirectoryIdentityProvider, err error)
+	// Get retrieves the ActiveDirectoryIdentityProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	ActiveDirectoryIdentityProviderNamespaceListerExpansion
+}
+
+// activeDirectoryIdentityProviderNamespaceLister implements the ActiveDirectoryIdentityProviderNamespaceLister
+// interface.
+type activeDirectoryIdentityProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all ActiveDirectoryIdentityProviders in the indexer for a given namespace.
+func (s activeDirectoryIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.ActiveDirectoryIdentityProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the ActiveDirectoryIdentityProvider from the indexer for a given namespace and name.
+func (s activeDirectoryIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.ActiveDirectoryIdentityProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("activedirectoryidentityprovider"), name)
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), nil
+}

generated/1.17/client/supervisor/listers/idp/v1alpha1/expansion_generated.go

@@ -5,6 +5,22 @@
 
 package v1alpha1
 
+// ActiveDirectoryIdentityProviderListerExpansion allows custom methods to be added to
+// ActiveDirectoryIdentityProviderLister.
+type ActiveDirectoryIdentityProviderListerExpansion interface{}
+
+// ActiveDirectoryIdentityProviderNamespaceListerExpansion allows custom methods to be added to
+// ActiveDirectoryIdentityProviderNamespaceLister.
+type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
+
+// LDAPIdentityProviderListerExpansion allows custom methods to be added to
+// LDAPIdentityProviderLister.
+type LDAPIdentityProviderListerExpansion interface{}
+
+// LDAPIdentityProviderNamespaceListerExpansion allows custom methods to be added to
+// LDAPIdentityProviderNamespaceLister.
+type LDAPIdentityProviderNamespaceListerExpansion interface{}
+
 // OIDCIdentityProviderListerExpansion allows custom methods to be added to
 // OIDCIdentityProviderLister.
 type OIDCIdentityProviderListerExpansion interface{}

generated/1.17/client/supervisor/listers/idp/v1alpha1/ldapidentityprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// LDAPIdentityProviderLister helps list LDAPIdentityProviders.
+type LDAPIdentityProviderLister interface {
+	// List lists all LDAPIdentityProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.LDAPIdentityProvider, err error)
+	// LDAPIdentityProviders returns an object that can list and get LDAPIdentityProviders.
+	LDAPIdentityProviders(namespace string) LDAPIdentityProviderNamespaceLister
+	LDAPIdentityProviderListerExpansion
+}
+
+// lDAPIdentityProviderLister implements the LDAPIdentityProviderLister interface.
+type lDAPIdentityProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewLDAPIdentityProviderLister returns a new LDAPIdentityProviderLister.
+func NewLDAPIdentityProviderLister(indexer cache.Indexer) LDAPIdentityProviderLister {
+	return &lDAPIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all LDAPIdentityProviders in the indexer.
+func (s *lDAPIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.LDAPIdentityProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.LDAPIdentityProvider))
+	})
+	return ret, err
+}
+
+// LDAPIdentityProviders returns an object that can list and get LDAPIdentityProviders.
+func (s *lDAPIdentityProviderLister) LDAPIdentityProviders(namespace string) LDAPIdentityProviderNamespaceLister {
+	return lDAPIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// LDAPIdentityProviderNamespaceLister helps list and get LDAPIdentityProviders.
+type LDAPIdentityProviderNamespaceLister interface {
+	// List lists all LDAPIdentityProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.LDAPIdentityProvider, err error)
+	// Get retrieves the LDAPIdentityProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.LDAPIdentityProvider, error)
+	LDAPIdentityProviderNamespaceListerExpansion
+}
+
+// lDAPIdentityProviderNamespaceLister implements the LDAPIdentityProviderNamespaceLister
+// interface.
+type lDAPIdentityProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all LDAPIdentityProviders in the indexer for a given namespace.
+func (s lDAPIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.LDAPIdentityProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.LDAPIdentityProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the LDAPIdentityProvider from the indexer for a given namespace and name.
+func (s lDAPIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.LDAPIdentityProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("ldapidentityprovider"), name)
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), nil
+}

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -21,7 +21,8 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: Describes the configuration status of a Pinniped credential issuer.
+        description: CredentialIssuer describes the configuration and status of the
+          Pinniped Concierge credential issuer.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -35,8 +36,73 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec describes the intended configuration of the Concierge.
+            properties:
+              impersonationProxy:
+                description: ImpersonationProxy describes the intended configuration
+                  of the Concierge impersonation proxy.
+                properties:
+                  externalEndpoint:
+                    description: "ExternalEndpoint describes the HTTPS endpoint where
+                      the proxy will be exposed. If not set, the proxy will be served
+                      using the external name of the LoadBalancer service or the cluster
+                      service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
+                      is \"None\"."
+                    type: string
+                  mode:
+                    description: 'Mode configures whether the impersonation proxy
+                      should be started: - "disabled" explicitly disables the impersonation
+                      proxy. This is the default. - "enabled" explicitly enables the
+                      impersonation proxy. - "auto" enables or disables the impersonation
+                      proxy based upon the cluster in which it is running.'
+                    enum:
+                    - auto
+                    - enabled
+                    - disabled
+                    type: string
+                  service:
+                    default:
+                      type: LoadBalancer
+                    description: Service describes the configuration of the Service
+                      provisioned to expose the impersonation proxy to clients.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations specifies zero or more key/value
+                          pairs to set as annotations on the provisioned Service.
+                        type: object
+                      loadBalancerIP:
+                        description: LoadBalancerIP specifies the IP address to set
+                          in the spec.loadBalancerIP field of the provisioned Service.
+                          This is not supported on all cloud providers.
+                        maxLength: 255
+                        minLength: 1
+                        type: string
+                      type:
+                        default: LoadBalancer
+                        description: "Type specifies the type of Service to provision
+                          for the impersonation proxy. \n If the type is \"None\",
+                          then the \"spec.impersonationProxy.externalEndpoint\" field
+                          must be set to a non-empty value so that the Concierge can
+                          properly advertise the endpoint in the CredentialIssuer's
+                          status."
+                        enum:
+                        - LoadBalancer
+                        - ClusterIP
+                        - None
+                        type: string
+                    type: object
+                required:
+                - mode
+                - service
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
-            description: Status of the credential issuer.
+            description: CredentialIssuerStatus describes the status of the Concierge.
             properties:
               kubeConfigInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
@@ -60,8 +126,8 @@ spec:
                 description: List of integration strategies that were attempted by
                   Pinniped.
                 items:
-                  description: Status of an integration strategy that was attempted
-                    by Pinniped.
+                  description: CredentialIssuerStrategy describes the status of an
+                    integration strategy that was attempted by Pinniped.
                   properties:
                     frontend:
                       description: Frontend describes how clients can connect using

generated/1.17/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -0,0 +1,281 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: ActiveDirectoryIdentityProvider
+    listKind: ActiveDirectoryIdentityProviderList
+    plural: activedirectoryidentityproviders
+    singular: activedirectoryidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.host
+      name: Host
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ActiveDirectoryIdentityProvider describes the configuration of
+          an upstream Microsoft Active Directory identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              bind:
+                description: Bind contains the configuration for how to provide access
+                  credentials during an initial bind to the ActiveDirectory server
+                  to be allowed to perform searches and binds to validate a user's
+                  credentials during a user's authentication attempt.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the username and password for an
+                      Active Directory bind user. This account will be used to perform
+                      LDAP searches. The Secret should be of type "kubernetes.io/basic-auth"
+                      which includes "username" and "password" keys. The username
+                      value should be the full dn (distinguished name) of your bind
+                      account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+                      The password must be non-empty.
+                    minLength: 1
+                    type: string
+                required:
+                - secretName
+                type: object
+              groupSearch:
+                description: GroupSearch contains the configuration for searching
+                  for a user's group membership in ActiveDirectory.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the group's information
+                      should be read from each ActiveDirectory entry which was found
+                      as the result of the group search.
+                    properties:
+                      groupName:
+                        description: GroupName specifies the name of the attribute
+                          in the Active Directory entries whose value shall become
+                          a group name in the user's list of groups after a successful
+                          authentication. The value of this field is case-sensitive
+                          and must match the case of the attribute name returned by
+                          the ActiveDirectory server in the user's entry. E.g. "cn"
+                          for common name. Distinguished names can be used by specifying
+                          lower-case "dn". Optional. When not specified, this defaults
+                          to a custom field that looks like "sAMAccountName@domain",
+                          where domain is constructed from the domain components of
+                          the group DN.
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for groups.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some groups for security reasons or to make
+                      searches faster.
+                    type: string
+                  filter:
+                    description: Filter is the ActiveDirectory search filter which
+                      should be applied when searching for groups for a user. The
+                      pattern "{}" must occur in the filter at least once and will
+                      be dynamically replaced by the dn (distinguished name) of the
+                      user entry found as a result of the user search. E.g. "member={}"
+                      or "&(objectClass=groupOfNames)(member={})". For more information
+                      about ActiveDirectory filters, see https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of
+                      an entry, so "dn={}" cannot be used. Optional. When not specified,
+                      the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+                      This searches nested groups by default. Note that nested group
+                      search can be slow for some Active Directory servers. To disable
+                      it, you can set the filter to "(&(objectClass=group)(member={})"
+                    type: string
+                type: object
+              host:
+                description: 'Host is the hostname of this Active Directory identity
+                  provider, i.e., where to connect. For example: ldap.example.com:636.'
+                minLength: 1
+                type: string
+              tls:
+                description: TLS contains the connection settings for how to establish
+                  the connection to the Host.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+              userSearch:
+                description: UserSearch contains the configuration for searching for
+                  a user by name in Active Directory.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the user's information should
+                      be read from the ActiveDirectory entry which was found as the
+                      result of the user search.
+                    properties:
+                      uid:
+                        description: UID specifies the name of the attribute in the
+                          ActiveDirectory entry which whose value shall be used to
+                          uniquely identify the user within this ActiveDirectory provider
+                          after a successful authentication. Optional, when empty
+                          this defaults to "objectGUID".
+                        type: string
+                      username:
+                        description: Username specifies the name of the attribute
+                          in Active Directory entry whose value shall become the username
+                          of the user after a successful authentication. Optional,
+                          when empty this defaults to "userPrincipalName".
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                      Optional, when not specified it will be based on the result
+                      of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+                      The default behavior searches your entire domain for users.
+                      It may make sense to specify a subtree as a search base if you
+                      wish to exclude some users or to make searches faster.
+                    type: string
+                  filter:
+                    description: Filter is the search filter which should be applied
+                      when searching for users. The pattern "{}" must occur in the
+                      filter at least once and will be dynamically replaced by the
+                      username for which the search is being run. E.g. "mail={}" or
+                      "&(objectClass=person)(uid={})". For more information about
+                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
+                      dn (distinguished name) is not an attribute of an entry, so
+                      "dn={}" cannot be used. Optional. When not specified, the default
+                      will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+                      This means that the user is a person, is not a computer, the
+                      sAMAccountType is for a normal user account, and is not shown
+                      in advanced view only (which would likely mean its a system
+                      created service account with advanced permissions). Also, either
+                      the sAMAccountName, the userPrincipalName, or the mail attribute
+                      matches the input username.
+                    type: string
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -0,0 +1,278 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: ldapidentityproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: LDAPIdentityProvider
+    listKind: LDAPIdentityProviderList
+    plural: ldapidentityproviders
+    singular: ldapidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.host
+      name: Host
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: LDAPIdentityProvider describes the configuration of an upstream
+          Lightweight Directory Access Protocol (LDAP) identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              bind:
+                description: Bind contains the configuration for how to provide access
+                  credentials during an initial bind to the LDAP server to be allowed
+                  to perform searches and binds to validate a user's credentials during
+                  a user's authentication attempt.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the username and password for an
+                      LDAP bind user. This account will be used to perform LDAP searches.
+                      The Secret should be of type "kubernetes.io/basic-auth" which
+                      includes "username" and "password" keys. The username value
+                      should be the full dn (distinguished name) of your bind account,
+                      e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
+                      must be non-empty.
+                    minLength: 1
+                    type: string
+                required:
+                - secretName
+                type: object
+              groupSearch:
+                description: GroupSearch contains the configuration for searching
+                  for a user's group membership in the LDAP provider.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the group's information
+                      should be read from each LDAP entry which was found as the result
+                      of the group search.
+                    properties:
+                      groupName:
+                        description: GroupName specifies the name of the attribute
+                          in the LDAP entries whose value shall become a group name
+                          in the user's list of groups after a successful authentication.
+                          The value of this field is case-sensitive and must match
+                          the case of the attribute name returned by the LDAP server
+                          in the user's entry. E.g. "cn" for common name. Distinguished
+                          names can be used by specifying lower-case "dn". Optional.
+                          When not specified, the default will act as if the GroupName
+                          were specified as "dn" (distinguished name).
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
+                      When not specified, no group search will be performed and authenticated
+                      users will not belong to any groups from the LDAP provider.
+                      Also, when not specified, the values of Filter and Attributes
+                      are ignored.
+                    type: string
+                  filter:
+                    description: Filter is the LDAP search filter which should be
+                      applied when searching for groups for a user. The pattern "{}"
+                      must occur in the filter at least once and will be dynamically
+                      replaced by the dn (distinguished name) of the user entry found
+                      as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
+                      For more information about LDAP filters, see https://ldap.com/ldap-filters.
+                      Note that the dn (distinguished name) is not an attribute of
+                      an entry, so "dn={}" cannot be used. Optional. When not specified,
+                      the default will act as if the Filter were specified as "member={}".
+                    type: string
+                type: object
+              host:
+                description: 'Host is the hostname of this LDAP identity provider,
+                  i.e., where to connect. For example: ldap.example.com:636.'
+                minLength: 1
+                type: string
+              tls:
+                description: TLS contains the connection settings for how to establish
+                  the connection to the Host.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+              userSearch:
+                description: UserSearch contains the configuration for searching for
+                  a user by name in the LDAP provider.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the user's information should
+                      be read from the LDAP entry which was found as the result of
+                      the user search.
+                    properties:
+                      uid:
+                        description: UID specifies the name of the attribute in the
+                          LDAP entry which whose value shall be used to uniquely identify
+                          the user within this LDAP provider after a successful authentication.
+                          E.g. "uidNumber" or "objectGUID". The value of this field
+                          is case-sensitive and must match the case of the attribute
+                          name returned by the LDAP server in the user's entry. Distinguished
+                          names can be used by specifying lower-case "dn".
+                        minLength: 1
+                        type: string
+                      username:
+                        description: Username specifies the name of the attribute
+                          in the LDAP entry whose value shall become the username
+                          of the user after a successful authentication. This would
+                          typically be the same attribute name used in the user search
+                          filter, although it can be different. E.g. "mail" or "uid"
+                          or "userPrincipalName". The value of this field is case-sensitive
+                          and must match the case of the attribute name returned by
+                          the LDAP server in the user's entry. Distinguished names
+                          can be used by specifying lower-case "dn". When this field
+                          is set to "dn" then the LDAPIdentityProviderUserSearch's
+                          Filter field cannot be blank, since the default value of
+                          "dn={}" would not work.
+                        minLength: 1
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the dn (distinguished name) that should be
+                      used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                    minLength: 1
+                    type: string
+                  filter:
+                    description: Filter is the LDAP search filter which should be
+                      applied when searching for users. The pattern "{}" must occur
+                      in the filter at least once and will be dynamically replaced
+                      by the username for which the search is being run. E.g. "mail={}"
+                      or "&(objectClass=person)(uid={})". For more information about
+                      LDAP filters, see https://ldap.com/ldap-filters. Note that the
+                      dn (distinguished name) is not an attribute of an entry, so
+                      "dn={}" cannot be used. Optional. When not specified, the default
+                      will act as if the Filter were specified as the value from Attributes.Username
+                      appended by "={}". When the Attributes.Username is set to "dn"
+                      then the Filter must be explicitly specified, since the default
+                      value of "dn={}" would not work.
+                    type: string
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the LDAPIdentityProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -59,11 +59,44 @@ spec:
                   additionalScopes:
                     description: AdditionalScopes are the scopes in addition to "openid"
                       that will be requested as part of the authorization request
-                      flow with an OIDC identity provider. By default only the "openid"
-                      scope will be requested.
+                      flow with an OIDC identity provider. In the case of a Resource
+                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      the scopes in addition to "openid" that will be requested as
+                      part of the token request (see also the allowPasswordGrant field).
+                      By default, only the "openid" scope will be requested.
                     items:
                       type: string
                     type: array
+                  allowPasswordGrant:
+                    description: AllowPasswordGrant, when true, will allow the use
+                      of OAuth 2.0's Resource Owner Password Credentials Grant (see
+                      https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
+                      authenticate to the OIDC provider using a username and password
+                      without a web browser, in addition to the usual browser-based
+                      OIDC Authorization Code Flow. The Resource Owner Password Credentials
+                      Grant is not officially part of the OIDC specification, so it
+                      may not be supported by your OIDC provider. If your OIDC provider
+                      supports returning ID tokens from a Resource Owner Password
+                      Credentials Grant token request, then you can choose to set
+                      this field to true. This will allow end users to choose to present
+                      their username and password to the kubectl CLI (using the Pinniped
+                      plugin) to authenticate to the cluster, without using a web
+                      browser to log in as is customary in OIDC Authorization Code
+                      Flow. This may be convenient for users, especially for identities
+                      from your OIDC provider which are not intended to represent
+                      a human actor, such as service accounts performing actions in
+                      a CI/CD environment. Even if your OIDC provider supports it,
+                      you may wish to disable this behavior by setting this field
+                      to false when you prefer to only allow users of this OIDCIdentityProvider
+                      to log in via the browser-based OIDC Authorization Code Flow.
+                      Using the Resource Owner Password Credentials Grant means that
+                      the Pinniped CLI and Pinniped Supervisor will directly handle
+                      your end users' passwords (similar to LDAPIdentityProvider),
+                      and you will not be able to require multi-factor authentication
+                      or use the other web-based login features of your OIDC provider
+                      during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
+                      defaults to false.
+                    type: boolean
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be

generated/1.18/README.adoc

@@ -220,7 +220,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer"]
 ==== CredentialIssuer 
 
-Describes the configuration status of a Pinniped credential issuer.
+CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
 
 .Appears In:
 ****
@@ -232,7 +232,8 @@ Describes the configuration status of a Pinniped credential issuer.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | Spec describes the intended configuration of the Concierge.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | CredentialIssuerStatus describes the status of the Concierge.
 |===
 
 
@@ -275,10 +276,27 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+CredentialIssuerSpec describes the intended configuration of the Concierge.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
-Status of a credential issuer.
+CredentialIssuerStatus describes the status of the Concierge.
 
 .Appears In:
 ****
@@ -333,6 +351,70 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxymode"]
+==== ImpersonationProxyMode (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec"]
+==== ImpersonationProxyServiceSpec 
+
+ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __ImpersonationProxyServiceType__ | Type specifies the type of Service to provision for the impersonation proxy. 
+ If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+| *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
+| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicetype"]
+==== ImpersonationProxyServiceType (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`mode`* __ImpersonationProxyMode__ | Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+| *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
+ This field must be non-empty when spec.impersonationProxy.service.type is "None".
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-tokencredentialrequestapiinfo"]
 ==== TokenCredentialRequestAPIInfo 
 
@@ -666,13 +748,166 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity pro
 
 
 
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition"]
-==== Condition 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider"]
+==== ActiveDirectoryIdentityProvider 
 
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderlist[$$ActiveDirectoryIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus[$$ActiveDirectoryIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderbind"]
+==== ActiveDirectoryIdentityProviderBind 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch"]
+==== ActiveDirectoryIdentityProviderGroupSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
+| *`filter`* __string__ | Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes[$$ActiveDirectoryIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearchattributes"]
+==== ActiveDirectoryIdentityProviderGroupSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch[$$ActiveDirectoryIdentityProviderGroupSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec"]
+==== ActiveDirectoryIdentityProviderSpec 
+
+Spec for configuring an ActiveDirectory identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider[$$ActiveDirectoryIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`host`* __string__ | Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
+| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderbind[$$ActiveDirectoryIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch[$$ActiveDirectoryIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in Active Directory.
+| *`groupSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovidergroupsearch[$$ActiveDirectoryIdentityProviderGroupSearch$$]__ | GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus"]
+==== ActiveDirectoryIdentityProviderStatus 
+
+Status of an Active Directory identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityprovider[$$ActiveDirectoryIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __ActiveDirectoryIdentityProviderPhase__ | Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch"]
+==== ActiveDirectoryIdentityProviderUserSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
+| *`filter`* __string__ | Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes[$$ActiveDirectoryIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearchattributes"]
+==== ActiveDirectoryIdentityProviderUserSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderusersearch[$$ActiveDirectoryIdentityProviderUserSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`username`* __string__ | Username specifies the name of the attribute in Active Directory entry whose value shall become the username of the user after a successful authentication. Optional, when empty this defaults to "userPrincipalName".
+| *`uid`* __string__ | UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely identify the user within this ActiveDirectory provider after a successful authentication. Optional, when empty this defaults to "objectGUID".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition"]
+==== Condition 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderstatus[$$ActiveDirectoryIdentityProviderStatus$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus[$$LDAPIdentityProviderStatus$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus[$$OIDCIdentityProviderStatus$$]
 ****
 
@@ -688,6 +923,169 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-conditionstatus"]
+==== ConditionStatus (string) 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
+==== LDAPIdentityProvider 
+
+LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderlist[$$LDAPIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus[$$LDAPIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind"]
+==== LDAPIdentityProviderBind 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch"]
+==== LDAPIdentityProviderGroupSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes[$$LDAPIdentityProviderGroupSearchAttributes$$]__ | Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearchattributes"]
+==== LDAPIdentityProviderGroupSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch[$$LDAPIdentityProviderGroupSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groupName`* __string__ | GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
+==== LDAPIdentityProviderSpec 
+
+Spec for configuring an LDAP identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovider[$$LDAPIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
+| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+| *`groupSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidergroupsearch[$$LDAPIdentityProviderGroupSearch$$]__ | GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderstatus"]
+==== LDAPIdentityProviderStatus 
+
+Status of an LDAP identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovider[$$LDAPIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __LDAPIdentityProviderPhase__ | Phase summarizes the overall status of the LDAPIdentityProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch"]
+==== LDAPIdentityProviderUserSearch 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`base`* __string__ | Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
+| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be explicitly specified, since the default value of "dn={}" would not work.
+| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributes[$$LDAPIdentityProviderUserSearchAttributes$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributes"]
+==== LDAPIdentityProviderUserSearchAttributes 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`username`* __string__ | Username specifies the name of the attribute in the LDAP entry whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default value of "dn={}" would not work.
+| *`uid`* __string__ | UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
 ==== OIDCAuthorizationConfig 
 
@@ -701,7 +1099,8 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
 
@@ -797,7 +1196,7 @@ Status of an OIDC identity provider.
 |===
 | Field | Description
 | *`phase`* __OIDCIdentityProviderPhase__ | Phase summarizes the overall status of the OIDCIdentityProvider.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$] array__ | Represents the observations of an identity provider's current state.
 |===
 
 
@@ -808,6 +1207,8 @@ Status of an OIDC identity provider.
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
 ****
 

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -3,17 +3,23 @@
 
 package v1alpha1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
+// StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
 // +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
 type StrategyType string
 
+// FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.
 // +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy
 type FrontendType string
 
+// StrategyStatus enumerates whether a strategy is working on a cluster.
 // +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
 
+// StrategyReason enumerates the detailed reason why a strategy is in a particular status.
 // +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey
 type StrategyReason string
 
@@ -36,7 +42,91 @@ const (
 	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
 )
 
-// Status of a credential issuer.
+// CredentialIssuerSpec describes the intended configuration of the Concierge.
+type CredentialIssuerSpec struct {
+	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
+	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
+// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=auto;enabled;disabled
+type ImpersonationProxyMode string
+
+const (
+	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
+	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")
+
+	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
+	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")
+
+	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
+	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
+)
+
+// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+//
+// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
+type ImpersonationProxyServiceType string
+
+const (
+	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
+	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")
+
+	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
+	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")
+
+	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
+	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
+)
+
+// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
+type ImpersonationProxySpec struct {
+	// Mode configures whether the impersonation proxy should be started:
+	// - "disabled" explicitly disables the impersonation proxy. This is the default.
+	// - "enabled" explicitly enables the impersonation proxy.
+	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
+	Mode ImpersonationProxyMode `json:"mode"`
+
+	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
+	//
+	// +kubebuilder:default:={"type": "LoadBalancer"}
+	Service ImpersonationProxyServiceSpec `json:"service"`
+
+	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
+	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
+	//
+	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
+	//
+	// +optional
+	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+}
+
+// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
+type ImpersonationProxyServiceSpec struct {
+	// Type specifies the type of Service to provision for the impersonation proxy.
+	//
+	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
+	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
+	//
+	// +kubebuilder:default:="LoadBalancer"
+	Type ImpersonationProxyServiceType `json:"type,omitempty"`
+
+	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
+	// This is not supported on all cloud providers.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
+	//
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// CredentialIssuerStatus describes the status of the Concierge.
 type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
@@ -47,7 +137,8 @@ type CredentialIssuerStatus struct {
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// This type is deprecated and will be removed in a future version.
 type CredentialIssuerKubeConfigInfo struct {
 	// The K8s API server URL.
 	// +kubebuilder:validation:MinLength=1
@@ -59,7 +150,7 @@ type CredentialIssuerKubeConfigInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Status of an integration strategy that was attempted by Pinniped.
+// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerStrategy struct {
 	// Type of integration attempted.
 	Type StrategyType `json:"type"`
@@ -81,6 +172,7 @@ type CredentialIssuerStrategy struct {
 	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
 }
 
+// CredentialIssuerFrontend describes how to connect using a particular integration strategy.
 type CredentialIssuerFrontend struct {
 	// Type describes which frontend mechanism clients can use with a strategy.
 	Type FrontendType `json:"type"`
@@ -118,7 +210,7 @@ type ImpersonationProxyInfo struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
-// Describes the configuration status of a Pinniped credential issuer.
+// CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -128,12 +220,18 @@ type CredentialIssuer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Status of the credential issuer.
+	// Spec describes the intended configuration of the Concierge.
+	//
+	// +optional
+	Spec CredentialIssuerSpec `json:"spec"`
+
+	// CredentialIssuerStatus describes the status of the Concierge.
+	//
 	// +optional
 	Status CredentialIssuerStatus `json:"status"`
 }
 
-// List of CredentialIssuer objects.
+// CredentialIssuerList is a list of CredentialIssuer objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type CredentialIssuerList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@@ -113,6 +114,27 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	if in.ImpersonationProxy != nil {
+		in, out := &in.ImpersonationProxy, &out.ImpersonationProxy
+		*out = new(ImpersonationProxySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -179,6 +201,46 @@ func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
+func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	in.Service.DeepCopyInto(&out.Service)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.18/apis/supervisor/idp/v1alpha1/register.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -32,6 +32,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCIdentityProvider{},
 		&OIDCIdentityProviderList{},
+		&LDAPIdentityProvider{},
+		&LDAPIdentityProviderList{},
+		&ActiveDirectoryIdentityProvider{},
+		&ActiveDirectoryIdentityProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.18/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ActiveDirectoryIdentityProviderPhase string
+
+const (
+	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
+	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"
+
+	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
+	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"
+
+	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
+	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
+)
+
+// Status of an Active Directory identity provider.
+type ActiveDirectoryIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type ActiveDirectoryIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in Active Directory entry whose value shall become the username
+	// of the user after a successful authentication.
+	// Optional, when empty this defaults to "userPrincipalName".
+	// +optional
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
+	// identify the user within this ActiveDirectory provider after a successful authentication.
+	// Optional, when empty this defaults to "objectGUID".
+	// +optional
+	UID string `json:"uid,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
+	// where domain is constructed from the domain components of the group DN.
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for users.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some users
+	// or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will be
+	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
+	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
+	// and is not shown in advanced view only
+	// (which would likely mean its a system created service account with advanced permissions).
+	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type ActiveDirectoryIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com".
+	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
+	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
+	// The default behavior searches your entire domain for groups.
+	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
+	// for security reasons or to make searches faster.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the filter were specified as
+	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
+	// This searches nested groups by default.
+	// Note that nested group search can be slow for some Active Directory servers. To disable it,
+	// you can set the filter to
+	// "(&(objectClass=group)(member={})"
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an ActiveDirectory identity provider.
+type ActiveDirectoryIdentityProviderSpec struct {
+	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in Active Directory.
+	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
+	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type ActiveDirectoryIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of ActiveDirectoryIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ActiveDirectoryIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ActiveDirectoryIdentityProvider `json:"items"`
+}

generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go

@@ -0,0 +1,171 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type LDAPIdentityProviderPhase string
+
+const (
+	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
+	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"
+
+	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
+	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"
+
+	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
+	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
+)
+
+// Status of an LDAP identity provider.
+type LDAPIdentityProviderStatus struct {
+	// Phase summarizes the overall status of the LDAPIdentityProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+type LDAPIdentityProviderBind struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the username and
+	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
+	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
+	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+	// The password must be non-empty.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+type LDAPIdentityProviderUserSearchAttributes struct {
+	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
+	// of the user after a successful authentication. This would typically be the same attribute name used in
+	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
+	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
+	// value of "dn={}" would not work.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username,omitempty"`
+
+	// UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
+	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
+	// +kubebuilder:validation:MinLength=1
+	UID string `json:"uid,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearchAttributes struct {
+	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
+	// in the user's list of groups after a successful authentication.
+	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
+	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
+	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
+	// +optional
+	GroupName string `json:"groupName,omitempty"`
+}
+
+type LDAPIdentityProviderUserSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
+	// E.g. "ou=users,dc=example,dc=com".
+	// +kubebuilder:validation:MinLength=1
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
+	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
+	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as the value from
+	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
+	// explicitly specified, since the default value of "dn={}" would not work.
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
+	// the result of the user search.
+	// +optional
+	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
+}
+
+type LDAPIdentityProviderGroupSearch struct {
+	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
+	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
+	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
+	// the values of Filter and Attributes are ignored.
+	// +optional
+	Base string `json:"base,omitempty"`
+
+	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
+	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
+	// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
+	// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
+	// https://ldap.com/ldap-filters.
+	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
+	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
+	// +optional
+	Filter string `json:"filter,omitempty"`
+
+	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
+	// the result of the group search.
+	// +optional
+	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
+}
+
+// Spec for configuring an LDAP identity provider.
+type LDAPIdentityProviderSpec struct {
+	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
+	// +kubebuilder:validation:MinLength=1
+	Host string `json:"host"`
+
+	// TLS contains the connection settings for how to establish the connection to the Host.
+	TLS *TLSSpec `json:"tls,omitempty"`
+
+	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
+	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
+	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`
+
+	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
+	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
+
+	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
+	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
+}
+
+// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
+// Protocol (LDAP) identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type LDAPIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec LDAPIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of LDAPIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type LDAPIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []LDAPIdentityProvider `json:"items"`
+}

generated/1.18/apis/supervisor/idp/v1alpha1/types_meta.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -39,9 +39,31 @@ type OIDCIdentityProviderStatus struct {
 // request parameters.
 type OIDCAuthorizationConfig struct {
 	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
-	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	// request flow with an OIDC identity provider.
+	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// By default, only the "openid" scope will be requested.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
+
+	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
+	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
+	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
+	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
+	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
+	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
+	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
+	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
+	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
+	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
+	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
+	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
+	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
+	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
+	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
+	// AllowPasswordGrant defaults to false.
+	// +optional
+	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
 // OIDCClaims provides a mapping from upstream claims into identities.

generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -11,6 +11,196 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyInto(out *ActiveDirectoryIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.
+func (in *ActiveDirectoryIdentityProvider) DeepCopy() *ActiveDirectoryIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopyInto(out *ActiveDirectoryIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.
+func (in *ActiveDirectoryIdentityProviderBind) DeepCopy() *ActiveDirectoryIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.
+func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyInto(out *ActiveDirectoryIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ActiveDirectoryIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopy() *ActiveDirectoryIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectoryIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.
+func (in *ActiveDirectoryIdentityProviderSpec) DeepCopy() *ActiveDirectoryIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopyInto(out *ActiveDirectoryIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.
+func (in *ActiveDirectoryIdentityProviderStatus) DeepCopy() *ActiveDirectoryIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.
+func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopy() *ActiveDirectoryIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.
+func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ActiveDirectoryIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Condition) DeepCopyInto(out *Condition) {
 	*out = *in
@@ -28,6 +218,196 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
+func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.
+func (in *LDAPIdentityProviderBind) DeepCopy() *LDAPIdentityProviderBind {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderBind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopyInto(out *LDAPIdentityProviderGroupSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.
+func (in *LDAPIdentityProviderGroupSearch) DeepCopy() *LDAPIdentityProviderGroupSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderGroupSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.
+func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopy() *LDAPIdentityProviderGroupSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderGroupSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]LDAPIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.
+func (in *LDAPIdentityProviderList) DeepCopy() *LDAPIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
+	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(TLSSpec)
+		**out = **in
+	}
+	out.Bind = in.Bind
+	out.UserSearch = in.UserSearch
+	out.GroupSearch = in.GroupSearch
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.
+func (in *LDAPIdentityProviderSpec) DeepCopy() *LDAPIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderStatus) DeepCopyInto(out *LDAPIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.
+func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearch) DeepCopyInto(out *LDAPIdentityProviderUserSearch) {
+	*out = *in
+	out.Attributes = in.Attributes
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.
+func (in *LDAPIdentityProviderUserSearch) DeepCopy() *LDAPIdentityProviderUserSearch {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.
+func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopy() *LDAPIdentityProviderUserSearchAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(LDAPIdentityProviderUserSearchAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 	*out = *in

generated/1.18/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go

@@ -0,0 +1,66 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// IDPType are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// as the "type" of each returned identity provider.
+type IDPType string
+
+// IDPFlow are the strings that can be returned by the Supervisor identity provider discovery endpoint
+// in the array of allowed client "flows" for each returned identity provider.
+type IDPFlow string
+
+const (
+	IDPTypeOIDC            IDPType = "oidc"
+	IDPTypeLDAP            IDPType = "ldap"
+	IDPTypeActiveDirectory IDPType = "activedirectory"
+
+	IDPFlowCLIPassword     IDPFlow = "cli_password"
+	IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
+)
+
+// Equals is a convenience function for comparing an IDPType to a string.
+func (r IDPType) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPType to a string.
+func (r IDPType) String() string {
+	return string(r)
+}
+
+// Equals is a convenience function for comparing an IDPFlow to a string.
+func (r IDPFlow) Equals(s string) bool {
+	return string(r) == s
+}
+
+// String is a convenience function to convert an IDPFlow to a string.
+func (r IDPFlow) String() string {
+	return string(r)
+}
+
+// OIDCDiscoveryResponse is part of the response from a FederationDomain's OpenID Provider Configuration
+// Document returned by the .well-known/openid-configuration endpoint. It ignores all the standard OpenID Provider
+// configuration metadata and only picks out the portion related to Supervisor identity provider discovery.
+type OIDCDiscoveryResponse struct {
+	SupervisorDiscovery OIDCDiscoveryResponseIDPEndpoint `json:"discovery.supervisor.pinniped.dev/v1alpha1"`
+}
+
+// OIDCDiscoveryResponseIDPEndpoint contains the URL for the identity provider discovery endpoint.
+type OIDCDiscoveryResponseIDPEndpoint struct {
+	PinnipedIDPsEndpoint string `json:"pinniped_identity_providers_endpoint"`
+}
+
+// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
+type IDPDiscoveryResponse struct {
+	PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
+}
+
+// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
+// identity provider discovery endpoint.
+type PinnipedIDP struct {
+	Name  string    `json:"name"`
+	Type  IDPType   `json:"type"`
+	Flows []IDPFlow `json:"flows,omitempty"`
+}

generated/1.18/apis/supervisor/oidc/types_supervisor_oidc.go

@@ -0,0 +1,25 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+// Constants related to the Supervisor FederationDomain's authorization and token endpoints.
+const (
+	// AuthorizeUsernameHeaderName is the name of the HTTP header which can be used to transmit a username
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizeUsernameHeaderName = "Pinniped-Username"
+
+	// AuthorizePasswordHeaderName is the name of the HTTP header which can be used to transmit a password
+	// to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant
+	// or an LDAPIdentityProvider.
+	AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
+
+	// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the name of the desired identity provider.
+	AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
+
+	// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
+	// identity provider should be used for authentication by sending the type of the desired identity provider.
+	AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
+)

generated/1.18/client/go.mod

@@ -4,11 +4,9 @@ module go.pinniped.dev/generated/1.18/client
 go 1.13
 
 require (
-	github.com/go-openapi/spec v0.19.9
 	go.pinniped.dev/generated/1.18/apis v0.0.0-00010101000000-000000000000
 	k8s.io/apimachinery v0.18.2
 	k8s.io/client-go v0.18.2
-	k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
 )
 
 replace go.pinniped.dev/generated/1.18/apis => ../apis

generated/1.18/client/go.sum

@@ -11,11 +11,7 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -23,7 +19,6 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/evanphx/json-patch v4.2.0+incompatible h1:fUDGZCv/7iAN7u0puUVhvKCcsR6vRfwrJatElLBEf0I=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -32,17 +27,9 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.19.4 h1:3Vw+rh13uq2JFNxgnMTGE1rnoieU9FmyE1gvnyylsYg=
-github.com/go-openapi/jsonreference v0.19.4/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.19.9 h1:9z9cbFuZJ7AcvOHKIY+f6Aevb4vObNDkTEyoMfO7rAc=
-github.com/go-openapi/spec v0.19.9/go.mod h1:vqK/dIdLGCosfvYsQV3WfC7N3TiZSnGY2RZKoFK7X28=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -90,9 +77,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e h1:hB2xlXdHp/pmPZq0y3QnmWAArdw9PqbmotexnWx/FU8=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -136,7 +120,6 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -158,9 +141,8 @@ golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -190,7 +172,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/activedirectoryidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// ActiveDirectoryIdentityProvidersGetter has a method to return a ActiveDirectoryIdentityProviderInterface.
+// A group's client should implement this interface.
+type ActiveDirectoryIdentityProvidersGetter interface {
+	ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderInterface
+}
+
+// ActiveDirectoryIdentityProviderInterface has methods to work with ActiveDirectoryIdentityProvider resources.
+type ActiveDirectoryIdentityProviderInterface interface {
+	Create(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.CreateOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	Update(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	UpdateStatus(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ActiveDirectoryIdentityProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error)
+	ActiveDirectoryIdentityProviderExpansion
+}
+
+// activeDirectoryIdentityProviders implements ActiveDirectoryIdentityProviderInterface
+type activeDirectoryIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviders
+func newActiveDirectoryIdentityProviders(c *IDPV1alpha1Client, namespace string) *activeDirectoryIdentityProviders {
+	return &activeDirectoryIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the activeDirectoryIdentityProvider, and returns the corresponding activeDirectoryIdentityProvider object, and an error if there is any.
+func (c *activeDirectoryIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ActiveDirectoryIdentityProviders that match those selectors.
+func (c *activeDirectoryIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ActiveDirectoryIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.ActiveDirectoryIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested activeDirectoryIdentityProviders.
+func (c *activeDirectoryIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a activeDirectoryIdentityProvider and creates it.  Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *activeDirectoryIdentityProviders) Create(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(activeDirectoryIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a activeDirectoryIdentityProvider and updates it. Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *activeDirectoryIdentityProviders) Update(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(activeDirectoryIdentityProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(activeDirectoryIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *activeDirectoryIdentityProviders) UpdateStatus(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(activeDirectoryIdentityProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(activeDirectoryIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the activeDirectoryIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *activeDirectoryIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *activeDirectoryIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched activeDirectoryIdentityProvider.
+func (c *activeDirectoryIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	result = &v1alpha1.ActiveDirectoryIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("activedirectoryidentityproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_activedirectoryidentityprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeActiveDirectoryIdentityProviders implements ActiveDirectoryIdentityProviderInterface
+type FakeActiveDirectoryIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var activedirectoryidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "activedirectoryidentityproviders"}
+
+var activedirectoryidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "ActiveDirectoryIdentityProvider"}
+
+// Get takes name of the activeDirectoryIdentityProvider, and returns the corresponding activeDirectoryIdentityProvider object, and an error if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(activedirectoryidentityprovidersResource, c.ns, name), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of ActiveDirectoryIdentityProviders that match those selectors.
+func (c *FakeActiveDirectoryIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ActiveDirectoryIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(activedirectoryidentityprovidersResource, activedirectoryidentityprovidersKind, c.ns, opts), &v1alpha1.ActiveDirectoryIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.ActiveDirectoryIdentityProviderList{ListMeta: obj.(*v1alpha1.ActiveDirectoryIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.ActiveDirectoryIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested activeDirectoryIdentityProviders.
+func (c *FakeActiveDirectoryIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(activedirectoryidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a activeDirectoryIdentityProvider and creates it.  Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Create(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(activedirectoryidentityprovidersResource, c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// Update takes the representation of a activeDirectoryIdentityProvider and updates it. Returns the server's representation of the activeDirectoryIdentityProvider, and an error, if there is any.
+func (c *FakeActiveDirectoryIdentityProviders) Update(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(activedirectoryidentityprovidersResource, c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeActiveDirectoryIdentityProviders) UpdateStatus(ctx context.Context, activeDirectoryIdentityProvider *v1alpha1.ActiveDirectoryIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.ActiveDirectoryIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(activedirectoryidentityprovidersResource, "status", c.ns, activeDirectoryIdentityProvider), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}
+
+// Delete takes name of the activeDirectoryIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeActiveDirectoryIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(activedirectoryidentityprovidersResource, c.ns, name), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeActiveDirectoryIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(activedirectoryidentityprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.ActiveDirectoryIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched activeDirectoryIdentityProvider.
+func (c *FakeActiveDirectoryIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ActiveDirectoryIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(activedirectoryidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.ActiveDirectoryIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.ActiveDirectoryIdentityProvider), err
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -15,6 +15,14 @@ type FakeIDPV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1alpha1.ActiveDirectoryIdentityProviderInterface {
+	return &FakeActiveDirectoryIdentityProviders{c, namespace}
+}
+
+func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
+	return &FakeLDAPIdentityProviders{c, namespace}
+}
+
 func (c *FakeIDPV1alpha1) OIDCIdentityProviders(namespace string) v1alpha1.OIDCIdentityProviderInterface {
 	return &FakeOIDCIdentityProviders{c, namespace}
 }

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_ldapidentityprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeLDAPIdentityProviders implements LDAPIdentityProviderInterface
+type FakeLDAPIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var ldapidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "ldapidentityproviders"}
+
+var ldapidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "LDAPIdentityProvider"}
+
+// Get takes name of the lDAPIdentityProvider, and returns the corresponding lDAPIdentityProvider object, and an error if there is any.
+func (c *FakeLDAPIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(ldapidentityprovidersResource, c.ns, name), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of LDAPIdentityProviders that match those selectors.
+func (c *FakeLDAPIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.LDAPIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(ldapidentityprovidersResource, ldapidentityprovidersKind, c.ns, opts), &v1alpha1.LDAPIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.LDAPIdentityProviderList{ListMeta: obj.(*v1alpha1.LDAPIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.LDAPIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested lDAPIdentityProviders.
+func (c *FakeLDAPIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(ldapidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a lDAPIdentityProvider and creates it.  Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *FakeLDAPIdentityProviders) Create(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(ldapidentityprovidersResource, c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// Update takes the representation of a lDAPIdentityProvider and updates it. Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *FakeLDAPIdentityProviders) Update(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(ldapidentityprovidersResource, c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeLDAPIdentityProviders) UpdateStatus(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.LDAPIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(ldapidentityprovidersResource, "status", c.ns, lDAPIdentityProvider), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}
+
+// Delete takes name of the lDAPIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeLDAPIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(ldapidentityprovidersResource, c.ns, name), &v1alpha1.LDAPIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeLDAPIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(ldapidentityprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.LDAPIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched lDAPIdentityProvider.
+func (c *FakeLDAPIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(ldapidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.LDAPIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.LDAPIdentityProvider), err
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -5,4 +5,8 @@
 
 package v1alpha1
 
+type ActiveDirectoryIdentityProviderExpansion interface{}
+
+type LDAPIdentityProviderExpansion interface{}
+
 type OIDCIdentityProviderExpansion interface{}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -13,6 +13,8 @@ import (
 
 type IDPV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	ActiveDirectoryIdentityProvidersGetter
+	LDAPIdentityProvidersGetter
 	OIDCIdentityProvidersGetter
 }
 
@@ -21,6 +23,14 @@ type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) ActiveDirectoryIdentityProviderInterface {
+	return newActiveDirectoryIdentityProviders(c, namespace)
+}
+
+func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
+	return newLDAPIdentityProviders(c, namespace)
+}
+
 func (c *IDPV1alpha1Client) OIDCIdentityProviders(namespace string) OIDCIdentityProviderInterface {
 	return newOIDCIdentityProviders(c, namespace)
 }

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/ldapidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// LDAPIdentityProvidersGetter has a method to return a LDAPIdentityProviderInterface.
+// A group's client should implement this interface.
+type LDAPIdentityProvidersGetter interface {
+	LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface
+}
+
+// LDAPIdentityProviderInterface has methods to work with LDAPIdentityProvider resources.
+type LDAPIdentityProviderInterface interface {
+	Create(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.CreateOptions) (*v1alpha1.LDAPIdentityProvider, error)
+	Update(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.LDAPIdentityProvider, error)
+	UpdateStatus(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.LDAPIdentityProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.LDAPIdentityProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.LDAPIdentityProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error)
+	LDAPIdentityProviderExpansion
+}
+
+// lDAPIdentityProviders implements LDAPIdentityProviderInterface
+type lDAPIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newLDAPIdentityProviders returns a LDAPIdentityProviders
+func newLDAPIdentityProviders(c *IDPV1alpha1Client, namespace string) *lDAPIdentityProviders {
+	return &lDAPIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the lDAPIdentityProvider, and returns the corresponding lDAPIdentityProvider object, and an error if there is any.
+func (c *lDAPIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of LDAPIdentityProviders that match those selectors.
+func (c *lDAPIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.LDAPIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.LDAPIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested lDAPIdentityProviders.
+func (c *lDAPIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a lDAPIdentityProvider and creates it.  Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *lDAPIdentityProviders) Create(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(lDAPIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a lDAPIdentityProvider and updates it. Returns the server's representation of the lDAPIdentityProvider, and an error, if there is any.
+func (c *lDAPIdentityProviders) Update(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(lDAPIdentityProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(lDAPIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *lDAPIdentityProviders) UpdateStatus(ctx context.Context, lDAPIdentityProvider *v1alpha1.LDAPIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(lDAPIdentityProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(lDAPIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the lDAPIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *lDAPIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *lDAPIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched lDAPIdentityProvider.
+func (c *lDAPIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.LDAPIdentityProvider, err error) {
+	result = &v1alpha1.LDAPIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("ldapidentityproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/supervisor/informers/externalversions/generic.go

@@ -45,6 +45,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().FederationDomains().Informer()}, nil
 
 		// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
+	case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
 	case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OIDCIdentityProviders().Informer()}, nil
 

generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/activedirectoryidentityprovider.go

@@ -0,0 +1,77 @@
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ActiveDirectoryIdentityProviderInformer provides access to a shared informer and lister for
+// ActiveDirectoryIdentityProviders.
+type ActiveDirectoryIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.ActiveDirectoryIdentityProviderLister
+}
+
+type activeDirectoryIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewActiveDirectoryIdentityProviderInformer constructs a new informer for ActiveDirectoryIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewActiveDirectoryIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredActiveDirectoryIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredActiveDirectoryIdentityProviderInformer constructs a new informer for ActiveDirectoryIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredActiveDirectoryIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().ActiveDirectoryIdentityProviders(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().ActiveDirectoryIdentityProviders(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&idpv1alpha1.ActiveDirectoryIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredActiveDirectoryIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.ActiveDirectoryIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *activeDirectoryIdentityProviderInformer) Lister() v1alpha1.ActiveDirectoryIdentityProviderLister {
+	return v1alpha1.NewActiveDirectoryIdentityProviderLister(f.Informer().GetIndexer())
+}