Merge pull request #1615 from vmware-tanzu/jtc/fix-double-decoding-of-ca-crt

Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy

.github/workflows/codeql-analysis.yml

@@ -6,17 +6,18 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main, release*, dynamic_clients ]
+    branches: [ "main", release* ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main, release*, dynamic_clients ]
+    branches: [ "main" ]
   schedule:
-    - cron: '39 13 * * 2'
+    - cron: '24 3 * * 3'
 
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       actions: read
       contents: read
@@ -31,7 +32,6 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v3
 
-
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v2
       with:
@@ -39,7 +39,9 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
@@ -49,13 +51,14 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

CONTRIBUTING.md

@@ -114,7 +114,6 @@ go build -o pinniped ./cmd/pinniped
 
 1. Install dependencies:
 
-   - [`chromedriver`](https://chromedriver.chromium.org/) (and [Chrome](https://www.google.com/chrome/))
    - [`docker`](https://www.docker.com/)
    - `htpasswd` (installed by default on MacOS, usually found in `apache2-utils` package for linux)
    - [`kapp`](https://carvel.dev/#getting-started)
@@ -122,11 +121,13 @@ go build -o pinniped ./cmd/pinniped
    - [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
    - [`ytt`](https://carvel.dev/#getting-started)
    - [`nmap`](https://nmap.org/download.html)
+   - [`openssl`](https://www.openssl.org) (installed by default on MacOS)
+   - [Chrome](https://www.google.com/chrome/)
 
    On macOS, these tools can be installed with [Homebrew](https://brew.sh/) (assuming you have Chrome installed already):
 
    ```bash
-   brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl chromedriver nmap && brew cask install docker
+   brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl nmap && brew cask install docker
    ```
 
 1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:

Dockerfile

@@ -3,7 +3,7 @@
 # Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.20.4 as build-env
+FROM golang:1.20.7 as build-env
 
 WORKDIR /work
 COPY . .

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.17/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.18/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.19/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.20/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.21/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.22/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.23/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.24/README.adoc

@@ -568,6 +568,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.24/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.24/apis
 go 1.13
 
 require (
-	k8s.io/api v0.24.14
-	k8s.io/apimachinery v0.24.14
+	k8s.io/api v0.24.16
+	k8s.io/apimachinery v0.24.16
 )

generated/1.24/apis/go.sum

@@ -55,6 +55,7 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -239,10 +240,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.24.14 h1:plWo5FZi1VJ7XC2NEeKyGS946e252vijDlqxeiN0cBk=
-k8s.io/api v0.24.14/go.mod h1:dmyjYMJoi/FOIyH1RwYpgskcrl1RRmqsBfDVbB9VpqQ=
-k8s.io/apimachinery v0.24.14 h1:i7GrBju4O0onF1+jqXXPVmfXWilplxWYkTNU6G/h6Cs=
-k8s.io/apimachinery v0.24.14/go.mod h1:Yyft+DTAvOmHyT332HkCMoTKroxYDEEx7NRLsdCYDoc=
+k8s.io/api v0.24.16 h1:9G8eHAtCvY8dLmTmRI/+O1/7alkcz29UKGyLkeMSRw8=
+k8s.io/api v0.24.16/go.mod h1:lNKdTj0W2upnaS9S5kvHTU5T/NTHnDdmQjUjODC8JZs=
+k8s.io/apimachinery v0.24.16 h1:3u2XdCZcV0PUagOuH1+b0vVfZwnOhVwSauuVlIYH278=
+k8s.io/apimachinery v0.24.16/go.mod h1:kSzhCwldu9XB172NDdLffRN0sJ3x95RR7Bmyc4SHhs0=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.24/client/go.mod

@@ -5,8 +5,8 @@ go 1.13
 
 require (
 	go.pinniped.dev/generated/1.24/apis v0.0.0
-	k8s.io/apimachinery v0.24.14
-	k8s.io/client-go v0.24.14
+	k8s.io/apimachinery v0.24.16
+	k8s.io/client-go v0.24.16
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42
 )
 

generated/1.24/client/go.sum

@@ -168,8 +168,9 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
@@ -629,12 +630,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.24.14 h1:plWo5FZi1VJ7XC2NEeKyGS946e252vijDlqxeiN0cBk=
-k8s.io/api v0.24.14/go.mod h1:dmyjYMJoi/FOIyH1RwYpgskcrl1RRmqsBfDVbB9VpqQ=
-k8s.io/apimachinery v0.24.14 h1:i7GrBju4O0onF1+jqXXPVmfXWilplxWYkTNU6G/h6Cs=
-k8s.io/apimachinery v0.24.14/go.mod h1:Yyft+DTAvOmHyT332HkCMoTKroxYDEEx7NRLsdCYDoc=
-k8s.io/client-go v0.24.14 h1:vwnWSAPLNN+IHi8yt08Q8InP71JXG5ix8YrBE32OOZU=
-k8s.io/client-go v0.24.14/go.mod h1:/loTxPCTlfIOw1qAgzj7lGyFfXiHBPVWet+NB/+e2ho=
+k8s.io/api v0.24.16 h1:9G8eHAtCvY8dLmTmRI/+O1/7alkcz29UKGyLkeMSRw8=
+k8s.io/api v0.24.16/go.mod h1:lNKdTj0W2upnaS9S5kvHTU5T/NTHnDdmQjUjODC8JZs=
+k8s.io/apimachinery v0.24.16 h1:3u2XdCZcV0PUagOuH1+b0vVfZwnOhVwSauuVlIYH278=
+k8s.io/apimachinery v0.24.16/go.mod h1:kSzhCwldu9XB172NDdLffRN0sJ3x95RR7Bmyc4SHhs0=
+k8s.io/client-go v0.24.16 h1:ZL3OsVQ2FVr4/yo+1ydzuZ/RTDwxtkPHY9kWuI+uF3Q=
+k8s.io/client-go v0.24.16/go.mod h1:H1io/ZQK4Cju1fO5tg9njKjqPups9MIZlKGaUDq3Q64=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.25/README.adoc

@@ -566,6 +566,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.25/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.25/apis
 go 1.13
 
 require (
-	k8s.io/api v0.25.10
-	k8s.io/apimachinery v0.25.10
+	k8s.io/api v0.25.12
+	k8s.io/apimachinery v0.25.12
 )

generated/1.25/apis/go.sum

@@ -62,6 +62,7 @@ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -258,10 +259,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.25.10 h1:YfcmWMKDnWpzKV2byP+fu0v00yNTS4+cqw4g0ndUsJA=
-k8s.io/api v0.25.10/go.mod h1:7inWacs1rgsi5uLOONfUmo4on+tVkkuJZNsMLouGAhA=
-k8s.io/apimachinery v0.25.10 h1:uvPXar0BVg9g2R5a5kTjMuHCjLxC5LiAclSrLOP8Q20=
-k8s.io/apimachinery v0.25.10/go.mod h1:PJ+6cm50BMETqCCJx1RXQIXaq937SUdAq2vVKCGDZXU=
+k8s.io/api v0.25.12 h1:vMyRHX3SASysor6zk81DsYXbkVdvzQEIL4gA+6+j6mQ=
+k8s.io/api v0.25.12/go.mod h1:pAGhdr4HvJlOa1g26QpNeiQLNnzc6nwU92MQSqY2pBk=
+k8s.io/apimachinery v0.25.12 h1:xLVMeHrUfO4Eq2CK60YS+ElVYv0AUNSGVYdHKZFBHRE=
+k8s.io/apimachinery v0.25.12/go.mod h1:IFwbcNi3gKkfDhuy0VYu3+BwbxbiIov3p6FR8ge1Epc=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.25/client/go.mod

@@ -5,8 +5,8 @@ go 1.13
 
 require (
 	go.pinniped.dev/generated/1.25/apis v0.0.0
-	k8s.io/apimachinery v0.25.10
-	k8s.io/client-go v0.25.10
+	k8s.io/apimachinery v0.25.12
+	k8s.io/client-go v0.25.12
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1
 )
 

generated/1.25/client/go.sum

@@ -192,8 +192,9 @@ github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
@@ -720,12 +721,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.25.10 h1:YfcmWMKDnWpzKV2byP+fu0v00yNTS4+cqw4g0ndUsJA=
-k8s.io/api v0.25.10/go.mod h1:7inWacs1rgsi5uLOONfUmo4on+tVkkuJZNsMLouGAhA=
-k8s.io/apimachinery v0.25.10 h1:uvPXar0BVg9g2R5a5kTjMuHCjLxC5LiAclSrLOP8Q20=
-k8s.io/apimachinery v0.25.10/go.mod h1:PJ+6cm50BMETqCCJx1RXQIXaq937SUdAq2vVKCGDZXU=
-k8s.io/client-go v0.25.10 h1:FhTgEpCDboGjByXnoEj/kiHK12SC+fjRMrkNKn72/aU=
-k8s.io/client-go v0.25.10/go.mod h1:zqpG8XvdsDK7q/Dh83v2M3LgTVj8sAbT3BT0JnANjME=
+k8s.io/api v0.25.12 h1:vMyRHX3SASysor6zk81DsYXbkVdvzQEIL4gA+6+j6mQ=
+k8s.io/api v0.25.12/go.mod h1:pAGhdr4HvJlOa1g26QpNeiQLNnzc6nwU92MQSqY2pBk=
+k8s.io/apimachinery v0.25.12 h1:xLVMeHrUfO4Eq2CK60YS+ElVYv0AUNSGVYdHKZFBHRE=
+k8s.io/apimachinery v0.25.12/go.mod h1:IFwbcNi3gKkfDhuy0VYu3+BwbxbiIov3p6FR8ge1Epc=
+k8s.io/client-go v0.25.12 h1:LSwQNUqm368OjEoITifwM8+P/B+7wxvZ+yPKbFanVWI=
+k8s.io/client-go v0.25.12/go.mod h1:WD2cp9N7NLyz2jMoq49vC6+8HKkjhqaDkk93l3eJO0M=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.26/README.adoc

@@ -566,6 +566,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.26/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.26/apis
 go 1.13
 
 require (
-	k8s.io/api v0.26.5
-	k8s.io/apimachinery v0.26.5
+	k8s.io/api v0.26.7
+	k8s.io/apimachinery v0.26.7
 )

generated/1.26/apis/go.sum

@@ -61,6 +61,7 @@ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -269,10 +270,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.26.5 h1:Npao/+sMSng6nkEcNydgH3BNo4s5YoBg7iw35HM7Hcw=
-k8s.io/api v0.26.5/go.mod h1:O7ICW7lj6+ZQQQ3cxekgCoW+fnGo5kWT0nTHkLZ5grc=
-k8s.io/apimachinery v0.26.5 h1:hTQVhJao2piX7vSgCn4Lwd6E0o/+TJIH4NqRf+q4EmE=
-k8s.io/apimachinery v0.26.5/go.mod h1:HUvk6wrOP4v22AIYqeCGSQ6xWCHo41J9d6psb3temAg=
+k8s.io/api v0.26.7 h1:Lf4iEBEJb5OFNmawtBfSZV/UNi9riSJ0t1qdhyZqI40=
+k8s.io/api v0.26.7/go.mod h1:Vk9bMadzA49UHPmHB//lX7VRCQSXGoVwfLd3Sc1SSXI=
+k8s.io/apimachinery v0.26.7 h1:590jSBwaSHCAFCqltaEogY/zybFlhGsnLteLpuF2wig=
+k8s.io/apimachinery v0.26.7/go.mod h1:qYzLkrQ9lhrZRh0jNKo2cfvf/R1/kQONnSiyB7NUJU0=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.26/client/go.mod

@@ -5,8 +5,8 @@ go 1.13
 
 require (
 	go.pinniped.dev/generated/1.26/apis v0.0.0
-	k8s.io/apimachinery v0.26.5
-	k8s.io/client-go v0.26.5
+	k8s.io/apimachinery v0.26.7
+	k8s.io/client-go v0.26.7
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 )
 

generated/1.26/client/go.sum

@@ -139,8 +139,9 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -563,12 +564,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.26.5 h1:Npao/+sMSng6nkEcNydgH3BNo4s5YoBg7iw35HM7Hcw=
-k8s.io/api v0.26.5/go.mod h1:O7ICW7lj6+ZQQQ3cxekgCoW+fnGo5kWT0nTHkLZ5grc=
-k8s.io/apimachinery v0.26.5 h1:hTQVhJao2piX7vSgCn4Lwd6E0o/+TJIH4NqRf+q4EmE=
-k8s.io/apimachinery v0.26.5/go.mod h1:HUvk6wrOP4v22AIYqeCGSQ6xWCHo41J9d6psb3temAg=
-k8s.io/client-go v0.26.5 h1:e8Z44pafL/c6ayF/6qYEypbJoDSakaFxhJ9lqULEJEo=
-k8s.io/client-go v0.26.5/go.mod h1:/CYyNt+ZLMvWqMF8h1SvkUXz2ujFWQLwdDrdiQlZ5X0=
+k8s.io/api v0.26.7 h1:Lf4iEBEJb5OFNmawtBfSZV/UNi9riSJ0t1qdhyZqI40=
+k8s.io/api v0.26.7/go.mod h1:Vk9bMadzA49UHPmHB//lX7VRCQSXGoVwfLd3Sc1SSXI=
+k8s.io/apimachinery v0.26.7 h1:590jSBwaSHCAFCqltaEogY/zybFlhGsnLteLpuF2wig=
+k8s.io/apimachinery v0.26.7/go.mod h1:qYzLkrQ9lhrZRh0jNKo2cfvf/R1/kQONnSiyB7NUJU0=
+k8s.io/client-go v0.26.7 h1:hyU9aKHlwVOykgyxzGYkrDSLCc4+mimZVyUJjPyUn1E=
+k8s.io/client-go v0.26.7/go.mod h1:okYjy0jtq6sdeztALDvCh24tg4opOQS1XNvsJlERDAo=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.27/README.adoc

@@ -566,6 +566,28 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. 
+ If this field is empty, the impersonation proxy will generate its own TLS certificate.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. 
+ If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. 
+ If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.27/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis
 go 1.13
 
 require (
-	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.2
+	k8s.io/api v0.27.4
+	k8s.io/apimachinery v0.27.4
 )

generated/1.27/apis/go.sum

@@ -120,8 +120,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -301,10 +301,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
+k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
+k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
+k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/client/go.mod

@@ -5,8 +5,8 @@ go 1.13
 
 require (
 	go.pinniped.dev/generated/1.27/apis v0.0.0
-	k8s.io/apimachinery v0.27.2
-	k8s.io/client-go v0.27.2
+	k8s.io/apimachinery v0.27.4
+	k8s.io/client-go v0.27.4
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 )
 

generated/1.27/client/go.sum

@@ -219,8 +219,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -594,12 +594,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
+k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
+k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
+k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
+k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
+k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,24 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: "TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS. \n If this field is empty,
+                      the impersonation proxy will generate its own TLS certificate."
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,28 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

go.mod

@@ -2,13 +2,17 @@ module go.pinniped.dev
 
 go 1.19
 
+replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
+
 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
+	github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89
+	github.com/chromedp/chromedp v0.9.2
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/creack/pty v1.1.18
 	github.com/davecgh/go-spew v1.1.1
 	github.com/felixge/httpsnoop v1.0.3
-	github.com/go-ldap/ldap/v3 v3.4.4
+	github.com/go-ldap/ldap/v3 v3.4.5
 	github.com/go-logr/logr v1.2.4
 	github.com/go-logr/stdr v1.2.2
 	github.com/go-logr/zapr v1.2.4
@@ -24,44 +28,43 @@ require (
 	github.com/ory/fosite v0.44.0
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
 	github.com/pkg/errors v0.9.1
-	github.com/sclevine/agouti v3.0.0+incompatible
 	github.com/sclevine/spec v1.4.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	github.com/tdewolff/minify/v2 v2.12.6
-	go.uber.org/zap v1.24.0
-	golang.org/x/crypto v0.9.0
-	golang.org/x/net v0.10.0
-	golang.org/x/oauth2 v0.8.0
-	golang.org/x/sync v0.2.0
-	golang.org/x/term v0.8.0
-	golang.org/x/text v0.9.0
+	github.com/tdewolff/minify/v2 v2.12.8
+	go.uber.org/zap v1.25.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/net v0.14.0
+	golang.org/x/oauth2 v0.11.0
+	golang.org/x/sync v0.3.0
+	golang.org/x/term v0.11.0
+	golang.org/x/text v0.12.0
 	gopkg.in/square/go-jose.v2 v2.6.0
-	k8s.io/api v0.27.2
-	k8s.io/apiextensions-apiserver v0.27.2
-	k8s.io/apimachinery v0.27.2
-	k8s.io/apiserver v0.27.2
-	k8s.io/client-go v0.27.2
-	k8s.io/component-base v0.27.2
+	k8s.io/api v0.27.4
+	k8s.io/apiextensions-apiserver v0.27.4
+	k8s.io/apimachinery v0.27.4
+	k8s.io/apiserver v0.27.4
+	k8s.io/client-go v0.27.4
+	k8s.io/component-base v0.27.4
 	k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4
 	k8s.io/klog/v2 v2.100.1
-	k8s.io/kube-aggregator v0.27.2
-	k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5
-	k8s.io/utils v0.0.0-20230505201702-9f6742963106
+	k8s.io/kube-aggregator v0.27.4
+	k8s.io/kube-openapi v0.0.0-20230718181711-3c0fae5ee9fd
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
-	cloud.google.com/go/compute v1.7.0 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/chromedp/sysutil v1.0.0 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
@@ -79,8 +82,11 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gobwas/httphead v0.1.0 // indirect
+	github.com/gobwas/pool v0.2.1 // indirect
+	github.com/gobwas/ws v1.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.0.0 // indirect
+	github.com/golang/glog v1.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.12.6 // indirect
@@ -104,7 +110,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/ory/go-acc v0.2.8 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
 	github.com/ory/viper v1.7.5 // indirect
@@ -123,7 +128,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.4.0 // indirect
-	github.com/tdewolff/parse/v2 v2.6.6 // indirect
+	github.com/tdewolff/parse/v2 v2.6.7 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.7 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.7 // indirect
@@ -137,22 +142,23 @@ require (
 	go.opentelemetry.io/otel/sdk v1.10.0 // indirect
 	go.opentelemetry.io/otel/trace v1.10.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 // indirect
-	google.golang.org/grpc v1.51.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
+	google.golang.org/grpc v1.55.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.6 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.27.2 // indirect
+	k8s.io/kms v0.27.4 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect

go.sum

@@ -17,35 +17,17 @@ cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHOb
 cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
 cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
+cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -56,10 +38,9 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -73,6 +54,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
 github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
@@ -80,8 +63,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -94,9 +77,15 @@ github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInq
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cheekybits/is v0.0.0-20150225183255-68e9c0620927/go.mod h1:h/aW8ynjgkuj+NQRlZcDbAbM1ORAbXjXX77sX7T289U=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89 h1:aPflPkRFkVwbW6dmcVqfgwp1i+UWGFH6VgR1Jim5Ygc=
+github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
+github.com/chromedp/chromedp v0.9.2 h1:dKtNz4kApb06KuSXoTQIyUC2TrA0fhGDwNZf3bcgfKw=
+github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
+github.com/chromedp/sysutil v1.0.0 h1:+ZxhTpfpZlmchB58ih/LBHX52ky7w2VhQVKQMucy3Ic=
+github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -108,7 +97,6 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -144,7 +132,6 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/djherbis/atime v1.1.0/go.mod h1:28OF6Y8s3NQWwacXc5eZTsEsiMzp7LF8MbXE+XJPdBE=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -158,10 +145,8 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -185,8 +170,8 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
-github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
-github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
+github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8=
+github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
@@ -208,7 +193,12 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
+github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
+github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
+github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=
+github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
@@ -218,8 +208,9 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
+github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
+github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -233,7 +224,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -251,11 +241,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
@@ -271,12 +259,9 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -286,7 +271,6 @@ github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -297,27 +281,15 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
@@ -346,7 +318,6 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
@@ -388,13 +359,14 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80 h1:6Yzfa6GP0rIo/kULo2bwGEkFvCePZ3qHDDTC3/J9Swo=
+github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
 github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/matryer/try v0.0.0-20161228173917-9ac251b645a2/go.mod h1:0KeJpeMD6o+O4hW7qJOT7vyQPKrWmj26uf5wMc/IiIs=
 github.com/mattn/goveralls v0.0.11 h1:eJXea6R6IFlL1QMKNMzDvvHv/hwGrnvyig4N+0+XiMM=
 github.com/mattn/goveralls v0.0.11/go.mod h1:gU8SyhNswsJKchEV93xRQxX6X3Ei4PJdQk/6ZHvrvRk=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -420,19 +392,12 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
-github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
+github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde h1:x0TT0RDC7UhAVbbWWBzr41ElhJx5tXPWkIHA2HWPRuw=
+github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/ory/fosite v0.44.0 h1:Z3UjyO11/wlIoa3BotOqcTkfm7kUNA8F7dd8mOMfx0o=
 github.com/ory/fosite v0.44.0/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/ory/go-acc v0.2.8 h1:rOHHAPQjf0u7eHFGWpiXK+gIu/e0GRSJNr9pDukdNC4=
@@ -495,12 +460,10 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sclevine/agouti v3.0.0+incompatible h1:8IBJS6PWz3uTlMP3YBIR5f+KAldcGuOeFkFbUWfBgK4=
-github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
 github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
 github.com/sclevine/spec v1.4.0/go.mod h1:LvpgJaFyvQzRvc1kaDs0bulYwzC70PbiYjC4QnFHkOM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
@@ -544,7 +507,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
@@ -552,11 +514,10 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.0 h1:yAzM1+SmVcz5R4tXGsNMu1jUl2aOJXoiWUCEwwnGrvs=
 github.com/subosito/gotenv v1.4.0/go.mod h1:mZd6rFysKEcUhUHXJk0C/08wAgyDBFuwEYL7vWWGaGo=
-github.com/tdewolff/minify/v2 v2.12.6 h1:kw5FU0ErJyd7fs+TMojIlBvLyEjsN93wP1n8NUOs320=
-github.com/tdewolff/minify/v2 v2.12.6/go.mod h1:ZRKTheiOGyLSK8hOZWWv+YoJAECzDivNgAlVYDHp/Ws=
-github.com/tdewolff/parse/v2 v2.6.6 h1:Yld+0CrKUJaCV78DL1G2nk3C9lKrxyRTux5aaK/AkDo=
-github.com/tdewolff/parse/v2 v2.6.6/go.mod h1:woz0cgbLwFdtbjJu8PIKxhW05KplTFQkOdX78o+Jgrs=
-github.com/tdewolff/test v1.0.7/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
+github.com/tdewolff/minify/v2 v2.12.8 h1:Q2BqOTmlMjoutkuD/OPCnJUpIqrzT3nRPkw+q+KpXS0=
+github.com/tdewolff/minify/v2 v2.12.8/go.mod h1:YRgk7CC21LZnbuke2fmYnCTq+zhCgpb0yJACOTUNJ1E=
+github.com/tdewolff/parse/v2 v2.6.7 h1:WrFllrqmzAcrKHzoYgMupqgUBIfBVOb0yscFzDf8bBg=
+github.com/tdewolff/parse/v2 v2.6.7/go.mod h1:XHDhaU6IBgsryfdnpzUXBlT6leW/l25yrFBTEb4eIyM=
 github.com/tdewolff/test v1.0.9 h1:SswqJCmeN4B+9gEAi/5uqT0qpi1y2/2O47V/1hhGZT0=
 github.com/tdewolff/test v1.0.9/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -573,6 +534,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
 go.etcd.io/etcd/api/v3 v3.5.7 h1:sbcmosSVesNrWOJ58ZQFitHMdncusIifYcrBfwrlJSY=
@@ -591,7 +553,6 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 h1:xFSRQBbXF6VvYRf2lqMJXxoB72XI1K/azav8TekHHSw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 h1:sxoY9kG1s1WpSYNyzm24rlwH4lnRYFXUVVBmKMBfRgw=
@@ -615,17 +576,16 @@ go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJP
 go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
-go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
-go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
+go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -635,10 +595,11 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -662,7 +623,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -674,11 +634,12 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -703,32 +664,25 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -738,19 +692,11 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
-golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
+golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -762,12 +708,12 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -779,10 +725,8 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -807,50 +751,32 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -860,8 +786,10 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -916,25 +844,20 @@ golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82u
 golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -954,26 +877,6 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513
 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1018,52 +921,15 @@ google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 h1:4SPz2GL2CXJt28MTF8V6Ap/9ZiVbQlJeGSd9qtA7DLs=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
+google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
+google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM=
+google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1083,23 +949,10 @@ google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
-google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
+google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1113,9 +966,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1123,7 +975,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1135,8 +986,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -1149,7 +998,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1160,31 +1008,31 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/apiserver v0.27.2 h1:p+tjwrcQEZDrEorCZV2/qE8osGTINPuS5ZNqWAvKm5E=
-k8s.io/apiserver v0.27.2/go.mod h1:EsOf39d75rMivgvvwjJ3OW/u9n1/BmUMK5otEOJrb1Y=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
+k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
+k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
+k8s.io/apiextensions-apiserver v0.27.4 h1:ie1yZG4nY/wvFMIR2hXBeSVq+HfNzib60FjnBYtPGSs=
+k8s.io/apiextensions-apiserver v0.27.4/go.mod h1:KHZaDr5H9IbGEnSskEUp/DsdXe1hMQ7uzpQcYUFt2bM=
+k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
+k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho=
+k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE=
+k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
+k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
+k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c=
+k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY=
 k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4 h1:aClvVG6GbX10ISHcc24J+tqbr0S7fEe1MWkFJ7cWWCI=
 k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kms v0.27.2 h1:wCdmPCa3kubcVd3AssOeaVjLQSu45k5g/vruJ3iqwDU=
-k8s.io/kms v0.27.2/go.mod h1:dahSqjI05J55Fo5qipzvHSRbm20d7llrSeQjjl86A7c=
-k8s.io/kube-aggregator v0.27.2 h1:jfHoPip+qN/fn3OcrYs8/xMuVYvkJHKo0H0DYciqdns=
-k8s.io/kube-aggregator v0.27.2/go.mod h1:mwrTt4ESjQ7A6847biwohgZWn8P/KzSFHegEScbSGY4=
-k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 h1:azYPdzztXxPSa8wb+hksEKayiz0o+PPisO/d+QhWnoo=
-k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kms v0.27.4 h1:FeT17HfqxZMP7dTq3Gpa9dG05iP3J3wgGtqGh1SUoN0=
+k8s.io/kms v0.27.4/go.mod h1:0BY6tkfa+zOP85u8yE7iNNf1Yx7rEZnRQSWLEbsSk+w=
+k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
+k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
+k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
+k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

hack/Dockerfile_fips

@@ -15,7 +15,7 @@
 # hidden behind a `GOEXPERIMENT=boringcrypto` env var.
 # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
 # and https://kupczynski.info/posts/fips-golang/ for details.
-FROM golang:1.20.4 as build-env
+FROM golang:1.20.7 as build-env
 
 WORKDIR /work
 COPY . .

hack/lib/kube-versions.txt

@@ -1,7 +1,7 @@
-1.27.2
-1.26.5
-1.25.10
-1.24.14
+1.27.4
+1.26.7
+1.25.12
+1.24.16
 1.23.17
 1.22.17
 1.21.14

hack/prepare-for-integration-tests.sh

@@ -50,7 +50,6 @@ skip_build=no
 clean_kind=no
 api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
 dockerfile_path=""
-skip_chromedriver_check=no
 get_active_directory_vars="" # specify a filename for a script to get AD related env variables
 alternate_deploy="undefined"
 
@@ -78,10 +77,6 @@ while (("$#")); do
     api_group_suffix=$1
     shift
     ;;
-  --live-dangerously)
-    skip_chromedriver_check=yes
-    shift
-    ;;
   --get-active-directory-vars)
     shift
     # If there are no more command line arguments, or there is another command line argument but it starts with a dash, then error
@@ -153,28 +148,8 @@ check_dependency kapp "Please install kapp. e.g. 'brew tap vmware-tanzu/carvel &
 check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS"
 check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux."
 check_dependency openssl "Please install openssl. Should be pre-installed on MacOS."
-check_dependency chromedriver "Please install chromedriver. e.g. 'brew install chromedriver' for MacOS"
 check_dependency nmap "Please install nmap. e.g. 'brew install nmap' for MacOS"
 
-# Check that Chrome and chromedriver versions match. If chromedriver falls a couple versions behind
-# then usually tests start to fail with strange error messages.
-if [[ "$skip_chromedriver_check" == "no" ]]; then
-  if [[ "$OSTYPE" == "darwin"* ]]; then
-    chrome_version=$(/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version | cut -d ' ' -f3 | cut -d '.' -f1)
-  else
-    chrome_version=$(google-chrome --version | cut -d ' ' -f3 | cut -d '.' -f1)
-  fi
-  chromedriver_version=$(chromedriver --version | cut -d ' ' -f2 | cut -d '.' -f1)
-  if [[ "$chrome_version" != "$chromedriver_version" ]]; then
-    log_error "It appears that you are using Chrome $chrome_version with chromedriver $chromedriver_version."
-    log_error "Please use the same version of chromedriver as Chrome."
-    log_error "If you are using the latest version of Chrome, then you can upgrade"
-    log_error "to the latest chromedriver, e.g. 'brew upgrade chromedriver' on MacOS."
-    log_error "Feeling lucky? Add --live-dangerously to skip this check."
-    exit 1
-  fi
-fi
-
 # Require kubectl >= 1.18.x.
 if [ "$(kubectl version --client=true -o=json | grep gitVersion | cut -d '.' -f 2)" -lt 18 ]; then
   log_error "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"

hack/update-go-mod/go.mod

@@ -2,4 +2,4 @@ module go.pinniped.dev/update-go-mod
 
 go 1.19
 
-require golang.org/x/mod v0.10.0
+require golang.org/x/mod v0.12.0

hack/update-go-mod/go.sum

@@ -1,2 +1,2 @@
-golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
-golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=

internal/certauthority/certauthority.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service.
@@ -179,13 +179,13 @@ func (c *CA) IssueServerCert(dnsNames []string, ips []net.IP, ttl time.Duration)
 	return c.issueCert(x509.ExtKeyUsageServerAuth, pkix.Name{}, dnsNames, ips, ttl)
 }
 
-// Similar to IssueClientCert, but returning the new cert as a pair of PEM-formatted byte slices
+// IssueClientCertPEM is similar to IssueClientCert, but returns the new cert as a pair of PEM-formatted byte slices
 // for the certificate and private key.
 func (c *CA) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {
 	return toPEM(c.IssueClientCert(username, groups, ttl))
 }
 
-// Similar to IssueServerCert, but returning the new cert as a pair of PEM-formatted byte slices
+// IssueServerCertPEM is similar to IssueServerCert, but returns the new cert as a pair of PEM-formatted byte slices
 // for the certificate and private key.
 func (c *CA) IssueServerCertPEM(dnsNames []string, ips []net.IP, ttl time.Duration) ([]byte, []byte, error) {
 	return toPEM(c.IssueServerCert(dnsNames, ips, ttl))
@@ -260,7 +260,7 @@ func toPEM(cert *tls.Certificate, err error) ([]byte, []byte, error) {
 	return certPEM, keyPEM, nil
 }
 
-// Encode a tls.Certificate into a private key PEM and a cert chain PEM.
+// ToPEM encodes a tls.Certificate into a private key PEM and a cert chain PEM.
 func ToPEM(cert *tls.Certificate) ([]byte, []byte, error) {
 	// Encode the certificate(s) to PEM.
 	certPEMBlocks := make([][]byte, 0, len(cert.Certificate))

internal/certauthority/certauthority_test.go

@@ -7,10 +7,10 @@ import (
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
+	_ "embed"
 	"fmt"
 	"io"
 	"net"
-	"os"
 	"strings"
 	"testing"
 	"time"
@@ -20,60 +20,65 @@ import (
 	"go.pinniped.dev/internal/testutil"
 )
 
-func loadFromFiles(t *testing.T, certPath string, keyPath string) (*CA, error) {
-	t.Helper()
-
-	certPEM, err := os.ReadFile(certPath)
-	require.NoError(t, err)
-
-	keyPEM, err := os.ReadFile(keyPath)
-	require.NoError(t, err)
-
-	ca, err := Load(string(certPEM), string(keyPEM))
-	return ca, err
-}
+var (
+	//go:embed testdata/empty
+	empty string
+	//go:embed testdata/invalid
+	invalid string
+	//go:embed testdata/multiple.crt
+	multiple string
+	//go:embed testdata/test.crt
+	testCert string
+	//go:embed testdata/test.key
+	testKey string
+	//go:embed testdata/test2.key
+	testKey2 string
+)
 
 func TestLoad(t *testing.T) {
 	tests := []struct {
-		name     string
-		certPath string
-		keyPath  string
-		wantErr  string
+		name    string
+		cert    string
+		key     string
+		wantErr string
+		test    []byte
 	}{
 		{
-			name:     "empty key",
-			certPath: "./testdata/test.crt",
-			keyPath:  "./testdata/empty",
-			wantErr:  "could not load CA: tls: failed to find any PEM data in key input",
+			name:    "empty key",
+			cert:    testCert,
+			key:     empty,
+			wantErr: "could not load CA: tls: failed to find any PEM data in key input",
 		},
 		{
-			name:     "invalid key",
-			certPath: "./testdata/test.crt",
-			keyPath:  "./testdata/invalid",
-			wantErr:  "could not load CA: tls: failed to find any PEM data in key input",
+			name:    "invalid key",
+			cert:    testCert,
+			key:     invalid,
+			wantErr: "could not load CA: tls: failed to find any PEM data in key input",
 		},
 		{
-			name:     "mismatched cert and key",
-			certPath: "./testdata/test.crt",
-			keyPath:  "./testdata/test2.key",
-			wantErr:  "could not load CA: tls: private key does not match public key",
+			name:    "mismatched cert and key",
+			cert:    testCert,
+			key:     testKey2,
+			wantErr: "could not load CA: tls: private key does not match public key",
 		},
 		{
-			name:     "multiple certs",
-			certPath: "./testdata/multiple.crt",
-			keyPath:  "./testdata/test.key",
-			wantErr:  "invalid CA certificate: expected a single certificate, found 2 certificates",
+			name:    "multiple certs",
+			cert:    multiple,
+			key:     testKey,
+			wantErr: "invalid CA certificate: expected a single certificate, found 2 certificates",
 		},
 		{
-			name:     "success",
-			certPath: "./testdata/test.crt",
-			keyPath:  "./testdata/test.key",
+			name: "success",
+			cert: testCert,
+			key:  testKey,
 		},
 	}
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			ca, err := loadFromFiles(t, tt.certPath, tt.keyPath)
+			t.Parallel()
+
+			ca, err := Load(tt.cert, tt.key)
 			if tt.wantErr != "" {
 				require.EqualError(t, err, tt.wantErr)
 				return
@@ -226,7 +231,7 @@ func TestIssue(t *testing.T) {
 
 	now := time.Date(2020, 7, 10, 12, 41, 12, 1234, time.UTC)
 
-	realCA, err := loadFromFiles(t, "./testdata/test.crt", "./testdata/test.key")
+	realCA, err := Load(testCert, testKey)
 	require.NoError(t, err)
 
 	tests := []struct {

internal/concierge/impersonator/impersonator_test.go

@@ -43,7 +43,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
@@ -988,7 +988,7 @@ func TestImpersonator(t *testing.T) {
 				&loginv1alpha1.TokenCredentialRequest{
 					Spec: loginv1alpha1.TokenCredentialRequestSpec{
 						Authenticator: corev1.TypedLocalObjectReference{
-							APIGroup: pointer.String("anything.pinniped.dev"),
+							APIGroup: ptr.To("anything.pinniped.dev"),
 						},
 					},
 				}, metav1.CreateOptions{})

internal/concierge/server/server.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package server is the command line entry point for pinniped-concierge.
@@ -118,17 +118,17 @@ func (a *App) runServer(ctx context.Context) error {
 
 	// This cert provider will provide certs to the API server and will
 	// be mutated by a controller to keep the certs up to date with what
-	// is stored in a k8s Secret. Therefore it also effectively acting as
-	// an in-memory cache of what is stored in the k8s Secret, helping to
-	// keep incoming requests fast.
+	// is stored in a k8s Secret. Therefore, it acts as an in-memory cache
+	// of what is stored in the k8s Secret, helping to keep incoming requests
+	// fast.
 	dynamicServingCertProvider := dynamiccert.NewServingCert("concierge-serving-cert")
 
 	// This cert provider will be used to provide the Kube signing key to the
-	// cert issuer used to issue certs to Pinniped clients wishing to login.
+	// cert issuer used to issue certs to Pinniped clients wishing to log in.
 	dynamicSigningCertProvider := dynamiccert.NewCA("concierge-kube-signing-cert")
 
 	// This cert provider will be used to provide the impersonation proxy signing key to the
-	// cert issuer used to issue certs to Pinniped clients wishing to login.
+	// cert issuer used to issue certs to Pinniped clients wishing to log in.
 	impersonationProxySigningCertProvider := dynamiccert.NewCA("impersonation-proxy-signing-cert")
 
 	// Get the "real" name of the login concierge API group (i.e., the API group name with the
@@ -256,7 +256,8 @@ func getAggregatedAPIServerConfig(
 	return apiServerConfig, nil
 }
 
-func main() error { // return an error instead of plog.Fatal to allow defer statements to run
+// main returns an error instead of calling plog.Fatal to allow defer statements to run.
+func main() error {
 	defer plog.Setup()()
 
 	// Dump out the time since compile (mostly useful for benchmarking our local development cycle latency).

internal/config/concierge/config.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package concierge contains functionality to load/store Config's from/to
@@ -11,7 +11,7 @@ import (
 	"os"
 	"strings"
 
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/yaml"
 
 	"go.pinniped.dev/internal/constable"
@@ -35,7 +35,7 @@ const (
 	impersonationProxyPortDefault = 8444
 )
 
-// FromPath loads an Config from a provided local file path, inserts any
+// FromPath loads a Config from a provided local file path, inserts any
 // defaults (from the Config documentation), and verifies that the config is
 // valid (per the Config documentation).
 //
@@ -93,39 +93,39 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 
 func maybeSetAPIDefaults(apiConfig *APIConfigSpec) {
 	if apiConfig.ServingCertificateConfig.DurationSeconds == nil {
-		apiConfig.ServingCertificateConfig.DurationSeconds = pointer.Int64(aboutAYear)
+		apiConfig.ServingCertificateConfig.DurationSeconds = ptr.To[int64](aboutAYear)
 	}
 
 	if apiConfig.ServingCertificateConfig.RenewBeforeSeconds == nil {
-		apiConfig.ServingCertificateConfig.RenewBeforeSeconds = pointer.Int64(about9Months)
+		apiConfig.ServingCertificateConfig.RenewBeforeSeconds = ptr.To[int64](about9Months)
 	}
 }
 
 func maybeSetAPIGroupSuffixDefault(apiGroupSuffix **string) {
 	if *apiGroupSuffix == nil {
-		*apiGroupSuffix = pointer.String(groupsuffix.PinnipedDefaultSuffix)
+		*apiGroupSuffix = ptr.To(groupsuffix.PinnipedDefaultSuffix)
 	}
 }
 
 func maybeSetAggregatedAPIServerPortDefaults(port **int64) {
 	if *port == nil {
-		*port = pointer.Int64(aggregatedAPIServerPortDefault)
+		*port = ptr.To[int64](aggregatedAPIServerPortDefault)
 	}
 }
 
 func maybeSetImpersonationProxyServerPortDefaults(port **int64) {
 	if *port == nil {
-		*port = pointer.Int64(impersonationProxyPortDefault)
+		*port = ptr.To[int64](impersonationProxyPortDefault)
 	}
 }
 
 func maybeSetKubeCertAgentDefaults(cfg *KubeCertAgentSpec) {
 	if cfg.NamePrefix == nil {
-		cfg.NamePrefix = pointer.String("pinniped-kube-cert-agent-")
+		cfg.NamePrefix = ptr.To("pinniped-kube-cert-agent-")
 	}
 
 	if cfg.Image == nil {
-		cfg.Image = pointer.String("debian:latest")
+		cfg.Image = ptr.To("debian:latest")
 	}
 }
 

internal/config/concierge/config_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package concierge
@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/plog"
@@ -59,17 +59,17 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantConfig: &Config{
 				DiscoveryInfo: DiscoveryInfoSpec{
-					URL: pointer.String("https://some.discovery/url"),
+					URL: ptr.To("https://some.discovery/url"),
 				},
 				APIConfig: APIConfigSpec{
 					ServingCertificateConfig: ServingCertificateConfigSpec{
-						DurationSeconds:    pointer.Int64(3600),
-						RenewBeforeSeconds: pointer.Int64(2400),
+						DurationSeconds:    ptr.To[int64](3600),
+						RenewBeforeSeconds: ptr.To[int64](2400),
 					},
 				},
-				APIGroupSuffix:               pointer.String("some.suffix.com"),
-				AggregatedAPIServerPort:      pointer.Int64(12345),
-				ImpersonationProxyServerPort: pointer.Int64(4242),
+				APIGroupSuffix:               ptr.To("some.suffix.com"),
+				AggregatedAPIServerPort:      ptr.To[int64](12345),
+				ImpersonationProxyServerPort: ptr.To[int64](4242),
 				NamesConfig: NamesConfigSpec{
 					ServingCertificateSecret:          "pinniped-concierge-api-tls-serving-certificate",
 					CredentialIssuer:                  "pinniped-config",
@@ -86,8 +86,8 @@ func TestFromPath(t *testing.T) {
 					"myLabelKey2": "myLabelValue2",
 				},
 				KubeCertAgentConfig: KubeCertAgentSpec{
-					NamePrefix:       pointer.String("kube-cert-agent-name-prefix-"),
-					Image:            pointer.String("kube-cert-agent-image"),
+					NamePrefix:       ptr.To("kube-cert-agent-name-prefix-"),
+					Image:            ptr.To("kube-cert-agent-image"),
 					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
 				LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
@@ -135,17 +135,17 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantConfig: &Config{
 				DiscoveryInfo: DiscoveryInfoSpec{
-					URL: pointer.String("https://some.discovery/url"),
+					URL: ptr.To("https://some.discovery/url"),
 				},
 				APIConfig: APIConfigSpec{
 					ServingCertificateConfig: ServingCertificateConfigSpec{
-						DurationSeconds:    pointer.Int64(3600),
-						RenewBeforeSeconds: pointer.Int64(2400),
+						DurationSeconds:    ptr.To[int64](3600),
+						RenewBeforeSeconds: ptr.To[int64](2400),
 					},
 				},
-				APIGroupSuffix:               pointer.String("some.suffix.com"),
-				AggregatedAPIServerPort:      pointer.Int64(12345),
-				ImpersonationProxyServerPort: pointer.Int64(4242),
+				APIGroupSuffix:               ptr.To("some.suffix.com"),
+				AggregatedAPIServerPort:      ptr.To[int64](12345),
+				ImpersonationProxyServerPort: ptr.To[int64](4242),
 				NamesConfig: NamesConfigSpec{
 					ServingCertificateSecret:          "pinniped-concierge-api-tls-serving-certificate",
 					CredentialIssuer:                  "pinniped-config",
@@ -162,8 +162,8 @@ func TestFromPath(t *testing.T) {
 					"myLabelKey2": "myLabelValue2",
 				},
 				KubeCertAgentConfig: KubeCertAgentSpec{
-					NamePrefix:       pointer.String("kube-cert-agent-name-prefix-"),
-					Image:            pointer.String("kube-cert-agent-image"),
+					NamePrefix:       ptr.To("kube-cert-agent-name-prefix-"),
+					Image:            ptr.To("kube-cert-agent-image"),
 					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
 				Log: plog.LogSpec{
@@ -212,17 +212,17 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantConfig: &Config{
 				DiscoveryInfo: DiscoveryInfoSpec{
-					URL: pointer.String("https://some.discovery/url"),
+					URL: ptr.To("https://some.discovery/url"),
 				},
 				APIConfig: APIConfigSpec{
 					ServingCertificateConfig: ServingCertificateConfigSpec{
-						DurationSeconds:    pointer.Int64(3600),
-						RenewBeforeSeconds: pointer.Int64(2400),
+						DurationSeconds:    ptr.To[int64](3600),
+						RenewBeforeSeconds: ptr.To[int64](2400),
 					},
 				},
-				APIGroupSuffix:               pointer.String("some.suffix.com"),
-				AggregatedAPIServerPort:      pointer.Int64(12345),
-				ImpersonationProxyServerPort: pointer.Int64(4242),
+				APIGroupSuffix:               ptr.To("some.suffix.com"),
+				AggregatedAPIServerPort:      ptr.To[int64](12345),
+				ImpersonationProxyServerPort: ptr.To[int64](4242),
 				NamesConfig: NamesConfigSpec{
 					ServingCertificateSecret:          "pinniped-concierge-api-tls-serving-certificate",
 					CredentialIssuer:                  "pinniped-config",
@@ -239,8 +239,8 @@ func TestFromPath(t *testing.T) {
 					"myLabelKey2": "myLabelValue2",
 				},
 				KubeCertAgentConfig: KubeCertAgentSpec{
-					NamePrefix:       pointer.String("kube-cert-agent-name-prefix-"),
-					Image:            pointer.String("kube-cert-agent-image"),
+					NamePrefix:       ptr.To("kube-cert-agent-name-prefix-"),
+					Image:            ptr.To("kube-cert-agent-image"),
 					ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 				},
 				LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
@@ -289,13 +289,13 @@ func TestFromPath(t *testing.T) {
 				DiscoveryInfo: DiscoveryInfoSpec{
 					URL: nil,
 				},
-				APIGroupSuffix:               pointer.String("pinniped.dev"),
-				AggregatedAPIServerPort:      pointer.Int64(10250),
-				ImpersonationProxyServerPort: pointer.Int64(8444),
+				APIGroupSuffix:               ptr.To("pinniped.dev"),
+				AggregatedAPIServerPort:      ptr.To[int64](10250),
+				ImpersonationProxyServerPort: ptr.To[int64](8444),
 				APIConfig: APIConfigSpec{
 					ServingCertificateConfig: ServingCertificateConfigSpec{
-						DurationSeconds:    pointer.Int64(60 * 60 * 24 * 365),    // about a year
-						RenewBeforeSeconds: pointer.Int64(60 * 60 * 24 * 30 * 9), // about 9 months
+						DurationSeconds:    ptr.To[int64](60 * 60 * 24 * 365),    // about a year
+						RenewBeforeSeconds: ptr.To[int64](60 * 60 * 24 * 30 * 9), // about 9 months
 					},
 				},
 				NamesConfig: NamesConfigSpec{
@@ -311,8 +311,8 @@ func TestFromPath(t *testing.T) {
 				},
 				Labels: map[string]string{},
 				KubeCertAgentConfig: KubeCertAgentSpec{
-					NamePrefix: pointer.String("pinniped-kube-cert-agent-"),
-					Image:      pointer.String("debian:latest"),
+					NamePrefix: ptr.To("pinniped-kube-cert-agent-"),
+					Image:      ptr.To("debian:latest"),
 				},
 			},
 		},

internal/config/concierge/types.go

@@ -1,11 +1,11 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package concierge
 
 import "go.pinniped.dev/internal/plog"
 
-// Config contains knobs to setup an instance of the Pinniped Concierge.
+// Config contains knobs to set up an instance of the Pinniped Concierge.
 type Config struct {
 	DiscoveryInfo                DiscoveryInfoSpec `json:"discovery"`
 	APIConfig                    APIConfigSpec     `json:"api"`
@@ -21,7 +21,7 @@ type Config struct {
 }
 
 // DiscoveryInfoSpec contains configuration knobs specific to
-// pinniped's publishing of discovery information. These values can be
+// Pinniped's publishing of discovery information. These values can be
 // viewed as overrides, i.e., if these are set, then Pinniped will
 // publish these values in its discovery document instead of the ones it finds.
 type DiscoveryInfoSpec struct {

internal/config/supervisor/config.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package supervisor contains functionality to load/store Config's from/to
@@ -12,7 +12,7 @@ import (
 	"os"
 	"strings"
 
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/yaml"
 
 	"go.pinniped.dev/internal/constable"
@@ -109,7 +109,7 @@ func maybeSetEndpointDefault(endpoint **Endpoint, defaultEndpoint Endpoint) {
 
 func maybeSetAPIGroupSuffixDefault(apiGroupSuffix **string) {
 	if *apiGroupSuffix == nil {
-		*apiGroupSuffix = pointer.String(groupsuffix.PinnipedDefaultSuffix)
+		*apiGroupSuffix = ptr.To(groupsuffix.PinnipedDefaultSuffix)
 	}
 }
 
@@ -119,7 +119,7 @@ func validateAPIGroupSuffix(apiGroupSuffix string) error {
 
 func maybeSetAggregatedAPIServerPortDefaults(port **int64) {
 	if *port == nil {
-		*port = pointer.Int64(aggregatedAPIServerPortDefault)
+		*port = ptr.To[int64](aggregatedAPIServerPortDefault)
 	}
 }
 

internal/config/supervisor/config_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package supervisor
@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/plog"
@@ -45,7 +45,7 @@ func TestFromPath(t *testing.T) {
 				aggregatedAPIServerPort: 12345
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("some.suffix.com"),
+				APIGroupSuffix: ptr.To("some.suffix.com"),
 				Labels: map[string]string{
 					"myLabelKey1": "myLabelValue1",
 					"myLabelKey2": "myLabelValue2",
@@ -68,7 +68,7 @@ func TestFromPath(t *testing.T) {
 				Log: plog.LogSpec{
 					Level: plog.LevelTrace,
 				},
-				AggregatedAPIServerPort: pointer.Int64(12345),
+				AggregatedAPIServerPort: ptr.To[int64](12345),
 			},
 		},
 		{
@@ -95,7 +95,7 @@ func TestFromPath(t *testing.T) {
 				aggregatedAPIServerPort: 12345
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("some.suffix.com"),
+				APIGroupSuffix: ptr.To("some.suffix.com"),
 				Labels: map[string]string{
 					"myLabelKey1": "myLabelValue1",
 					"myLabelKey2": "myLabelValue2",
@@ -118,7 +118,7 @@ func TestFromPath(t *testing.T) {
 					Level:  plog.LevelInfo,
 					Format: plog.FormatText,
 				},
-				AggregatedAPIServerPort: pointer.Int64(12345),
+				AggregatedAPIServerPort: ptr.To[int64](12345),
 			},
 		},
 		{
@@ -145,7 +145,7 @@ func TestFromPath(t *testing.T) {
 				  format: text
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("some.suffix.com"),
+				APIGroupSuffix: ptr.To("some.suffix.com"),
 				Labels: map[string]string{
 					"myLabelKey1": "myLabelValue1",
 					"myLabelKey2": "myLabelValue2",
@@ -169,7 +169,7 @@ func TestFromPath(t *testing.T) {
 					Level:  plog.LevelTrace,
 					Format: plog.FormatText,
 				},
-				AggregatedAPIServerPort: pointer.Int64(10250),
+				AggregatedAPIServerPort: ptr.To[int64](10250),
 			},
 		},
 		{
@@ -192,7 +192,7 @@ func TestFromPath(t *testing.T) {
 				  defaultTLSCertificateSecret: my-secret-name
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("pinniped.dev"),
+				APIGroupSuffix: ptr.To("pinniped.dev"),
 				Labels:         map[string]string{},
 				NamesConfig: NamesConfigSpec{
 					DefaultTLSCertificateSecret: "my-secret-name",
@@ -207,7 +207,7 @@ func TestFromPath(t *testing.T) {
 					},
 				},
 				AllowExternalHTTP:       false,
-				AggregatedAPIServerPort: pointer.Int64(10250),
+				AggregatedAPIServerPort: ptr.To[int64](10250),
 			},
 		},
 		{
@@ -322,7 +322,7 @@ func TestFromPath(t *testing.T) {
 				insecureAcceptExternalUnencryptedHttpRequests: true
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("pinniped.dev"),
+				APIGroupSuffix: ptr.To("pinniped.dev"),
 				Labels:         map[string]string{},
 				NamesConfig: NamesConfigSpec{
 					DefaultTLSCertificateSecret: "my-secret-name",
@@ -338,7 +338,7 @@ func TestFromPath(t *testing.T) {
 					},
 				},
 				AllowExternalHTTP:       true,
-				AggregatedAPIServerPort: pointer.Int64(10250),
+				AggregatedAPIServerPort: ptr.To[int64](10250),
 			},
 		},
 		{
@@ -354,7 +354,7 @@ func TestFromPath(t *testing.T) {
 				insecureAcceptExternalUnencryptedHttpRequests: "true"
 			`),
 			wantConfig: &Config{
-				APIGroupSuffix: pointer.String("pinniped.dev"),
+				APIGroupSuffix: ptr.To("pinniped.dev"),
 				Labels:         map[string]string{},
 				NamesConfig: NamesConfigSpec{
 					DefaultTLSCertificateSecret: "my-secret-name",
@@ -370,7 +370,7 @@ func TestFromPath(t *testing.T) {
 					},
 				},
 				AllowExternalHTTP:       true,
-				AggregatedAPIServerPort: pointer.Int64(10250),
+				AggregatedAPIServerPort: ptr.To[int64](10250),
 			},
 		},
 		{

internal/controller/impersonatorconfig/impersonator_config.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package impersonatorconfig
@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -161,7 +162,16 @@ func NewImpersonatorConfigController(
 		withInformer(
 			secretsInformer,
 			pinnipedcontroller.SimpleFilterWithSingletonQueue(func(obj metav1.Object) bool {
-				return obj.GetNamespace() == namespace && secretNames.Has(obj.GetName())
+				secret, ok := obj.(*corev1.Secret)
+				if !ok {
+					return false
+				}
+
+				if secret.GetNamespace() != namespace {
+					return false
+				}
+
+				return secretNames.Has(secret.GetName()) || secret.Type == corev1.SecretTypeTLS
 			}),
 			controllerlib.InformerOption{},
 		),
@@ -238,7 +248,7 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 	}
 
 	// Make a live API call to avoid the cost of having an informer watch all node changes on the cluster,
-	// since there could be lots and we don't especially care about node changes.
+	// since there could be lots, and we don't especially care about node changes.
 	// Once we have concluded that there is or is not a visible control plane, then cache that decision
 	// to avoid listing nodes very often.
 	if c.hasControlPlaneNodes == nil {
@@ -285,12 +295,15 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 		return nil, err
 	}
 
-	var impersonationCA *certauthority.CA
-	if c.shouldHaveImpersonator(impersonationSpec) {
-		if impersonationCA, err = c.ensureCASecretIsCreated(ctx); err != nil {
-			return nil, err
+	var impersonationCABundle []byte
+	if c.shouldHaveImpersonator(impersonationSpec) { //nolint:nestif // This is complex but readable
+		if impersonationSpec.TLS != nil {
+			impersonationCABundle, err = c.evaluateExternallyProvidedTLSSecret(ctx, impersonationSpec.TLS)
+		} else {
+			impersonationCABundle, err = c.ensureCAAndTLSSecrets(ctx, nameInfo)
 		}
-		if err = c.ensureTLSSecret(ctx, nameInfo, impersonationCA); err != nil {
+
+		if err != nil {
 			return nil, err
 		}
 	} else {
@@ -300,7 +313,7 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 		c.clearTLSSecret()
 	}
 
-	credentialIssuerStrategyResult := c.doSyncResult(nameInfo, impersonationSpec, impersonationCA)
+	credentialIssuerStrategyResult := c.doSyncResult(nameInfo, impersonationSpec, impersonationCABundle)
 
 	if c.shouldHaveImpersonator(impersonationSpec) {
 		if err = c.loadSignerCA(); err != nil {
@@ -313,6 +326,72 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 	return credentialIssuerStrategyResult, nil
 }
 
+func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
+	ctx context.Context,
+	nameInfo *certNameInfo,
+) ([]byte, error) {
+	var (
+		impersonationCA *certauthority.CA
+		err             error
+	)
+	if impersonationCA, err = c.ensureCASecretIsCreated(ctx); err != nil {
+		return nil, err
+	}
+	if err = c.ensureTLSSecret(ctx, nameInfo, impersonationCA); err != nil {
+		return nil, err
+	}
+
+	if impersonationCA != nil {
+		return impersonationCA.Bundle(), nil
+	}
+
+	return nil, nil
+}
+
+func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
+	ctx context.Context,
+	tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
+) ([]byte, error) {
+	if tlsSpec.SecretName == "" {
+		return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
+	}
+
+	c.infoLog.Info("configuring the impersonation proxy to use an externally provided TLS secret",
+		"secretName", tlsSpec.SecretName)
+
+	// Ensure that any TLS secret generated by this controller is removed
+	err := c.ensureTLSSecretIsRemoved(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("unable to remove generated TLS secret with name %s: %w", c.tlsSecretName, err)
+	}
+
+	// The CA Bundle may come from either the TLS secret or the CertificateAuthorityData.
+	// Check CertificateAuthorityData last so that it will take priority.
+
+	var caBundle []byte
+	caBundle, err = c.readExternalTLSSecret(tlsSpec.SecretName)
+	if err != nil {
+		return nil, fmt.Errorf("could not load the externally provided TLS secret for the impersonation proxy: %w", err)
+	}
+
+	if tlsSpec.CertificateAuthorityData != "" {
+		caBundle, err = base64.StdEncoding.DecodeString(tlsSpec.CertificateAuthorityData)
+		if err != nil {
+			return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: %w", err)
+		}
+
+		block, _ := pem.Decode(caBundle)
+		if block == nil {
+			return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
+		}
+
+		c.infoLog.Info("the impersonation proxy will advertise its CA Bundle from impersonationSpec.TLS.CertificateAuthorityData",
+			"CertificateAuthorityData", caBundle)
+	}
+
+	return caBundle, nil
+}
+
 func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.ImpersonationProxySpec, error) {
 	// Make a copy of the spec since we got this object from informer cache.
 	spec := credIssuer.Spec.DeepCopy().ImpersonationProxy
@@ -634,6 +713,40 @@ func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context
 	return err
 }
 
+func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretName string) (impersonationCABundle []byte, err error) {
+	secretFromInformer, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(externalTLSSecretName)
+	if err != nil {
+		c.infoLog.Info("could not find externally provided TLS secret for the impersonation proxy",
+			"secretName", externalTLSSecretName)
+		return nil, err
+	}
+
+	c.infoLog.Info("found externally provided TLS secret for the impersonation proxy",
+		"secretName", externalTLSSecretName)
+
+	err = c.loadTLSCertFromSecret(secretFromInformer)
+	if err != nil {
+		plog.Error("error loading cert from externally provided TLS secret for the impersonation proxy", err)
+		return nil, err
+	}
+
+	if caCertPEM, ok := secretFromInformer.Data[caCrtKey]; ok && len(caCertPEM) > 0 {
+		plog.Info(fmt.Sprintf("found a %s field in the externally provided TLS secret for the impersonation proxy", caCrtKey),
+			"secretName", externalTLSSecretName,
+			"caCertPEM", caCertPEM)
+
+		block, _ := pem.Decode(caCertPEM)
+		if block == nil {
+			plog.Warning("error loading cert from externally provided TLS secret for the impersonation proxy: data is not a certificate")
+			return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
+		}
+
+		return caCertPEM, nil
+	}
+
+	return nil, nil
+}
+
 func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error {
 	secretFromInformer, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.tlsSecretName)
 	notFound := k8serrors.IsNotFound(err)
@@ -707,7 +820,7 @@ func (c *impersonatorConfigController) deleteTLSSecretWhenCertificateDoesNotMatc
 	}
 
 	if !nameInfo.ready {
-		// We currently have a secret but we are waiting for a load balancer to be assigned an ingress, so
+		// We currently have a secret, but we are waiting for a load balancer to be assigned an ingress, so
 		// our current secret must be old/unwanted.
 		if err = c.ensureTLSSecretIsRemoved(ctx); err != nil {
 			return false, err
@@ -1018,7 +1131,7 @@ func (c *impersonatorConfigController) clearSignerCA() {
 	c.impersonationSigningCertProvider.UnsetCertKeyContent()
 }
 
-func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, ca *certauthority.CA) *v1alpha1.CredentialIssuerStrategy {
+func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, caBundle []byte) *v1alpha1.CredentialIssuerStrategy {
 	switch {
 	case c.disabledExplicitly(config):
 		return &v1alpha1.CredentialIssuerStrategy{
@@ -1055,7 +1168,7 @@ func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, conf
 				Type: v1alpha1.ImpersonationProxyFrontendType,
 				ImpersonationProxyInfo: &v1alpha1.ImpersonationProxyInfo{
 					Endpoint:                 "https://" + nameInfo.clientEndpoint,
-					CertificateAuthorityData: base64.StdEncoding.EncodeToString(ca.Bundle()),
+					CertificateAuthorityData: base64.StdEncoding.EncodeToString(caBundle),
 				},
 			},
 		}

internal/controller/kubecertagent/kubecertagent.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	configv1alpha1informers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1"
@@ -521,14 +521,14 @@ func (c *agentController) newAgentDeployment(controllerManagerPod *corev1.Pod) *
 			Labels:    c.cfg.Labels,
 		},
 		Spec: appsv1.DeploymentSpec{
-			Replicas: pointer.Int32(1),
+			Replicas: ptr.To[int32](1),
 			Selector: metav1.SetAsLabelSelector(c.cfg.agentPodSelectorLabels()),
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: c.cfg.agentPodLabels(),
 				},
 				Spec: corev1.PodSpec{
-					TerminationGracePeriodSeconds: pointer.Int64(0),
+					TerminationGracePeriodSeconds: ptr.To[int64](0),
 					ImagePullSecrets:              imagePullSecrets,
 					Containers: []corev1.Container{
 						{
@@ -548,7 +548,8 @@ func (c *agentController) newAgentDeployment(controllerManagerPod *corev1.Pod) *
 								},
 								Requests: corev1.ResourceList{
 									corev1.ResourceMemory: resource.MustParse("32Mi"),
-									corev1.ResourceCPU:    resource.MustParse("20m"),
+									// Must be explicitly 0 (not unset) to avoid problem described in https://github.com/vmware-tanzu/pinniped/issues/1507.
+									corev1.ResourceCPU: resource.MustParse("0"),
 								},
 							},
 						},
@@ -556,15 +557,15 @@ func (c *agentController) newAgentDeployment(controllerManagerPod *corev1.Pod) *
 					Volumes:                      controllerManagerPod.Spec.Volumes,
 					RestartPolicy:                corev1.RestartPolicyAlways,
 					NodeSelector:                 controllerManagerPod.Spec.NodeSelector,
-					AutomountServiceAccountToken: pointer.Bool(false),
+					AutomountServiceAccountToken: ptr.To(false),
 					ServiceAccountName:           c.cfg.ServiceAccountName,
 					NodeName:                     controllerManagerPod.Spec.NodeName,
 					Tolerations:                  controllerManagerPod.Spec.Tolerations,
 					// We need to run the agent pod as root since the file permissions
 					// on the cluster keypair usually restricts access to only root.
 					SecurityContext: &corev1.PodSecurityContext{
-						RunAsUser:  pointer.Int64(0),
-						RunAsGroup: pointer.Int64(0),
+						RunAsUser:  ptr.To[int64](0),
+						RunAsGroup: ptr.To[int64](0),
 					},
 					HostNetwork: controllerManagerPod.Spec.HostNetwork,
 				},

internal/controller/kubecertagent/kubecertagent_test.go

@@ -27,7 +27,7 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
@@ -95,7 +95,7 @@ func TestAgentController(t *testing.T) {
 			Labels:    map[string]string{"extralabel": "labelvalue", "app": "anything"},
 		},
 		Spec: appsv1.DeploymentSpec{
-			Replicas: pointer.Int32(1),
+			Replicas: ptr.To[int32](1),
 			Selector: metav1.SetAsLabelSelector(map[string]string{
 				"kube-cert-agent.pinniped.dev": "v3",
 			}),
@@ -127,18 +127,18 @@ func TestAgentController(t *testing.T) {
 							},
 							Requests: corev1.ResourceList{
 								corev1.ResourceMemory: resource.MustParse("32Mi"),
-								corev1.ResourceCPU:    resource.MustParse("20m"),
+								corev1.ResourceCPU:    resource.MustParse("0"),
 							},
 						},
 						ImagePullPolicy: corev1.PullIfNotPresent,
 					}},
 					RestartPolicy:                 corev1.RestartPolicyAlways,
-					TerminationGracePeriodSeconds: pointer.Int64(0),
+					TerminationGracePeriodSeconds: ptr.To[int64](0),
 					ServiceAccountName:            "test-service-account-name",
-					AutomountServiceAccountToken:  pointer.Bool(false),
+					AutomountServiceAccountToken:  ptr.To(false),
 					SecurityContext: &corev1.PodSecurityContext{
-						RunAsUser:  pointer.Int64(0),
-						RunAsGroup: pointer.Int64(0),
+						RunAsUser:  ptr.To[int64](0),
+						RunAsGroup: ptr.To[int64](0),
 					},
 					ImagePullSecrets: []corev1.LocalObjectReference{{
 						Name: "pinniped-image-pull-secret",
@@ -992,7 +992,7 @@ func TestAgentController(t *testing.T) {
 				healthyAgentPod,
 				validClusterInfoConfigMap,
 			},
-			discoveryURLOverride:      pointer.String("https://overridden-server.example.com/some/path"),
+			discoveryURLOverride:      ptr.To("https://overridden-server.example.com/some/path"),
 			mocks:                     mockExecSucceeds,
 			wantDistinctErrors:        []string{""},
 			wantAgentDeployment:       healthyAgentDeployment,

internal/controllerlib/manager.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package controllerlib
@@ -39,8 +39,8 @@ func (c *controllerManager) WithController(controller Controller, workers int) M
 	return c
 }
 
-// Start will run all managed controllers and block until all controllers shutdown.
-// When the context passed is cancelled, all controllers are signalled to shutdown.
+// Start will run all managed controllers and block until all controllers have shut down.
+// When the context passed is cancelled, all controllers are signalled to shut down.
 func (c *controllerManager) Start(ctx context.Context) {
 	var wg sync.WaitGroup
 	wg.Add(len(c.controllers))

internal/issuer/issuer.go

@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package issuer
@@ -38,15 +38,14 @@ func (c ClientCertIssuers) Name() string {
 }
 
 func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {
-	var errs []error
+	errs := make([]error, 0, len(c))
 
 	for _, issuer := range c {
 		certPEM, keyPEM, err := issuer.IssueClientCertPEM(username, groups, ttl)
-		if err != nil {
-			errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))
-			continue
+		if err == nil {
+			return certPEM, keyPEM, nil
 		}
-		return certPEM, keyPEM, nil
+		errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))
 	}
 
 	if err := errors.NewAggregate(errs); err != nil {

internal/issuer/issuer_test.go

@@ -0,0 +1,169 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package issuer
+
+import (
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/mocks/issuermocks"
+)
+
+func TestName(t *testing.T) {
+	ctrl := gomock.NewController(t)
+
+	tests := []struct {
+		name             string
+		buildIssuerMocks func() ClientCertIssuers
+		want             string
+	}{
+		{
+			name:             "empty issuers",
+			buildIssuerMocks: func() ClientCertIssuers { return ClientCertIssuers{} },
+			want:             "empty-client-cert-issuers",
+		},
+		{
+			name: "foo issuer",
+			buildIssuerMocks: func() ClientCertIssuers {
+				fooClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				fooClientCertIssuer.EXPECT().Name().Return("foo")
+
+				return ClientCertIssuers{fooClientCertIssuer}
+			},
+			want: "foo",
+		},
+		{
+			name: "foo and bar issuers",
+			buildIssuerMocks: func() ClientCertIssuers {
+				fooClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				fooClientCertIssuer.EXPECT().Name().Return("foo")
+
+				barClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				barClientCertIssuer.EXPECT().Name().Return("bar")
+
+				return ClientCertIssuers{fooClientCertIssuer, barClientCertIssuer}
+			},
+			want: "foo,bar",
+		},
+	}
+
+	for _, tTemp := range tests {
+		testcase := tTemp
+		t.Run(testcase.name, func(t *testing.T) {
+			t.Parallel()
+
+			name := testcase.buildIssuerMocks().Name()
+			require.Equal(t, testcase.want, name)
+		})
+	}
+}
+
+func TestIssueClientCertPEM(t *testing.T) {
+	ctrl := gomock.NewController(t)
+
+	tests := []struct {
+		name             string
+		buildIssuerMocks func() ClientCertIssuers
+		wantErrorMessage string
+		wantCert         []byte
+		wantKey          []byte
+	}{
+		{
+			name:             "empty issuers",
+			buildIssuerMocks: func() ClientCertIssuers { return ClientCertIssuers{} },
+			wantErrorMessage: "failed to issue cert",
+		},
+		{
+			name: "issuers with error",
+			buildIssuerMocks: func() ClientCertIssuers {
+				errClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				errClientCertIssuer.EXPECT().Name().Return("error cert issuer")
+				errClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return(nil, nil, errors.New("error from wrapped cert issuer"))
+				return ClientCertIssuers{errClientCertIssuer}
+			},
+			wantErrorMessage: "error cert issuer failed to issue client cert: error from wrapped cert issuer",
+		},
+		{
+			name: "valid issuer",
+			buildIssuerMocks: func() ClientCertIssuers {
+				validClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				validClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return([]byte("cert"), []byte("key"), nil)
+				return ClientCertIssuers{validClientCertIssuer}
+			},
+			wantCert: []byte("cert"),
+			wantKey:  []byte("key"),
+		},
+		{
+			name: "fallthrough issuer",
+			buildIssuerMocks: func() ClientCertIssuers {
+				errClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				errClientCertIssuer.EXPECT().Name().Return("error cert issuer")
+				errClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return(nil, nil, errors.New("error from wrapped cert issuer"))
+
+				validClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				validClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return([]byte("cert"), []byte("key"), nil)
+				return ClientCertIssuers{
+					errClientCertIssuer,
+					validClientCertIssuer,
+				}
+			},
+			wantCert: []byte("cert"),
+			wantKey:  []byte("key"),
+		},
+		{
+			name: "multiple error issuers",
+			buildIssuerMocks: func() ClientCertIssuers {
+				err1ClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				err1ClientCertIssuer.EXPECT().Name().Return("error1 cert issuer")
+				err1ClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return(nil, nil, errors.New("error1 from wrapped cert issuer"))
+
+				err2ClientCertIssuer := issuermocks.NewMockClientCertIssuer(ctrl)
+				err2ClientCertIssuer.EXPECT().Name().Return("error2 cert issuer")
+				err2ClientCertIssuer.EXPECT().
+					IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second).
+					Return(nil, nil, errors.New("error2 from wrapped cert issuer"))
+
+				return ClientCertIssuers{
+					err1ClientCertIssuer,
+					err2ClientCertIssuer,
+				}
+			},
+			wantErrorMessage: "[error1 cert issuer failed to issue client cert: error1 from wrapped cert issuer, error2 cert issuer failed to issue client cert: error2 from wrapped cert issuer]",
+		},
+	}
+
+	for _, tTemp := range tests {
+		testcase := tTemp
+		t.Run(testcase.name, func(t *testing.T) {
+			t.Parallel()
+
+			certPEM, keyPEM, err := testcase.buildIssuerMocks().
+				IssueClientCertPEM("username", []string{"group1", "group2"}, 32*time.Second)
+
+			if testcase.wantErrorMessage != "" {
+				require.ErrorContains(t, err, testcase.wantErrorMessage)
+				require.Empty(t, certPEM)
+				require.Empty(t, keyPEM)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, testcase.wantCert, certPEM)
+				require.Equal(t, testcase.wantKey, keyPEM)
+			}
+		})
+	}
+}

internal/leaderelection/leaderelection_test.go

@@ -16,7 +16,7 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/leaderelection"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 )
 
 // see test/integration/leaderelection_test.go for the bulk of the testing related to this code
@@ -31,7 +31,7 @@ func Test_releaseLock_Update(t *testing.T) {
 			f: func(t *testing.T, internalClient *kubefake.Clientset, isLeader *isLeaderTracker, cancel context.CancelFunc) {
 				internalClient.PrependReactor("update", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
 					lease := action.(kubetesting.UpdateAction).GetObject().(*coordinationv1.Lease)
-					if len(pointer.StringDeref(lease.Spec.HolderIdentity, "")) == 0 {
+					if len(ptr.Deref(lease.Spec.HolderIdentity, "")) == 0 {
 						require.False(t, isLeader.canWrite(), "client must release in-memory leader status before Kube API call")
 					}
 					return true, nil, errors.New("cannot renew")

internal/mocks/mockldapconn/mockldapconn.go

@@ -53,9 +53,10 @@ func (mr *MockConnMockRecorder) Bind(arg0, arg1 interface{}) *gomock.Call {
 }
 
 // Close mocks base method.
-func (m *MockConn) Close() {
+func (m *MockConn) Close() error {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "Close")
+	return nil
 }
 
 // Close indicates an expected call of Close.

internal/oidc/auth/auth_handler_test.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/kubernetes/fake"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
@@ -695,8 +695,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -725,8 +725,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 				Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -756,8 +756,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 				Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -779,8 +779,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
@@ -800,8 +800,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
@@ -991,8 +991,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path:                              "/some/path",
 			contentType:                       formContentType,
 			body:                              encodeQuery(happyGetRequestQueryMap),
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -1015,8 +1015,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path:                              "/some/path",
 			contentType:                       formContentType,
 			body:                              encodeQuery(happyGetRequestQueryMap),
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
@@ -1038,8 +1038,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path:                              "/some/path",
 			contentType:                       formContentType,
 			body:                              encodeQuery(happyGetRequestQueryMap),
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
@@ -1194,8 +1194,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path: modifiedHappyGetRequestPath(map[string]string{
 				"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
 			}),
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -1218,8 +1218,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path: modifiedHappyGetRequestPath(map[string]string{
 				"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
 			}),
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        downstreamRedirectURIWithDifferentPort + `\?code=([^&]+)&scope=openid\+username\+groups&state=` + happyState,
@@ -1258,8 +1258,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithEmptyRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(9*time.Hour))).WithUserInfoURL().Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -1280,8 +1280,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithEmptyRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(1*time.Hour))).WithUserInfoURL().Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -1313,8 +1313,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithoutRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(9*time.Hour))).WithUserInfoURL().Build()),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -1335,8 +1335,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&erroringUpstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusBadGateway,
 			wantContentType:      htmlContentType,
 			wantBodyString:       "Bad Gateway: unexpected error during upstream authentication\n",
@@ -1346,8 +1346,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&erroringUpstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusBadGateway,
 			wantContentType:      htmlContentType,
 			wantBodyString:       "Bad Gateway: unexpected error during upstream authentication\n",
@@ -1362,8 +1362,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String("wrong-password"),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To("wrong-password"),
 			wantPasswordGrantCall: &expectedPasswordGrant{
 				performedByUpstreamName: oidcPasswordGrantUpstreamName,
 				args: &oidctestutil.PasswordCredentialsGrantAndValidateTokensArgs{
@@ -1380,8 +1380,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String("wrong-password"),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To("wrong-password"),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery),
@@ -1392,8 +1392,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String("wrong-password"),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To("wrong-password"),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery),
@@ -1404,8 +1404,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String("wrong-username"),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To("wrong-username"),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery),
@@ -1416,8 +1416,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String("wrong-username"),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To("wrong-username"),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery),
@@ -1429,7 +1429,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
 			customUsernameHeader: nil, // do not send header
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery),
@@ -1441,7 +1441,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
 			customUsernameHeader: nil, // do not send header
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery),
@@ -1453,7 +1453,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
 			customUsernameHeader: nil, // do not send header
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery),
@@ -1464,7 +1464,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
 			customPasswordHeader: nil, // do not send header
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
@@ -1476,7 +1476,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(happyLDAPUsername),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
 			customPasswordHeader: nil, // do not send header
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
@@ -1488,8 +1488,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithoutRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(9*time.Hour))).WithoutUserInfoURL().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1501,8 +1501,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithEmptyRefreshToken().WithAccessToken(oidcUpstreamAccessToken, metav1.NewTime(time.Now().Add(9*time.Hour))).WithoutUserInfoURL().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1514,8 +1514,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithEmptyRefreshToken().WithEmptyAccessToken().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1527,8 +1527,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithoutRefreshToken().WithoutAccessToken().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1540,8 +1540,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithoutRefreshToken().WithEmptyAccessToken().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1553,8 +1553,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                  oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().WithEmptyRefreshToken().WithoutAccessToken().Build()),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -1566,7 +1566,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
 			customPasswordHeader: nil, // do not send header
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
@@ -1578,8 +1578,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 happyGetRequestPath,
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithPasswordGrantDisallowedHintErrorQuery),
@@ -1591,8 +1591,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			kubeResources:        addFullyCapableDynamicClientAndSecretToKubeResources,
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery),
@@ -1604,8 +1604,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			kubeResources:        addFullyCapableDynamicClientAndSecretToKubeResources,
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery),
@@ -1617,8 +1617,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			kubeResources:        addFullyCapableDynamicClientAndSecretToKubeResources,
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"client_id": dynamicClientID, "scope": testutil.AllDynamicClientScopesSpaceSep}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery),
@@ -1666,8 +1666,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path: modifiedHappyGetRequestPath(map[string]string{
 				"redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client",
 			}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusBadRequest,
 			wantContentType:      jsonContentType,
 			wantBodyJSON:         fositeInvalidRedirectURIErrorBody,
@@ -1679,8 +1679,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path: modifiedHappyGetRequestPath(map[string]string{
 				"redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client",
 			}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusBadRequest,
 			wantContentType:      jsonContentType,
 			wantBodyJSON:         fositeInvalidRedirectURIErrorBody,
@@ -1692,8 +1692,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			path: modifiedHappyGetRequestPath(map[string]string{
 				"redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client",
 			}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusBadRequest,
 			wantContentType:      jsonContentType,
 			wantBodyJSON:         fositeInvalidRedirectURIErrorBody,
@@ -1717,8 +1717,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"client_id": "invalid-client"}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusUnauthorized,
 			wantContentType:      jsonContentType,
 			wantBodyJSON:         fositeInvalidClientErrorBody,
@@ -1781,8 +1781,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": "unsupported"}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery),
@@ -1793,8 +1793,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": "unsupported"}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery),
@@ -1830,8 +1830,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": "unsupported"}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery),
@@ -1898,8 +1898,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"scope": "openid profile email tuna"}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery),
@@ -1939,8 +1939,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"scope": "openid tuna"}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery),
@@ -1951,8 +1951,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"scope": "openid tuna"}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery),
@@ -1994,8 +1994,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": ""}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeMissingResponseTypeErrorQuery),
@@ -2006,8 +2006,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": ""}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeMissingResponseTypeErrorQuery),
@@ -2039,8 +2039,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamActiveDirectoryIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"response_type": ""}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeMissingResponseTypeErrorQuery),
@@ -2086,8 +2086,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"client_id": ""}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusUnauthorized,
 			wantContentType:      jsonContentType,
 			wantBodyJSON:         fositeInvalidClientErrorBody,
@@ -2137,8 +2137,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge": ""}),
-			customUsernameHeader:         pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:         pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:         ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:         ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:        happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
@@ -2151,8 +2151,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge": ""}),
-			customUsernameHeader:         pointer.String(happyLDAPUsername),
-			customPasswordHeader:         pointer.String(happyLDAPPassword),
+			customUsernameHeader:         ptr.To(happyLDAPUsername),
+			customPasswordHeader:         ptr.To(happyLDAPPassword),
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
 			wantLocationHeader:           urlWithQuery(downstreamRedirectURI, fositeMissingCodeChallengeErrorQuery),
@@ -2195,8 +2195,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": "this-is-not-a-valid-pkce-alg"}),
-			customUsernameHeader:         pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:         pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:         ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:         ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:        happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
@@ -2209,8 +2209,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": "this-is-not-a-valid-pkce-alg"}),
-			customUsernameHeader:         pointer.String(happyLDAPUsername),
-			customPasswordHeader:         pointer.String(happyLDAPPassword),
+			customUsernameHeader:         ptr.To(happyLDAPUsername),
+			customPasswordHeader:         ptr.To(happyLDAPPassword),
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
 			wantLocationHeader:           urlWithQuery(downstreamRedirectURI, fositeInvalidCodeChallengeErrorQuery),
@@ -2253,8 +2253,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": "plain"}),
-			customUsernameHeader:         pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:         pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:         ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:         ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:        happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
@@ -2267,8 +2267,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": "plain"}),
-			customUsernameHeader:         pointer.String(happyLDAPUsername),
-			customPasswordHeader:         pointer.String(happyLDAPPassword),
+			customUsernameHeader:         ptr.To(happyLDAPUsername),
+			customPasswordHeader:         ptr.To(happyLDAPPassword),
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
 			wantLocationHeader:           urlWithQuery(downstreamRedirectURI, fositeMissingCodeChallengeMethodErrorQuery),
@@ -2311,8 +2311,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": ""}),
-			customUsernameHeader:         pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:         pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:         ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:         ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:        happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
@@ -2325,8 +2325,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"code_challenge_method": ""}),
-			customUsernameHeader:         pointer.String(happyLDAPUsername),
-			customPasswordHeader:         pointer.String(happyLDAPPassword),
+			customUsernameHeader:         ptr.To(happyLDAPUsername),
+			customPasswordHeader:         ptr.To(happyLDAPPassword),
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
 			wantLocationHeader:           urlWithQuery(downstreamRedirectURI, fositeMissingCodeChallengeMethodErrorQuery),
@@ -2375,8 +2375,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"prompt": "none login"}),
-			customUsernameHeader:         pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:         pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:         ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:         ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:        happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
@@ -2391,8 +2391,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                         oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:                       http.MethodGet,
 			path:                         modifiedHappyGetRequestPath(map[string]string{"prompt": "none login"}),
-			customUsernameHeader:         pointer.String(happyLDAPUsername),
-			customPasswordHeader:         pointer.String(happyLDAPPassword),
+			customUsernameHeader:         ptr.To(happyLDAPUsername),
+			customPasswordHeader:         ptr.To(happyLDAPPassword),
 			wantStatus:                   http.StatusFound,
 			wantContentType:              jsonContentType,
 			wantLocationHeader:           urlWithQuery(downstreamRedirectURI, fositePromptHasNoneAndOtherValueErrorQuery),
@@ -2446,8 +2446,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			method: http.MethodGet,
 			// The following prompt value is illegal when openid is requested, but note that openid is not requested.
 			path:                              modifiedHappyGetRequestPath(map[string]string{"prompt": "none login", "scope": "email"}),
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2469,8 +2469,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			method: http.MethodGet,
 			// The following prompt value is illegal when openid is requested, but note that openid is not requested.
 			path:                              modifiedHappyGetRequestPath(map[string]string{"prompt": "none login", "scope": "email"}),
-			customUsernameHeader:              pointer.String(happyLDAPUsername),
-			customPasswordHeader:              pointer.String(happyLDAPPassword),
+			customUsernameHeader:              ptr.To(happyLDAPUsername),
+			customPasswordHeader:              ptr.To(happyLDAPPassword),
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
 			wantRedirectLocationRegexp:        downstreamRedirectURI + `\?code=([^&]+)&scope=username\+groups&state=` + happyState, // username and groups scopes were not requested, but are granted anyway for backwards compatibility
@@ -2492,8 +2492,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2518,8 +2518,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2545,8 +2545,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2573,8 +2573,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2600,8 +2600,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2618,8 +2618,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2633,8 +2633,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2658,8 +2658,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2683,8 +2683,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2707,8 +2707,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2722,8 +2722,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                            http.MethodGet,
 			path:                              happyGetRequestPath,
-			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:              ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:              ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:                        http.StatusFound,
 			wantContentType:                   htmlContentType,
@@ -2746,8 +2746,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2761,8 +2761,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2776,8 +2776,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2791,8 +2791,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2806,8 +2806,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2821,8 +2821,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2836,8 +2836,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2851,8 +2851,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2866,8 +2866,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2881,8 +2881,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2896,8 +2896,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			),
 			method:                http.MethodGet,
 			path:                  happyGetRequestPath,
-			customUsernameHeader:  pointer.String(oidcUpstreamUsername),
-			customPasswordHeader:  pointer.String(oidcUpstreamPassword),
+			customUsernameHeader:  ptr.To(oidcUpstreamUsername),
+			customPasswordHeader:  ptr.To(oidcUpstreamPassword),
 			wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
 			wantStatus:            http.StatusFound,
 			wantContentType:       jsonContentType,
@@ -2940,8 +2940,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().Build()),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"state": "short"}),
-			customUsernameHeader: pointer.String(oidcUpstreamUsername),
-			customPasswordHeader: pointer.String(oidcUpstreamPassword),
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeInvalidStateErrorQuery),
@@ -2952,8 +2952,8 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
 			method:               http.MethodGet,
 			path:                 modifiedHappyGetRequestPath(map[string]string{"state": "short"}),
-			customUsernameHeader: pointer.String(happyLDAPUsername),
-			customPasswordHeader: pointer.String(happyLDAPPassword),
+			customUsernameHeader: ptr.To(happyLDAPUsername),
+			customPasswordHeader: ptr.To(happyLDAPPassword),
 			wantStatus:           http.StatusFound,
 			wantContentType:      jsonContentType,
 			wantLocationHeader:   urlWithQuery(downstreamRedirectURI, fositeInvalidStateErrorQuery),

internal/oidc/provider/federation_domain_issuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package provider
@@ -11,7 +11,7 @@ import (
 	"go.pinniped.dev/internal/constable"
 )
 
-// FederationDomainIssuer represents all of the settings and state for a downstream OIDC provider
+// FederationDomainIssuer represents all the settings and state for a downstream OIDC provider
 // as defined by a FederationDomain.
 type FederationDomainIssuer struct {
 	issuer     string
@@ -19,6 +19,8 @@ type FederationDomainIssuer struct {
 	issuerPath string
 }
 
+// NewFederationDomainIssuer returns a FederationDomainIssuer.
+// Performs validation, and returns any error from validation.
 func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error) {
 	p := FederationDomainIssuer{issuer: issuer}
 	err := p.validate()
@@ -42,6 +44,10 @@ func (p *FederationDomainIssuer) validate() error {
 		return constable.Error(`issuer must have "https" scheme`)
 	}
 
+	if issuerURL.Hostname() == "" {
+		return constable.Error(`issuer must have a hostname`)
+	}
+
 	if issuerURL.User != nil {
 		return constable.Error(`issuer must not have username or password`)
 	}
@@ -64,14 +70,17 @@ func (p *FederationDomainIssuer) validate() error {
 	return nil
 }
 
+// Issuer returns the issuer.
 func (p *FederationDomainIssuer) Issuer() string {
 	return p.issuer
 }
 
+// IssuerHost returns the issuerHost.
 func (p *FederationDomainIssuer) IssuerHost() string {
 	return p.issuerHost
 }
 
+// IssuerPath returns the issuerPath.
 func (p *FederationDomainIssuer) IssuerPath() string {
 	return p.issuerPath
 }

internal/oidc/provider/federation_domain_issuer_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package provider
@@ -20,6 +20,16 @@ func TestFederationDomainIssuerValidations(t *testing.T) {
 			issuer:    "",
 			wantError: "federation domain must have an issuer",
 		},
+		{
+			name:      "returns url.Parse errors",
+			issuer:    "https://example.com" + string(byte(0x7f)),
+			wantError: "could not parse issuer as URL: parse \"https://example.com\\x7f\": net/url: invalid control character in URL",
+		},
+		{
+			name:      "no hostname",
+			issuer:    "https://",
+			wantError: `issuer must have a hostname`,
+		},
 		{
 			name:      "no scheme",
 			issuer:    "tuna.com",

internal/registry/credentialrequest/rest_test.go

@@ -22,7 +22,7 @@ import (
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/klog/v2"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	loginapi "go.pinniped.dev/generated/latest/apis/concierge/login"
 	"go.pinniped.dev/internal/issuer"
@@ -387,7 +387,7 @@ func requireSuccessfulResponseWithAuthenticationFailureMessage(t *testing.T, err
 	require.Equal(t, response, &loginapi.TokenCredentialRequest{
 		Status: loginapi.TokenCredentialRequestStatus{
 			Credential: nil,
-			Message:    pointer.String("authentication failed"),
+			Message:    ptr.To("authentication failed"),
 		},
 	})
 }

internal/upstreamldap/upstreamldap.go

@@ -49,7 +49,7 @@ type Conn interface {
 
 	SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error)
 
-	Close()
+	Close() error
 }
 
 // Our Conn type is subset of the ldap.Client interface, which is implemented by ldap.Conn.
@@ -181,6 +181,13 @@ func (p *Provider) GetConfig() ProviderConfig {
 	return p.c
 }
 
+func closeAndLogError(conn Conn, doingWhat string) {
+	err := conn.Close()
+	if err != nil {
+		plog.Error(fmt.Sprintf("error closing LDAP connection when %s", doingWhat), err)
+	}
+}
+
 func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes provider.RefreshAttributes) ([]string, error) {
 	t := trace.FromContext(ctx).Nest("slow ldap refresh attempt", trace.Field{Key: "providerName", Value: p.GetName()})
 	defer t.LogIfLong(500 * time.Millisecond) // to help users debug slow LDAP searches
@@ -190,7 +197,7 @@ func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes p
 	if err != nil {
 		return nil, fmt.Errorf(`error dialing host %q: %w`, p.c.Host, err)
 	}
-	defer conn.Close()
+	defer closeAndLogError(conn, "refreshing connection")
 
 	err = conn.Bind(p.c.BindUsername, p.c.BindPassword)
 	if err != nil {
@@ -402,7 +409,7 @@ func (p *Provider) TestConnection(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf(`error dialing host %q: %w`, p.c.Host, err)
 	}
-	defer conn.Close()
+	defer closeAndLogError(conn, "testing connection")
 
 	err = conn.Bind(p.c.BindUsername, p.c.BindPassword)
 	if err != nil {
@@ -453,7 +460,7 @@ func (p *Provider) authenticateUserImpl(ctx context.Context, username string, gr
 		p.traceAuthFailure(t, err)
 		return nil, false, fmt.Errorf(`error dialing host %q: %w`, p.c.Host, err)
 	}
-	defer conn.Close()
+	defer closeAndLogError(conn, "authenticating user")
 
 	err = conn.Bind(p.c.BindUsername, p.c.BindPassword)
 	if err != nil {
@@ -534,7 +541,7 @@ func (p *Provider) SearchForDefaultNamingContext(ctx context.Context) (string, e
 		p.traceSearchBaseDiscoveryFailure(t, err)
 		return "", fmt.Errorf(`error dialing host %q: %w`, p.c.Host, err)
 	}
-	defer conn.Close()
+	defer closeAndLogError(conn, "searching for default naming context")
 
 	err = conn.Bind(p.c.BindUsername, p.c.BindPassword)
 	if err != nil {

proposals/1406_multiple-idps/README.md

@@ -0,0 +1,493 @@
+---
+title: "Multiple Identity Providers"
+authors: [ "@cfryanr" ]
+status: "draft"
+sponsor: []
+approval_date: ""
+---
+
+*Disclaimer*: Proposals are point-in-time designs and decisions. Once approved and implemented, they become historical
+documents. If you are reading an old proposal, please be aware that the features described herein might have continued
+to evolve since.
+
+# Multiple Identity Providers
+
+## Problem Statement
+
+We have identified
+[several use cases](https://docs.google.com/document/d/1ZeMI1VTiArXV70qB6zwhbUp0fRKhsdSia475pWDemBM/edit?usp=sharing)
+where it would be helpful to be able to configure multiple simultaneous sources of identity in the Pinniped Supervisor.
+More specifically, Pinniped would allow having multiple OIDCIdentityProviders, LDAPIdentityProviders, and
+ActiveDirectoryIdentityProviders in use at the same time for a single installation of the Pinniped Supervisor.
+
+To make it possible to safely configure different arbitrary identity providers which contain distinct pools of users,
+Pinniped will provide a mechanism to make it possible to disambiguate usernames and group names. For example, the
+user "ryan" from my LDAP provider, and the user "ryan" from my OIDC provider, may or may not refer to the same actor. A
+group called "developers" from my LDAP server may or may not have the same intended meaning from an RBAC point of view
+as the group called "developers" from my OIDC provider.
+
+### How Pinniped Works Today (as of version v0.22.0)
+
+Much of this is already implemented. The Pinniped source code already supports loading multiple OIDCIdentityProviders,
+LDAPIdentityProviders, and ActiveDirectoryIdentityProviders at the same time. It also has mechanisms in place for
+the `pinniped get kubeconfig` command to choose which identity provider to use when generating a kubeconfig file, and
+for `pinniped login oidc` (the `kubectl` plugin) to handle multiple identity providers during the login procedure.
+Additionally, the server-side code also contains the necessary support to handle logins from different identity
+providers.
+
+We added
+[an artificial limitation](https://github.com/vmware-tanzu/pinniped/blob/60d12d88ac7b32235cc4dd848289adf06ab9c58b/internal/oidc/auth/auth_handler.go#L407-L409)
+in the FederationDomain's authorize endpoint's source code which prevents all logins from proceeding when there are
+multiple OIDCIdentityProviders, LDAPIdentityProviders, and ActiveDirectoryIdentityProviders in use at the same time.
+This was done to defer designing the feature to make it possible to disambiguate usernames and group names from
+different identity providers.
+
+This document proposes that we remove that artificial limitation, and proposes a design for disambiguating usernames and
+group names.
+
+The Pinniped Supervisor has always supported multiple FederationDomains. Each is an OIDC issuer with its own unique
+issuer URL, its own JWT signing keys, etc. Therefore, each Supervisor FederationDomain controls authentication into
+a pool of clusters using isolated credentials which are not honored by clusters of other FederationDomains.
+However, using more than one FederationDomain in a single Supervisor has been of little value because there was
+previously no way to customize each FederationDomain to make them behave differently from each other in a meaningful
+way. This document proposes new configuration options which allow the pool of identities represented in each
+FederationDomain to be meaningfully different, thus making it useful to have multiple FederationDomains for some use
+cases.
+
+## Terminology / Concepts
+
+Let's define the following terms for this proposal.
+
+- *"Normalized identity":* a string username with a list of string group names. This is normalized in the sense that
+  different identity providers have various complex representations of a user account, and speak various protocols, and
+  Pinniped boils that down to the consistent representation of string username and string group names which are needed
+  for Kubernetes. This is simply naming a concept that we already have in Pinniped today. For example, an
+  LDAPIdentityProvider configuration tells the Supervisor how to extract a normalized identity using LDAP queries
+  from an LDAP provider.
+
+- *"Identity transformation":* a function which takes a normalized identity, applies some business logic, and returns a
+  potentially modified normalized identity.
+
+- *"Authentication policy:*" a function which takes a normalized identity, applies some business logic, and returns a
+  result which either allows or denies the authentication for that identity.
+
+Additionally, several simple concepts for supporting multiple identity providers, which can be composed together in
+powerful ways, are proposed in the
+[conceptual model for multiple IDPs](https://docs.google.com/document/d/1rtuZq7X3Mj5j8ERmq0BQ8FQ2cVMl5InXh_jis3H_oVQ/edit?usp=sharing)
+doc.
+
+## Proposal
+
+### Goals and Non-goals
+
+Goals for this proposal:
+
+- Provide a solution that supports
+  all [use cases](https://docs.google.com/document/d/1ZeMI1VTiArXV70qB6zwhbUp0fRKhsdSia475pWDemBM/edit?usp=sharing)
+- Provide a solution that supports the
+  [conceptual model for multiple IDPs](https://docs.google.com/document/d/1rtuZq7X3Mj5j8ERmq0BQ8FQ2cVMl5InXh_jis3H_oVQ/edit?usp=sharing)
+- Provide an iterative implementation plan
+
+### Specification / How it Solves the Use Cases
+
+#### API Changes
+
+##### Choosing identity providers on FederationDomains
+
+First, a FederationDomain needs a way to choose which identity providers it should use as sources of identity.
+
+Because each type of identity provider is a different CRD, it is possible for resources to have the same name. For
+example, an OIDCIdentityProvider and an LDAPIdentityProvider can both be called "my-idp" at the same time. They must
+both be in the same namespace as the Supervisor app. Therefore, we can use a list of TypedLocalObjectReference to
+identify them.
+
+```yaml
+kind: FederationDomain
+apiVersion: config.supervisor.pinniped.dev/v1alpha1
+metadata:
+  name: demo-federation-domain
+  namespace: supervisor
+spec:
+  issuer: https://issuer.example.com/demo-issuer
+  tls:
+    secretName: my-federation-domain-tls
+
+  # Below is the new part.
+  identityProviders:
+    - displayName: ActiveDirectory for Admins
+      objectRef:
+        apiGroup: idp.supervisor.pinniped.dev
+        kind: ActiveDirectoryIdentityProvider
+        name: ad-for-admins
+    - displayName: Okta for Developers
+      objectRef:
+        apiGroup: idp.supervisor.pinniped.dev
+        kind: OIDCIdentityProvider
+        name: okta-for-developers
+```
+
+This example FederationDomain allows logins from any user from either of the two listed identity providers. There may be
+other identity providers defined in the same namespace, and those are not allowed to be used for login in this
+FederationDomain since they were not listed here.
+
+The "displayName" of each identity provider would be a human-readable name for the provider, such as "Corporate LDAP".
+It would be validated to ensure that there are no duplicate "displayName" in the list. The "displayName" would be the name that
+appears in user's kubeconfig to choose the IDP to be used during login. This would provide insulation between the name
+of the identity provider CR and the name that the client sees encoded in the kubeconfig file. It would also make it
+impossible to have two identity providers called "my-idp" in the same FederationDomain, even though there could be two
+CRs of different types both named "my-idp".
+
+##### Implementation detail: changes to the FederationDomain's endpoints to support choosing identity providers on FederationDomains
+
+The OIDC manager `internal/oidc/provider/manager/manager.go` would create the handlers for each FederationDomain in such
+a way that each handler instance can only see the identity providers in the in-memory cache which are supposed to be
+available on that FederationDomain. Therefore, each endpoint could only operate on the appropriate identity providers.
+
+The IDP discovery endpoint will use the "displayName" from the FederationDomain's list of "identityProviders" as the names
+shown in the discovery response, instead of the literal names of the CRs. The names from this discovery response are
+already consumed by `pinniped get kubeconfig` for inclusion in the resulting kubeconfig.
+
+The authorize and callback endpoints already receive URL query parameters to identify which identity provider should be
+used. These names would need to get mapped back to the actual names of the CRs while indexing into the in-memory cache
+of providers. The token endpoint would be changed in a similar way, except that the name and type of the identity
+provider comes from the user's session storage instead of from parameters.
+
+The LDAP/AD login UI endpoint could be changed to show the "displayName" of the IDP in the UI, instead of the CR name.
+It already receives the IDP name and type through the state parameter.
+
+The JWKS and OIDC discovery endpoints don't know anything about identity providers, so they do not need to change.
+
+##### Applying identity transformations and policies to identity providers on FederationDomains
+
+To allow admin users to define their own simple business logic for identity transformations and authentication policies,
+we will embed the Common Expressions Language (CEL) in the Supervisor.
+(See [#694](https://github.com/vmware-tanzu/pinniped/pull/694) for more details about why CEL is a
+good fit for this use case.)
+
+The FederationDomain CRD would be further enhanced to allow identity transformation and authentication policy functions
+to be written as follows.
+
+```yaml
+kind: FederationDomain
+apiVersion: config.supervisor.pinniped.dev/v1alpha1
+metadata:
+  name: demo-federation-domain
+  namespace: supervisor
+spec:
+  issuer: https://issuer.example.com/demo-issuer
+  tls:
+    secretName: my-federation-domain-tls
+
+  # Everything below here is the new part.
+  identityProviders:
+
+  - displayName: ActiveDirectory for Admins
+    objectRef:
+      apiGroup: idp.supervisor.pinniped.dev
+      kind: ActiveDirectoryIdentityProvider
+      name: ad-for-admins
+
+    # Transforms are optional and apply only to logins from this IDP in this FederationDomain.
+    transforms:
+
+       # Optionally define variables that will be available to the expressions below.
+       constants:
+          # Validations would check that these names are legal CEL variable names and are unique within this list.
+         - name: prefix
+           type: string
+           stringValue: "ad:"
+         - name: onlyIncludeGroupsWithThisPrefix
+           type: string
+           stringValue: "kube/"
+         - name: mustBelongToOneOfThese
+           type: stringList
+           stringListValue: [ kube/admins, kube/developers, kube/auditors ]
+         - name: additionalAdmins
+           type: stringList
+           stringListValue: [ ryan@example.com, ben@example.com, josh@example.com ]
+
+       # An optional list of transforms and policies to be executed in the order given during every login attempt.
+       # Each is a CEL expression. It may use the basic CEL language plus the CEL string extensions from cel-go.
+       # The username, groups, and the constants defined above are available as variables in all expressions.
+       # In the first version of this feature, the only allowed types would be policy/v1, username/v1, and groups/v1.
+       # This leaves room for other future possible types and type versions.
+       # Each policy/v1 must return a boolean, and when it returns false, the login is rejected.
+       # Each username/v1 transform must return the new username (a string), which can be the same as the old username.
+       # Each groups/v1 transforms must return the new groups list (list of strings), which can be the same as the old
+       # groups list.
+       # After each expression, the new (potentially changed) username or groups get passed to the following expression.
+       # Any compilation or type-checking failure of any expression will cause an error status on the FederationDomain.
+       # Any unexpected runtime evaluation errors (e.g. division by zero) cause the login to fail.
+       # When all expressions evaluate successfully, then the username and groups has been decided for that login.
+       expressions:
+         # This expression runs first, so it operates on unmodified usernames and groups as extracted from the IDP.
+         # It rejects auth for any user who does not belong to certain groups.
+         - type: policy/v1
+           expression: 'groups.exists(g, g in strListConst.mustBelongToOneOfThese)'
+           message: "Only users in certain kube groups are allowed to authenticate"
+         # This expression runs second, and the previous expression was a policy (which cannot change username or
+         # groups), so this expression also operates on the unmodified usernames and groups as extracted from the
+         # IDP. For certain users, this adds a new group to the list of groups.
+         - type: groups/v1
+           expression: 'username in strListConst.additionalAdmins ? groups + ["kube/admins"] : groups'
+         # This expression runs next. Due to the expression above, this expression operates on the original username,
+         # and on a potentially changed list of groups. This drops all groups which do not start with a certain prefix.
+         - type: groups/v1
+           expression: 'groups.filter(group, group.startsWith(strConst.onlyIncludeGroupsWithThisPrefix))'
+         # Due to the expressions above, this expression operates on the original username, and on a potentially
+         # changed list of groups. This unconditionally prefixes the username.
+         - type: username/v1
+           expression: 'strConst.prefix + username'
+         # The expressions above have already changed the username and might have changed the groups before this
+         # expression runs. This unconditionally prefixes all group names.
+         - type: groups/v1
+           expression: 'groups.map(group, strConst.prefix + group)'
+
+       # Examples can optionally be used to ensure that the above sequence of expressions is working as expected.
+       # Examples define sample input identities which are then run through the above expression list,
+       # and the results are compared to the expected results. If any example in this list fails, then this
+       # FederationDomain will not be available for use, and the error(s) will be added to its status.
+       # This can be used to help guard against programming mistakes in the above CEL expressions, and also
+       # act as living documentation for other administrators to better understand the above CEL expressions.
+       examples:
+         - username: ryan@example.com
+           groups: [ kube/developers, kube/auditors, non-kube-group ]
+           expects:
+              username: ad:ryan@example.com
+              groups: [ ad:kube/developers, ad:kube/auditors, ad:kube/admins ]
+         - username: someone_else@example.com
+           groups: [ kube/developers, kube/other, non-kube-group ]
+           expects:
+              username: ad:someone_else@example.com
+              groups: [ ad:kube/developers, ad:kube/other ]
+         - username: paul@example.com
+           groups: [ kube/other, non-kube-group ]
+           expects:
+              rejected: true
+              message: "Only users in certain kube groups are allowed to authenticate"
+
+  - displayName: Okta for Developers
+    objectRef:
+      apiGroup: idp.supervisor.pinniped.dev
+      kind: OIDCIdentityProvider
+      name: okta-for-developers
+    transforms:
+      # Optionally apply transforms for identities from this IDP.
+```
+
+The existing controller which watches these CRs would perform validations on the new fields, and would
+create an object in an in-memory cache which is capable of applying that list of transforms on any normalized identity
+during login.
+
+##### Implementation detail: changes to the FederationDomain's endpoints to support transforms on FederationDomains
+
+Each time a normalized identity is extracted from an identity provider during an initial login (in the authorize or
+callback endpoints) or during a refresh (in the token endpoint), the transforms loaded into the in-memory cache for that
+identity provider on that FederationDomain would be applied. The resulting potentially changed normalized identity would
+be used as the identity. Any errors or rejections by authentication policy expression would prevent the initial login or
+refresh from succeeding.
+
+##### Resolving identity conflicts between identity providers on a FederationDomain
+
+Identity conflicts can arise when usernames and/or group names from two different identity providers can collide, *and*
+when those colliding strings are *not meant to indicate the same identity*. Both of these conditions must be true for a
+conflict to be possible. In many use cases, there is no actual possibility of conflict, either because there is no
+possibility of collision or because collisions are not considered conflicts. In other cases, where there is a
+possibility of conflict, Pinniped will provide a way to resolve these conflicts.
+
+Pinniped does not take any stance on how RBAC policies should be designed, created, managed, potentially synchronized
+between clusters, or potentially synchronized with the identity provider. Therefore, it is important for Pinniped to
+remain flexible enough to support the admin's ability to design their own RBAC policies. This includes continuing to
+allow the admin to configure how usernames and group names are determined by Pinniped. Previously, this meant allowing
+the admin to configure how to extract the username and group names from the identity provider into the normalized
+identity, which is currently supported by the OIDCIdentityProvider, LDAPIdentityProvider, and
+ActiveDirectoryIdentityProvider CRDs. With the addition of multiple identity provider support, this will now also
+include allowing the admin to configure how conflicts on normalized identities are resolved.
+
+Consider the case where an enterprise has built automation around creating RBAC policies for their employees. For
+example, an automation might read information from some external system to decide which employees should get access to
+which clusters, and to determine which level of access should be granted to each employee. Such a system might, for
+example, create RBAC policies using the corporate email addresses of the employees. For Pinniped to avoid getting in the
+way of this system, Pinniped would need to allow the usernames of users to be their corporate email addresses, even when
+there are multiple identity providers configured.
+
+It's easy to come up with examples of undesirable conflicts, such as when "ryan" from one IDP and "ryan" from another
+IDP do not represent the same person. However, let's also consider some examples where username or group name collisions
+are not considered conflicts:
+- An OIDCIdentityProvider might be used for human authentication with an OIDC provider that
+  requires multi-factor authentication, while another OIDCIdentityProvider might be used to allow the password grant
+  for CI bot accounts to avoid the need for browser-based login flows and multi-factor authentication requirements for
+  CI bots. If both are backed by the same OIDC provider, then both OIDCIdentityProviders could be configured to extract
+  the same usernames and the same group names, in which case there would be no actual possibility of identity conflicts.
+- As another example, if an OIDCIdentityProvider and an LDAPIdentityProvider are both configured to extract usernames
+  as email addresses from the same corporate directory, then the usernames from both providers cannot conflict
+  because an email address, regardless from which identity provider it came, could uniquely identify a single employee.
+  If groups are also sourced from a single corporate directory and are configured to extract the group names in an
+  identical fashion, then the group names also cannot conflict. On the other hand, if the groups are coming from
+  different sources, or if the OIDCIdentityProvider and LDAPIdentityProvider are configured to extract group names
+  differently, then the admin might like to configure Pinniped to modify group names to avoid potential collisions,
+  even while usernames are not modified.
+- As another example, an organizations might keep their administrator accounts in one IDP with regular user accounts
+  in another IDP. If username conflicts are possible, then non-admin users from the first IDP could use unchanged
+  usernames from the IDP, while admins from the second IDP could have their usernames prefixed with "admin/". This
+  resolves any possibility of conflict if the first IDP does not allow usernames to start with "admin/", for example
+  if usernames in that IDP are not allowed to contain a "/" character.
+
+Transformation expressions on the FederationDomain can be easily used to avoid identity collisions as desired.
+For example, the CEL expressions to prefix every username and group name are `"my-prefix:" + username` and
+`groups.map(g, "my-prefix:" + g)`.
+
+#### Upgrades
+
+Any upgrades into a new version of Pinniped which allows multiple IDPs will have a similar configuration. There will
+be a FederationDomain with no IDPs listed on the FederationDomain (since this was not previously allowed), and there
+will be only a single IDP CRD created in the namespace. Any other number of IDP CRDs previously resulted in an
+unusable Pinniped installation.
+
+During an upgrade, an existing installation of the Supervisor would already have a FederationDomain CR defined without
+an "identityProviders" section. To enable smooth upgrades, the "identityProviders" section would be optional.
+
+- The Supervisor code already correctly handles the case when there are no identity provider CRs defined. No users can
+  log in using that FederationDomain.
+- To handle the case where there is exactly one identity provider CR defined, the controller could load that CR for use
+  in the FederationDomain. The "displayName" of the identity provider would be automatically configured to be the same
+  name as the CR. This allows old configurations to continue working after upgrade.
+- When there are multiple identity provider CRs defined, the controller can fail to load the FederationDomain and update
+  its status to include an error saying that using a FederationDomain when multiple identity provider CRs are created
+  requires using the "identityProviders" field on the FederationDomain. This handles the case where the
+  user adds multiple identity provider CRs after upgrading, but forgets to add the "identityProviders" field to the
+  FederationDomain.
+
+If an admin adds "identityProviders" to a pre-existing FederationDomain and changes the "displayName" of a pre-existing
+identity provider, then:
+1. Pre-existing user sessions would fail to refresh, causing those users to need to interactively log in again, since
+   the identity provider names and types are already stored in user sessions for use during refreshes. This code already
+   has sufficient protections to ensure that we can never accidentally use a different identity provider during refresh
+   compared to which was used during initial login, even if there is an accidental name collision (via UID comparisons).
+2. Pre-existing kubeconfigs would now refer to the wrong identity provider name, and would need to be regenerated.
+
+If an admin wants to add a pre-existing identityProvider to a pre-existing FederationDomain without interrupting
+pre-existing sessions or needing to generate new kubeconfigs, they could take care to make the "displayName" of
+the identity provider exactly match the name of the identity provider CR.
+
+#### Tests
+
+Lots of new unit and integration tests will be required for using multiple FederationDomains, multiple identity
+providers, and identity transformations and policies.
+
+#### New Dependencies
+
+https://github.com/google/cel-go would move from being an indirect dependency (via k8s libraries) to a direct dependency.
+
+#### Performance Considerations
+
+No problems are anticipated. CEL is up to the task from a performance point of view.
+
+#### Observability Considerations
+
+The status of FederationDomains will be updated to show new types of validation errors. Unexpected transformation errors
+during login attempts will be logged in the Pod logs.
+
+#### Security Considerations
+
+FederationDomains were already designed to securely control authentication into Kubernetes clusters. Allowing multiple
+sources of identity on a FederationDomain does not change that, except for allowing more potential users. See above for
+detailed discussion of identity conflict considerations on those additional users. Adding identity transformations and
+policies gives the admin more control over how the identities extracted from external identity providers are
+projected into Kubernetes.
+
+#### Usability Considerations
+
+This proposal does not change the user experience for the end user (kubectl user). This proposal does not include
+any changes to their kubeconfig or to the Pinniped CLI.
+
+This proposal adds more powerful configuration options for the Supervisor admin. By choosing CEL, we hope that the
+identity transforms and policies are simple for the admin to create, and are done in a language with which they might
+already be familiar due to its usage in Kubernetes. By allowing the admin to configure "examples" on the
+FederationDomain we hope to reduce the possibility of admins making programming mistakes in CEL expressions. Admins will
+need to understand how to anticipate and resolve identity conflicts, which is a new usability concern that we intend to
+address with documentation.
+
+#### Documentation Considerations
+
+See "Implementation Plan" section below.
+
+### Other Approaches Considered
+
+Rather than using CEL, other embedded languages were also considered.
+See [#694](https://github.com/vmware-tanzu/pinniped/pull/694).
+
+Rather than using any embedded language, Pinniped could implement a library of similar identity transformations and authentication
+policy functions in the Golang source code and allow them to be used by reference on a FederationDomain in a similar
+way (by direct name reference). This would not allow admin users to add their own transformation
+business logic. Rather, users would be constrained in their use cases by what could be expressed by the built-in
+functions. This proposal leaves room in the API to allow for both of these implementations options, as long as
+the user has a way to reference the built-in functions and the CEL functions in a list on the FederationDomains,
+and as long as both implementations are conforming to the same interface behavior regarding handling of parameters and
+return values.
+
+To help users avoid accidental misconfiguration, we considered making Pinniped resolve any potential identity conflicts
+by default. This would mean changing the normalized usernames and group names from the various identity providers in
+such a way that collisions become impossible, for example by automatically prefixing them with unique prefixes, unless
+the admin configures their own transformations. This would need to be done in such a way that it makes upgrades smooth,
+by not suddenly changing the usernames and group names of pre-existing users as the result of simply upgrading Pinniped.
+It would also need to be done in a way that ensures that prefixes for each identity provider within a FederationDomain
+are unique, do not change over time, are predictable by the admin in advance, and are acceptable for use in RBAC policies.
+However, the CEL expressions to configure username and group name prefixing are very simple and can be documented
+clearly. Administrators can take care to configure these transformations if they are concerned about potential identity
+conflicts, rather than trying to solve this in some default way.
+
+An alternative design would do away with the "displayName" field and continue to use the literal CR names everywhere.
+This would be less work to implement, since we already use the CR names everywhere. In this design, the CLI and
+Supervisor endpoints would continue to do what they do today, which is to always pass around the name and the type of
+the identity provider together such that duplicate names are not a problem. However, this would provide no insulation
+between the clients and the names of the *IdentityProvider CRs on the cluster.
+
+## Open Questions
+
+None yet.
+
+## Answered Questions
+
+None yet.
+
+## Implementation Plan
+
+The Pinniped maintainers would implement this proposal.
+
+One way to approach the implementation in an iterative fashion would be to break this feature down into the following
+stories. Each story would include writing all applicable unit and integration tests.
+
+1. *Feature Story:* Remove the current arbitrary limitation. In this early draft, all identity providers are used by all
+   FederationDomains.
+2. *Feature Story:* Enhance FederationDomains to allow users to list applicable "identityProviders", without giving them new
+   "displayName" values. Also implement the backwards-compatible legacy behavior of what will happen when they do not
+   list any identity providers in the "identityProviders" list.
+3. *Feature Story:* Enhance the FederationDomain to allow users to configure transforms, and apply those transforms
+   during login and session refresh.
+4. *Feature Story:* Add the "displayName" concept to the FederationDomain's "identityProviders" list and implement the
+   related code changes.
+5. *Chores:* Make any necessary enhancements to better handle having multiple FederationDomains, now that it is useful
+   to have multiple. Add a validation that FederationDomains are not allowed to have conflicting URL paths. Add tests
+   that ensure FederationDomains cannot lookup sessions from other FederationDomains. Improve logging to make debugging
+   easier for ingress and TLS certificates problems for FederationDomains
+   (see [#1393](https://github.com/vmware-tanzu/pinniped/issues/1393)).
+6. *Docs Story*: Document how to configure FederationDomains, including what is the concept of a
+   FederationDomain, why/when to have multiple, how to debug ingress and TLS certificates for multiple FederationDomains,
+   and how to decide on issuer URLs for the FederationDomains.
+7. *Docs Story*: Document some example use cases for configuring multiple identity providers on a FederationDomain. For
+   each, show the detailed *IdentityProvider and FederationDomain CRs for that use case. Also document how to safely
+   configure multiple IDPs on a FederationDomain, including how to reason about and resolve identity conflicts.
+8. *Docs Story*: Document details of how to configure identity transformations and policies. Show concrete examples of all
+   use cases listed in the [Use Case doc](https://docs.google.com/document/d/1ZeMI1VTiArXV70qB6zwhbUp0fRKhsdSia475pWDemBM/edit?usp=sharing).
+   Point out the most useful parts of CEL that are not necessarily obvious to someone new at CEL (all available string
+   operators and functions, available list operators/macros/functions, and ternary operators) and provide links to the
+   detailed CEL and cel-go docs for more information.
+
+None of this work would be merged to the main branch until it is finished, to avoid blocking other unrelated releases
+from happening from the main branch in the meantime.
+
+## Implementation PRs
+
+This section is a placeholder to list the PRs that implement this proposal. This section should be left empty until
+after the proposal is approved. After implementation, the proposal can be updated to list related implementation PRs.

proposals/1547_impersonation-proxy-external-certs/README.md

@@ -0,0 +1,169 @@
+---
+title: "Concierge Impersonation Proxy | External Certificate Management"
+authors: [ "@joshuatcasey" ]
+status: "in-review"
+sponsor: [ "@cfryanr", "@benjaminapetersen" ]
+approval_date: ""
+---
+
+*Disclaimer*: Proposals are point-in-time designs and decisions.
+Once approved and implemented, they become historical documents.
+If you are reading an old proposal, please be aware that the
+features described herein might have continued to evolve since.
+
+# Concierge Impersonation Proxy | External Certificate Management
+
+## Problem Statement
+
+The impersonation proxy cannot be configured with an external certificate, meaning its CA bundle must be downloaded
+and baked into the Kubeconfig. We should allow Pinniped admins to specify an externally-provided certificate so that
+the impersonation proxy could serve TLS using out of band PKI for TLS verification.
+
+This has the impact of easing integration with ingress providers so that we can put ingress in front of the
+impersonation proxy.
+Note that the impersonation proxy does use mTLS to verify the user's identity, so the ingress should support TLS
+passthrough or something similar.
+
+### How Pinniped Works Today (as of version v0.24.0)
+
+The impersonation proxy today generates a CA and a serving certificate to serve TLS.
+This will be referred to as the “generated cert” below.
+
+## Terminology / Concepts
+
+* Generated cert: The certificate that the impersonation proxy will generate
+* External cert: A certificate provied by something outside of Pinniped, meant for the impersonation proxy to serve TLS
+
+## Proposal
+
+Allow Pinniped admins to specify an externally-provided certificate and CA bundle for the impersonation proxy to use
+to serve TLS.
+
+### Goals and Non-goals
+
+This proposal does not provide implementation details for the following deferred cases:
+
+* SAN/IP address validation from the CA or serving cert
+* Using forwarded client certificate details (such as `x-forwarded-client-cert` from https://projectcontour.io/docs/1.25/config/tls-termination/#client-certificate-details-forwarding) for authentication instead of mTLS.
+
+#### API Changes
+
+```yaml
+apiVersion: "config.concierge.pinniped.dev/v1alpha1"
+kind: CredentialIssuer
+metadata:
+  name: the-credential-issuer
+spec:
+  impersonationProxy:
+    mode: auto
+    externalEndpoint: impersonation-proxy.example.com
+    service:
+      loadBalancerIP: 1.2.3.4
+    # Proposed API below:
+    # The tls configuration block is optional.
+    tls:
+      # certificateAuthorityData contains a CA bundle. This value is not used by the impersation proxy to serve TLS.
+      # This value will be advertised to clients so that they can perform TLS verification with the impersonation proxy.
+      # Specifying multiple CA certs can assist with CA rotation.
+      # Optional.
+      # If not provided, will look in the secret named by secretName for a data field with name ca.crt.
+      # If that field is not available, no CA bundle will be advertised for clients.
+      certificateAuthorityData: <ca-bundle>
+
+      # Names a secret of type "kubernetes.io/tls" (https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
+      # which must contain both a TLS serving certificate and the private key, and which is in the same namespace.
+      # This will support using the "ca.crt" field which is sometimes provided by cert-manager
+      # (https://cert-manager.io/docs/concepts/certificate/), instead of providing certificateAuthorityData above.
+      # Eventually, this serving certificate may be validated against the above externalEndpoint and/or loadBalancerIP.
+      # Required.
+      secretName: my-tls-cert
+```
+
+#### Upgrades
+
+* Upgrading an existing impersonation proxy installation currently using a generated cert should continue to work as-is
+  without intervention
+* Upgrading an existing impersonation proxy installation currently using a generated cert should allow easy transfer to
+  an external cert.
+  The impersonation proxy will clean up its own generated certs that are no longer used.
+  This will require manual intervention for at least the following:
+    * Configure the external cert secret (using cert-manager, manually generated certs, or any other mechanism)
+    * Configure the CredentialIssuer with the new tls configuration block
+    * Regenerate and distribute a new kubeconfig for that cluster
+* Installing a new impersonation proxy with an external cert should work without ever generating a cert
+* Switching an impersonation proxy from an external cert to a generated cert should work by performing the following
+  manual interventions:
+    * Remove the new tls configuration block from the CredentialIssuer
+    * Clean up existing external CA/cert secret objects, and prevent their regeneration
+    * Regenerate and distribute a new kubeconfig for that cluster
+
+#### Tests
+
+Will add unit tests wherever code is changed.
+
+We will also add integration tests in `test/integration/concierge_impersonation_proxy_test.go` that will feature external certs.
+
+#### New Dependencies
+
+No.
+
+#### Performance Considerations
+
+No.
+
+#### Observability Considerations
+
+The impersonation proxy will log a message when it detects any of the following situations:
+
+* Generate a cert to serve TLS
+* Use an external cert to serve TLS
+* Cleanup of any unused resources
+* Error conditions from the external cert
+    * secret not found
+    * tls.crt or tls.key not available in the secret
+    * etc
+
+#### Security Considerations
+
+None. TLS verification will always be enforced by the Pinniped CLI client.
+
+#### Usability Considerations
+
+We designed the API behavior such that it was backwards-compatible and works out of the box.
+
+#### Documentation Considerations
+
+This design doc serves as an announcement that the feature will be implemented.
+It would be helpful to provide a blog post describing how the feature was validated.
+Also include in release notes.
+
+### Other Approaches Considered
+
+None.
+
+## Open Questions
+
+A list of questions that need to be answered.
+
+## Answered Questions
+
+* Can the Impersonation Proxy use the K8s API server TLS cert and key?
+    * No. The impersonation proxy is typically only used when the API server signing key is unavailable.
+* Can ingress (such as contour with TLS passthrough) provide support for mTLS?
+    * Yes. See https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52.
+      Other ingress providers may have support for this, although we will not provide a list of compatible providers.
+      It is out of scope for us to test beyond what is necessary to validate that the impersonation proxy is configured
+      correctly.
+
+## Implementation Plan
+
+Three different PRs can implement this in phases:
+
+1. Add the new API, and support the various upgrade/configuration scenarios
+2. Add support for the CA bundle as ca.crt in the secret instead of certificateAuthorityData
+3. Verify that the CA bundle or serving cert references the same DNS names or IP addresses known to the impersonation
+   proxy.
+
+## Implementation PRs
+
+* TBD

site/config.yaml

@@ -7,8 +7,8 @@ params:
   github_url: "https://github.com/vmware-tanzu/pinniped"
   slack_url: "https://go.pinniped.dev/community/slack"
   community_url: "https://go.pinniped.dev/community"
-  latest_version: v0.23.0
-  latest_codegen_version: 1.26
+  latest_version: v0.24.0
+  latest_codegen_version: 1.27
 pygmentsCodefences: true
 pygmentsStyle: "pygments"
 markup: