Merge pull request #2034 from vmware-tanzu/jtc/older-idps-should-use-unknown-condition-status

OIDC/LDAP/AD IDPs should use unknown condition status

.golangci.yaml

@@ -48,6 +48,10 @@ linters:
     - fatcontext
     # - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection
     - spancheck
+    - importas
+    - makezero
+    - prealloc
+    - gofmt
 
 issues:
   exclude-dirs:
@@ -91,3 +95,70 @@ linters-settings:
     - end
     - record-error
     - set-status
+  importas:
+    no-unaliased: true # All packages explicitly listed below must be aliased
+    no-extra-aliases: false # Allow other aliases than the ones explicitly listed below
+    alias:
+    # k8s.io/apimachinery
+    - pkg: k8s.io/apimachinery/pkg/util/errors
+      alias: utilerrors
+    - pkg: k8s.io/apimachinery/pkg/api/errors
+      alias: apierrors
+    - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+      alias: metav1
+    # k8s.io
+    - pkg: k8s.io/api/core/v1
+      alias: corev1
+    # OAuth2/OIDC/Fosite/JOSE
+    - pkg: github.com/coreos/go-oidc/v3/oidc
+      alias: coreosoidc
+    - pkg: github.com/ory/fosite/handler/oauth2
+      alias: fositeoauth2
+    - pkg: github.com/ory/fosite/token/jwt
+      alias: fositejwt
+    - pkg: github.com/go-jose/go-jose/v4/jwt
+      alias: josejwt
+    - pkg: github.com/go-jose/go-jose/v3
+      alias: oldjosev3
+    # Generated Pinniped
+    - pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
+      alias: authenticationv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1
+      alias: clientsecretv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
+      alias: supervisorconfigv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
+      alias: conciergeconfigv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
+      alias: conciergeclientset
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
+      alias: conciergeclientsetscheme
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
+      alias: conciergefake
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
+      alias: supervisorclientset
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
+      alias: supervisorclientsetscheme
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
+      alias: supervisorfake
+    - pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
+      alias: idpv1alpha1
+    - pkg: go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
+      alias: conciergeinformers
+    - pkg: go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
+      alias: supervisorinformers
+    # Pinniped internal
+    - pkg: go.pinniped.dev/internal/concierge/scheme
+      alias: conciergescheme
+  gofmt:
+    # Simplify code: gofmt with `-s` option.
+    # Default: true
+    simplify: false
+    # Apply the rewrite rules to the source before reformatting.
+    # https://pkg.go.dev/cmd/gofmt
+    # Default: []
+    rewrite-rules:
+    - pattern: 'interface{}'
+      replacement: 'any'
+    - pattern: 'a[b:len(a)]'
+      replacement: 'a[b:]'

Dockerfile

@@ -3,8 +3,8 @@
 # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-ARG BUILD_IMAGE=golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978
-ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
+ARG BUILD_IMAGE=golang:1.22.5@sha256:86a3c48a61915a8c62c0e1d7594730399caa3feb73655dfe96c7bc17710e96cf
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
 
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
 FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

apis/concierge/authentication/v1alpha1/types_tls.go.tmpl

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
 type GitHubAPIConfig struct {
 	// Host is required only for GitHub Enterprise Server.
 	// Defaults to using GitHub's public API ("github.com").
+	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
 	// Do not specify a protocol or scheme since "https://" will always be used.
 	// Port is optional. Do not specify a path, query, fragment, or userinfo.
-	// Only domain name or IP address, subdomains (optional), and port (optional).
+	// Only specify domain name or IP address, subdomains (optional), and port (optional).
 	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
 	// in square brackets. Example: "[::1]:443".
 	//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
 	Host *string `json:"host"`
 
 	// TLS configuration for GitHub Enterprise Server.
+	// Note that this field should not be needed when using GitHub's public API ("github.com").
+	// However, if you choose to specify this field when using GitHub's public API, you must
+	// specify a CA bundle that will verify connections to "api.github.com".
 	//
 	// +optional
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

apis/supervisor/idp/v1alpha1/types_tls.go.tmpl

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

cmd/pinniped-concierge-kube-cert-agent/main_test.go

@@ -94,7 +94,7 @@ func TestEntrypoint(t *testing.T) {
 			var logBuf bytes.Buffer
 			testLog := log.New(&logBuf, "", 0)
 			exited := "exiting via fatal"
-			fail = func(format string, v ...interface{}) {
+			fail = func(format string, v ...any) {
 				testLog.Printf(format, v...)
 				panic(exited)
 			}

cmd/pinniped-server/main_test.go

@@ -42,7 +42,7 @@ func TestEntrypoint(t *testing.T) {
 			var logBuf bytes.Buffer
 			testLog := log.New(&logBuf, "", 0)
 			exited := "exiting via fatal"
-			fail = func(err error, keysAndValues ...interface{}) {
+			fail = func(err error, keysAndValues ...any) {
 				testLog.Print(err)
 				if len(keysAndValues) > 0 {
 					testLog.Print(keysAndValues...)

cmd/pinniped/cmd/flag_types.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -13,7 +13,7 @@ import (
 
 	"github.com/spf13/pflag"
 
-	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 )
 
 // conciergeModeFlag represents the method by which we should connect to the Concierge on a cluster during login.
@@ -62,12 +62,12 @@ func (f *conciergeModeFlag) Type() string {
 }
 
 // MatchesFrontend returns true iff the flag matches the type of the provided frontend.
-func (f *conciergeModeFlag) MatchesFrontend(frontend *configv1alpha1.CredentialIssuerFrontend) bool {
+func (f *conciergeModeFlag) MatchesFrontend(frontend *conciergeconfigv1alpha1.CredentialIssuerFrontend) bool {
 	switch *f {
 	case modeImpersonationProxy:
-		return frontend.Type == configv1alpha1.ImpersonationProxyFrontendType
+		return frontend.Type == conciergeconfigv1alpha1.ImpersonationProxyFrontendType
 	case modeTokenCredentialRequestAPI:
-		return frontend.Type == configv1alpha1.TokenCredentialRequestAPIFrontendType
+		return frontend.Type == conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType
 	case modeUnknown:
 		fallthrough
 	default:

cmd/pinniped/cmd/flag_types_test.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -13,7 +13,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
 )
 
@@ -24,14 +24,14 @@ func TestConciergeModeFlag(t *testing.T) {
 	require.NoError(t, f.Set(""))
 	require.Equal(t, modeUnknown, f)
 	require.EqualError(t, f.Set("foo"), `invalid mode "foo", valid modes are TokenCredentialRequestAPI and ImpersonationProxy`)
-	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 
 	require.NoError(t, f.Set("TokenCredentialRequestAPI"))
 	require.Equal(t, modeTokenCredentialRequestAPI, f)
 	require.Equal(t, "TokenCredentialRequestAPI", f.String())
-	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.False(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 
 	require.NoError(t, f.Set("tokencredentialrequestapi"))
 	require.Equal(t, modeTokenCredentialRequestAPI, f)
@@ -40,8 +40,8 @@ func TestConciergeModeFlag(t *testing.T) {
 	require.NoError(t, f.Set("ImpersonationProxy"))
 	require.Equal(t, modeImpersonationProxy, f)
 	require.Equal(t, "ImpersonationProxy", f.String())
-	require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
-	require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+	require.False(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+	require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 
 	require.NoError(t, f.Set("impersonationproxy"))
 	require.Equal(t, modeImpersonationProxy, f)

cmd/pinniped/cmd/kubeconfig.go

@@ -12,6 +12,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -23,10 +24,9 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-	"k8s.io/utils/strings/slices"
 
-	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
-	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
@@ -193,7 +193,7 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 	ctx, cancel := context.WithTimeout(ctx, flags.timeout)
 	defer cancel()
 
-	// the log statements in this file assume that Info logs are unconditionally printed so we set the global level to info
+	// the log statements in this file assume that Info logs are unconditionally printed, so we set the global level to info
 	if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, plog.LogSpec{Level: plog.LevelInfo, Format: plog.FormatCLI}); err != nil {
 		return err
 	}
@@ -314,7 +314,7 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap
 		if flags.staticToken != "" && flags.staticTokenEnvName != "" {
 			return nil, fmt.Errorf("only one of --static-token and --static-token-env can be specified")
 		}
-		execConfig.Args = append([]string{"login", "static"}, execConfig.Args...)
+		execConfig.Args = slices.Concat([]string{"login", "static"}, execConfig.Args)
 		if flags.staticToken != "" {
 			execConfig.Args = append(execConfig.Args, "--token="+flags.staticToken)
 		}
@@ -325,7 +325,7 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap
 	}
 
 	// Otherwise continue to parse the OIDC-related flags and output a config that runs `pinniped login oidc`.
-	execConfig.Args = append([]string{"login", "oidc"}, execConfig.Args...)
+	execConfig.Args = slices.Concat([]string{"login", "oidc"}, execConfig.Args)
 	if flags.oidc.issuer == "" {
 		return nil, fmt.Errorf("could not autodiscover --oidc-issuer and none was provided")
 	}
@@ -391,7 +391,7 @@ func getCurrentContext(currentKubeConfig clientcmdapi.Config, flags getKubeconfi
 	return &kubeconfigNames{ContextName: contextName, UserName: ctx.AuthInfo, ClusterName: ctx.Cluster}, nil
 }
 
-func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.Interface, flags getKubeconfigParams, deps kubeconfigDeps) (*configv1alpha1.CredentialIssuer, error) {
+func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.Interface, flags getKubeconfigParams, deps kubeconfigDeps) (*conciergeconfigv1alpha1.CredentialIssuer, error) {
 	credentialIssuer, err := lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
 	if err != nil {
 		return nil, err
@@ -427,7 +427,7 @@ func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.I
 	return credentialIssuer, nil
 }
 
-func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log plog.MinLogger) error {
+func discoverConciergeParams(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log plog.MinLogger) error {
 	// Autodiscover the --concierge-mode.
 	frontend, err := getConciergeFrontend(credentialIssuer, flags.concierge.mode)
 	if err != nil {
@@ -438,10 +438,10 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 	// Auto-set --concierge-mode if it wasn't explicitly set.
 	if flags.concierge.mode == modeUnknown {
 		switch frontend.Type {
-		case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 			log.Info("discovered Concierge operating in TokenCredentialRequest API mode")
 			flags.concierge.mode = modeTokenCredentialRequestAPI
-		case configv1alpha1.ImpersonationProxyFrontendType:
+		case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 			log.Info("discovered Concierge operating in impersonation proxy mode")
 			flags.concierge.mode = modeImpersonationProxy
 		}
@@ -450,9 +450,9 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 	// Auto-set --concierge-endpoint if it wasn't explicitly set.
 	if flags.concierge.endpoint == "" {
 		switch frontend.Type {
-		case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 			flags.concierge.endpoint = v1Cluster.Server
-		case configv1alpha1.ImpersonationProxyFrontendType:
+		case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 			flags.concierge.endpoint = frontend.ImpersonationProxyInfo.Endpoint
 		}
 		log.Info("discovered Concierge endpoint", "endpoint", flags.concierge.endpoint)
@@ -461,9 +461,9 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 	// Auto-set --concierge-ca-bundle if it wasn't explicitly set..
 	if len(flags.concierge.caBundle) == 0 {
 		switch frontend.Type {
-		case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 			flags.concierge.caBundle = v1Cluster.CertificateAuthorityData
-		case configv1alpha1.ImpersonationProxyFrontendType:
+		case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 			data, err := base64.StdEncoding.DecodeString(frontend.ImpersonationProxyInfo.CertificateAuthorityData)
 			if err != nil {
 				return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
@@ -475,7 +475,7 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 	return nil
 }
 
-func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.MinLogger) {
+func logStrategies(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, log plog.MinLogger) {
 	for _, strategy := range credentialIssuer.Status.Strategies {
 		log.Info("found CredentialIssuer strategy",
 			"type", strategy.Type,
@@ -488,7 +488,7 @@ func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.M
 
 func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
 	switch auth := authenticator.(type) {
-	case *conciergev1alpha1.WebhookAuthenticator:
+	case *authenticationv1alpha1.WebhookAuthenticator:
 		// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 		// them to point at the discovered WebhookAuthenticator.
 		if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
@@ -496,7 +496,7 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 			flags.concierge.authenticatorType = "webhook"
 			flags.concierge.authenticatorName = auth.Name
 		}
-	case *conciergev1alpha1.JWTAuthenticator:
+	case *authenticationv1alpha1.JWTAuthenticator:
 		// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 		// them to point at the discovered JWTAuthenticator.
 		if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
@@ -531,19 +531,19 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 	return nil
 }
 
-func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*configv1alpha1.CredentialIssuerFrontend, error) {
+func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*conciergeconfigv1alpha1.CredentialIssuerFrontend, error) {
 	for _, strategy := range credentialIssuer.Status.Strategies {
 		// Skip unhealthy strategies.
-		if strategy.Status != configv1alpha1.SuccessStrategyStatus {
+		if strategy.Status != conciergeconfigv1alpha1.SuccessStrategyStatus {
 			continue
 		}
 
 		// Backfill the .status.strategies[].frontend field from .status.kubeConfigInfo for backwards compatibility.
-		if strategy.Type == configv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
+		if strategy.Type == conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
 			strategy = *strategy.DeepCopy()
-			strategy.Frontend = &configv1alpha1.CredentialIssuerFrontend{
-				Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
-				TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+			strategy.Frontend = &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+				Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+				TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 					Server:                   credentialIssuer.Status.KubeConfigInfo.Server,
 					CertificateAuthorityData: credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData,
 				},
@@ -557,7 +557,7 @@ func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mod
 
 		//	Skip any unknown frontend types.
 		switch strategy.Frontend.Type {
-		case configv1alpha1.TokenCredentialRequestAPIFrontendType, configv1alpha1.ImpersonationProxyFrontendType:
+		case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 		default:
 			continue
 		}
@@ -585,7 +585,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
 	}
 }
 
-func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log plog.MinLogger) (*configv1alpha1.CredentialIssuer, error) {
+func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log plog.MinLogger) (*conciergeconfigv1alpha1.CredentialIssuer, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
@@ -747,9 +747,9 @@ func countCACerts(pemData []byte) int {
 	return len(pool.Subjects())
 }
 
-func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
+func hasPendingStrategy(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer) bool {
 	for _, strategy := range credentialIssuer.Status.Strategies {
-		if strategy.Reason == configv1alpha1.PendingStrategyReason {
+		if strategy.Reason == conciergeconfigv1alpha1.PendingStrategyReason {
 			return true
 		}
 	}
@@ -794,12 +794,12 @@ func pinnipedSupervisorDiscovery(ctx context.Context, flags *getKubeconfigParams
 		return err
 	}
 	if !supervisorSupportsBothUsernameAndGroupsScopes {
-		flags.oidc.scopes = slices.Filter(nil, flags.oidc.scopes, func(scope string) bool {
+		flags.oidc.scopes = slices.DeleteFunc(flags.oidc.scopes, func(scope string) bool {
 			if scope == oidcapi.ScopeUsername || scope == oidcapi.ScopeGroups {
 				log.Info("removed scope from --oidc-scopes list because it is not supported by this Supervisor", "scope", scope)
-				return false // Remove username and groups scopes if there were present in the flags.
+				return true // Remove username and groups scopes if there were present in the flags.
 			}
-			return true // Keep any other scopes in the flag list.
+			return false // Keep any other scopes in the flag list.
 		})
 	}
 

cmd/pinniped/cmd/login_oidc.go

@@ -176,9 +176,8 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 
 	// If the hidden --debug-session-cache option is passed, log all the errors from the session cache.
 	if flags.debugSessionCache {
-		logger := plog.WithName("session")
 		sessionOptions = append(sessionOptions, filesession.WithErrorReporter(func(err error) {
-			logger.Error("error during session cache operation", err)
+			pLogger.Error("error during session cache operation", err)
 		}))
 	}
 	sessionCache := filesession.New(flags.sessionCachePath, sessionOptions...)
@@ -186,7 +185,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	// Initialize the login handler.
 	opts := []oidcclient.Option{
 		deps.optionsFactory.WithContext(cmd.Context()),
-		deps.optionsFactory.WithLogger(plog.Logr()), //nolint:staticcheck // old code with lots of log statements
+		deps.optionsFactory.WithLoginLogger(pLogger),
 		deps.optionsFactory.WithScopes(flags.scopes),
 		deps.optionsFactory.WithSessionCache(sessionCache),
 	}
@@ -339,8 +338,7 @@ func SetLogLevel(ctx context.Context, lookupEnv func(string) (string, bool)) (pl
 			return nil, err
 		}
 	}
-	logger := plog.New().WithName("pinniped-login")
-	return logger, nil
+	return plog.New(), nil
 }
 
 /*

cmd/pinniped/cmd/login_oidc_test.go

@@ -48,7 +48,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 
 	defaultWantedOptions := func(f *mockoidcclientoptions.MockOIDCClientOptions) {
 		f.EXPECT().WithContext(gomock.Any())
-		f.EXPECT().WithLogger(gomock.Any())
+		f.EXPECT().WithLoginLogger(gomock.Any())
 		f.EXPECT().WithScopes([]string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups})
 		f.EXPECT().WithSessionCache(gomock.Any())
 	}
@@ -274,8 +274,8 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 4,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:288  No concierge configured, skipping token credential exchange`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:287  No concierge configured, skipping token credential exchange`,
 			},
 		},
 		{
@@ -304,7 +304,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 			env: map[string]string{"PINNIPED_DEBUG": "true", "PINNIPED_SKIP_PRINT_LOGIN_URL": "true"},
 			wantOptions: func(f *mockoidcclientoptions.MockOIDCClientOptions) {
 				f.EXPECT().WithContext(gomock.Any())
-				f.EXPECT().WithLogger(gomock.Any())
+				f.EXPECT().WithLoginLogger(gomock.Any())
 				f.EXPECT().WithScopes([]string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups})
 				f.EXPECT().WithSessionCache(gomock.Any())
 				f.EXPECT().WithListenPort(uint16(1234))
@@ -319,10 +319,10 @@ func TestLoginOIDCCommand(t *testing.T) {
 			wantOptionsCount: 12,
 			wantStdout:       `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_oidc.go:268  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:278  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:286  Successfully exchanged token for cluster credential.`,
-				nowStr + `  pinniped-login  cmd/login_oidc.go:293  caching cluster credential for future use.`,
+				nowStr + `  cmd/login_oidc.go:267  Performing OIDC login  {"issuer": "test-issuer", "client id": "test-client-id"}`,
+				nowStr + `  cmd/login_oidc.go:277  Exchanging token for cluster credential  {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_oidc.go:285  Successfully exchanged token for cluster credential.`,
+				nowStr + `  cmd/login_oidc.go:292  caching cluster credential for future use.`,
 			},
 		},
 	}

cmd/pinniped/cmd/login_static_test.go

@@ -147,7 +147,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				Error: could not complete Concierge credential exchange: some concierge error
 			`),
 			wantLogs: []string{
-				nowStr + `  pinniped-login  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
+				nowStr + `  cmd/login_static.go:159  exchanging static token for cluster credential  {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
 			},
 		},
 		{

cmd/pinniped/cmd/oidc_client_options.go

@@ -7,8 +7,6 @@ import (
 	"context"
 	"net/http"
 
-	"github.com/go-logr/logr"
-
 	"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	"go.pinniped.dev/pkg/oidcclient"
 )
@@ -16,9 +14,10 @@ import (
 // OIDCClientOptions is an interface that wraps the creation of Options for the purpose of making them
 // more friendly to unit tests. Because the Option type refers to a private struct type, it is hard
 // to create mocks for them in tests of other packages. This provides a seam that can be mocked.
+// No need for this interface to include deprecated options (such as WithLogger), since those should never be invoked.
 type OIDCClientOptions interface {
 	WithContext(ctx context.Context) oidcclient.Option
-	WithLogger(logger logr.Logger) oidcclient.Option
+	WithLoginLogger(logger oidcclient.Logger) oidcclient.Option
 	WithListenPort(port uint16) oidcclient.Option
 	WithSkipBrowserOpen() oidcclient.Option
 	WithSkipListen() oidcclient.Option
@@ -40,8 +39,8 @@ func (o *clientOptions) WithContext(ctx context.Context) oidcclient.Option {
 	return oidcclient.WithContext(ctx)
 }
 
-func (o *clientOptions) WithLogger(logger logr.Logger) oidcclient.Option {
-	return oidcclient.WithLogger(logger)
+func (o *clientOptions) WithLoginLogger(logger oidcclient.Logger) oidcclient.Option {
+	return oidcclient.WithLoginLogger(logger)
 }
 
 func (o *clientOptions) WithListenPort(port uint16) oidcclient.Option {

cmd/pinniped/cmd/whoami.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -12,7 +12,7 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -99,7 +99,7 @@ func runWhoami(output io.Writer, getClientset getConciergeClientsetFunc, flags *
 	whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 	if err != nil {
 		hint := ""
-		if errors.IsNotFound(err) {
+		if apierrors.IsNotFound(err) {
 			hint = " (is the Pinniped WhoAmI API running and healthy?)"
 		}
 		return fmt.Errorf("could not complete WhoAmIRequest%s: %w", hint, err)

cmd/pinniped/cmd/whoami_test.go

@@ -8,14 +8,14 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/clientcmd"
 
 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
-	fakeconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
+	conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/here"
 )
@@ -273,7 +273,7 @@ func TestWhoami(t *testing.T) {
 		},
 		{
 			name:          "calling API fails because WhoAmI API is not installed",
-			callingAPIErr: errors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"),
+			callingAPIErr: apierrors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"),
 			wantError:     true,
 			wantStderr:    "Error: could not complete WhoAmIRequest (is the Pinniped WhoAmI API running and healthy?): whoamirequests.identity.concierge.pinniped.dev \"whatever\" not found\n",
 		},
@@ -284,7 +284,7 @@ func TestWhoami(t *testing.T) {
 				if test.gettingClientsetErr != nil {
 					return nil, test.gettingClientsetErr
 				}
-				clientset := fakeconciergeclientset.NewSimpleClientset()
+				clientset := conciergefake.NewSimpleClientset()
 				clientset.PrependReactor("create", "whoamirequests", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 					if test.callingAPIErr != nil {
 						return true, nil, test.callingAPIErr

deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

deploy/concierge/deployment.yaml

@@ -100,6 +100,9 @@ data:
     log:
       level: (@= getAndValidateLogLevel() @)
     (@ end @)
+    tls:
+      onedottwo:
+        allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1

deploy/concierge/values.yaml

@@ -214,3 +214,20 @@ https_proxy: ""
 #@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
 #@schema/desc no_proxy_desc
 no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
+
+#@schema/title "Allowed Ciphers for TLS 1.2"
+#@ allowed_ciphers_for_tls_onedottwo_desc = "When specified, only the ciphers listed will be used for TLS 1.2. \
+#@ This includes both server-side and client-side TLS connections. \
+#@ This list must only include cipher suites that Pinniped is configured to accept \
+#@ (see internal/crypto/ptls/profiles.go and internal/crypto/ptls/profiles_fips_strict.go). \
+#@ Allowing too few ciphers may cause critical parts of Pinniped to be unable to function. For example, \
+#@ Kubernetes pod readiness checks, Pinniped pods acting as a client to the Kubernetes API server, \
+#@ Pinniped pods acting as a client to external identity providers, or Pinniped pods acting as an APIService server \
+#@ all need to be able to function with the allowed TLS cipher suites. \
+#@ An empty array means accept Pinniped's defaults."
+#@schema/desc allowed_ciphers_for_tls_onedottwo_desc
+#@schema/examples ("Example with a few secure ciphers", ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"])
+#! No type, default, or validation is required here.
+#! An empty array is perfectly valid, as is any array of strings.
+allowed_ciphers_for_tls_onedottwo:
+- ""

deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

deploy/supervisor/helpers.lib.yaml

@@ -53,6 +53,11 @@ _: #@ template.replace(data.values.custom_labels)
 #@       "apiService": defaultResourceNameWithSuffix("api"),
 #@     },
 #@     "labels": labels(),
+#@     "tls": {
+#@       "onedottwo": {
+#@         "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo
+#@       }
+#@     }
 #@   }
 #@   if data.values.log_level:
 #@     config["log"] = {}

deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
                     description: |-
                       Host is required only for GitHub Enterprise Server.
                       Defaults to using GitHub's public API ("github.com").
+                      For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
                       Do not specify a protocol or scheme since "https://" will always be used.
                       Port is optional. Do not specify a path, query, fragment, or userinfo.
-                      Only domain name or IP address, subdomains (optional), and port (optional).
+                      Only specify domain name or IP address, subdomains (optional), and port (optional).
                       IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
                       in square brackets. Example: "[::1]:443".
                     minLength: 1
                     type: string
                   tls:
-                    description: TLS configuration for GitHub Enterprise Server.
+                    description: |-
+                      TLS configuration for GitHub Enterprise Server.
+                      Note that this field should not be needed when using GitHub's public API ("github.com").
+                      However, if you choose to specify this field when using GitHub's public API, you must
+                      specify a CA bundle that will verify connections to "api.github.com".
                     properties:
                       certificateAuthorityData:
                         description: X.509 Certificate Authority (base64-encoded PEM
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

deploy/supervisor/rbac.yaml

@@ -16,6 +16,9 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create, get, list, patch, update, watch, delete]
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs: [get, list, watch]
   - apiGroups:
       - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
     resources: [federationdomains]

deploy/supervisor/values.yaml

@@ -203,3 +203,20 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #@schema/nullable
 #@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
 endpoints: { }
+
+#@schema/title "Allowed Ciphers for TLS 1.2"
+#@ allowed_ciphers_for_tls_onedottwo_desc = "When specified, only the ciphers listed will be used for TLS 1.2. \
+#@ This includes both server-side and client-side TLS connections. \
+#@ This list must only include cipher suites that Pinniped is configured to accept \
+#@ (see internal/crypto/ptls/profiles.go and internal/crypto/ptls/profiles_fips_strict.go). \
+#@ Allowing too few ciphers may cause critical parts of Pinniped to be unable to function. For example, \
+#@ Kubernetes pod readiness checks, Pinniped pods acting as a client to the Kubernetes API server, \
+#@ Pinniped pods acting as a client to external identity providers, or Pinniped pods acting as an APIService server \
+#@ all need to be able to function with the allowed TLS cipher suites. \
+#@ An empty array means accept Pinniped's defaults."
+#@schema/desc allowed_ciphers_for_tls_onedottwo_desc
+#@schema/examples ("Example with a few secure ciphers", ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"])
+#! No type, default, or validation is required here.
+#! An empty array is perfectly valid, as is any array of strings.
+allowed_ciphers_for_tls_onedottwo:
+- ""

generated/1.24/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
 | Field | Description
 | *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
 Defaults to using GitHub's public API ("github.com"). +
+For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
 Do not specify a protocol or scheme since "https://" will always be used. +
 Port is optional. Do not specify a path, query, fragment, or userinfo. +
-Only domain name or IP address, subdomains (optional), and port (optional). +
+Only specify domain name or IP address, subdomains (optional), and port (optional). +
 IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
 in square brackets. Example: "[::1]:443". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
+Note that this field should not be needed when using GitHub's public API ("github.com"). +
+However, if you choose to specify this field when using GitHub's public API, you must +
+specify a CA bundle that will verify connections to "api.github.com". +
 |===
 
 
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.24/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.24/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.24/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
 type GitHubAPIConfig struct {
 	// Host is required only for GitHub Enterprise Server.
 	// Defaults to using GitHub's public API ("github.com").
+	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
 	// Do not specify a protocol or scheme since "https://" will always be used.
 	// Port is optional. Do not specify a path, query, fragment, or userinfo.
-	// Only domain name or IP address, subdomains (optional), and port (optional).
+	// Only specify domain name or IP address, subdomains (optional), and port (optional).
 	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
 	// in square brackets. Example: "[::1]:443".
 	//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
 	Host *string `json:"host"`
 
 	// TLS configuration for GitHub Enterprise Server.
+	// Note that this field should not be needed when using GitHub's public API ("github.com").
+	// However, if you choose to specify this field when using GitHub's public API, you must
+	// specify a CA bundle that will verify connections to "api.github.com".
 	//
 	// +optional
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
                     description: |-
                       Host is required only for GitHub Enterprise Server.
                       Defaults to using GitHub's public API ("github.com").
+                      For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
                       Do not specify a protocol or scheme since "https://" will always be used.
                       Port is optional. Do not specify a path, query, fragment, or userinfo.
-                      Only domain name or IP address, subdomains (optional), and port (optional).
+                      Only specify domain name or IP address, subdomains (optional), and port (optional).
                       IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
                       in square brackets. Example: "[::1]:443".
                     minLength: 1
                     type: string
                   tls:
-                    description: TLS configuration for GitHub Enterprise Server.
+                    description: |-
+                      TLS configuration for GitHub Enterprise Server.
+                      Note that this field should not be needed when using GitHub's public API ("github.com").
+                      However, if you choose to specify this field when using GitHub's public API, you must
+                      specify a CA bundle that will verify connections to "api.github.com".
                     properties:
                       certificateAuthorityData:
                         description: X.509 Certificate Authority (base64-encoded PEM
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.25/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
 | Field | Description
 | *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
 Defaults to using GitHub's public API ("github.com"). +
+For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
 Do not specify a protocol or scheme since "https://" will always be used. +
 Port is optional. Do not specify a path, query, fragment, or userinfo. +
-Only domain name or IP address, subdomains (optional), and port (optional). +
+Only specify domain name or IP address, subdomains (optional), and port (optional). +
 IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
 in square brackets. Example: "[::1]:443". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
+Note that this field should not be needed when using GitHub's public API ("github.com"). +
+However, if you choose to specify this field when using GitHub's public API, you must +
+specify a CA bundle that will verify connections to "api.github.com". +
 |===
 
 
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
 type GitHubAPIConfig struct {
 	// Host is required only for GitHub Enterprise Server.
 	// Defaults to using GitHub's public API ("github.com").
+	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
 	// Do not specify a protocol or scheme since "https://" will always be used.
 	// Port is optional. Do not specify a path, query, fragment, or userinfo.
-	// Only domain name or IP address, subdomains (optional), and port (optional).
+	// Only specify domain name or IP address, subdomains (optional), and port (optional).
 	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
 	// in square brackets. Example: "[::1]:443".
 	//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
 	Host *string `json:"host"`
 
 	// TLS configuration for GitHub Enterprise Server.
+	// Note that this field should not be needed when using GitHub's public API ("github.com").
+	// However, if you choose to specify this field when using GitHub's public API, you must
+	// specify a CA bundle that will verify connections to "api.github.com".
 	//
 	// +optional
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
                     description: |-
                       Host is required only for GitHub Enterprise Server.
                       Defaults to using GitHub's public API ("github.com").
+                      For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
                       Do not specify a protocol or scheme since "https://" will always be used.
                       Port is optional. Do not specify a path, query, fragment, or userinfo.
-                      Only domain name or IP address, subdomains (optional), and port (optional).
+                      Only specify domain name or IP address, subdomains (optional), and port (optional).
                       IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
                       in square brackets. Example: "[::1]:443".
                     minLength: 1
                     type: string
                   tls:
-                    description: TLS configuration for GitHub Enterprise Server.
+                    description: |-
+                      TLS configuration for GitHub Enterprise Server.
+                      Note that this field should not be needed when using GitHub's public API ("github.com").
+                      However, if you choose to specify this field when using GitHub's public API, you must
+                      specify a CA bundle that will verify connections to "api.github.com".
                     properties:
                       certificateAuthorityData:
                         description: X.509 Certificate Authority (base64-encoded PEM
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.26/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
 | Field | Description
 | *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
 Defaults to using GitHub's public API ("github.com"). +
+For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
 Do not specify a protocol or scheme since "https://" will always be used. +
 Port is optional. Do not specify a path, query, fragment, or userinfo. +
-Only domain name or IP address, subdomains (optional), and port (optional). +
+Only specify domain name or IP address, subdomains (optional), and port (optional). +
 IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
 in square brackets. Example: "[::1]:443". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
+Note that this field should not be needed when using GitHub's public API ("github.com"). +
+However, if you choose to specify this field when using GitHub's public API, you must +
+specify a CA bundle that will verify connections to "api.github.com". +
 |===
 
 
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.26/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.26/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
 type GitHubAPIConfig struct {
 	// Host is required only for GitHub Enterprise Server.
 	// Defaults to using GitHub's public API ("github.com").
+	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
 	// Do not specify a protocol or scheme since "https://" will always be used.
 	// Port is optional. Do not specify a path, query, fragment, or userinfo.
-	// Only domain name or IP address, subdomains (optional), and port (optional).
+	// Only specify domain name or IP address, subdomains (optional), and port (optional).
 	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
 	// in square brackets. Example: "[::1]:443".
 	//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
 	Host *string `json:"host"`
 
 	// TLS configuration for GitHub Enterprise Server.
+	// Note that this field should not be needed when using GitHub's public API ("github.com").
+	// However, if you choose to specify this field when using GitHub's public API, you must
+	// specify a CA bundle that will verify connections to "api.github.com".
 	//
 	// +optional
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint

generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml

@@ -143,8 +143,9 @@ spec:
                                   Type is "string", and is otherwise ignored.
                                 type: string
                               type:
-                                description: Type determines the type of the constant,
-                                  and indicates which other field should be non-empty.
+                                description: |-
+                                  Type determines the type of the constant, and indicates which other field should be non-empty.
+                                  Allowed values are "string" or "stringList".
                                 enum:
                                 - string
                                 - stringList
@@ -262,8 +263,9 @@ spec:
                                   an authentication attempt. When empty, a default message will be used.
                                 type: string
                               type:
-                                description: Type determines the type of the expression.
-                                  It must be one of the supported types.
+                                description: |-
+                                  Type determines the type of the expression. It must be one of the supported types.
+                                  Allowed values are "policy/v1", "username/v1", or "groups/v1".
                                 enum:
                                 - policy/v1
                                 - username/v1

generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml

@@ -170,6 +170,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml

@@ -89,7 +89,11 @@ spec:
                       policy:
                         default: OnlyUsersFromAllowedOrganizations
                         description: |-
-                          Policy must be set to "AllGitHubUsers" if allowed is empty.
+                          Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+                          Defaults to "OnlyUsersFromAllowedOrganizations".
+
+
+                          Must be set to "AllGitHubUsers" if the allowed field is empty.
 
 
                           This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
                     description: |-
                       Host is required only for GitHub Enterprise Server.
                       Defaults to using GitHub's public API ("github.com").
+                      For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
                       Do not specify a protocol or scheme since "https://" will always be used.
                       Port is optional. Do not specify a path, query, fragment, or userinfo.
-                      Only domain name or IP address, subdomains (optional), and port (optional).
+                      Only specify domain name or IP address, subdomains (optional), and port (optional).
                       IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
                       in square brackets. Example: "[::1]:443".
                     minLength: 1
                     type: string
                   tls:
-                    description: TLS configuration for GitHub Enterprise Server.
+                    description: |-
+                      TLS configuration for GitHub Enterprise Server.
+                      Note that this field should not be needed when using GitHub's public API ("github.com").
+                      However, if you choose to specify this field when using GitHub's public API, you must
+                      specify a CA bundle that will verify connections to "api.github.com".
                     properties:
                       certificateAuthorityData:
                         description: X.509 Certificate Authority (base64-encoded PEM
                           bundle). If omitted, a default set of system roots will
                           be trusted.
                         type: string
+                      certificateAuthorityDataSource:
+                        description: |-
+                          Reference to a CA bundle in a secret or a configmap.
+                          Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                        properties:
+                          key:
+                            description: |-
+                              Key is the key name within the secret or configmap from which to read the CA bundle.
+                              The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                              certificate bundle.
+                            minLength: 1
+                            type: string
+                          kind:
+                            description: |-
+                              Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                              Allowed values are "Secret" or "ConfigMap".
+                              "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                              "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          name:
+                            description: |-
+                              Name is the resource name of the secret or configmap from which to read the CA bundle.
+                              The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                            minLength: 1
+                            type: string
+                        required:
+                        - key
+                        - kind
+                        - name
+                        type: object
                     type: object
                 type: object
             required:

generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml

@@ -161,6 +161,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
               userSearch:
                 description: UserSearch contains the configuration for searching for

generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -211,6 +211,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - client

generated/1.27/README.adoc

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
 ==== JWTAuthenticator 
 
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec"]
 ==== TLSSpec 
 
-Configuration for configuring TLS on various authenticators.
+TLSSpec provides TLS configuration on various authenticators.
 
 .Appears In:
 ****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
 ==== ImpersonationProxyMode (string) 
 
 ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+Allowed values are "auto", "enabled", or "disabled".
 
 .Appears In:
 ****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
 ==== ImpersonationProxyServiceType (string) 
 
 ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+Allowed values are "LoadBalancer", "ClusterIP", or "None".
 
 .Appears In:
 ****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
 | Field | Description
 | *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
 | *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
+Allowed values are "string" or "stringList". +
 | *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
 | *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
 |===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
 |===
 | Field | Description
 | *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
+Allowed values are "policy/v1", "username/v1", or "groups/v1". +
 | *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
 | *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
 an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
+==== CertificateAuthorityDataSourceKind (string) 
+
+CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
+==== CertificateAuthorityDataSourceSpec 
+
+CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
+Allowed values are "Secret" or "ConfigMap". +
+"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
+"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
+| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
+The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
+| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
+The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
+certificate bundle. +
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"]
 ==== GitHubAPIConfig 
 
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
 | Field | Description
 | *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
 Defaults to using GitHub's public API ("github.com"). +
+For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
 Do not specify a protocol or scheme since "https://" will always be used. +
 Port is optional. Do not specify a path, query, fragment, or userinfo. +
-Only domain name or IP address, subdomains (optional), and port (optional). +
+Only specify domain name or IP address, subdomains (optional), and port (optional). +
 IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
 in square brackets. Example: "[::1]:443". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
+Note that this field should not be needed when using GitHub's public API ("github.com"). +
+However, if you choose to specify this field when using GitHub's public API, you must +
+specify a CA bundle that will verify connections to "api.github.com". +
 |===
 
 
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
+| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
+Defaults to "OnlyUsersFromAllowedOrganizations". +
+
+
+Must be set to "AllGitHubUsers" if the allowed field is empty. +
 
 
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
 |===
 | Field | Description
 | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
+| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
+Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
 |===
 
 

generated/1.27/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
 // +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type JWTAuthenticator struct {

generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go

@@ -1,11 +1,47 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for configuring TLS on various authenticators.
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
+// TLSSpec provides TLS configuration on various authenticators.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.27/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type WebhookAuthenticator struct {

generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go

@@ -13,6 +13,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
 	*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
 }
 
 // ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
+// Allowed values are "auto", "enabled", or "disabled".
 //
 // +kubebuilder:validation:Enum=auto;enabled;disabled
 type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
 )
 
 // ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
+// Allowed values are "LoadBalancer", "ClusterIP", or "None".
 //
 // +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
 type ImpersonationProxyServiceType string

generated/1.27/apis/go.mod

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis
 go 1.13
 
 require (
-	k8s.io/api v0.27.14
-	k8s.io/apimachinery v0.27.14
+	k8s.io/api v0.27.16
+	k8s.io/apimachinery v0.27.16
 )

generated/1.27/apis/go.sum

@@ -330,10 +330,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.14 h1:/oKAF9HiSB47polol2Ji2TaFnC400JK57jSPUXY5MzU=
-k8s.io/api v0.27.14/go.mod h1:Jekhd9Kyo2CsmJlYbqZPXNwIxiHvyGJCdp0X56yDyvU=
-k8s.io/apimachinery v0.27.14 h1:jAIGvPbvAg4XJysK7JPFa6DdjTR6vts4/p4Q6ZrcQ+4=
-k8s.io/apimachinery v0.27.14/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
+k8s.io/api v0.27.16 h1:70IBoTuiPfd+Tm68WH0tGXQRSQq0R1xnbyhTRe8WYQY=
+k8s.io/api v0.27.16/go.mod h1:5j0Cgo6X4qovBOu3OjzRwETDEYqMxq2qafhDQXOPy3A=
+k8s.io/apimachinery v0.27.16 h1:Nmbei3P/6w6vxbNxV8/sDCZz+TQrJ9A4+bVIRjDufuM=
+k8s.io/apimachinery v0.27.16/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
 	Name string `json:"name"`
 
 	// Type determines the type of the constant, and indicates which other field should be non-empty.
+	// Allowed values are "string" or "stringList".
 	// +kubebuilder:validation:Enum=string;stringList
 	Type string `json:"type"`
 
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
 // FederationDomainTransformsExpression defines a transform expression.
 type FederationDomainTransformsExpression struct {
 	// Type determines the type of the expression. It must be one of the supported types.
+	// Allowed values are "policy/v1", "username/v1", or "groups/v1".
 	// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
 	Type string `json:"type"`
 

generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
 type GitHubAPIConfig struct {
 	// Host is required only for GitHub Enterprise Server.
 	// Defaults to using GitHub's public API ("github.com").
+	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
 	// Do not specify a protocol or scheme since "https://" will always be used.
 	// Port is optional. Do not specify a path, query, fragment, or userinfo.
-	// Only domain name or IP address, subdomains (optional), and port (optional).
+	// Only specify domain name or IP address, subdomains (optional), and port (optional).
 	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
 	// in square brackets. Example: "[::1]:443".
 	//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
 	Host *string `json:"host"`
 
 	// TLS configuration for GitHub Enterprise Server.
+	// Note that this field should not be needed when using GitHub's public API ("github.com").
+	// However, if you choose to specify this field when using GitHub's public API, you must
+	// specify a CA bundle that will verify connections to "api.github.com".
 	//
 	// +optional
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
 }
 
 type GitHubOrganizationsSpec struct {
-	// Policy must be set to "AllGitHubUsers" if allowed is empty.
+	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
+	// Defaults to "OnlyUsersFromAllowedOrganizations".
+	//
+	// Must be set to "AllGitHubUsers" if the allowed field is empty.
 	//
 	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
 	// allowedOrganizations means all GitHub users are allowed to log in.

generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go

@@ -3,9 +3,45 @@
 
 package v1alpha1
 
+// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+//
+// +kubebuilder:validation:Enum=Secret;ConfigMap
+type CertificateAuthorityDataSourceKind string
+
+const (
+	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
+	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
+
+	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
+	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
+	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
+)
+
+// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
+type CertificateAuthorityDataSourceSpec struct {
+	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+	// Allowed values are "Secret" or "ConfigMap".
+	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+	Kind CertificateAuthorityDataSourceKind `json:"kind"`
+	// Name is the resource name of the secret or configmap from which to read the CA bundle.
+	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Key is the key name within the secret or configmap from which to read the CA bundle.
+	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+	// certificate bundle.
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key"`
+}
+
 // TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 	// +optional
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// Reference to a CA bundle in a secret or a configmap.
+	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+	// +optional
+	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
 }

generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
+func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateAuthorityDataSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	out.Bind = in.Bind
 	out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
 		*out = new(TLSSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
 	in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in
+	if in.CertificateAuthorityDataSource != nil {
+		in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
+		*out = new(CertificateAuthorityDataSourceSpec)
+		**out = **in
+	}
 	return
 }
 

generated/1.27/client/go.mod

@@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.27/apis => ../apis
 
 require (
 	go.pinniped.dev/generated/1.27/apis v0.0.0
-	k8s.io/apimachinery v0.27.14
-	k8s.io/client-go v0.27.14
+	k8s.io/apimachinery v0.27.16
+	k8s.io/client-go v0.27.16
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 )

generated/1.27/client/go.sum

@@ -370,12 +370,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.14 h1:/oKAF9HiSB47polol2Ji2TaFnC400JK57jSPUXY5MzU=
-k8s.io/api v0.27.14/go.mod h1:Jekhd9Kyo2CsmJlYbqZPXNwIxiHvyGJCdp0X56yDyvU=
-k8s.io/apimachinery v0.27.14 h1:jAIGvPbvAg4XJysK7JPFa6DdjTR6vts4/p4Q6ZrcQ+4=
-k8s.io/apimachinery v0.27.14/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
-k8s.io/client-go v0.27.14 h1:5KwfSakOTQFRlPru2Ql/wp1URjPgzoP7QpTlEH9a+ys=
-k8s.io/client-go v0.27.14/go.mod h1:cy+p3ijvbPQpdcwg01qnHBmkYDtbOatNC83anA9y18g=
+k8s.io/api v0.27.16 h1:70IBoTuiPfd+Tm68WH0tGXQRSQq0R1xnbyhTRe8WYQY=
+k8s.io/api v0.27.16/go.mod h1:5j0Cgo6X4qovBOu3OjzRwETDEYqMxq2qafhDQXOPy3A=
+k8s.io/apimachinery v0.27.16 h1:Nmbei3P/6w6vxbNxV8/sDCZz+TQrJ9A4+bVIRjDufuM=
+k8s.io/apimachinery v0.27.16/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
+k8s.io/client-go v0.27.16 h1:x06Jk6/SIQQ6kAsWs5uzQIkBLHtcAQlbTAgmj1tZzG0=
+k8s.io/client-go v0.27.16/go.mod h1:bPZUNRj8XsHa+JVS5jU6qeU2H/Za8+7riWA08FUjaA8=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -25,6 +25,9 @@ spec:
     - jsonPath: .spec.audience
       name: Audience
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -92,6 +95,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - audience

generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml

@@ -22,6 +22,9 @@ spec:
     - jsonPath: .spec.endpoint
       name: Endpoint
       type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -63,6 +66,39 @@ spec:
                     description: X.509 Certificate Authority (base64-encoded PEM bundle).
                       If omitted, a default set of system roots will be trusted.
                     type: string
+                  certificateAuthorityDataSource:
+                    description: |-
+                      Reference to a CA bundle in a secret or a configmap.
+                      Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key name within the secret or configmap from which to read the CA bundle.
+                          The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
+                          certificate bundle.
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: |-
+                          Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
+                          Allowed values are "Secret" or "ConfigMap".
+                          "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
+                          "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
+                        enum:
+                        - Secret
+                        - ConfigMap
+                        type: string
+                      name:
+                        description: |-
+                          Name is the resource name of the secret or configmap from which to read the CA bundle.
+                          The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
+                        minLength: 1
+                        type: string
+                    required:
+                    - key
+                    - kind
+                    - name
+                    type: object
                 type: object
             required:
             - endpoint