Update dependencies, including Kube packages to v0.29.0

2026-02-14 18:10:17 +00:00 · 2024-01-03 13:32:10 -08:00
parent 659224a207
commit c7299f4daf
17 changed files with 371 additions and 1205 deletions
--- a/go.mod
+++ b/go.mod
@@ -1,36 +1,30 @@
 module go.pinniped.dev

-go 1.20
+// k8s.io/api@v0.29.0 requires go@1.21
+go 1.21

-// This version taken from https://github.com/kubernetes/apiserver/blob/v0.28.4/go.mod#L14
-replace github.com/google/cel-go => github.com/google/cel-go v0.16.1
+// This version taken from https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod#L14 to avoid compile failures.
+replace github.com/google/cel-go => github.com/google/cel-go v0.17.7

-// This version taken from https://github.com/kubernetes/apiserver/blob/v0.28.4/go.mod#L50
-replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
-
-// This version taken from https://github.com/kubernetes/apiserver/blob/v0.28.4/go.mod#L40
-replace google.golang.org/grpc => google.golang.org/grpc v1.56.3
-
-// Fostite depends on ory/x which depends on more recent versions of opentelemetry.
-// We need to use the older versions of opentelemetry which are the direct dependencies of
-// https://github.com/kubernetes/apiserver/blob/v0.28.4/go.mod. Wherever they clash, replace
-// with the version which is more consistent with kubernetes/apiserver. We will update these
-// when kubernetes/apiserver v0.29.x is released and it bumps these dependencies.
+// Fostite depends on ory/x which depends on opentelemetry. kubernetes/apiserver also depends on opentelemetry.
+// Where they clash and cause "go mod tidy" to fail, use replace directives to make it work.
+// Copied from https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod#L28-L33.
 replace (
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace => go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.35.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1
-	go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.10.0
-	go.opentelemetry.io/otel/exporters/jaeger => go.opentelemetry.io/otel/exporters/jaeger v1.10.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace => go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.10.0
-	go.opentelemetry.io/otel/exporters/zipkin => go.opentelemetry.io/otel/exporters/zipkin v1.10.0
-	go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v0.31.0
-	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.10.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+	go.opentelemetry.io/otel => go.opentelemetry.io/otel v1.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0
+	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.19.0
+	go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.19.0
 )

+// https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod does not include this one, but it is also needed
+// to resolve the clashes with ory/x, so use the same version that kubernetes/apiserver chooses for opentelemetry.
+replace go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
+
 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
-	github.com/chromedp/cdproto v0.0.0-20231205062650-00455a960d61
+	github.com/chromedp/cdproto v0.0.0-20240102194822-c006b26f21c7
 	github.com/chromedp/chromedp v0.9.3
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/coreos/go-semver v0.3.1
@@ -39,7 +33,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/go-ldap/ldap/v3 v3.4.6
-	github.com/go-logr/logr v1.3.0
+	github.com/go-logr/logr v1.4.1
 	github.com/go-logr/stdr v1.2.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/gofrs/flock v0.8.1
@@ -52,32 +46,32 @@ require (
 	github.com/gorilla/websocket v1.5.1
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/ory/fosite v0.44.1-0.20231113125121-dfa2c0a1b63c
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
+	github.com/ory/fosite v0.45.1-0.20240103162202-f4114878826c
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	github.com/tdewolff/minify/v2 v2.20.9
+	github.com/tdewolff/minify/v2 v2.20.10
 	go.uber.org/zap v1.26.0
-	golang.org/x/crypto v0.16.0
+	golang.org/x/crypto v0.17.0
 	golang.org/x/net v0.19.0
 	golang.org/x/oauth2 v0.15.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/term v0.15.0
 	golang.org/x/text v0.14.0
-	k8s.io/api v0.28.4
-	k8s.io/apiextensions-apiserver v0.28.4
-	k8s.io/apimachinery v0.28.4
-	k8s.io/apiserver v0.28.4
-	k8s.io/client-go v0.28.4
-	k8s.io/component-base v0.28.4
+	k8s.io/api v0.29.0
+	k8s.io/apiextensions-apiserver v0.29.0
+	k8s.io/apimachinery v0.29.0
+	k8s.io/apiserver v0.29.0
+	k8s.io/client-go v0.29.0
+	k8s.io/component-base v0.29.0
 	k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01
 	k8s.io/klog/v2 v2.110.1
-	k8s.io/kube-aggregator v0.28.4
-	k8s.io/kube-openapi v0.0.0-20231206194836-bf4651e18aa8
-	k8s.io/utils v0.0.0-20231127182322-b307cd553661
+	k8s.io/kube-aggregator v0.29.0
+	k8s.io/kube-openapi v0.0.0-20240103160808-8a9faedaf1cd
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	sigs.k8s.io/yaml v1.4.0
 )

@@ -100,7 +94,7 @@ require (
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/ecordell/optgen v0.0.9 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -113,7 +107,7 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.1.1 // indirect
+	github.com/golang/glog v1.1.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
@@ -136,6 +130,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/openzipkin/zipkin-go v0.4.1 // indirect
 	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
@@ -156,38 +151,37 @@ require (
 	github.com/spf13/viper v1.16.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
-	github.com/tdewolff/parse/v2 v2.7.6 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.9 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.9 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
+	github.com/tdewolff/parse/v2 v2.7.7 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.10 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.42.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.11.0 // indirect
-	go.opentelemetry.io/otel v1.16.0 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.16.0 // indirect
 	go.opentelemetry.io/otel/exporters/zipkin v1.16.0 // indirect
-	go.opentelemetry.io/otel/metric v1.16.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.16.0 // indirect
-	go.opentelemetry.io/otel/trace v1.16.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 // indirect
+	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.11.1 // indirect
+	golang.org/x/tools v0.12.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20230731193218-e0aa005b6bdf // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -195,8 +189,8 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.28.4 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
+	k8s.io/kms v0.29.0 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/update-copyright-year.sh
+++ b/hack/update-copyright-year.sh
@@ -1,6 +1,6 @@
 #!/bin/bash

-# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 set -euo pipefail
@@ -30,9 +30,9 @@ if [[ "${#missing_copyright_files[@]}" -gt "0" ]]; then
        # The rule when updating copyrights is to always keep the starting year,
        # and to replace the ending year with the current year.
        # This uses MacOS sed flags to replace "XXXX-YYYY" with "XXXX-year" in the copyright notice.
-        sed -E -e 's/Copyright ([0-9]{4})-([0-9]{4}) the Pinniped contributors/Copyright \1-2023 the Pinniped contributors/' -i '' "$f"
+        sed -E -e 's/Copyright ([0-9]{4})-([0-9]{4}) the Pinniped contributors/Copyright \1-'"$year"' the Pinniped contributors/' -i '' "$f"
        # This uses MacOS sed flags to replace "XXXX" with "XXXX-year" in the copyright notice.
-        sed -E -e 's/Copyright ([0-9]{4}) the Pinniped contributors/Copyright \1-2023 the Pinniped contributors/' -i '' "$f"
+        sed -E -e 's/Copyright ([0-9]{4}) the Pinniped contributors/Copyright \1-'"$year"' the Pinniped contributors/' -i '' "$f"
    done
    echo "Done!"
    exit 1
--- a/hack/update-go-mod/go.mod
+++ b/hack/update-go-mod/go.mod
@@ -1,5 +1,5 @@
 module go.pinniped.dev/update-go-mod

-go 1.20
+go 1.21

 require golang.org/x/mod v0.14.0
--- a/internal/celtransformer/celformer_test.go
+++ b/internal/celtransformer/celformer_test.go
@@ -1,4 +1,4 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package celtransformer
@@ -732,9 +732,12 @@ func TestTransformer(t *testing.T) {
 			username: "ryan",
 			groups:   []string{"admins", "developers", "other"},
 			transforms: []CELTransformation{
-				&GroupsTransformation{Expression: `groups.map(g, {"admins": dyn(1), "developers":"a"}[g])`},
+				&GroupsTransformation{Expression: `groups.map(g, {"admins": dyn(1), "developers": "a"}[g])`},
 			},
-			wantCompileErr: `CEL expression should return type "list(string)" but returns type "list(dyn)"`,
+			wantCompileErr: here.Doc(`
+				CEL expression compile error: ERROR: <input>:1:48: expected type 'dyn' but found 'string'
+				 | groups.map(g, {"admins": dyn(1), "developers": "a"}[g])
+				 | ...............................................^`),
 		},
 		{
 			name:     "using string constants which were not were provided",
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package impersonator
@@ -121,7 +121,8 @@ func newInternal(
 		// secure TLS for connections coming from external clients and going to the Kube API server
 		// this is best effort because not all options provide the right hooks to override TLS config
 		// since any client could connect to the impersonation proxy, this uses the default TLS config
-		if err := ptls.DefaultRecommendedOptions(recommendedOptions, restConfigFunc); err != nil {
+		prepareServerConfigFunc, err := ptls.DefaultRecommendedOptions(recommendedOptions, restConfigFunc)
+		if err != nil {
 			return nil, fmt.Errorf("failed to secure recommended options: %w", err)
 		}

@@ -149,6 +150,10 @@ func newInternal(

 		serverConfig := genericapiserver.NewRecommendedConfig(codecs)

+		// Get ready to call recommendedOptions.ApplyTo(serverConfig) by preparing the
+		// serverConfig using the function returned by the ptls package above.
+		prepareServerConfigFunc(serverConfig)
+
 		// Note that ApplyTo is going to create a network listener and bind to the requested port.
 		// It puts this listener into serverConfig.SecureServing.Listener.
 		err = recommendedOptions.ApplyTo(serverConfig)
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package impersonator
@@ -35,14 +35,11 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/request"
-	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"

 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
@@ -81,9 +78,6 @@ func TestImpersonator(t *testing.T) {
 	unrelatedCA, err := certauthority.New("ca", time.Hour)
 	require.NoError(t, err)

-	// turn off this code path for all tests because it does not handle the config we remove correctly
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIPriorityAndFairness, false)()
-
 	tests := []struct {
 		name                            string
 		clientCert                      *clientCert
@@ -830,6 +824,9 @@ func TestImpersonator(t *testing.T) {
 				options.Authorization.RemoteKubeConfigFileOptional = true
 				options.Admission = nil
 				options.SecureServing.Listener = listener // use our listener with the dynamic port
+
+				// turn off this code path for all tests because it does not handle the config we remove correctly
+				options.Features.EnablePriorityAndFairness = false
 			}

 			recorder := &attributeRecorder{}
@@ -2066,6 +2063,8 @@ func Test_withBearerTokenPreservation(t *testing.T) {
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
 			inputReq := (&http.Request{Header: tt.headers}).WithContext(context.Background())
 			inputReqCopy := inputReq.Clone(inputReq.Context())

--- a/internal/concierge/server/server.go
+++ b/internal/concierge/server/server.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package server is the command line entry point for pinniped-concierge.
@@ -17,6 +17,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/client-go/rest"
@@ -27,6 +28,7 @@ import (
 	"go.pinniped.dev/internal/concierge/apiserver"
 	conciergescheme "go.pinniped.dev/internal/concierge/scheme"
 	"go.pinniped.dev/internal/config/concierge"
+	"go.pinniped.dev/internal/config/featuregates"
 	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controllerinit"
 	"go.pinniped.dev/internal/controllermanager"
@@ -105,8 +107,8 @@ func addCommandlineFlagsToCommand(cmd *cobra.Command, app *App) {
 func (a *App) runServer(ctx context.Context) error {
 	// We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
 	// but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
-	// We will need to figure out if that is a bug in Kubernetes before we enable this again.
-	// featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
+	// Make sure https://github.com/kubernetes/kubernetes/issues/122308 is resolved before enabling this.
+	featuregates.DisableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)

 	// Read the server config file.
 	cfg, err := concierge.FromPath(ctx, a.configPath)
@@ -248,7 +250,8 @@ func getAggregatedAPIServerConfig(
 	// secure TLS for connections coming from and going to the Kube API server
 	// this is best effort because not all options provide the right hooks to override TLS config
 	// since our only client is the Kube API server, this uses the most secure TLS config
-	if err := ptls.SecureRecommendedOptions(recommendedOptions, kubeclient.Secure); err != nil {
+	prepareServerConfigFunc, err := ptls.SecureRecommendedOptions(recommendedOptions, kubeclient.Secure)
+	if err != nil {
 		return nil, fmt.Errorf("failed to secure recommended options: %w", err)
 	}

@@ -261,6 +264,11 @@ func getAggregatedAPIServerConfig(
 	serverConfig.OpenAPIV3Config = genericapiserver.DefaultOpenAPIV3Config(
 		conciergeopenapi.GetOpenAPIDefinitions, openapinamer.NewDefinitionNamer(scheme))
 	// serverConfig.OpenAPIV3Config.Info.InfoProps.Title = "Pinniped Concierge"
+
+	// Get ready to call recommendedOptions.ApplyTo(serverConfig) by preparing the
+	// serverConfig using the function returned by the ptls package above.
+	prepareServerConfigFunc(serverConfig)
+
 	// Note that among other things, this ApplyTo() function copies
 	// `recommendedOptions.SecureServing.ServerCert.GeneratedCert` into
 	// `serverConfig.SecureServing.Cert` thus making `dynamicCertProvider`
--- a/internal/config/featuregates/featuregates.go
+++ b/internal/config/featuregates/featuregates.go
@@ -1,4 +1,4 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package featuregates
@@ -11,9 +11,17 @@ import (
 )

 func EnableKubeFeatureGate(f featuregate.Feature) {
+	setKubeFeatureGate(f, true)
+}
+
+func DisableKubeFeatureGate(f featuregate.Feature) {
+	setKubeFeatureGate(f, false)
+}
+
+func setKubeFeatureGate(f featuregate.Feature, newValue bool) {
 	initialValue := feature.DefaultFeatureGate.Enabled(f)

-	if err := feature.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(f): true}); err != nil {
+	if err := feature.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(f): newValue}); err != nil {
 		panic(err) // this should never happen as long as a feature gate still exists
 	}

--- a/internal/config/featuregates/featuregates_test.go
+++ b/internal/config/featuregates/featuregates_test.go
@@ -1,4 +1,4 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package featuregates
@@ -12,17 +12,25 @@ import (
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 )

-func TestEnableKubeFeatureGate(t *testing.T) {
+func TestEnableAndDisableKubeFeatureGate(t *testing.T) {
 	f := features.UnauthenticatedHTTP2DOSMitigation

-	// This feature gate is currently disabled by default in the Kubernetes library.
-	// Assert this as a precondition so if that ever changes during a dependency bump
-	// we will be forced to take note and decide if any code deserves to change.
+	// This feature gate is currently enabled by default in the Kubernetes library.
+	// Assert this as a precondition.
+	require.True(t, feature.DefaultFeatureGate.Enabled(f))
+
+	// Set it back to its default value of true at the end of this test.
+	defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, f, true)()
+
+	EnableKubeFeatureGate(f)
+	require.True(t, feature.DefaultFeatureGate.Enabled(f))
+
+	DisableKubeFeatureGate(f)
 	require.False(t, feature.DefaultFeatureGate.Enabled(f))

-	defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, f, false)()
-
+	DisableKubeFeatureGate(f)
 	require.False(t, feature.DefaultFeatureGate.Enabled(f))
+
 	EnableKubeFeatureGate(f)
 	require.True(t, feature.DefaultFeatureGate.Enabled(f))
 }
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package jwtcachefiller implements a controller for filling an authncache.Cache with each
@@ -16,9 +16,11 @@ import (
 	"github.com/go-jose/go-jose/v3"
 	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"

 	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
@@ -192,11 +194,23 @@ func newJWTAuthenticator(spec *auth1alpha1.JWTAuthenticatorSpec) (*jwtAuthentica
 		return nil, fmt.Errorf("issuer %q does not have jwks_uri set", spec.Issuer)
 	}
 	oidcAuthenticator, err := oidc.New(oidc.Options{
-		IssuerURL:            spec.Issuer,
+		JWTAuthenticator: apiserver.JWTAuthenticator{
+			Issuer: apiserver.Issuer{
+				URL:       spec.Issuer,
+				Audiences: []string{spec.Audience},
+			},
+			ClaimMappings: apiserver.ClaimMappings{
+				Username: apiserver.PrefixedClaimOrExpression{
+					Claim:  usernameClaim,
+					Prefix: ptr.To(""),
+				},
+				Groups: apiserver.PrefixedClaimOrExpression{
+					Claim:  groupsClaim,
+					Prefix: ptr.To(""),
+				},
+			},
+		},
 		KeySet:               coreosoidc.NewRemoteKeySet(ctx, providerJSON.JWKSURL),
-		ClientID:             spec.Audience,
-		UsernameClaim:        usernameClaim,
-		GroupsClaim:          groupsClaim,
 		SupportedSigningAlgs: defaultSupportedSigningAlgos(),
 		Client:               client,
 	})
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package ptls
@@ -61,12 +61,23 @@ func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config) {
 // RestConfigFunc allows this package to not depend on the kubeclient package.
 type RestConfigFunc func(*rest.Config) (kubernetes.Interface, *rest.Config, error)

-func DefaultRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) error {
+// PrepareServerConfigFunc is a function that can prepare a RecommendedConfig before the use of RecommendedOptions.ApplyTo().
+type PrepareServerConfigFunc func(c *genericapiserver.RecommendedConfig)
+
+// DefaultRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites,
+// min TLS version, and client configuration options for servers that need to accept incoming connections from
+// arbitrary clients (like the impersonation proxy).
+// It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().
+func DefaultRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error) {
 	defaultServing(opts.SecureServing)
 	return secureClient(opts, f)
 }

-func SecureRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) error {
+// SecureRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites,
+// min TLS version, and client configuration options for servers that only need to accept incoming connections from
+// certain well known clients which we expect will always use modern TLS settings (like the Kube API server).
+// It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().
+func SecureRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error) {
 	secureServing(opts.SecureServing)
 	return secureClient(opts, f)
 }
@@ -82,14 +93,14 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }

-func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
+func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error) {
 	inClusterClient, inClusterConfig, err := f(nil)
 	if err != nil {
-		return fmt.Errorf("failed to build in cluster client: %w", err)
+		return nil, fmt.Errorf("failed to build in cluster client: %w", err)
 	}

 	if n, z := opts.Authentication.RemoteKubeConfigFile, opts.Authorization.RemoteKubeConfigFile; len(n) > 0 || len(z) > 0 {
-		return fmt.Errorf("delgating auth is not using in-cluster config:\nauthentication=%s\nauthorization=%s", n, z)
+		return nil, fmt.Errorf("delgating auth is not using in-cluster config:\nauthentication=%s\nauthorization=%s", n, z)
 	}

 	// delegated authn and authz provide easy hooks for us to set the TLS config.
@@ -99,25 +110,31 @@ func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
 	opts.Authentication.CustomRoundTripperFn = wrapperFunc
 	opts.Authorization.CustomRoundTripperFn = wrapperFunc

-	opts.CoreAPI = nil // set this to nil to make sure our ExtraAdmissionInitializers is used
+	// Set this to nil to because it would normally set up c.ClientConfig and c.SharedInformerFactory, but we want to
+	// do that ourselves instead by calling the func returned below before we call RecommendedOptions.ApplyTo().
+	opts.CoreAPI = nil
+
 	baseExtraAdmissionInitializers := opts.ExtraAdmissionInitializers
 	opts.ExtraAdmissionInitializers = func(c *genericapiserver.RecommendedConfig) ([]admission.PluginInitializer, error) {
-		// abuse this closure to rewrite how we load admission plugins
-		c.ClientConfig = inClusterConfig
-		c.SharedInformerFactory = k8sinformers.NewSharedInformerFactory(inClusterClient, 0)
-
-		// abuse this closure to rewrite our loopback config
-		// this is mostly future proofing for post start hooks
+		// Abuse this closure to rewrite our loopback config. This is mostly future proofing for post start hooks.
+		// Note that c.LoopbackClientConfig has already been set up inside RecommendedOptions.ApplyTo() before this
+		// ExtraAdmissionInitializers function is invoked, so it is okay to use it here.
 		_, loopbackConfig, err := f(c.LoopbackClientConfig)
 		if err != nil {
 			return nil, fmt.Errorf("failed to build loopback config: %w", err)
 		}
 		c.LoopbackClientConfig = loopbackConfig
-
 		return baseExtraAdmissionInitializers(c)
 	}

-	return nil
+	// This returned function is intended to be called before RecommendedOptions.ApplyTo(). Is is intended
+	// that the above setting of opts.CoreAPI to nil will make the below function the only thing that sets
+	// the c.ClientConfig and c.SharedInformerFactory, although this is highly dependent on the implementation
+	// details ofRecommendedOptions.ApplyTo() and all its helpers that it invokes.
+	return func(c *genericapiserver.RecommendedConfig) {
+		c.ClientConfig = inClusterConfig
+		c.SharedInformerFactory = k8sinformers.NewSharedInformerFactory(inClusterClient, 0)
+	}, nil
 }

 func wrapTransportOnce(f transport.WrapperFunc) transport.WrapperFunc {
--- a/internal/plog/plog_test.go
+++ b/internal/plog/plog_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -233,7 +233,7 @@ func TestPlog(t *testing.T) {
 				testAllPlogMethods(l.withDepth(-2))
 			},
 			want: `
-{"level":"error","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Error","message":"e","panda":2,"error":"some err"}
+{"level":"error","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Error","message":"e","panda":2,"error":"some err"}
 {"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.warningDepth","message":"w","warning":true,"panda":2}
 {"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.warningDepth","message":"we","warning":true,"error":"some err","panda":2}
 {"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.infoDepth","message":"i","panda":2}
@@ -242,8 +242,8 @@ func TestPlog(t *testing.T) {
 {"level":"debug","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.debugDepth","message":"de","error":"some err","panda":2}
 {"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.traceDepth","message":"t","panda":2}
 {"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog.go:<line>$plog.pLogger.traceDepth","message":"te","error":"some err","panda":2}
-{"level":"all","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"all","panda":2}
-{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"always","panda":2}
+{"level":"all","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"all","panda":2}
+{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"always","panda":2}
 `,
 		},
 		{
@@ -253,14 +253,14 @@ func TestPlog(t *testing.T) {
 			},
 			want: `
 {"level":"error","timestamp":"2099-08-08T13:57:36.123456Z","caller":"zapr@v1.3.0/zapr.go:<line>$zapr.(*zapLogger).Error","message":"e","panda":2,"error":"some err"}
-{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"w","warning":true,"panda":2}
-{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"we","warning":true,"error":"some err","panda":2}
-{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"i","panda":2}
-{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"ie","error":"some err","panda":2}
-{"level":"debug","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"d","panda":2}
-{"level":"debug","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"de","error":"some err","panda":2}
-{"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"t","panda":2}
-{"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.3.0/logr.go:<line>$logr.Logger.Info","message":"te","error":"some err","panda":2}
+{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"w","warning":true,"panda":2}
+{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"we","warning":true,"error":"some err","panda":2}
+{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"i","panda":2}
+{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"ie","error":"some err","panda":2}
+{"level":"debug","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"d","panda":2}
+{"level":"debug","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"de","error":"some err","panda":2}
+{"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"t","panda":2}
+{"level":"trace","timestamp":"2099-08-08T13:57:36.123456Z","caller":"logr@v1.4.1/logr.go:<line>$logr.Logger.Info","message":"te","error":"some err","panda":2}
 {"level":"all","timestamp":"2099-08-08T13:57:36.123456Z","caller":"zapr@v1.3.0/zapr.go:<line>$zapr.(*zapLogger).Info","message":"all","panda":2}
 {"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"zapr@v1.3.0/zapr.go:<line>$zapr.(*zapLogger).Info","message":"always","panda":2}`,
 		},
--- a/internal/registry/clientsecretrequest/rest.go
+++ b/internal/registry/clientsecretrequest/rest.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package clientsecretrequest provides REST functionality for the CredentialRequest resource.
@@ -279,7 +279,7 @@ func (r *REST) validateRequest(
 	if options != nil {
 		if len(options.DryRun) != 0 {
 			traceValidationFailure(tracer, "dryRun not supported")
-			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, nil)}
+			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, []string(nil))}
 			return nil, apierrors.NewInvalid(kindFromContext(ctx), clientSecretRequest.Name, errs)
 		}
 	}
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package credentialrequest provides REST functionality for the CredentialRequest resource.
@@ -151,7 +151,7 @@ func validateRequest(ctx context.Context, obj runtime.Object, createValidation r
 	if options != nil {
 		if len(options.DryRun) != 0 {
 			traceValidationFailure(t, "dryRun not supported")
-			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, nil)}
+			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, []string(nil))}
 			return nil, apierrors.NewInvalid(loginapi.Kind(credentialRequest.Kind), credentialRequest.Name, errs)
 		}
 	}
--- a/internal/registry/whoamirequest/rest.go
+++ b/internal/registry/whoamirequest/rest.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package whoamirequest
@@ -90,7 +90,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 	// just a sanity check, not sure how to honor a dry run on a virtual API
 	if options != nil {
 		if len(options.DryRun) != 0 {
-			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, nil)}
+			errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, []string(nil))}
 			return nil, apierrors.NewInvalid(identityapi.Kind(whoAmIRequest.Kind), whoAmIRequest.Name, errs)
 		}
 	}
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package server defines the entrypoint for the Pinniped Supervisor server.
@@ -28,6 +28,7 @@ import (
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	k8sinformers "k8s.io/client-go/informers"
@@ -43,6 +44,7 @@ import (
 	supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 	supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
 	"go.pinniped.dev/internal/apiserviceref"
+	"go.pinniped.dev/internal/config/featuregates"
 	"go.pinniped.dev/internal/config/supervisor"
 	"go.pinniped.dev/internal/controller/apicerts"
 	"go.pinniped.dev/internal/controller/supervisorconfig"
@@ -388,8 +390,8 @@ func prepareControllers(
 func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error { //nolint:funlen
 	// We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
 	// but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
-	// We will need to figure out if that is a bug in Kubernetes before we enable this again.
-	// featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
+	// Make sure https://github.com/kubernetes/kubernetes/issues/122308 is resolved before enabling this.
+	featuregates.DisableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)

 	serverInstallationNamespace := podInfo.Namespace
 	clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
@@ -623,7 +625,8 @@ func getAggregatedAPIServerConfig(
 	// secure TLS for connections coming from and going to the Kube API server
 	// this is best effort because not all options provide the right hooks to override TLS config
 	// since our only client is the Kube API server, this uses the most secure TLS config
-	if err := ptls.SecureRecommendedOptions(recommendedOptions, kubeclient.Secure); err != nil {
+	prepareServerConfigFunc, err := ptls.SecureRecommendedOptions(recommendedOptions, kubeclient.Secure)
+	if err != nil {
 		return nil, fmt.Errorf("failed to secure recommended options: %w", err)
 	}

@@ -636,6 +639,11 @@ func getAggregatedAPIServerConfig(
 	serverConfig.OpenAPIV3Config = genericapiserver.DefaultOpenAPIV3Config(
 		supervisoropenapi.GetOpenAPIDefinitions, openapinamer.NewDefinitionNamer(scheme))
 	// serverConfig.OpenAPIV3Config.Info.InfoProps.Title = "Pinniped Supervisor"
+
+	// Get ready to call recommendedOptions.ApplyTo(serverConfig) by preparing the
+	// serverConfig using the function returned by the ptls package above.
+	prepareServerConfigFunc(serverConfig)
+
 	// Note that among other things, this ApplyTo() function copies
 	// `recommendedOptions.SecureServing.ServerCert.GeneratedCert` into
 	// `serverConfig.SecureServing.Cert` thus making `dynamicCertProvider`