Merge branch 'main' into impersonation-proxy

2021-03-01 17:03:56 -08:00 · 2021-03-01 17:03:56 -08:00 · 045c427317
parent ac404af48f a778a5ef81
commit 045c427317
21 changed files with 363 additions and 147 deletions
--- a/2
+++ b/2
@ -3,7 +3,7 @@
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.15.8 as build-env
+FROM golang:1.16.0 as build-env

 WORKDIR /work
 COPY . .
--- a/go.mod
+++ b/go.mod
@ -9,17 +9,15 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/go-logr/logr v0.4.0
 	github.com/go-logr/stdr v0.4.0
-	github.com/go-openapi/spec v0.19.9
+	github.com/go-openapi/spec v0.20.3
 	github.com/gofrs/flock v0.8.0
-	github.com/golang/mock v1.4.4
+	github.com/golang/mock v1.5.0
 	github.com/google/go-cmp v0.5.4
 	github.com/google/gofuzz v1.2.0
 	github.com/gorilla/securecookie v1.1.1
-	github.com/kr/text v0.2.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/oleiade/reflections v1.0.1 // indirect
 	github.com/onsi/ginkgo v1.13.0 // indirect
-	github.com/ory/fosite v0.36.0
+	github.com/ory/fosite v0.38.0
 	github.com/pkg/browser v0.0.0-20201207095918-0426ae3fba23
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/agouti v3.0.0+incompatible
@ -31,9 +29,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
 	golang.org/x/tools v0.0.0-20200825202427-b303f430e36d // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
 	k8s.io/api v0.20.4
 	k8s.io/apimachinery v0.20.4
 	k8s.io/apiserver v0.20.4
--- a/go.sum
+++ b/go.sum
@ -216,16 +216,20 @@ github.com/go-logr/stdr v0.4.0/go.mod h1:NO1vneyJDqKVgJYnxhwXWWmQPOvNM391IG3H8ql
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/jsonreference v0.19.4 h1:3Vw+rh13uq2JFNxgnMTGE1rnoieU9FmyE1gvnyylsYg=
-github.com/go-openapi/jsonreference v0.19.4/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
+github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
+github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/spec v0.19.9 h1:9z9cbFuZJ7AcvOHKIY+f6Aevb4vObNDkTEyoMfO7rAc=
-github.com/go-openapi/spec v0.19.9/go.mod h1:vqK/dIdLGCosfvYsQV3WfC7N3TiZSnGY2RZKoFK7X28=
+github.com/go-openapi/spec v0.20.3 h1:uH9RQ6vdyPSs2pSy9fL8QPspDF2AMIMPtmK5coSSjtQ=
+github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
+github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
@ -486,8 +490,9 @@ github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFU
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.5.0 h1:jlYHihg//f7RRwuPfptm04yp4s7O6Kw8EZiVYIGcH0g=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@ -635,6 +640,8 @@ github.com/joho/godotenv v1.2.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
@ -688,6 +695,8 @@ github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/deplist v1.1.3/go.mod h1:BF7ioVzAJYEtzQN/os4rt8H8Ti3h0T7EoN+7eyALktE=
@ -809,8 +818,8 @@ github.com/ory/analytics-go/v4 v4.0.0/go.mod h1:FMx9cLRD9xN+XevPvZ5FDMfignpmcqPP
 github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
 github.com/ory/dockertest/v3 v3.5.4/go.mod h1:J8ZUbNB2FOhm1cFZW9xBpDsODqsSWcyYgtJYVPcnF70=
 github.com/ory/fosite v0.29.0/go.mod h1:0atSZmXO7CAcs6NPMI/Qtot8tmZYj04Nddoold4S2h0=
-github.com/ory/fosite v0.36.0 h1:6XGd9sE0h/y6XJx3L3iRm/UFPHVEnARQch0YFxvxziQ=
-github.com/ory/fosite v0.36.0/go.mod h1:NE15bS1ya8E4J8VmminFY+nsZdoBQu+5/vGF2ELvDsY=
+github.com/ory/fosite v0.38.0 h1:4y+IurqBAu/Gf0NlW47gabRJZyYIqda+OFHMx5fsy6Q=
+github.com/ory/fosite v0.38.0/go.mod h1:37r59qkOSPueYKmaA7EHiXrDMF1B+XPN+MgkZgTRg3Y=
 github.com/ory/go-acc v0.0.0-20181118080137-ddc355013f90/go.mod h1:sxnvPCxChFuSmTJGj8FdMupeq1BezCiEpDjTUXQ4hf4=
 github.com/ory/go-acc v0.2.5 h1:31irXHzG2vnKQSE4weJm7AdfrnpaVjVCq3nD7viXCJE=
 github.com/ory/go-acc v0.2.5/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw=
@ -1083,8 +1092,8 @@ golang.org/x/crypto v0.0.0-20200320181102-891825fb96df/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 h1:3wPMTskHO3+O6jqTEXyFcsnuxMQOqYSaHsDxcbUXpqA=
 golang.org/x/crypto v0.0.0-20201217014255-9d1352758620/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -1171,6 +1180,8 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181003184128-c57b0facaced/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -1257,8 +1268,12 @@ golang.org/x/sys v0.0.0-20200720211630-cb9d2d5c5666/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1266,6 +1281,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/internal/controller/issuerconfig/update_strategy.go
+++ b/internal/controller/issuerconfig/update_strategy.go
@ -0,0 +1,52 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package issuerconfig
+
+import (
+	"context"
+	"sort"
+
+	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+	"go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
+)
+
+// UpdateStrategy creates or updates the desired strategy in the CredentialIssuer status.strategies field.
+// The CredentialIssuer will be created if it does not already exist.
+func UpdateStrategy(ctx context.Context,
+	name string,
+	credentialIssuerLabels map[string]string,
+	pinnipedAPIClient versioned.Interface,
+	strategy v1alpha1.CredentialIssuerStrategy,
+) error {
+	return CreateOrUpdateCredentialIssuerStatus(
+		ctx,
+		name,
+		credentialIssuerLabels,
+		pinnipedAPIClient,
+		func(configToUpdate *v1alpha1.CredentialIssuerStatus) { mergeStrategy(configToUpdate, strategy) },
+	)
+}
+
+func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1alpha1.CredentialIssuerStrategy) {
+	var existing *v1alpha1.CredentialIssuerStrategy
+	for i := range configToUpdate.Strategies {
+		if configToUpdate.Strategies[i].Type == strategy.Type {
+			existing = &configToUpdate.Strategies[i]
+			break
+		}
+	}
+	if existing != nil {
+		strategy.DeepCopyInto(existing)
+	} else {
+		configToUpdate.Strategies = append(configToUpdate.Strategies, strategy)
+	}
+	sort.Stable(sortableStrategies(configToUpdate.Strategies))
+}
+
+// TODO: sort strategies by server preference rather than alphanumerically by type.
+type sortableStrategies []v1alpha1.CredentialIssuerStrategy
+
+func (s sortableStrategies) Len() int           { return len(s) }
+func (s sortableStrategies) Less(i, j int) bool { return s[i].Type < s[j].Type }
+func (s sortableStrategies) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
--- a/internal/controller/issuerconfig/update_strategy_test.go
+++ b/internal/controller/issuerconfig/update_strategy_test.go
@ -0,0 +1,145 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package issuerconfig
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+)
+
+func TestMergeStrategy(t *testing.T) {
+	t1 := metav1.Now()
+	t2 := metav1.NewTime(metav1.Now().Add(-1 * time.Hour))
+
+	tests := []struct {
+		name           string
+		configToUpdate v1alpha1.CredentialIssuerStatus
+		strategy       v1alpha1.CredentialIssuerStrategy
+		expected       v1alpha1.CredentialIssuerStatus
+	}{
+		{
+			name: "new entry",
+			configToUpdate: v1alpha1.CredentialIssuerStatus{
+				Strategies: nil,
+			},
+			strategy: v1alpha1.CredentialIssuerStrategy{
+				Type:           "Type1",
+				Status:         v1alpha1.SuccessStrategyStatus,
+				Reason:         "some reason",
+				Message:        "some message",
+				LastUpdateTime: t1,
+			},
+			expected: v1alpha1.CredentialIssuerStatus{
+				Strategies: []v1alpha1.CredentialIssuerStrategy{
+					{
+						Type:           "Type1",
+						Status:         v1alpha1.SuccessStrategyStatus,
+						Reason:         "some reason",
+						Message:        "some message",
+						LastUpdateTime: t1,
+					},
+				},
+			},
+		},
+		{
+			name: "existing entry to update",
+			configToUpdate: v1alpha1.CredentialIssuerStatus{
+				Strategies: []v1alpha1.CredentialIssuerStrategy{
+					{
+						Type:           "Type1",
+						Status:         v1alpha1.ErrorStrategyStatus,
+						Reason:         "some starting reason",
+						Message:        "some starting message",
+						LastUpdateTime: t2,
+					},
+				},
+			},
+			strategy: v1alpha1.CredentialIssuerStrategy{
+				Type:           "Type1",
+				Status:         v1alpha1.SuccessStrategyStatus,
+				Reason:         "some reason",
+				Message:        "some message",
+				LastUpdateTime: t1,
+			},
+			expected: v1alpha1.CredentialIssuerStatus{
+				Strategies: []v1alpha1.CredentialIssuerStrategy{
+					{
+						Type:           "Type1",
+						Status:         v1alpha1.SuccessStrategyStatus,
+						Reason:         "some reason",
+						Message:        "some message",
+						LastUpdateTime: t1,
+					},
+				},
+			},
+		},
+		{
+			name: "new entry among others",
+			configToUpdate: v1alpha1.CredentialIssuerStatus{
+				Strategies: []v1alpha1.CredentialIssuerStrategy{
+					{
+						Type:           "Type0",
+						Status:         v1alpha1.ErrorStrategyStatus,
+						Reason:         "some starting reason 0",
+						Message:        "some starting message 0",
+						LastUpdateTime: t2,
+					},
+					{
+						Type:           "Type2",
+						Status:         v1alpha1.ErrorStrategyStatus,
+						Reason:         "some starting reason 0",
+						Message:        "some starting message 0",
+						LastUpdateTime: t2,
+					},
+				},
+			},
+			strategy: v1alpha1.CredentialIssuerStrategy{
+				Type:           "Type1",
+				Status:         v1alpha1.SuccessStrategyStatus,
+				Reason:         "some reason",
+				Message:        "some message",
+				LastUpdateTime: t1,
+			},
+			expected: v1alpha1.CredentialIssuerStatus{
+				Strategies: []v1alpha1.CredentialIssuerStrategy{
+					{
+						Type:           "Type0",
+						Status:         v1alpha1.ErrorStrategyStatus,
+						Reason:         "some starting reason 0",
+						Message:        "some starting message 0",
+						LastUpdateTime: t2,
+					},
+					// Expect the Type1 entry to be sorted alphanumerically between the existing entries.
+					{
+						Type:           "Type1",
+						Status:         v1alpha1.SuccessStrategyStatus,
+						Reason:         "some reason",
+						Message:        "some message",
+						LastUpdateTime: t1,
+					},
+					{
+						Type:           "Type2",
+						Status:         v1alpha1.ErrorStrategyStatus,
+						Reason:         "some starting reason 0",
+						Message:        "some starting message 0",
+						LastUpdateTime: t2,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			updated := tt.configToUpdate.DeepCopy()
+			mergeStrategy(updated, tt.strategy)
+			require.Equal(t, &tt.expected, updated)
+		})
+	}
+}
--- a/internal/controller/kubecertagent/annotater.go
+++ b/internal/controller/kubecertagent/annotater.go
@ -18,6 +18,7 @@ import (

 	pinnipedclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
+	"go.pinniped.dev/internal/controller/issuerconfig"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/plog"
 )
@ -121,7 +122,13 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
 			keyPath,
 		); err != nil {
 			err = fmt.Errorf("cannot update agent pod: %w", err)
-			strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+			strategyResultUpdateErr := issuerconfig.UpdateStrategy(
+				ctx.Context,
+				c.credentialIssuerLocationConfig.Name,
+				nil,
+				c.pinnipedAPIClient,
+				strategyError(c.clock, err),
+			)
 			if strategyResultUpdateErr != nil {
 				// If the CI update fails, then we probably want to try again. This controller will get
 				// called again because of the pod create failure, so just try the CI update again then.
--- a/internal/controller/kubecertagent/creater.go
+++ b/internal/controller/kubecertagent/creater.go
@ -17,6 +17,7 @@ import (
 	pinnipedclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	"go.pinniped.dev/internal/constable"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
+	"go.pinniped.dev/internal/controller/issuerconfig"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/plog"
 )
@ -96,13 +97,12 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
 	if len(controllerManagerPods) == 0 {
 		// If there are no controller manager pods, we alert the user that we can't find the keypair via
 		// the CredentialIssuer.
-		return createOrUpdateCredentialIssuer(
+		return issuerconfig.UpdateStrategy(
 			ctx.Context,
-			*c.credentialIssuerLocationConfig,
+			c.credentialIssuerLocationConfig.Name,
 			c.credentialIssuerLabels,
-			c.clock,
 			c.pinnipedAPIClient,
-			constable.Error("did not find kube-controller-manager pod(s)"),
+			strategyError(c.clock, constable.Error("did not find kube-controller-manager pod(s)")),
 		)
 	}

@ -131,13 +131,12 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
 				Create(ctx.Context, agentPod, metav1.CreateOptions{})
 			if err != nil {
 				err = fmt.Errorf("cannot create agent pod: %w", err)
-				strategyResultUpdateErr := createOrUpdateCredentialIssuer(
+				strategyResultUpdateErr := issuerconfig.UpdateStrategy(
 					ctx.Context,
-					*c.credentialIssuerLocationConfig,
+					c.credentialIssuerLocationConfig.Name,
 					c.credentialIssuerLabels,
-					c.clock,
 					c.pinnipedAPIClient,
-					err,
+					strategyError(c.clock, err),
 				)
 				if strategyResultUpdateErr != nil {
 					// If the CI update fails, then we probably want to try again. This controller will get
--- a/internal/controller/kubecertagent/execer.go
+++ b/internal/controller/kubecertagent/execer.go
@ -14,6 +14,7 @@ import (

 	pinnipedclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
+	"go.pinniped.dev/internal/controller/issuerconfig"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/dynamiccert"
 )
@ -87,21 +88,39 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {

 	certPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", certPath)
 	if err != nil {
-		strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+		strategyResultUpdateErr := issuerconfig.UpdateStrategy(
+			ctx.Context,
+			c.credentialIssuerLocationConfig.Name,
+			nil,
+			c.pinnipedAPIClient,
+			strategyError(c.clock, err),
+		)
 		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer with strategy success")
 		return err
 	}

 	keyPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", keyPath)
 	if err != nil {
-		strategyResultUpdateErr := createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
+		strategyResultUpdateErr := issuerconfig.UpdateStrategy(
+			ctx.Context,
+			c.credentialIssuerLocationConfig.Name,
+			nil,
+			c.pinnipedAPIClient,
+			strategyError(c.clock, err),
+		)
 		klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuer with strategy success")
 		return err
 	}

 	c.dynamicCertProvider.Set([]byte(certPEM), []byte(keyPEM))

-	err = createOrUpdateCredentialIssuer(ctx.Context, *c.credentialIssuerLocationConfig, nil, c.clock, c.pinnipedAPIClient, nil)
+	err = issuerconfig.UpdateStrategy(
+		ctx.Context,
+		c.credentialIssuerLocationConfig.Name,
+		nil,
+		c.pinnipedAPIClient,
+		strategySuccess(c.clock),
+	)
 	if err != nil {
 		return err
 	}
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@ -10,7 +10,6 @@
 package kubecertagent

 import (
-	"context"
 	"encoding/hex"
 	"fmt"
 	"hash/fnv"
@ -25,8 +24,6 @@ import (
 	corev1informers "k8s.io/client-go/informers/core/v1"

 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
-	pinnipedclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
-	"go.pinniped.dev/internal/controller/issuerconfig"
 	"go.pinniped.dev/internal/plog"
 )

@ -280,32 +277,6 @@ func findControllerManagerPodForSpecificAgentPod(
 	return maybeControllerManagerPod, nil
 }

-func createOrUpdateCredentialIssuer(ctx context.Context,
-	ciConfig CredentialIssuerLocationConfig,
-	credentialIssuerLabels map[string]string,
-	clock clock.Clock,
-	pinnipedAPIClient pinnipedclientset.Interface,
-	err error,
-) error {
-	return issuerconfig.CreateOrUpdateCredentialIssuerStatus(
-		ctx,
-		ciConfig.Name,
-		credentialIssuerLabels,
-		pinnipedAPIClient,
-		func(configToUpdate *configv1alpha1.CredentialIssuerStatus) {
-			var strategyResult configv1alpha1.CredentialIssuerStrategy
-			if err == nil {
-				strategyResult = strategySuccess(clock)
-			} else {
-				strategyResult = strategyError(clock, err)
-			}
-			configToUpdate.Strategies = []configv1alpha1.CredentialIssuerStrategy{
-				strategyResult,
-			}
-		},
-	)
-}
-
 func strategySuccess(clock clock.Clock) configv1alpha1.CredentialIssuerStrategy {
 	return configv1alpha1.CredentialIssuerStrategy{
 		Type:           configv1alpha1.KubeClusterSigningCertificateStrategyType,
--- a/internal/mocks/credentialrequestmocks/credentialrequestmocks.go
+++ b/internal/mocks/credentialrequestmocks/credentialrequestmocks.go
@ -15,35 +15,34 @@ import (
 	time "time"

 	gomock "github.com/golang/mock/gomock"
-	user "k8s.io/apiserver/pkg/authentication/user"
-
 	login "go.pinniped.dev/generated/latest/apis/concierge/login"
+	user "k8s.io/apiserver/pkg/authentication/user"
 )

-// MockCertIssuer is a mock of CertIssuer interface
+// MockCertIssuer is a mock of CertIssuer interface.
 type MockCertIssuer struct {
 	ctrl     *gomock.Controller
 	recorder *MockCertIssuerMockRecorder
 }

-// MockCertIssuerMockRecorder is the mock recorder for MockCertIssuer
+// MockCertIssuerMockRecorder is the mock recorder for MockCertIssuer.
 type MockCertIssuerMockRecorder struct {
 	mock *MockCertIssuer
 }

-// NewMockCertIssuer creates a new mock instance
+// NewMockCertIssuer creates a new mock instance.
 func NewMockCertIssuer(ctrl *gomock.Controller) *MockCertIssuer {
 	mock := &MockCertIssuer{ctrl: ctrl}
 	mock.recorder = &MockCertIssuerMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockCertIssuer) EXPECT() *MockCertIssuerMockRecorder {
 	return m.recorder
 }

-// IssuePEM mocks base method
+// IssuePEM mocks base method.
 func (m *MockCertIssuer) IssuePEM(arg0 pkix.Name, arg1 []string, arg2 time.Duration) ([]byte, []byte, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IssuePEM", arg0, arg1, arg2)
@ -53,36 +52,36 @@ func (m *MockCertIssuer) IssuePEM(arg0 pkix.Name, arg1 []string, arg2 time.Durat
 	return ret0, ret1, ret2
 }

-// IssuePEM indicates an expected call of IssuePEM
+// IssuePEM indicates an expected call of IssuePEM.
 func (mr *MockCertIssuerMockRecorder) IssuePEM(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssuePEM", reflect.TypeOf((*MockCertIssuer)(nil).IssuePEM), arg0, arg1, arg2)
 }

-// MockTokenCredentialRequestAuthenticator is a mock of TokenCredentialRequestAuthenticator interface
+// MockTokenCredentialRequestAuthenticator is a mock of TokenCredentialRequestAuthenticator interface.
 type MockTokenCredentialRequestAuthenticator struct {
 	ctrl     *gomock.Controller
 	recorder *MockTokenCredentialRequestAuthenticatorMockRecorder
 }

-// MockTokenCredentialRequestAuthenticatorMockRecorder is the mock recorder for MockTokenCredentialRequestAuthenticator
+// MockTokenCredentialRequestAuthenticatorMockRecorder is the mock recorder for MockTokenCredentialRequestAuthenticator.
 type MockTokenCredentialRequestAuthenticatorMockRecorder struct {
 	mock *MockTokenCredentialRequestAuthenticator
 }

-// NewMockTokenCredentialRequestAuthenticator creates a new mock instance
+// NewMockTokenCredentialRequestAuthenticator creates a new mock instance.
 func NewMockTokenCredentialRequestAuthenticator(ctrl *gomock.Controller) *MockTokenCredentialRequestAuthenticator {
 	mock := &MockTokenCredentialRequestAuthenticator{ctrl: ctrl}
 	mock.recorder = &MockTokenCredentialRequestAuthenticatorMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockTokenCredentialRequestAuthenticator) EXPECT() *MockTokenCredentialRequestAuthenticatorMockRecorder {
 	return m.recorder
 }

-// AuthenticateTokenCredentialRequest mocks base method
+// AuthenticateTokenCredentialRequest mocks base method.
 func (m *MockTokenCredentialRequestAuthenticator) AuthenticateTokenCredentialRequest(arg0 context.Context, arg1 *login.TokenCredentialRequest) (user.Info, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthenticateTokenCredentialRequest", arg0, arg1)
@ -91,7 +90,7 @@ func (m *MockTokenCredentialRequestAuthenticator) AuthenticateTokenCredentialReq
 	return ret0, ret1
 }

-// AuthenticateTokenCredentialRequest indicates an expected call of AuthenticateTokenCredentialRequest
+// AuthenticateTokenCredentialRequest indicates an expected call of AuthenticateTokenCredentialRequest.
 func (mr *MockTokenCredentialRequestAuthenticatorMockRecorder) AuthenticateTokenCredentialRequest(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateTokenCredentialRequest", reflect.TypeOf((*MockTokenCredentialRequestAuthenticator)(nil).AuthenticateTokenCredentialRequest), arg0, arg1)
--- a/internal/mocks/mockkeyset/mockkeyset.go
+++ b/internal/mocks/mockkeyset/mockkeyset.go
@ -1,43 +1,44 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //

 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/coreos/go-oidc (interfaces: KeySet)
+// Source: github.com/coreos/go-oidc/v3/oidc (interfaces: KeySet)

 // Package mockkeyset is a generated GoMock package.
 package mockkeyset

 import (
 	context "context"
-	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
 )

-// MockKeySet is a mock of KeySet interface
+// MockKeySet is a mock of KeySet interface.
 type MockKeySet struct {
 	ctrl     *gomock.Controller
 	recorder *MockKeySetMockRecorder
 }

-// MockKeySetMockRecorder is the mock recorder for MockKeySet
+// MockKeySetMockRecorder is the mock recorder for MockKeySet.
 type MockKeySetMockRecorder struct {
 	mock *MockKeySet
 }

-// NewMockKeySet creates a new mock instance
+// NewMockKeySet creates a new mock instance.
 func NewMockKeySet(ctrl *gomock.Controller) *MockKeySet {
 	mock := &MockKeySet{ctrl: ctrl}
 	mock.recorder = &MockKeySetMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockKeySet) EXPECT() *MockKeySetMockRecorder {
 	return m.recorder
 }

-// VerifySignature mocks base method
+// VerifySignature mocks base method.
 func (m *MockKeySet) VerifySignature(arg0 context.Context, arg1 string) ([]byte, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "VerifySignature", arg0, arg1)
@ -46,7 +47,7 @@ func (m *MockKeySet) VerifySignature(arg0 context.Context, arg1 string) ([]byte,
 	return ret0, ret1
 }

-// VerifySignature indicates an expected call of VerifySignature
+// VerifySignature indicates an expected call of VerifySignature.
 func (mr *MockKeySetMockRecorder) VerifySignature(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifySignature", reflect.TypeOf((*MockKeySet)(nil).VerifySignature), arg0, arg1)
--- a/internal/mocks/mocksecrethelper/mocksecrethelper.go
+++ b/internal/mocks/mocksecrethelper/mocksecrethelper.go
@ -12,36 +12,35 @@ import (
 	reflect "reflect"

 	gomock "github.com/golang/mock/gomock"
+	v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	v1 "k8s.io/api/core/v1"
 	v10 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 )

-// MockSecretHelper is a mock of SecretHelper interface
+// MockSecretHelper is a mock of SecretHelper interface.
 type MockSecretHelper struct {
 	ctrl     *gomock.Controller
 	recorder *MockSecretHelperMockRecorder
 }

-// MockSecretHelperMockRecorder is the mock recorder for MockSecretHelper
+// MockSecretHelperMockRecorder is the mock recorder for MockSecretHelper.
 type MockSecretHelperMockRecorder struct {
 	mock *MockSecretHelper
 }

-// NewMockSecretHelper creates a new mock instance
+// NewMockSecretHelper creates a new mock instance.
 func NewMockSecretHelper(ctrl *gomock.Controller) *MockSecretHelper {
 	mock := &MockSecretHelper{ctrl: ctrl}
 	mock.recorder = &MockSecretHelperMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockSecretHelper) EXPECT() *MockSecretHelperMockRecorder {
 	return m.recorder
 }

-// Generate mocks base method
+// Generate mocks base method.
 func (m *MockSecretHelper) Generate(arg0 *v1alpha1.FederationDomain) (*v1.Secret, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Generate", arg0)
@ -50,13 +49,13 @@ func (m *MockSecretHelper) Generate(arg0 *v1alpha1.FederationDomain) (*v1.Secret
 	return ret0, ret1
 }

-// Generate indicates an expected call of Generate
+// Generate indicates an expected call of Generate.
 func (mr *MockSecretHelperMockRecorder) Generate(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Generate", reflect.TypeOf((*MockSecretHelper)(nil).Generate), arg0)
 }

-// Handles mocks base method
+// Handles mocks base method.
 func (m *MockSecretHelper) Handles(arg0 v10.Object) bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Handles", arg0)
@ -64,13 +63,13 @@ func (m *MockSecretHelper) Handles(arg0 v10.Object) bool {
 	return ret0
 }

-// Handles indicates an expected call of Handles
+// Handles indicates an expected call of Handles.
 func (mr *MockSecretHelperMockRecorder) Handles(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Handles", reflect.TypeOf((*MockSecretHelper)(nil).Handles), arg0)
 }

-// IsValid mocks base method
+// IsValid mocks base method.
 func (m *MockSecretHelper) IsValid(arg0 *v1alpha1.FederationDomain, arg1 *v1.Secret) bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IsValid", arg0, arg1)
@ -78,13 +77,13 @@ func (m *MockSecretHelper) IsValid(arg0 *v1alpha1.FederationDomain, arg1 *v1.Sec
 	return ret0
 }

-// IsValid indicates an expected call of IsValid
+// IsValid indicates an expected call of IsValid.
 func (mr *MockSecretHelperMockRecorder) IsValid(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsValid", reflect.TypeOf((*MockSecretHelper)(nil).IsValid), arg0, arg1)
 }

-// NamePrefix mocks base method
+// NamePrefix mocks base method.
 func (m *MockSecretHelper) NamePrefix() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "NamePrefix")
@ -92,13 +91,13 @@ func (m *MockSecretHelper) NamePrefix() string {
 	return ret0
 }

-// NamePrefix indicates an expected call of NamePrefix
+// NamePrefix indicates an expected call of NamePrefix.
 func (mr *MockSecretHelperMockRecorder) NamePrefix() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamePrefix", reflect.TypeOf((*MockSecretHelper)(nil).NamePrefix))
 }

-// ObserveActiveSecretAndUpdateParentFederationDomain mocks base method
+// ObserveActiveSecretAndUpdateParentFederationDomain mocks base method.
 func (m *MockSecretHelper) ObserveActiveSecretAndUpdateParentFederationDomain(arg0 *v1alpha1.FederationDomain, arg1 *v1.Secret) *v1alpha1.FederationDomain {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ObserveActiveSecretAndUpdateParentFederationDomain", arg0, arg1)
@ -106,7 +105,7 @@ func (m *MockSecretHelper) ObserveActiveSecretAndUpdateParentFederationDomain(ar
 	return ret0
 }

-// ObserveActiveSecretAndUpdateParentFederationDomain indicates an expected call of ObserveActiveSecretAndUpdateParentFederationDomain
+// ObserveActiveSecretAndUpdateParentFederationDomain indicates an expected call of ObserveActiveSecretAndUpdateParentFederationDomain.
 func (mr *MockSecretHelperMockRecorder) ObserveActiveSecretAndUpdateParentFederationDomain(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ObserveActiveSecretAndUpdateParentFederationDomain", reflect.TypeOf((*MockSecretHelper)(nil).ObserveActiveSecretAndUpdateParentFederationDomain), arg0, arg1)
--- a/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go
+++ b/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go
@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //

@ -10,35 +10,36 @@ package mocktokenauthenticator

 import (
 	context "context"
+	reflect "reflect"
+
 	gomock "github.com/golang/mock/gomock"
 	authenticator "k8s.io/apiserver/pkg/authentication/authenticator"
-	reflect "reflect"
 )

-// MockToken is a mock of Token interface
+// MockToken is a mock of Token interface.
 type MockToken struct {
 	ctrl     *gomock.Controller
 	recorder *MockTokenMockRecorder
 }

-// MockTokenMockRecorder is the mock recorder for MockToken
+// MockTokenMockRecorder is the mock recorder for MockToken.
 type MockTokenMockRecorder struct {
 	mock *MockToken
 }

-// NewMockToken creates a new mock instance
+// NewMockToken creates a new mock instance.
 func NewMockToken(ctrl *gomock.Controller) *MockToken {
 	mock := &MockToken{ctrl: ctrl}
 	mock.recorder = &MockTokenMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockToken) EXPECT() *MockTokenMockRecorder {
 	return m.recorder
 }

-// AuthenticateToken mocks base method
+// AuthenticateToken mocks base method.
 func (m *MockToken) AuthenticateToken(arg0 context.Context, arg1 string) (*authenticator.Response, bool, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthenticateToken", arg0, arg1)
@ -48,7 +49,7 @@ func (m *MockToken) AuthenticateToken(arg0 context.Context, arg1 string) (*authe
 	return ret0, ret1, ret2
 }

-// AuthenticateToken indicates an expected call of AuthenticateToken
+// AuthenticateToken indicates an expected call of AuthenticateToken.
 func (mr *MockTokenMockRecorder) AuthenticateToken(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateToken", reflect.TypeOf((*MockToken)(nil).AuthenticateToken), arg0, arg1)
--- a/internal/mocks/mocktokenauthenticatorcloser/mocktokenauthenticatorcloser.go
+++ b/internal/mocks/mocktokenauthenticatorcloser/mocktokenauthenticatorcloser.go
@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //

@ -10,35 +10,36 @@ package mocktokenauthenticatorcloser

 import (
 	context "context"
+	reflect "reflect"
+
 	gomock "github.com/golang/mock/gomock"
 	authenticator "k8s.io/apiserver/pkg/authentication/authenticator"
-	reflect "reflect"
 )

-// MockTokenAuthenticatorCloser is a mock of TokenAuthenticatorCloser interface
+// MockTokenAuthenticatorCloser is a mock of TokenAuthenticatorCloser interface.
 type MockTokenAuthenticatorCloser struct {
 	ctrl     *gomock.Controller
 	recorder *MockTokenAuthenticatorCloserMockRecorder
 }

-// MockTokenAuthenticatorCloserMockRecorder is the mock recorder for MockTokenAuthenticatorCloser
+// MockTokenAuthenticatorCloserMockRecorder is the mock recorder for MockTokenAuthenticatorCloser.
 type MockTokenAuthenticatorCloserMockRecorder struct {
 	mock *MockTokenAuthenticatorCloser
 }

-// NewMockTokenAuthenticatorCloser creates a new mock instance
+// NewMockTokenAuthenticatorCloser creates a new mock instance.
 func NewMockTokenAuthenticatorCloser(ctrl *gomock.Controller) *MockTokenAuthenticatorCloser {
 	mock := &MockTokenAuthenticatorCloser{ctrl: ctrl}
 	mock.recorder = &MockTokenAuthenticatorCloserMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockTokenAuthenticatorCloser) EXPECT() *MockTokenAuthenticatorCloserMockRecorder {
 	return m.recorder
 }

-// AuthenticateToken mocks base method
+// AuthenticateToken mocks base method.
 func (m *MockTokenAuthenticatorCloser) AuthenticateToken(arg0 context.Context, arg1 string) (*authenticator.Response, bool, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthenticateToken", arg0, arg1)
@ -48,19 +49,19 @@ func (m *MockTokenAuthenticatorCloser) AuthenticateToken(arg0 context.Context, a
 	return ret0, ret1, ret2
 }

-// AuthenticateToken indicates an expected call of AuthenticateToken
+// AuthenticateToken indicates an expected call of AuthenticateToken.
 func (mr *MockTokenAuthenticatorCloserMockRecorder) AuthenticateToken(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateToken", reflect.TypeOf((*MockTokenAuthenticatorCloser)(nil).AuthenticateToken), arg0, arg1)
 }

-// Close mocks base method
+// Close mocks base method.
 func (m *MockTokenAuthenticatorCloser) Close() {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "Close")
 }

-// Close indicates an expected call of Close
+// Close indicates an expected call of Close.
 func (mr *MockTokenAuthenticatorCloserMockRecorder) Close() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockTokenAuthenticatorCloser)(nil).Close))
--- a/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go
+++ b/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go
@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //

@ -10,39 +10,40 @@ package mockupstreamoidcidentityprovider

 import (
 	context "context"
+	url "net/url"
+	reflect "reflect"
+
 	gomock "github.com/golang/mock/gomock"
 	nonce "go.pinniped.dev/pkg/oidcclient/nonce"
 	oidctypes "go.pinniped.dev/pkg/oidcclient/oidctypes"
 	pkce "go.pinniped.dev/pkg/oidcclient/pkce"
 	oauth2 "golang.org/x/oauth2"
-	url "net/url"
-	reflect "reflect"
 )

-// MockUpstreamOIDCIdentityProviderI is a mock of UpstreamOIDCIdentityProviderI interface
+// MockUpstreamOIDCIdentityProviderI is a mock of UpstreamOIDCIdentityProviderI interface.
 type MockUpstreamOIDCIdentityProviderI struct {
 	ctrl     *gomock.Controller
 	recorder *MockUpstreamOIDCIdentityProviderIMockRecorder
 }

-// MockUpstreamOIDCIdentityProviderIMockRecorder is the mock recorder for MockUpstreamOIDCIdentityProviderI
+// MockUpstreamOIDCIdentityProviderIMockRecorder is the mock recorder for MockUpstreamOIDCIdentityProviderI.
 type MockUpstreamOIDCIdentityProviderIMockRecorder struct {
 	mock *MockUpstreamOIDCIdentityProviderI
 }

-// NewMockUpstreamOIDCIdentityProviderI creates a new mock instance
+// NewMockUpstreamOIDCIdentityProviderI creates a new mock instance.
 func NewMockUpstreamOIDCIdentityProviderI(ctrl *gomock.Controller) *MockUpstreamOIDCIdentityProviderI {
 	mock := &MockUpstreamOIDCIdentityProviderI{ctrl: ctrl}
 	mock.recorder = &MockUpstreamOIDCIdentityProviderIMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockUpstreamOIDCIdentityProviderI) EXPECT() *MockUpstreamOIDCIdentityProviderIMockRecorder {
 	return m.recorder
 }

-// ExchangeAuthcodeAndValidateTokens mocks base method
+// ExchangeAuthcodeAndValidateTokens mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) ExchangeAuthcodeAndValidateTokens(arg0 context.Context, arg1 string, arg2 pkce.Code, arg3 nonce.Nonce, arg4 string) (*oidctypes.Token, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ExchangeAuthcodeAndValidateTokens", arg0, arg1, arg2, arg3, arg4)
@ -51,13 +52,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) ExchangeAuthcodeAndValidateTokens(ar
 	return ret0, ret1
 }

-// ExchangeAuthcodeAndValidateTokens indicates an expected call of ExchangeAuthcodeAndValidateTokens
+// ExchangeAuthcodeAndValidateTokens indicates an expected call of ExchangeAuthcodeAndValidateTokens.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) ExchangeAuthcodeAndValidateTokens(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExchangeAuthcodeAndValidateTokens", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).ExchangeAuthcodeAndValidateTokens), arg0, arg1, arg2, arg3, arg4)
 }

-// GetAuthorizationURL mocks base method
+// GetAuthorizationURL mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetAuthorizationURL() *url.URL {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetAuthorizationURL")
@ -65,13 +66,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetAuthorizationURL() *url.URL {
 	return ret0
 }

-// GetAuthorizationURL indicates an expected call of GetAuthorizationURL
+// GetAuthorizationURL indicates an expected call of GetAuthorizationURL.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetAuthorizationURL() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthorizationURL", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetAuthorizationURL))
 }

-// GetClientID mocks base method
+// GetClientID mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetClientID() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetClientID")
@ -79,13 +80,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetClientID() string {
 	return ret0
 }

-// GetClientID indicates an expected call of GetClientID
+// GetClientID indicates an expected call of GetClientID.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetClientID() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClientID", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetClientID))
 }

-// GetGroupsClaim mocks base method
+// GetGroupsClaim mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetGroupsClaim() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetGroupsClaim")
@ -93,13 +94,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetGroupsClaim() string {
 	return ret0
 }

-// GetGroupsClaim indicates an expected call of GetGroupsClaim
+// GetGroupsClaim indicates an expected call of GetGroupsClaim.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetGroupsClaim() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGroupsClaim", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetGroupsClaim))
 }

-// GetName mocks base method
+// GetName mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetName() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetName")
@ -107,13 +108,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetName() string {
 	return ret0
 }

-// GetName indicates an expected call of GetName
+// GetName indicates an expected call of GetName.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetName() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetName", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetName))
 }

-// GetScopes mocks base method
+// GetScopes mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetScopes() []string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetScopes")
@ -121,13 +122,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetScopes() []string {
 	return ret0
 }

-// GetScopes indicates an expected call of GetScopes
+// GetScopes indicates an expected call of GetScopes.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetScopes() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetScopes", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetScopes))
 }

-// GetUsernameClaim mocks base method
+// GetUsernameClaim mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) GetUsernameClaim() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetUsernameClaim")
@ -135,13 +136,13 @@ func (m *MockUpstreamOIDCIdentityProviderI) GetUsernameClaim() string {
 	return ret0
 }

-// GetUsernameClaim indicates an expected call of GetUsernameClaim
+// GetUsernameClaim indicates an expected call of GetUsernameClaim.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetUsernameClaim() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUsernameClaim", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetUsernameClaim))
 }

-// ValidateToken mocks base method
+// ValidateToken mocks base method.
 func (m *MockUpstreamOIDCIdentityProviderI) ValidateToken(arg0 context.Context, arg1 *oauth2.Token, arg2 nonce.Nonce) (*oidctypes.Token, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ValidateToken", arg0, arg1, arg2)
@ -150,7 +151,7 @@ func (m *MockUpstreamOIDCIdentityProviderI) ValidateToken(arg0 context.Context,
 	return ret0, ret1
 }

-// ValidateToken indicates an expected call of ValidateToken
+// ValidateToken indicates an expected call of ValidateToken.
 func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) ValidateToken(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateToken", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).ValidateToken), arg0, arg1, arg2)
--- a/internal/oidc/token_exchange.go
+++ b/internal/oidc/token_exchange.go
@ -40,8 +40,10 @@ type TokenExchangeHandler struct {
 	accessTokenStorage  oauth2.AccessTokenStorage
 }

+var _ fosite.TokenEndpointHandler = (*TokenExchangeHandler)(nil)
+
 func (t *TokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error {
-	if !(requester.GetGrantTypes().ExactOne("urn:ietf:params:oauth:grant-type:token-exchange")) {
+	if !t.CanHandleTokenEndpointRequest(requester) {
 		return errors.WithStack(fosite.ErrUnknownRequest)
 	}
 	return nil
@ -139,3 +141,11 @@ func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requeste
 	}
 	return originalRequester, nil
 }
+
+func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool {
+	return false
+}
+
+func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
+	return requester.GetGrantTypes().ExactOne("urn:ietf:params:oauth:grant-type:token-exchange")
+}
--- a/site/config.yaml
+++ b/site/config.yaml
@ -32,3 +32,5 @@ related:
    weight: 50
  threshold: 0
  toLower: true
+
+enableGitInfo: true
--- a/site/content/docs/_index.md
+++ b/site/content/docs/_index.md
@ -1,4 +1,5 @@
 ---
+title: Getting Started with Pinniped
 cascade:
  layout: docs
 menu:
@ -7,8 +8,6 @@ menu:
    weight: 1
 ---

-# Getting started with Pinniped
-
 Pinniped is an authentication service for Kubernetes clusters.
 As a Kubernetes cluster administrator or user, you can learn how Pinniped works, see how to use it on your clusters, and dive into internals of Pinniped's APIs and architecture.

--- a/site/content/docs/background/_index.md
+++ b/site/content/docs/background/_index.md
@ -1,4 +1,5 @@
 ---
+title: Pinniped Background
 cascade:
  layout: docs
 menu:
@ -8,6 +9,4 @@ menu:
    weight: 110
 ---

-# Pinniped background
-
 {{< docsmenu "background" >}}
--- a/site/content/docs/reference/_index.md
+++ b/site/content/docs/reference/_index.md
@ -1,4 +1,5 @@
 ---
+title: Pinniped Reference
 cascade:
  layout: docs
 menu:
@ -8,6 +9,4 @@ menu:
    weight: 100
 ---

-# Pinniped reference
-
 {{< docsmenu "reference" >}}
--- a/site/content/docs/tutorials/_index.md
+++ b/site/content/docs/tutorials/_index.md
@ -1,4 +1,5 @@
 ---
+title: Pinniped Tutorials
 cascade:
  layout: docs
 menu:
@ -8,8 +9,6 @@ menu:
    weight: 40
 ---

-# Pinniped tutorials
-
 These tutorials demonstrate how to use the Pinniped command-line tool, Concierge, and Supervisor:

 {{< docsmenu "tutorials" >}}