Merge pull request #2185 from vmware-tanzu/pinny/bump-deps

Bump dependencies
2026-02-19 20:40:14 +00:00 · 2025-01-15 12:21:55 -06:00 · 2025-01-15 10:07:13 -06:00 · 2025-01-14 11:04:42 -08:00 · 2025-01-14 09:40:48 -08:00 · 2025-01-14 09:03:06 -08:00
125 changed files with 781 additions and 817 deletions
--- a/11
+++ b/11
@@ -3,8 +3,8 @@
 # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-ARG BUILD_IMAGE=golang:1.23.4@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7
-ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6cd937e9155bdfd805d1b94e037f9d6a899603306030936a3b11680af0c2ed58
+ARG BUILD_IMAGE=golang:1.23.4@sha256:585103a29aa6d4c98bbb45d2446e1fdf41441698bbdf707d1801f5708e479f04
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02

 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
 FROM --platform=$BUILDPLATFORM $BUILD_IMAGE AS build-env
@@ -21,6 +21,9 @@ ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
 ARG TARGETOS
 ARG TARGETARCH

+# If provided, must be a comma-separated list of Go build tags.
+ARG ADDITIONAL_BUILD_TAGS
+
 # Build the statically linked (CGO_ENABLED=0) binary.
 # Mount source, build cache, and module cache for performance reasons.
 # See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
@@ -29,8 +32,8 @@ RUN \
  --mount=type=cache,target=/cache/gocache \
  --mount=type=cache,target=/cache/gomodcache \
  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \
-  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
-  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.26/README.adoc
+++ b/generated/1.26/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.28/README.adoc
+++ b/generated/1.28/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.29/README.adoc
+++ b/generated/1.29/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.29/apis/go.mod
+++ b/generated/1.29/apis/go.mod
@@ -4,8 +4,8 @@ module go.pinniped.dev/generated/1.29/apis
 go 1.21

 require (
-	k8s.io/api v0.29.11
-	k8s.io/apimachinery v0.29.11
+	k8s.io/api v0.29.12
+	k8s.io/apimachinery v0.29.12
 )

 require (
--- a/generated/1.29/apis/go.sum
+++ b/generated/1.29/apis/go.sum
@@ -75,10 +75,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.11 h1:6FwDo33f1WX5Yu0RQTX9YAd3wth8Ik0B4SXQKsoQfbk=
-k8s.io/api v0.29.11/go.mod h1:3TDAW1OpFbz/Yx5r0W06b6eiAfHEwtH61VYDzpTU4Ng=
-k8s.io/apimachinery v0.29.11 h1:55+6ue9advpA7T0sX2ZJDHCLKuiFfrAAR/39VQN9KEQ=
-k8s.io/apimachinery v0.29.11/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
+k8s.io/api v0.29.12 h1:SsEEMtFupOAt3pAAtAz0PDu+54g3L5rwbSCi0xQzAJM=
+k8s.io/api v0.29.12/go.mod h1:QFwqOP+7LNoAG1RI3vKAFxjKSLQTCamcPzAQ0Z/Yhuk=
+k8s.io/apimachinery v0.29.12 h1:k6OdfK9xaNANQvWkl1pSICJGLjB4jSuJ3gGP9hBKOhE=
+k8s.io/apimachinery v0.29.12/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
--- a/generated/1.29/client/go.mod
+++ b/generated/1.29/client/go.mod
@@ -7,8 +7,8 @@ replace go.pinniped.dev/generated/1.29/apis => ../apis

 require (
 	go.pinniped.dev/generated/1.29/apis v0.0.0
-	k8s.io/apimachinery v0.29.11
-	k8s.io/client-go v0.29.11
+	k8s.io/apimachinery v0.29.12
+	k8s.io/client-go v0.29.12
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
 )

@@ -44,7 +44,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.29.11 // indirect
+	k8s.io/api v0.29.12 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
--- a/generated/1.29/client/go.sum
+++ b/generated/1.29/client/go.sum
@@ -134,12 +134,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.11 h1:6FwDo33f1WX5Yu0RQTX9YAd3wth8Ik0B4SXQKsoQfbk=
-k8s.io/api v0.29.11/go.mod h1:3TDAW1OpFbz/Yx5r0W06b6eiAfHEwtH61VYDzpTU4Ng=
-k8s.io/apimachinery v0.29.11 h1:55+6ue9advpA7T0sX2ZJDHCLKuiFfrAAR/39VQN9KEQ=
-k8s.io/apimachinery v0.29.11/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
-k8s.io/client-go v0.29.11 h1:mBX7Ub0uqpLMwWz3J/AGS/xKOZsjr349qZ1vxVoL1l8=
-k8s.io/client-go v0.29.11/go.mod h1:WOEoi/eLg2YEg3/yEd7YK3CNScYkM8AEScQadxUnaTE=
+k8s.io/api v0.29.12 h1:SsEEMtFupOAt3pAAtAz0PDu+54g3L5rwbSCi0xQzAJM=
+k8s.io/api v0.29.12/go.mod h1:QFwqOP+7LNoAG1RI3vKAFxjKSLQTCamcPzAQ0Z/Yhuk=
+k8s.io/apimachinery v0.29.12 h1:k6OdfK9xaNANQvWkl1pSICJGLjB4jSuJ3gGP9hBKOhE=
+k8s.io/apimachinery v0.29.12/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
+k8s.io/client-go v0.29.12 h1:PjwJXavmpAqOWBRy4U5V/g3JQBpclIHEn5dvfTfsY+w=
+k8s.io/client-go v0.29.12/go.mod h1:hRHG6tAKxaLVKF5SlMqgXrbqPEoUcUpJGFFrC3jU69A=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
--- a/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.29/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.29/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.29/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.29/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.29/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.30/README.adoc
+++ b/generated/1.30/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.30/apis/go.mod
+++ b/generated/1.30/apis/go.mod
@@ -6,8 +6,8 @@ go 1.22.0
 toolchain go1.23.4

 require (
-	k8s.io/api v0.30.7
-	k8s.io/apimachinery v0.30.7
+	k8s.io/api v0.30.8
+	k8s.io/apimachinery v0.30.8
 )

 require (
--- a/generated/1.30/apis/go.sum
+++ b/generated/1.30/apis/go.sum
@@ -75,10 +75,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.30.7 h1:wB2eHI+IptVYsz5WsAQpI6+Dqi3+11wEWBqIh4fh980=
-k8s.io/api v0.30.7/go.mod h1:bR0EwbmhYmJvUoeza7ZzBUmYCrVXccQ9JOdfv0BxhH0=
-k8s.io/apimachinery v0.30.7 h1:CoQFxvzPFKwU1eJGN/8LgM3ZJBC3hKgvwGqRrL43uIY=
-k8s.io/apimachinery v0.30.7/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/api v0.30.8 h1:Y+yZRF3c1WC0MTkLe0qBkiLCquRNa4I21/iDioGMCbo=
+k8s.io/api v0.30.8/go.mod h1:89IE5MzirZ5HHxU/Hq1/KWGqXkhXClu/FHGesFhQ0A4=
+k8s.io/apimachinery v0.30.8 h1:9jyTItYzmJc00cBDxZC5ArFNxUeKCwbw0m760iFUMKY=
+k8s.io/apimachinery v0.30.8/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
--- a/generated/1.30/client/go.mod
+++ b/generated/1.30/client/go.mod
@@ -9,8 +9,8 @@ replace go.pinniped.dev/generated/1.30/apis => ../apis

 require (
 	go.pinniped.dev/generated/1.30/apis v0.0.0
-	k8s.io/apimachinery v0.30.7
-	k8s.io/client-go v0.30.7
+	k8s.io/apimachinery v0.30.8
+	k8s.io/client-go v0.30.8
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 )

@@ -46,7 +46,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.30.7 // indirect
+	k8s.io/api v0.30.8 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
--- a/generated/1.30/client/go.sum
+++ b/generated/1.30/client/go.sum
@@ -134,12 +134,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.30.7 h1:wB2eHI+IptVYsz5WsAQpI6+Dqi3+11wEWBqIh4fh980=
-k8s.io/api v0.30.7/go.mod h1:bR0EwbmhYmJvUoeza7ZzBUmYCrVXccQ9JOdfv0BxhH0=
-k8s.io/apimachinery v0.30.7 h1:CoQFxvzPFKwU1eJGN/8LgM3ZJBC3hKgvwGqRrL43uIY=
-k8s.io/apimachinery v0.30.7/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/client-go v0.30.7 h1:DQRfuGWxDzxPEyyiTE/fxzAsZcj2p9sbc5671njR52w=
-k8s.io/client-go v0.30.7/go.mod h1:oED9+njB91ExCc4BNPAotniB7WH1ig7CmiBx5pVA1yw=
+k8s.io/api v0.30.8 h1:Y+yZRF3c1WC0MTkLe0qBkiLCquRNa4I21/iDioGMCbo=
+k8s.io/api v0.30.8/go.mod h1:89IE5MzirZ5HHxU/Hq1/KWGqXkhXClu/FHGesFhQ0A4=
+k8s.io/apimachinery v0.30.8 h1:9jyTItYzmJc00cBDxZC5ArFNxUeKCwbw0m760iFUMKY=
+k8s.io/apimachinery v0.30.8/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.8 h1:fC1SQMZm7bSWiVv9ydN+nv+sqGVAxMdf/5eKUVffNJE=
+k8s.io/client-go v0.30.8/go.mod h1:daF3UcGVqGPHvH5mn/ESkp/VoR8i9tg9IBfKr+AeFYo=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
--- a/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.30/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.30/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.30/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.30/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.30/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.31/README.adoc
+++ b/generated/1.31/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/generated/1.31/apis/go.mod
+++ b/generated/1.31/apis/go.mod
@@ -6,8 +6,8 @@ go 1.22.0
 toolchain go1.23.4

 require (
-	k8s.io/api v0.31.3
-	k8s.io/apimachinery v0.31.3
+	k8s.io/api v0.31.4
+	k8s.io/apimachinery v0.31.4
 )

 require (
--- a/generated/1.31/apis/go.sum
+++ b/generated/1.31/apis/go.sum
@@ -81,10 +81,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8=
-k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE=
-k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
-k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM=
+k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw=
+k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM=
+k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
--- a/generated/1.31/client/go.mod
+++ b/generated/1.31/client/go.mod
@@ -9,9 +9,9 @@ replace go.pinniped.dev/generated/1.31/apis => ../apis

 require (
 	go.pinniped.dev/generated/1.31/apis v0.0.0
-	k8s.io/api v0.31.3
-	k8s.io/apimachinery v0.31.3
-	k8s.io/client-go v0.31.3
+	k8s.io/api v0.31.4
+	k8s.io/apimachinery v0.31.4
+	k8s.io/client-go v0.31.4
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 )

--- a/generated/1.31/client/go.sum
+++ b/generated/1.31/client/go.sum
@@ -136,12 +136,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8=
-k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE=
-k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
-k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
-k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4=
-k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs=
+k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM=
+k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw=
+k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM=
+k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/client-go v0.31.4 h1:t4QEXt4jgHIkKKlx06+W3+1JOwAFU/2OPiOo7H92eRQ=
+k8s.io/client-go v0.31.4/go.mod h1:kvuMro4sFYIa8sulL5Gi5GFqUPvfH2O/dXuKstbaaeg=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
--- a/generated/1.31/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.31/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: jwtauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.31/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/generated/1.31/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: webhookauthenticators.authentication.concierge.pinniped.dev
 spec:
  group: authentication.concierge.pinniped.dev
--- a/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.31/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: credentialissuers.config.concierge.pinniped.dev
 spec:
  group: config.concierge.pinniped.dev
--- a/generated/1.31/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.31/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: federationdomains.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.31/crds/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/generated/1.31/crds/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcclients.config.supervisor.pinniped.dev
 spec:
  group: config.supervisor.pinniped.dev
--- a/generated/1.31/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/generated/1.31/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.31/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/generated/1.31/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: githubidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.31/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/generated/1.31/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: ldapidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/1.31/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.31/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
  name: oidcidentityproviders.idp.supervisor.pinniped.dev
 spec:
  group: idp.supervisor.pinniped.dev
--- a/generated/latest/README.adoc
+++ b/generated/latest/README.adoc
@@ -65,7 +65,6 @@ certificate bundle. +

 JWTAuthenticator describes the configuration of a JWT authenticator.

-
 Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
 signature, existence of claims, etc.) and extract the username and groups from the token.

@@ -566,7 +565,6 @@ ImpersonationProxyServiceSpec describes how the Concierge should provision a Ser
 | Field | Description
 | *`type`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-concierge-config-v1alpha1-impersonationproxyservicetype[$$ImpersonationProxyServiceType$$]__ | Type specifies the type of Service to provision for the impersonation proxy. +

-
 If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty +
 value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. +
 | *`loadBalancerIP`* __string__ | LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. +
@@ -609,11 +607,9 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will +
 be served using the external name of the LoadBalancer service or the cluster service DNS name. +

-
 This field must be non-empty when spec.impersonationProxy.service.type is "None". +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +

-
 If this field is empty, the impersonation proxy will generate its own TLS certificate. +
 |===

@@ -624,11 +620,9 @@ If this field is empty, the impersonation proxy will generate its own TLS certif
 ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 serve TLS.

-
 If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
 for a field called "ca.crt", which will be used as the CertificateAuthorityData.

-
 If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
 the impersonation proxy endpoint.

@@ -812,13 +806,11 @@ the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer i
 https://example.com/foo, then your authorization endpoint will look like +
 https://example.com/foo/some/path/to/auth/endpoint). +

-
 See +
 https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. +
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. +
 | *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. +

-
 An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, +
 how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to +
 extract a normalized user identity. Normalized user identities include a username and a list of group names. +
@@ -831,7 +823,6 @@ rejection policies. Even though a user was able to authenticate with the identit
 the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could +
 disallow the authentication unless the user belongs to a specific group in the identity provider. +

-
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, +
 an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which +
 exist in the same namespace, but also to reject all authentication requests when there is more than one identity +
@@ -880,21 +871,17 @@ the TLS serving certificate for the HTTPS endpoints served by this FederationDom
 named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use +
 for TLS. +

-
 Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. +

-
 SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. +
 SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same +
 SecretName value even if they have different port numbers. +

-
 SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is +
 configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). +
 It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to +
 use the default TLS certificate, which is configured elsewhere. +

-
 When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +
 |===

@@ -919,14 +906,12 @@ Each is a CEL expression. It may use the basic CEL language as defined in +
 https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in +
 https://github.com/google/cel-go/tree/master/ext#strings. +

-
 The username and groups extracted from the identity provider, and the constants defined in this CR, are +
 available as variables in all expressions. The username is provided via a variable called `username` and +
 the list of group names is provided via a variable called `groups` (which may be an empty list). +
 Each user-provided constants is provided via a variable named `strConst.varName` for string constants +
 and `strListConst.varName` for string list constants. +

-
 The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. +
 Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated +
 and the authentication attempt is rejected. +
@@ -939,7 +924,6 @@ groups list. +
 Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. +
 After each expression, the new (potentially changed) username or groups get passed to the following expression. +

-
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. +
 During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the +
 authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username +
@@ -1109,7 +1093,6 @@ Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking
 | *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this +
 client. +

-
 Must only contain the following values: +
 - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to +
 authenticate users. This grant must always be listed. +
@@ -1120,7 +1103,6 @@ which is a step in the process to be able to get a cluster credential for the us
 This grant must be listed if allowedScopes lists pinniped:request-audience. +
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +

-
 Must only contain the following values: +
 - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). +
 This scope must always be listed. +
@@ -1532,21 +1514,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
@@ -1797,10 +1776,8 @@ GitHubClaims allows customization of the username and groups claims.
 | Field | Description
 | *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +

-
 Can be either "id", "login", or "login:id". Defaults to "login:id". +

-
 GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
 and may not start or end with hyphens. GitHub users are allowed to change their login name, +
 although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
@@ -1808,41 +1785,32 @@ then a second user might change their name from "baz" to "foo" in order to take
 username of the first user. For this reason, it is not as safe to make authorization decisions +
 based only on the user's login attribute. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these usernames are presented to Kubernetes. +

-
 Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
 unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
 from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
 choice to concatenate the two values. +

-
 See the response schema for +
 [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
 | *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +

-
 Can be either "name" or "slug". Defaults to "slug". +

-
 GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +

-
 GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +

-
 Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
 forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
 or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
 the team name or slug. +

-
 If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
 FederationDomain to further customize how these group names are presented to Kubernetes. +

-
 See the response schema for +
 [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
 |===
@@ -1865,7 +1833,6 @@ for web-based login flows.
 | *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
 clientSecret for an GitHub App or GitHub OAuth2 client. +

-
 This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
 |===

@@ -1890,7 +1857,6 @@ names to present to Kubernetes. See the response schema for
 GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
 This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

-
 Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
 as OIDCClients.

@@ -1977,10 +1943,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
 | *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-31-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
 Defaults to "OnlyUsersFromAllowedOrganizations". +

-
 Must be set to "AllGitHubUsers" if the allowed field is empty. +

-
 This field only exists to ensure that Pinniped administrators are aware that an empty list of +
 allowedOrganizations means all GitHub users are allowed to log in. +
 | *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
@@ -1988,12 +1952,10 @@ GitHub organizations may log in. In addition, the group membership presented to
 teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
 provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +

-
 The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
 otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
 within that organization. +

-
 If no organizations are listed, you must set organizations: AllGitHubUsers. +
 |===

@@ -2095,21 +2057,18 @@ group membership is often used to bind authorization policies, it is important +
 to keep the groups observed in Kubernetes clusters in-sync with the identity +
 provider. +

-
 In some environments, frequent group membership queries may result in a +
 significant performance impact on the identity provider and/or the supervisor. +
 The best approach to handle performance impacts is to tweak the group query +
 to be more performant, for example by disabling nested group search or by +
 using a more targeted group search base. +

-
 If the group search query cannot be made performant and you are willing to +
 have group memberships remain static for approximately a day, then set +
 skipGroupRefresh to true.  This is an insecure configuration as authorization +
 policies that are bound to group membership will not notice if a user has +
 been removed from a particular group until their next login. +

-
 This is an experimental feature that may be removed or significantly altered +
 in the future.  Consumers of this configuration should carefully read all +
 release notes before upgrading to ensure that the meaning of this field has +
--- a/go.mod
+++ b/go.mod
@@ -1,31 +1,32 @@
 module go.pinniped.dev

-go 1.23
+go 1.23.0

 toolchain go1.23.4

-// see https://github.com/kubernetes/apimachinery/blob/v0.31.2/go.mod#L30
+// When using v0.31.4, need to use this version of structured-merge-diff.
+// See https://github.com/kubernetes/apimachinery/blob/v0.31.4/go.mod#L30
 replace sigs.k8s.io/structured-merge-diff/v4 => sigs.k8s.io/structured-merge-diff/v4 v4.4.1

 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
-	github.com/chromedp/cdproto v0.0.0-20241208230723-d1c7de7e5dd2
+	github.com/chromedp/cdproto v0.0.0-20250113203156-3ff4b409e0d4
 	github.com/chromedp/chromedp v0.11.2
-	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/coreos/go-semver v0.3.1
 	github.com/creack/pty v1.1.24
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/felixge/httpsnoop v1.0.4
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/go-jose/go-jose/v4 v4.0.4
-	github.com/go-ldap/ldap/v3 v3.4.8
+	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/stdr v1.2.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/gofrs/flock v0.12.1
 	github.com/google/cel-go v0.22.1
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-github/v67 v67.0.0
+	github.com/google/go-github/v68 v68.0.0
 	github.com/google/gofuzz v1.2.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/securecookie v1.1.2
@@ -33,33 +34,33 @@ require (
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531
 	github.com/migueleliasweb/go-github-mock v1.1.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/ory/fosite v0.48.1-0.20241204153806-6c26dc54eb64
+	github.com/ory/fosite v0.49.1-0.20250102135636-049ed1924cd0
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.10.0
-	github.com/tdewolff/minify/v2 v2.21.2
+	github.com/tdewolff/minify/v2 v2.21.3
 	go.uber.org/mock v0.5.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.30.0
-	golang.org/x/net v0.32.0
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/crypto v0.32.0
+	golang.org/x/net v0.34.0
+	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sync v0.10.0
-	golang.org/x/term v0.27.0
+	golang.org/x/term v0.28.0
 	golang.org/x/text v0.21.0
-	k8s.io/api v0.31.3
-	k8s.io/apiextensions-apiserver v0.31.3
-	k8s.io/apimachinery v0.31.3
-	k8s.io/apiserver v0.31.3
-	k8s.io/client-go v0.31.3
-	k8s.io/component-base v0.31.3
-	k8s.io/gengo v0.0.0-20240911193312-2b36238f13e9
+	k8s.io/api v0.31.4
+	k8s.io/apiextensions-apiserver v0.31.4
+	k8s.io/apimachinery v0.31.4
+	k8s.io/apiserver v0.31.4
+	k8s.io/client-go v0.31.4
+	k8s.io/component-base v0.31.4
+	k8s.io/gengo v0.0.0-20250106234829-0359904fc2a6
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-aggregator v0.31.3
-	k8s.io/kube-openapi v0.0.0-20241127205056-99599406b04f
-	k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078
+	k8s.io/kube-aggregator v0.31.4
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
+	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	sigs.k8s.io/yaml v1.4.0
 )

@@ -81,9 +82,9 @@ require (
 	github.com/dgraph-io/ristretto v1.0.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -100,7 +101,7 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -113,15 +114,15 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/goveralls v0.0.12 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/spdystream v0.4.0 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/openzipkin/zipkin-go v0.4.2 // indirect
+	github.com/openzipkin/zipkin-go v0.4.3 // indirect
 	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
-	github.com/ory/x v0.0.665 // indirect
+	github.com/ory/x v0.0.677 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
@@ -136,38 +137,38 @@ require (
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.16.0 // indirect
-	github.com/stoewer/go-strcase v1.2.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/tdewolff/parse/v2 v2.7.19 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.14 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.14 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.16 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
-	go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.57.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.32.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.32.0 // indirect
+	go.opentelemetry.io/contrib/samplers/jaegerremote v0.26.0 // indirect
+	go.opentelemetry.io/otel v1.32.0 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 // indirect
-	go.opentelemetry.io/otel/exporters/zipkin v1.21.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/zipkin v1.32.0 // indirect
+	go.opentelemetry.io/otel/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.32.0 // indirect
+	go.opentelemetry.io/otel/trace v1.32.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/time v0.4.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/grpc v1.65.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -176,8 +177,8 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.31.3 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	k8s.io/kms v0.32.0 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -65,8 +65,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chromedp/cdproto v0.0.0-20241208230723-d1c7de7e5dd2 h1:fJob5N/Eprtd427U84kFpQhAHIEqJYuDzveaL6T4Xsk=
-github.com/chromedp/cdproto v0.0.0-20241208230723-d1c7de7e5dd2/go.mod h1:4XqMl3iIW08jtieURWL6Tt5924w21pxirC6th662XUM=
+github.com/chromedp/cdproto v0.0.0-20250113203156-3ff4b409e0d4 h1:xO38R20PvryeuBgQYnRU3WsNXFtr/iMyQVJednQVoZw=
+github.com/chromedp/cdproto v0.0.0-20250113203156-3ff4b409e0d4/go.mod h1:4XqMl3iIW08jtieURWL6Tt5924w21pxirC6th662XUM=
 github.com/chromedp/chromedp v0.11.2 h1:ZRHTh7DjbNTlfIv3NFTbB7eVeu5XCNkgrpcGSpn2oX0=
 github.com/chromedp/chromedp v0.11.2/go.mod h1:lr8dFRLKsdTTWb75C/Ttol2vnBKOSnt0BW8R9Xaupi8=
 github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
@@ -81,8 +81,8 @@ github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnht
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
-github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -123,12 +123,12 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
 github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
-github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -137,8 +137,8 @@ github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQr
 github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
-github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -246,8 +246,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v64 v64.0.0 h1:4G61sozmY3eiPAjjoOHponXDBONm+utovTKbyUb2Qdg=
 github.com/google/go-github/v64 v64.0.0/go.mod h1:xB3vqMQNdHzilXBiO2I+M7iEFtHf+DP/omBOv6tQzVo=
-github.com/google/go-github/v67 v67.0.0 h1:g11NDAmfaBaCO8qYdI9fsmbaRipHNWRIU/2YGvlh4rg=
-github.com/google/go-github/v67 v67.0.0/go.mod h1:zH3K7BxjFndr9QSeFibx4lTKkYS3K9nDanoI1NjaOtY=
+github.com/google/go-github/v68 v68.0.0 h1:ZW57zeNZiXTdQ16qrDiZ0k6XucrxZ2CGmoTvcCyQG6s=
+github.com/google/go-github/v68 v68.0.0/go.mod h1:K9HAUBovM2sLwM408A18h+wd9vqdLOEqTUCbnRIcx68=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -267,8 +267,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k=
-github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
+github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM=
+github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -291,8 +291,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
@@ -439,8 +439,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8=
-github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
+github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -460,12 +460,12 @@ github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/openzipkin/zipkin-go v0.4.2 h1:zjqfqHjUpPmB3c1GlCvvgsM1G4LkvqQbBDueDOCg/jA=
-github.com/openzipkin/zipkin-go v0.4.2/go.mod h1:ZeVkFjuuBiSy13y8vpSDCjMi9GoI3hPpCJSBx/EYFhY=
+github.com/openzipkin/zipkin-go v0.4.3 h1:9EGwpqkgnwdEIJ+Od7QVSEIH+ocmm5nPat0G7sjsSdg=
+github.com/openzipkin/zipkin-go v0.4.3/go.mod h1:M9wCJZFWCo2RiY+o1eBCEMe0Dp2S5LDHcMZmk3RmK7c=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde h1:x0TT0RDC7UhAVbbWWBzr41ElhJx5tXPWkIHA2HWPRuw=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
-github.com/ory/fosite v0.48.1-0.20241204153806-6c26dc54eb64 h1:EFceZAYrvvkh/ODW4EpNWLbVoRbNv2tDmxKDGqhrpS8=
-github.com/ory/fosite v0.48.1-0.20241204153806-6c26dc54eb64/go.mod h1:M+C+Ng1UDNgwX4SaErnuZwEw26uDN7I3kNUt0WyValI=
+github.com/ory/fosite v0.49.1-0.20250102135636-049ed1924cd0 h1:/nSkF1lW5wwD2bfUy8PRPVoFTLl1am/sZlX2gkgnepA=
+github.com/ory/fosite v0.49.1-0.20250102135636-049ed1924cd0/go.mod h1:6XCoaTdHP3fF76sy6uLFfUCTjgJNdNspjny7azuTxoQ=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe h1:rvu4obdvqR0fkSIJ8IfgzKOWwZ5kOT2UNfLq81Qk7rc=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe/go.mod h1:z4n3u6as84LbV4YmgjHhnwtccQqzf4cZlSk9f1FhygI=
 github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8=
@@ -474,8 +474,8 @@ github.com/ory/herodot v0.10.2 h1:gGvNMHgAwWzdP/eo+roSiT5CGssygHSjDU7MSQNlJ4E=
 github.com/ory/herodot v0.10.2/go.mod h1:MMNmY6MG1uB6fnXYFaHoqdV23DTWctlPsmRCeq/2+wc=
 github.com/ory/jsonschema/v3 v3.0.8 h1:Ssdb3eJ4lDZ/+XnGkvQS/te0p+EkolqwTsDOCxr/FmU=
 github.com/ory/jsonschema/v3 v3.0.8/go.mod h1:ZPzqjDkwd3QTnb2Z6PAS+OTvBE2x5i6m25wCGx54W/0=
-github.com/ory/x v0.0.665 h1:61vv0ObCDSX1vOQYbxBeqDiv4YiPmMT91lYxDaaKX08=
-github.com/ory/x v0.0.665/go.mod h1:7SCTki3N0De3ZpqlxhxU/94ZrOCfNEnXwVtd0xVt+L8=
+github.com/ory/x v0.0.677 h1:ZulzE4EBhNBXNotWmGSmGsVNbgbZpIr4snMURRkski0=
+github.com/ory/x v0.0.677/go.mod h1:zJmnDtKje2FCP4EeFvRsKk94XXiqKCSGJMZcirAfhUs=
 github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
 github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -501,8 +501,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
@@ -538,8 +538,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
-github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -561,8 +561,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdewolff/minify/v2 v2.21.2 h1:VfTvmGVtBYhMTlUAeHtXM7XOsW0JT/6uMwUPPqgUs9k=
-github.com/tdewolff/minify/v2 v2.21.2/go.mod h1:Olje3eHdBnrMjINKffDsil/3NV98Iv7MhWf7556WQVg=
+github.com/tdewolff/minify/v2 v2.21.3 h1:KmhKNGrN/dGcvb2WDdB5yA49bo37s+hcD8RiF+lioV8=
+github.com/tdewolff/minify/v2 v2.21.3/go.mod h1:iGxHaGiONAnsYuo8CRyf8iPUcqRJVB/RhtEcTpqS7xw=
 github.com/tdewolff/parse/v2 v2.7.19 h1:7Ljh26yj+gdLFEq/7q9LT4SYyKtwQX4ocNrj45UCePg=
 github.com/tdewolff/parse/v2 v2.7.19/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
 github.com/tdewolff/test v1.0.11-0.20231101010635-f1265d231d52/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
@@ -593,14 +593,14 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
-go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0=
-go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU=
-go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ=
-go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI=
+go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0=
+go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E=
 go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8=
 go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg=
-go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg=
-go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk=
+go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE=
+go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50=
 go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M=
 go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0=
 go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA=
@@ -615,34 +615,34 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 h1:gbhw/u49SS3gkPWiYweQNJGm/uJN5GkI/FrosxSHT7A=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/contrib/propagators/b3 v1.21.0 h1:uGdgDPNzwQWRwCXJgw/7h29JaRqcq9B87Iv4hJDKAZw=
-go.opentelemetry.io/contrib/propagators/b3 v1.21.0/go.mod h1:D9GQXvVGT2pzyTfp1QBOnD1rzKEWzKjjwu5q2mslCUI=
-go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 h1:f4beMGDKiVzg9IcX7/VuWVy+oGdjx3dNJ72YehmtY5k=
-go.opentelemetry.io/contrib/propagators/jaeger v1.21.1/go.mod h1:U9jhkEl8d1LL+QXY7q3kneJWJugiN3kZJV2OWz3hkBY=
-go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 h1:Qb+5A+JbIjXwO7l4HkRUhgIn4Bzz0GNS2q+qdmSx+0c=
-go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1/go.mod h1:G4vNCm7fRk0kjZ6pGNLo5SpLxAUvOfSrcaegnT8TPck=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.57.0 h1:7F3XCD6WYzDkwbi8I8N+oYJWquPVScnRosKGgqjsR8c=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.57.0/go.mod h1:Dk3C0BfIlZDZ5c6eVS7TYiH2vssuyUU3vUsgbrR+5V4=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0/go.mod h1:wZcGmeVO9nzP67aYSLDqXNWK87EZWhi7JWj1v7ZXf94=
+go.opentelemetry.io/contrib/propagators/b3 v1.32.0 h1:MazJBz2Zf6HTN/nK/s3Ru1qme+VhWU5hm83QxEP+dvw=
+go.opentelemetry.io/contrib/propagators/b3 v1.32.0/go.mod h1:B0s70QHYPrJwPOwD1o3V/R8vETNOG9N3qZf4LDYvA30=
+go.opentelemetry.io/contrib/propagators/jaeger v1.32.0 h1:K/fOyTMD6GELKTIJBaJ9k3ppF2Njt8MeUGBOwfaWXXA=
+go.opentelemetry.io/contrib/propagators/jaeger v1.32.0/go.mod h1:ISE6hda//MTWvtngG7p4et3OCngsrTVfl7c6DjN17f8=
+go.opentelemetry.io/contrib/samplers/jaegerremote v0.26.0 h1:/SKXyZLAnuj981HVc8G5ZylYK3qD2W6AYR6cJx5kIHw=
+go.opentelemetry.io/contrib/samplers/jaegerremote v0.26.0/go.mod h1:cOEzME0M2OKeHB45lJiOKfvUCdg/r75mf7YS5w0tbmE=
+go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
 go.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=
 go.opentelemetry.io/otel/exporters/jaeger v1.17.0/go.mod h1:nPCqOnEH9rNLKqH/+rrUjiMzHJdV1BlpKcTwRTyKkKI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0 h1:IJFEoHiytixx8cMiVAO+GmHR6Frwu+u5Ur8njpFO6Ac=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0/go.mod h1:3rHrKNtLIoS0oZwkY2vxi+oJcwFRWdtUyRII+so45p8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I=
-go.opentelemetry.io/otel/exporters/zipkin v1.21.0 h1:D+Gv6lSfrFBWmQYyxKjDd0Zuld9SRXpIrEsKZvE4DO4=
-go.opentelemetry.io/otel/exporters/zipkin v1.21.0/go.mod h1:83oMKR6DzmHisFOW3I+yIMGZUTjxiWaiBI8M8+TU5zE=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 h1:cMyu9O88joYEaI47CnQkxO1XZdpoTF9fEnW2duIddhw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0/go.mod h1:6Am3rn7P9TVVeXYG+wtcGE7IE1tsQ+bP3AuWcKt/gOI=
+go.opentelemetry.io/otel/exporters/zipkin v1.32.0 h1:6O8HgLHPXtXE9QEKEWkBImL9mEKCGEl+m+OncVO53go=
+go.opentelemetry.io/otel/exporters/zipkin v1.32.0/go.mod h1:+MFvorlowjy0iWnsKaNxC1kzczSxe71mw85h4p8yEvg=
+go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
+go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
+go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -678,10 +678,12 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
-golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -721,8 +723,11 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
-golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -764,10 +769,12 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -777,8 +784,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -793,6 +800,9 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -849,10 +859,13 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -860,10 +873,12 @@ golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -874,14 +889,16 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.4.0 h1:Z81tqI5ddIoXDPvVQ7/7CC9TnLM7ubaFG2qXYd5BbYY=
-golang.org/x/time v0.4.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -941,8 +958,10 @@ golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1011,12 +1030,12 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ=
-google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 h1:YcyjlL1PRr2Q17/I0dPk2JmYS5CDXfcdb2Z3YRioEbw=
-google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:OCdP9MfskevB/rbYvHTsXTtKC+3bHWajPdoKgjcYkfo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 h1:2035KHhUv+EpyB+hWgJnaWKJOdX1E95w2S8Rr4uWKTs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1033,8 +1052,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1080,38 +1099,38 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8=
-k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE=
-k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE=
-k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4=
-k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
-k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
-k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY=
-k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg=
-k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4=
-k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs=
-k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ=
-k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU=
-k8s.io/gengo v0.0.0-20240911193312-2b36238f13e9 h1:B0l8GxRsVc/tP/uCLBQdAjf2nBARx6u/r2OGuL/CyXQ=
-k8s.io/gengo v0.0.0-20240911193312-2b36238f13e9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM=
+k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw=
+k8s.io/apiextensions-apiserver v0.31.4 h1:FxbqzSvy92Ca9DIs5jqot883G0Ln/PGXfm/07t39LS0=
+k8s.io/apiextensions-apiserver v0.31.4/go.mod h1:hIW9YU8UsqZqIWGG99/gsdIU0Ar45Qd3A12QOe/rvpg=
+k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM=
+k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apiserver v0.31.4 h1:JbtnTaXVYEAYIHJil6Wd74Wif9sd8jVcBw84kwEmp7o=
+k8s.io/apiserver v0.31.4/go.mod h1:JJjoTjZ9PTMLdIFq7mmcJy2B9xLN3HeAUebW6xZyIP0=
+k8s.io/client-go v0.31.4 h1:t4QEXt4jgHIkKKlx06+W3+1JOwAFU/2OPiOo7H92eRQ=
+k8s.io/client-go v0.31.4/go.mod h1:kvuMro4sFYIa8sulL5Gi5GFqUPvfH2O/dXuKstbaaeg=
+k8s.io/component-base v0.31.4 h1:wCquJh4ul9O8nNBSB8N/o8+gbfu3BVQkVw9jAUY/Qtw=
+k8s.io/component-base v0.31.4/go.mod h1:G4dgtf5BccwiDT9DdejK0qM6zTK0jwDGEKnCmb9+u/s=
+k8s.io/gengo v0.0.0-20250106234829-0359904fc2a6 h1:1+JP7kneHC0+mprySiI1c9c9QsBsXMMaozt6+asWx3Y=
+k8s.io/gengo v0.0.0-20250106234829-0359904fc2a6/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.31.3 h1:XCFmiJn5CCKs8xoOLpCmu42Ubm/KW85wNHybGFcSAYc=
-k8s.io/kms v0.31.3/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94=
-k8s.io/kube-aggregator v0.31.3 h1:DqHPdTglJHgOfB884AaroyxrML/aL82ASYOh65m7MSk=
-k8s.io/kube-aggregator v0.31.3/go.mod h1:Kx59Xjnf0SnY47qf9Or++4y3XCHQ3kR0xk1Di6KFiFU=
-k8s.io/kube-openapi v0.0.0-20241127205056-99599406b04f h1:nLHvOvs1CZ+FAEwR4EqLeRLfbtWQNlIu5g393Hq/1UM=
-k8s.io/kube-openapi v0.0.0-20241127205056-99599406b04f/go.mod h1:iZjdMQzunI7O/sUrf/5WRX1gvaAIam32lKx9+paoLbU=
-k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno=
-k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kms v0.32.0 h1:jwOfunHIrcdYl5FRcA+uUKKtg6qiqoPCwmS2T3XTYL4=
+k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM=
+k8s.io/kube-aggregator v0.31.4 h1:4hWVeNo4vLWstckMCo223cb9j7cCt7KD6b+RhQ8hTNE=
+k8s.io/kube-aggregator v0.31.4/go.mod h1:R1wXjopE/VgW947R1axTzwEmyuatUp/a2lKn/ZGo2yo=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
+k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -16,8 +16,8 @@
 # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
 # and https://kupczynski.info/posts/fips-golang/ for details.

-ARG BUILD_IMAGE=golang:1.23.4@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7
-ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6cd937e9155bdfd805d1b94e037f9d6a899603306030936a3b11680af0c2ed58
+ARG BUILD_IMAGE=golang:1.23.4@sha256:585103a29aa6d4c98bbb45d2446e1fdf41441698bbdf707d1801f5708e479f04
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02

 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build
 # platform-specific GCO code. This makes multi-arch builds slow due to target platform emulation.
@@ -35,6 +35,9 @@ ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
 ARG TARGETOS
 ARG TARGETARCH

+# If provided, must be a comma-separated list of Go build tags.
+ARG ADDITIONAL_BUILD_TAGS
+
 # Build the executable binary (CGO_ENABLED=1 is required for go boring).
 # Even though we need cgo to call the boring crypto C functions, these
 # functions are statically linked into the binary.  We also want to statically
@@ -59,8 +62,8 @@ RUN \
  --mount=type=cache,target=/cache/gocache \
  --mount=type=cache,target=/cache/gomodcache \
  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=1 GOOS=$TARGETOS GOARCH=$TARGETARCH GOEXPERIMENT=boringcrypto && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  go build -tags fips_strict,osusergo,netgo,$ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -tags fips_strict,osusergo,netgo,$ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
--- a/hack/lib/kube-versions.txt
+++ b/hack/lib/kube-versions.txt
@@ -12,9 +12,9 @@
 # Whenever a new version is added to this file, or when a version number
 # is edited in this file, please run hack/update.sh.
 #
-1.31.3
-1.30.7
-1.29.11
+1.31.4
+1.30.8
+1.29.12
 1.28.15
 1.27.16
 1.26.15
--- a/hack/lib/lint-version.txt
+++ b/hack/lib/lint-version.txt
@@ -1 +1 @@
-1.61.0
+1.63.4
--- a/hack/update-go-mod/overrides.conf
+++ b/hack/update-go-mod/overrides.conf
@@ -3,3 +3,18 @@

 # Fosite has not had a release for a long time, so use the head of their main branch.
 github.com/ory/fosite github.com/ory/fosite@master
+
+# Temporarily prevent upgrading the Kube packages due to a bug in v0.32.0 which
+# causes the race detector to fail our unit tests. We hope to remove these
+# version locks as soon as possible.
+# See https://github.com/vmware-tanzu/pinniped/issues/2157.
+k8s.io/api k8s.io/api@v0.31.4
+k8s.io/apiextensions-apiserver k8s.io/apiextensions-apiserver@v0.31.4
+k8s.io/apimachinery k8s.io/apimachinery@v0.31.4
+k8s.io/apiserver k8s.io/apiserver@v0.31.4
+k8s.io/client-go k8s.io/client-go@v0.31.4
+k8s.io/component-base k8s.io/component-base@v0.31.4
+k8s.io/kube-aggregator k8s.io/kube-aggregator@v0.31.4
+# When using v0.31.4, need to use this version of kube-openapi.
+# See https://github.com/kubernetes/apiserver/blob/v0.31.4/go.mod#L54
+k8s.io/kube-openapi k8s.io/kube-openapi@v0.0.0-20240228011516-70dd3763d340
--- a/internal/controllerlib/test/integration/examplecontroller/controller/creating.go
+++ b/internal/controllerlib/test/integration/examplecontroller/controller/creating.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package controller
@@ -20,7 +20,6 @@ import (
 	"go.pinniped.dev/internal/plog"
 )

-//nolint:funlen
 func NewExampleCreatingController(
 	services corev1informers.ServiceInformer,
 	secrets corev1informers.SecretInformer,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Joshua Casey	2ab11dccfc	Merge pull request #2185 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-15 12:21:55 -06:00
Pinny	d64b4677b9	Bump dependencies	2025-01-15 10:07:13 -06:00
Ryan Richard	f040f098dc	rerun codegen after bumping controller-gen and crd-ref-docs	2025-01-14 11:04:42 -08:00
Ryan Richard	abe3391cce	use github.Ptr where deprecated github.String and github.Int64 were used	2025-01-14 09:40:48 -08:00
Ryan Richard	6ae27c87f6	upgrade dep to github.com/google/go-github/v68/github	2025-01-14 09:03:06 -08:00
Joshua Casey	3d2446d235	Merge pull request #2182 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-14 09:54:48 -06:00
Pinny	4f01b3157f	Bump dependencies	2025-01-14 14:06:38 +00:00
Joshua Casey	14e728aa0d	Merge pull request #2177 from vmware-tanzu/doc_updates Doc updates	2025-01-13 16:33:32 -06:00
Joshua Casey	4a266a44db	Merge pull request #2181 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-13 16:20:07 -06:00
Pinny	900db0d3a3	Bump dependencies	2025-01-13 14:00:50 +00:00
Joshua Casey	8b95b141b2	Merge pull request #2179 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-13 07:10:57 -06:00
Pinny	5a9f2f3181	Bump dependencies	2025-01-10 14:02:04 +00:00
Ryan Richard	4f43f01e55	update architecture.md	2025-01-08 12:35:47 -08:00
Ryan Richard	7221be5a8a	add doc describing all tokens and credentials	2025-01-08 12:35:34 -08:00
Joshua Casey	83ab099b84	Merge pull request #2176 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-07 11:12:33 -06:00
Pinny	5f79860c8c	Bump dependencies	2025-01-07 14:06:50 +00:00
Joshua Casey	e4f7b5d181	Merge pull request #2174 from vmware-tanzu/audit_sourceips change `remoteAddr` to `sourceIPs` in Supervisor audit log for incoming http requests	2025-01-06 23:09:03 -06:00
Ryan Richard	9619a0f226	change remoteAddr to sourceIPs in Supervisor audit log for incoming reqs	2025-01-06 21:21:01 -06:00
Joshua Casey	23f414c384	Merge pull request #2175 from vmware-tanzu/upgrade_linter upgrade golangci-lint to v1.63.4	2025-01-06 19:22:05 -06:00
Ryan Richard	4872be0a84	upgrade golangci-lint to v1.63.4	2025-01-06 13:03:46 -08:00
Joshua Casey	691307a269	Merge pull request #2173 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-06 10:39:13 -06:00
Pinny	6d846ad2a9	Bump dependencies	2025-01-06 14:03:30 +00:00
Joshua Casey	ff24c757b7	Merge pull request #2171 from vmware-tanzu/pinny/bump-deps Bump dependencies	2025-01-02 09:51:32 -06:00
Pinny	ee4663aa19	Bump dependencies	2025-01-02 14:05:57 +00:00
Joshua Casey	119c591500	Merge pull request #2170 from vmware-tanzu/pinny/bump-deps Bump dependencies	2024-12-30 10:47:57 -06:00
Pinny	275412e902	Bump dependencies	2024-12-30 14:03:31 +00:00
Joshua Casey	fe75ebe4b2	Merge pull request #2169 from vmware-tanzu/pinny/bump-deps Bump dependencies	2024-12-27 11:01:39 -06:00
Pinny	fabb80cf19	Bump dependencies	2024-12-27 14:09:36 +00:00
Joshua Casey	7577f20c61	Merge pull request #2166 from vmware-tanzu/avoid_kube_32 temporarily avoid upgrades to kube v0.32.0 without using replace directives for direct deps	2024-12-26 13:16:18 -06:00
Joshua Casey	f441714f93	Bump codegen for 1.31, 1.30, and 1.29	2024-12-26 11:31:19 -06:00
Ryan Richard	2c9547e6a4	bump build image to latest	2024-12-24 12:38:55 -08:00
Ryan Richard	3bf3ed03f5	temporarily avoid upgrades to kube v0.32.0 without replace directives	2024-12-24 12:37:48 -08:00
Joshua Casey	c279253e20	Merge pull request #2163 from vmware-tanzu/jtc/pin-k8s-to-1-31-4 Pin k8s.io libs to 1.31.4	2024-12-23 12:59:01 -06:00
Joshua Casey	fa9ddf48d5	Pin k8s.io dependencies to v0.31.4	2024-12-20 15:39:26 -06:00
Joshua Casey	b8a9c4d1e5	Bump all dependencies	2024-12-20 15:38:57 -06:00
Joshua Casey	b4365c100f	Merge pull request #2162 from vmware-tanzu/build_tags_for_tls_versions Introduce new build tags to optionally override some min and max TLS settings	2024-12-20 14:25:22 -06:00
Ryan Richard	ef4b0c9cff	bump golang.org/x/net	2024-12-20 10:28:32 -08:00
Ryan Richard	b625b4a076	introduce build tags to optionally override some TLS settings	2024-12-20 10:28:32 -08:00
Joshua Casey	acbe9ce23d	Merge pull request #2158 from vmware-tanzu/upgrade_fosite upgrade fosite to v0.49.0 and handle its API changes	2024-12-13 14:11:25 -06:00
Ryan Richard	90c95866d1	upgrade fosite to v0.49.0 and handle its API changes	2024-12-13 10:17:42 -08:00
Ryan Richard	57fc177266	Merge pull request #2156 from vmware-tanzu/pinny/bump-deps Bump dependencies	2024-12-11 10:53:48 -08:00
Pinny	0366f4087f	Bump dependencies	2024-12-11 14:00:52 +00:00
Joshua Casey	3f6d287b44	Merge pull request #2155 from vmware-tanzu/pinny/bump-deps Bump dependencies	2024-12-10 16:28:15 -06:00
Joshua Casey	36aa701b56	Merge branch 'main' into pinny/bump-deps	2024-12-10 13:29:48 -06:00
Pinny	fc5a776645	Updated versions in docs for v0.36.0 release	2024-12-10 19:00:02 +00:00
Pinny	c2b4390bfa	Bump dependencies	2024-12-10 14:06:14 +00:00
@@ -1 +1 @@
 .61.0
 .63.4