supervisor-oidc: add OIDCProviderConfig CRD

This will hopefully come in handy later if we ever decide to add
support for multiple OIDC providers as a part of one supervisor.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

apis/config/v1alpha1/types_oidcproviderconfig.go.tmpl

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"status"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

deploy/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,65 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/README.adoc

@@ -95,6 +95,45 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.17/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"status"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.17/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,79 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,115 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.17/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,161 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
+	Update(*v1alpha1.OIDCProviderConfig) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Body(oIDCProviderConfig).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(oIDCProviderConfig *v1alpha1.OIDCProviderConfig) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		Body(oIDCProviderConfig).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.17/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.17/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.17/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.17/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                   schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":               schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition":                               schema_117_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec":                                 schema_117_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -286,6 +289,114 @@ func schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+				},
+				Required: []string{"status"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
 func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.17/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,65 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.18/README.adoc

@@ -95,6 +95,45 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.18/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"status"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.18/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,79 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,117 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.18/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,165 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.18/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.18/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.18/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.18/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                   schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":               schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition":                               schema_118_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec":                                 schema_118_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -286,6 +289,114 @@ func schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+				},
+				Required: []string{"status"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
 func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.18/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,65 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.19/README.adoc

@@ -95,6 +95,45 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfig"]
+==== OIDCProviderConfig 
+
+OIDCProviderConfig describes the configuration of an OIDC provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfiglist[$$OIDCProviderConfigList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigspec[$$OIDCProviderConfigSpec$$]__ | Spec of the OIDC provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfigspec"]
+==== OIDCProviderConfigSpec 
+
+OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-config-v1alpha1-oidcproviderconfig[$$OIDCProviderConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
+ See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+|===
+
+
 
 [id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
 === idp.pinniped.dev/v1alpha1

generated/1.19/apis/config/v1alpha1/types_oidcproviderconfig.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OIDCProviderConfigSpec is a struct that describes an OIDC Provider.
+type OIDCProviderConfigSpec struct {
+	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
+	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
+	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
+	// https://example.com/foo, then your authorization endpoint will look like
+	// https://example.com/foo/some/path/to/auth/endpoint).
+	//
+	// See
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+}
+
+// OIDCProviderConfig describes the configuration of an OIDC provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=opc
+type OIDCProviderConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec of the OIDC provider.
+	Spec OIDCProviderConfigSpec `json:"status"`
+}
+
+// List of OIDCProviderConfig objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OIDCProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCProviderConfig `json:"items"`
+}

generated/1.19/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -131,3 +131,79 @@ func (in *CredentialIssuerConfigStrategy) DeepCopy() *CredentialIssuerConfigStra
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfig) DeepCopyInto(out *OIDCProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfig.
+func (in *OIDCProviderConfig) DeepCopy() *OIDCProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigList) DeepCopyInto(out *OIDCProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigList.
+func (in *OIDCProviderConfigList) DeepCopy() *OIDCProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderConfigSpec) DeepCopyInto(out *OIDCProviderConfigSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderConfigSpec.
+func (in *OIDCProviderConfigSpec) DeepCopy() *OIDCProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/config_client.go

@@ -14,6 +14,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	CredentialIssuerConfigsGetter
+	OIDCProviderConfigsGetter
 }
 
 // ConfigV1alpha1Client is used to interact with features provided by the config.pinniped.dev group.
@@ -25,6 +26,10 @@ func (c *ConfigV1alpha1Client) CredentialIssuerConfigs(namespace string) Credent
 	return newCredentialIssuerConfigs(c, namespace)
 }
 
+func (c *ConfigV1alpha1Client) OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface {
+	return newOIDCProviderConfigs(c, namespace)
+}
+
 // NewForConfig creates a new ConfigV1alpha1Client for the given config.
 func NewForConfig(c *rest.Config) (*ConfigV1alpha1Client, error) {
 	config := *c

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go

@@ -19,6 +19,10 @@ func (c *FakeConfigV1alpha1) CredentialIssuerConfigs(namespace string) v1alpha1.
 	return &FakeCredentialIssuerConfigs{c, namespace}
 }
 
+func (c *FakeConfigV1alpha1) OIDCProviderConfigs(namespace string) v1alpha1.OIDCProviderConfigInterface {
+	return &FakeOIDCProviderConfigs{c, namespace}
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeConfigV1alpha1) RESTClient() rest.Interface {

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake/fake_oidcproviderconfig.go

@@ -0,0 +1,117 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCProviderConfigs implements OIDCProviderConfigInterface
+type FakeOIDCProviderConfigs struct {
+	Fake *FakeConfigV1alpha1
+	ns   string
+}
+
+var oidcproviderconfigsResource = schema.GroupVersionResource{Group: "config.pinniped.dev", Version: "v1alpha1", Resource: "oidcproviderconfigs"}
+
+var oidcproviderconfigsKind = schema.GroupVersionKind{Group: "config.pinniped.dev", Version: "v1alpha1", Kind: "OIDCProviderConfig"}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *FakeOIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *FakeOIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(oidcproviderconfigsResource, oidcproviderconfigsKind, c.ns, opts), &v1alpha1.OIDCProviderConfigList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OIDCProviderConfigList{ListMeta: obj.(*v1alpha1.OIDCProviderConfigList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OIDCProviderConfigList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *FakeOIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(oidcproviderconfigsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *FakeOIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(oidcproviderconfigsResource, c.ns, oIDCProviderConfig), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *FakeOIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(oidcproviderconfigsResource, c.ns, name), &v1alpha1.OIDCProviderConfig{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(oidcproviderconfigsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OIDCProviderConfigList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *FakeOIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(oidcproviderconfigsResource, c.ns, name, pt, data, subresources...), &v1alpha1.OIDCProviderConfig{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), err
+}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/generated_expansion.go

@@ -6,3 +6,5 @@
 package v1alpha1
 
 type CredentialIssuerConfigExpansion interface{}
+
+type OIDCProviderConfigExpansion interface{}

generated/1.19/client/clientset/versioned/typed/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,165 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCProviderConfigsGetter has a method to return a OIDCProviderConfigInterface.
+// A group's client should implement this interface.
+type OIDCProviderConfigsGetter interface {
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigInterface
+}
+
+// OIDCProviderConfigInterface has methods to work with OIDCProviderConfig resources.
+type OIDCProviderConfigInterface interface {
+	Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (*v1alpha1.OIDCProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OIDCProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OIDCProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error)
+	OIDCProviderConfigExpansion
+}
+
+// oIDCProviderConfigs implements OIDCProviderConfigInterface
+type oIDCProviderConfigs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCProviderConfigs returns a OIDCProviderConfigs
+func newOIDCProviderConfigs(c *ConfigV1alpha1Client, namespace string) *oIDCProviderConfigs {
+	return &oIDCProviderConfigs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the oIDCProviderConfig, and returns the corresponding oIDCProviderConfig object, and an error if there is any.
+func (c *oIDCProviderConfigs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OIDCProviderConfigs that match those selectors.
+func (c *oIDCProviderConfigs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OIDCProviderConfigList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OIDCProviderConfigList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested oIDCProviderConfigs.
+func (c *oIDCProviderConfigs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a oIDCProviderConfig and creates it.  Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Create(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.CreateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a oIDCProviderConfig and updates it. Returns the server's representation of the oIDCProviderConfig, and an error, if there is any.
+func (c *oIDCProviderConfigs) Update(ctx context.Context, oIDCProviderConfig *v1alpha1.OIDCProviderConfig, opts v1.UpdateOptions) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(oIDCProviderConfig.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCProviderConfig).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the oIDCProviderConfig and deletes it. Returns an error if one occurs.
+func (c *oIDCProviderConfigs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *oIDCProviderConfigs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched oIDCProviderConfig.
+func (c *oIDCProviderConfigs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OIDCProviderConfig, err error) {
+	result = &v1alpha1.OIDCProviderConfig{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("oidcproviderconfigs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.19/client/informers/externalversions/config/v1alpha1/interface.go

@@ -13,6 +13,8 @@ import (
 type Interface interface {
 	// CredentialIssuerConfigs returns a CredentialIssuerConfigInformer.
 	CredentialIssuerConfigs() CredentialIssuerConfigInformer
+	// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+	OIDCProviderConfigs() OIDCProviderConfigInformer
 }
 
 type version struct {
@@ -30,3 +32,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) CredentialIssuerConfigs() CredentialIssuerConfigInformer {
 	return &credentialIssuerConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
+
+// OIDCProviderConfigs returns a OIDCProviderConfigInformer.
+func (v *version) OIDCProviderConfigs() OIDCProviderConfigInformer {
+	return &oIDCProviderConfigInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.19/client/informers/externalversions/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigInformer provides access to a shared informer and lister for
+// OIDCProviderConfigs.
+type OIDCProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OIDCProviderConfigLister
+}
+
+type oIDCProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOIDCProviderConfigInformer constructs a new informer for OIDCProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOIDCProviderConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().OIDCProviderConfigs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&configv1alpha1.OIDCProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *oIDCProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOIDCProviderConfigInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *oIDCProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&configv1alpha1.OIDCProviderConfig{}, f.defaultInformer)
+}
+
+func (f *oIDCProviderConfigInformer) Lister() v1alpha1.OIDCProviderConfigLister {
+	return v1alpha1.NewOIDCProviderConfigLister(f.Informer().GetIndexer())
+}

generated/1.19/client/informers/externalversions/generic.go

@@ -44,6 +44,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	// Group=config.pinniped.dev, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):

generated/1.19/client/listers/config/v1alpha1/expansion_generated.go

@@ -12,3 +12,11 @@ type CredentialIssuerConfigListerExpansion interface{}
 // CredentialIssuerConfigNamespaceListerExpansion allows custom methods to be added to
 // CredentialIssuerConfigNamespaceLister.
 type CredentialIssuerConfigNamespaceListerExpansion interface{}
+
+// OIDCProviderConfigListerExpansion allows custom methods to be added to
+// OIDCProviderConfigLister.
+type OIDCProviderConfigListerExpansion interface{}
+
+// OIDCProviderConfigNamespaceListerExpansion allows custom methods to be added to
+// OIDCProviderConfigNamespaceLister.
+type OIDCProviderConfigNamespaceListerExpansion interface{}

generated/1.19/client/listers/config/v1alpha1/oidcproviderconfig.go

@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OIDCProviderConfigLister helps list OIDCProviderConfigs.
+// All objects returned here must be treated as read-only.
+type OIDCProviderConfigLister interface {
+	// List lists all OIDCProviderConfigs in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+	OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister
+	OIDCProviderConfigListerExpansion
+}
+
+// oIDCProviderConfigLister implements the OIDCProviderConfigLister interface.
+type oIDCProviderConfigLister struct {
+	indexer cache.Indexer
+}
+
+// NewOIDCProviderConfigLister returns a new OIDCProviderConfigLister.
+func NewOIDCProviderConfigLister(indexer cache.Indexer) OIDCProviderConfigLister {
+	return &oIDCProviderConfigLister{indexer: indexer}
+}
+
+// List lists all OIDCProviderConfigs in the indexer.
+func (s *oIDCProviderConfigLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// OIDCProviderConfigs returns an object that can list and get OIDCProviderConfigs.
+func (s *oIDCProviderConfigLister) OIDCProviderConfigs(namespace string) OIDCProviderConfigNamespaceLister {
+	return oIDCProviderConfigNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OIDCProviderConfigNamespaceLister helps list and get OIDCProviderConfigs.
+// All objects returned here must be treated as read-only.
+type OIDCProviderConfigNamespaceLister interface {
+	// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error)
+	// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.OIDCProviderConfig, error)
+	OIDCProviderConfigNamespaceListerExpansion
+}
+
+// oIDCProviderConfigNamespaceLister implements the OIDCProviderConfigNamespaceLister
+// interface.
+type oIDCProviderConfigNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OIDCProviderConfigs in the indexer for a given namespace.
+func (s oIDCProviderConfigNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OIDCProviderConfig, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OIDCProviderConfig))
+	})
+	return ret, err
+}
+
+// Get retrieves the OIDCProviderConfig from the indexer for a given namespace and name.
+func (s oIDCProviderConfigNamespaceLister) Get(name string) (*v1alpha1.OIDCProviderConfig, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("oidcproviderconfig"), name)
+	}
+	return obj.(*v1alpha1.OIDCProviderConfig), nil
+}

generated/1.19/client/openapi/zz_generated.openapi.go

@@ -22,6 +22,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":           schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                   schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":               schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":               schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition":                               schema_119_apis_idp_v1alpha1_Condition(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec":                                 schema_119_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
@@ -287,6 +290,114 @@ func schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref common.R
 	}
 }
 
+func schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfig describes the configuration of an OIDC provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec of the OIDC provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec"),
+						},
+					},
+				},
+				Required: []string{"status"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderConfigSpec is a struct that describes an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).\n\nSee https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"issuer"},
+			},
+		},
+	}
+}
+
 func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.19/crds/config.pinniped.dev_oidcproviderconfigs.yaml

@@ -0,0 +1,65 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: oidcproviderconfigs.config.pinniped.dev
+spec:
+  group: config.pinniped.dev
+  names:
+    kind: OIDCProviderConfig
+    listKind: OIDCProviderConfigList
+    plural: oidcproviderconfigs
+    shortNames:
+    - opc
+    singular: oidcproviderconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OIDCProviderConfig describes the configuration of an OIDC provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Spec of the OIDC provider.
+            properties:
+              issuer:
+                description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
+                  Metadata document, as well as the identifier that it will use for
+                  the iss claim in issued JWTs. This field will also be used as the
+                  base URL for any endpoints used by the OIDC Provider (e.g., if your
+                  issuer is https://example.com/foo, then your authorization endpoint
+                  will look like https://example.com/foo/some/path/to/auth/endpoint).
+                  \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
+                  for more information."
+                minLength: 1
+                type: string
+            required:
+            - issuer
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

test/integration/supervisor_discovery_test.go

@@ -0,0 +1,37 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package integration
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"go.pinniped.dev/test/library"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestSupervisorOIDCDiscovery(t *testing.T) {
+	env := library.IntegrationEnv(t)
+	client := library.NewPinnipedClientset(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	_, err := client.
+		ConfigV1alpha1().
+		OIDCProviderConfigs(env.Namespace).
+		List(ctx, metav1.ListOptions{})
+	require.NoError(t, err)
+
+	// 0. Create CRD with single issuer field in config group and generate code.
+	// 1. Add test hook that restores these CRDs at the end of the test.
+	// 2. Get all CRDs and save them in an array somewhere; also delete them after we store them.
+	// 3. Test behavior of when we have no CRD - make sure we get the status code that we want back
+	// from the discovery endpoint?
+	// 4. Add a CRD with a known issuer.
+	// 5. Test behavior of when we have a CRD - make sure we get the status code and response body
+	// that we want back from the discovery endpoint?
+}