Merge pull request #114 from mattmoyer/new-token-credential-request-api

New "login.pinniped.dev/v1alpha1" group with TokenCredentialRequest API.

apis/login/doc.go.tmpl

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=login.pinniped.dev
+
+// Package login is the internal version of the Pinniped login API.
+package login

apis/login/register.go.tmpl

@@ -0,0 +1,38 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	return nil
+}

apis/login/types_clustercred.go.tmpl

@@ -0,0 +1,21 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is a credential (token or certificate) which is valid on the Kubernetes cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string
+}

apis/login/types_token.go.tmpl

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string
+}
+
+type TokenCredentialRequestStatus struct {
+	// A ClusterCredential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   TokenCredentialRequestSpec
+	Status TokenCredentialRequestStatus
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of TokenCredentialRequest
+	Items []TokenCredentialRequest
+}

apis/login/v1alpha1/conversion.go.tmpl

@@ -0,0 +1,4 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

apis/login/v1alpha1/defaults.go.tmpl

@@ -0,0 +1,12 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

apis/login/v1alpha1/doc.go.tmpl

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=github.com/suzerain-io/pinniped/GENERATED_PKG/apis/login
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=login.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+package v1alpha1

apis/login/v1alpha1/register.go.tmpl

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

apis/login/v1alpha1/types_clustercred.go.tmpl

@@ -0,0 +1,22 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string `json:"clientCertificateData,omitempty"`
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string `json:"clientKeyData,omitempty"`
+}

apis/login/v1alpha1/types_token.go.tmpl

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string `json:"token,omitempty"`
+}
+
+// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential `json:"credential,omitempty"`
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TokenCredentialRequestSpec   `json:"spec,omitempty"`
+	Status TokenCredentialRequestStatus `json:"status,omitempty"`
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TokenCredentialRequest `json:"items"`
+}

cmd/pinniped/cmd/exchange_credential.go

@@ -75,7 +75,7 @@ func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchange
 }
 
 type envGetter func(string) (string, bool)
-type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error)
+type tokenExchanger func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error)
 
 const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set")
 
@@ -91,6 +91,11 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
+	namespace, varExists := envGetter("PINNIPED_NAMESPACE")
+	if !varExists {
+		return envVarNotSetError("PINNIPED_NAMESPACE")
+	}
+
 	token, varExists := envGetter("PINNIPED_TOKEN")
 	if !varExists {
 		return envVarNotSetError("PINNIPED_TOKEN")
@@ -106,7 +111,7 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 		return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
 	}
 
-	cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint)
+	cred, err := tokenExchanger(ctx, namespace, token, caBundle, apiEndpoint)
 	if err != nil {
 		return fmt.Errorf("failed to get credential: %w", err)
 	}

cmd/pinniped/cmd/exchange_credential_test.go

@@ -135,6 +135,7 @@ func TestExchangeCredential(t *testing.T) {
 			r = require.New(t)
 			buffer = new(bytes.Buffer)
 			fakeEnv = map[string]string{
+				"PINNIPED_NAMESPACE":        "namespace from env",
 				"PINNIPED_TOKEN":            "token from env",
 				"PINNIPED_CA_BUNDLE":        "ca bundle from env",
 				"PINNIPED_K8S_API_ENDPOINT": "k8s api from env",
@@ -142,6 +143,12 @@ func TestExchangeCredential(t *testing.T) {
 		})
 
 		when("env vars are missing", func() {
+			it("returns an error when PINNIPED_NAMESPACE is missing", func() {
+				delete(fakeEnv, "PINNIPED_NAMESPACE")
+				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
+				r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_NAMESPACE")
+			})
+
 			it("returns an error when PINNIPED_TOKEN is missing", func() {
 				delete(fakeEnv, "PINNIPED_TOKEN")
 				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
@@ -163,7 +170,7 @@ func TestExchangeCredential(t *testing.T) {
 
 		when("the token exchange fails", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					return nil, fmt.Errorf("some error")
 				}
 			})
@@ -176,7 +183,7 @@ func TestExchangeCredential(t *testing.T) {
 
 		when("the JSON encoder fails", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					return &clientauthenticationv1beta1.ExecCredential{
 						Status: &clientauthenticationv1beta1.ExecCredentialStatus{
 							Token: "some token",
@@ -193,7 +200,7 @@ func TestExchangeCredential(t *testing.T) {
 
 		when("the token exchange times out", func() {
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
 					select {
 					case <-time.After(100 * time.Millisecond):
 						return &clientauthenticationv1beta1.ExecCredential{
@@ -214,11 +221,11 @@ func TestExchangeCredential(t *testing.T) {
 		})
 
 		when("the token exchange succeeds", func() {
-			var actualToken, actualCaBundle, actualAPIEndpoint string
+			var actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint string
 
 			it.Before(func() {
-				tokenExchanger = func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
+				tokenExchanger = func(ctx context.Context, namespace, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
-					actualToken, actualCaBundle, actualAPIEndpoint = token, caBundle, apiEndpoint
+					actualNamespace, actualToken, actualCaBundle, actualAPIEndpoint = namespace, token, caBundle, apiEndpoint
 					now := metav1.NewTime(time.Date(2020, 7, 29, 1, 2, 3, 0, time.UTC))
 					return &clientauthenticationv1beta1.ExecCredential{
 						TypeMeta: metav1.TypeMeta{
@@ -238,6 +245,7 @@ func TestExchangeCredential(t *testing.T) {
 			it("writes the execCredential to the given writer", func() {
 				err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
 				r.NoError(err)
+				r.Equal(fakeEnv["PINNIPED_NAMESPACE"], actualNamespace)
 				r.Equal(fakeEnv["PINNIPED_TOKEN"], actualToken)
 				r.Equal(fakeEnv["PINNIPED_CA_BUNDLE"], actualCaBundle)
 				r.Equal(fakeEnv["PINNIPED_K8S_API_ENDPOINT"], actualAPIEndpoint)

deploy/deployment.yaml

@@ -173,3 +173,20 @@ spec:
     name: pinniped-api
     namespace: #@ data.values.namespace
     port: 443
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.login.pinniped.dev
+  labels:
+    app: #@ data.values.app_name
+spec:
+  version: v1alpha1
+  group: login.pinniped.dev
+  groupPriorityMinimum: 2500
+  versionPriority: 10
+  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
+  service:
+    name: pinniped-api
+    namespace: #@ data.values.namespace
+    port: 443

deploy/rbac.yaml

@@ -104,6 +104,9 @@ rules:
   - apiGroups: [pinniped.dev]
     resources: [credentialrequests]
     verbs: [create]
+  - apiGroups: [login.pinniped.dev]
+    resources: [tokencredentialrequests]
+    verbs: [create]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

generated/1.17/README.adoc

@@ -7,6 +7,7 @@
 .Packages
 - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-login-pinniped-dev-v1alpha1[$$login.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
 
 
@@ -200,6 +201,91 @@ Status of a webhook identity provider.
 
 
 
+[id="{anchor_prefix}-login-pinniped-dev-v1alpha1"]
+=== login.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-clustercredential"]
+==== ClusterCredential 
+
+ClusterCredential is the cluster-specific credential returned on a successful credential request. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`expirationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | ExpirationTimestamp indicates a time when the provided credentials expire.
+| *`token`* __string__ | Token is a bearer token used by the client for request authentication.
+| *`clientCertificateData`* __string__ | PEM-encoded client TLS certificates (including intermediates, if any).
+| *`clientKeyData`* __string__ | PEM-encoded private key for the above certificate.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequest"]
+==== TokenCredentialRequest 
+
+TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequestlist[$$TokenCredentialRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequestspec[$$TokenCredentialRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]__ | 
+|===
+
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequestspec"]
+==== TokenCredentialRequestSpec 
+
+TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`token`* __string__ | Bearer token supplied with the credential request.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequeststatus"]
+==== TokenCredentialRequestStatus 
+
+TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`credential`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-login-v1alpha1-clustercredential[$$ClusterCredential$$]__ | A Credential will be returned for a successful credential request.
+| *`message`* __string__ | An error message will be returned for an unsuccessful credential request.
+|===
+
+
+
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 

generated/1.17/apis/login/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=login.pinniped.dev
+
+// Package login is the internal version of the Pinniped login API.
+package login

generated/1.17/apis/login/register.go

@@ -0,0 +1,38 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	return nil
+}

generated/1.17/apis/login/types_clustercred.go

@@ -0,0 +1,21 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is a credential (token or certificate) which is valid on the Kubernetes cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string
+}

generated/1.17/apis/login/types_token.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string
+}
+
+type TokenCredentialRequestStatus struct {
+	// A ClusterCredential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   TokenCredentialRequestSpec
+	Status TokenCredentialRequestStatus
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of TokenCredentialRequest
+	Items []TokenCredentialRequest
+}

generated/1.17/apis/login/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.17/apis/login/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.17/apis/login/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.17/apis/login
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=login.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+package v1alpha1

generated/1.17/apis/login/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.17/apis/login/v1alpha1/types_clustercred.go

@@ -0,0 +1,22 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string `json:"clientCertificateData,omitempty"`
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string `json:"clientKeyData,omitempty"`
+}

generated/1.17/apis/login/v1alpha1/types_token.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string `json:"token,omitempty"`
+}
+
+// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential `json:"credential,omitempty"`
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TokenCredentialRequestSpec   `json:"spec,omitempty"`
+	Status TokenCredentialRequestStatus `json:"status,omitempty"`
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TokenCredentialRequest `json:"items"`
+}

generated/1.17/apis/login/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,198 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	login "github.com/suzerain-io/pinniped/generated/1.17/apis/login"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*ClusterCredential)(nil), (*login.ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(a.(*ClusterCredential), b.(*login.ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.ClusterCredential)(nil), (*ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(a.(*login.ClusterCredential), b.(*ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequest)(nil), (*login.TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(a.(*TokenCredentialRequest), b.(*login.TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequest)(nil), (*TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(a.(*login.TokenCredentialRequest), b.(*TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestList)(nil), (*login.TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(a.(*TokenCredentialRequestList), b.(*login.TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestList)(nil), (*TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(a.(*login.TokenCredentialRequestList), b.(*TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestSpec)(nil), (*login.TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(a.(*TokenCredentialRequestSpec), b.(*login.TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestSpec)(nil), (*TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(a.(*login.TokenCredentialRequestSpec), b.(*TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestStatus)(nil), (*login.TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(a.(*TokenCredentialRequestStatus), b.(*login.TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestStatus)(nil), (*TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(a.(*login.TokenCredentialRequestStatus), b.(*TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential is an autogenerated conversion function.
+func Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in, out, s)
+}
+
+func autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential is an autogenerated conversion function.
+func Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	return autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]login.TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*login.ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in, out, s)
+}

generated/1.17/apis/login/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/apis/login/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,19 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.17/apis/login/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package login
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/client/clientset/versioned/clientset.go

@@ -10,6 +10,7 @@ import (
 
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -20,6 +21,7 @@ type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface
 	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
+	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 	PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface
 }
 
@@ -29,6 +31,7 @@ type Clientset struct {
 	*discovery.DiscoveryClient
 	crdV1alpha1      *crdv1alpha1.CrdV1alpha1Client
 	iDPV1alpha1      *idpv1alpha1.IDPV1alpha1Client
+	loginV1alpha1    *loginv1alpha1.LoginV1alpha1Client
 	pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client
 }
 
@@ -42,6 +45,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return c.iDPV1alpha1
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return c.loginV1alpha1
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return c.pinnipedV1alpha1
@@ -76,6 +84,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.loginV1alpha1, err = loginv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 	cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
@@ -94,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c)
 	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
+	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -105,6 +118,7 @@ func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.New(c)
 	cs.iDPV1alpha1 = idpv1alpha1.New(c)
+	cs.loginV1alpha1 = loginv1alpha1.New(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)

generated/1.17/client/clientset/versioned/fake/clientset_generated.go

@@ -11,6 +11,8 @@ import (
 	fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
 	fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
+	fakeloginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1"
 	fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -77,6 +79,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake}

generated/1.17/client/clientset/versioned/fake/register.go

@@ -8,6 +8,7 @@ package fake
 import (
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -22,6 +23,7 @@ var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	crdv1alpha1.AddToScheme,
 	idpv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
 	pinnipedv1alpha1.AddToScheme,
 }
 

generated/1.17/client/clientset/versioned/scheme/register.go

@@ -8,6 +8,7 @@ package scheme
 import (
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -22,6 +23,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	crdv1alpha1.AddToScheme,
 	idpv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
 	pinnipedv1alpha1.AddToScheme,
 }
 

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeLoginV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeLoginV1alpha1) TokenCredentialRequests(namespace string) v1alpha1.TokenCredentialRequestInterface {
+	return &FakeTokenCredentialRequests{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeLoginV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go

@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeTokenCredentialRequests implements TokenCredentialRequestInterface
+type FakeTokenCredentialRequests struct {
+	Fake *FakeLoginV1alpha1
+	ns   string
+}
+
+var tokencredentialrequestsResource = schema.GroupVersionResource{Group: "login.pinniped.dev", Version: "v1alpha1", Resource: "tokencredentialrequests"}
+
+var tokencredentialrequestsKind = schema.GroupVersionKind{Group: "login.pinniped.dev", Version: "v1alpha1", Kind: "TokenCredentialRequest"}
+
+// Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
+func (c *FakeTokenCredentialRequests) Get(name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
+func (c *FakeTokenCredentialRequests) List(opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, c.ns, opts), &v1alpha1.TokenCredentialRequestList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.TokenCredentialRequestList{ListMeta: obj.(*v1alpha1.TokenCredentialRequestList).ListMeta}
+	for _, item := range obj.(*v1alpha1.TokenCredentialRequestList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
+func (c *FakeTokenCredentialRequests) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(tokencredentialrequestsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *FakeTokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *FakeTokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeTokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (*v1alpha1.TokenCredentialRequest, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(tokencredentialrequestsResource, "status", c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
+func (c *FakeTokenCredentialRequests) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeTokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(tokencredentialrequestsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.TokenCredentialRequestList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched tokenCredentialRequest.
+func (c *FakeTokenCredentialRequests) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(tokencredentialrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type TokenCredentialRequestExpansion interface{}

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/login_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
+	"github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type LoginV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	TokenCredentialRequestsGetter
+}
+
+// LoginV1alpha1Client is used to interact with features provided by the login.pinniped.dev group.
+type LoginV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *LoginV1alpha1Client) TokenCredentialRequests(namespace string) TokenCredentialRequestInterface {
+	return newTokenCredentialRequests(c, namespace)
+}
+
+// NewForConfig creates a new LoginV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*LoginV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new LoginV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *LoginV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new LoginV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *LoginV1alpha1Client {
+	return &LoginV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *LoginV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.17/client/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
+	scheme "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// TokenCredentialRequestsGetter has a method to return a TokenCredentialRequestInterface.
+// A group's client should implement this interface.
+type TokenCredentialRequestsGetter interface {
+	TokenCredentialRequests(namespace string) TokenCredentialRequestInterface
+}
+
+// TokenCredentialRequestInterface has methods to work with TokenCredentialRequest resources.
+type TokenCredentialRequestInterface interface {
+	Create(*v1alpha1.TokenCredentialRequest) (*v1alpha1.TokenCredentialRequest, error)
+	Update(*v1alpha1.TokenCredentialRequest) (*v1alpha1.TokenCredentialRequest, error)
+	UpdateStatus(*v1alpha1.TokenCredentialRequest) (*v1alpha1.TokenCredentialRequest, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.TokenCredentialRequest, error)
+	List(opts v1.ListOptions) (*v1alpha1.TokenCredentialRequestList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error)
+	TokenCredentialRequestExpansion
+}
+
+// tokenCredentialRequests implements TokenCredentialRequestInterface
+type tokenCredentialRequests struct {
+	client rest.Interface
+	ns     string
+}
+
+// newTokenCredentialRequests returns a TokenCredentialRequests
+func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *tokenCredentialRequests {
+	return &tokenCredentialRequests{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
+func (c *tokenCredentialRequests) Get(name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
+func (c *tokenCredentialRequests) List(opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.TokenCredentialRequestList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
+func (c *tokenCredentialRequests) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *tokenCredentialRequests) Create(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Body(tokenCredentialRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *tokenCredentialRequests) Update(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(tokenCredentialRequest.Name).
+		Body(tokenCredentialRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *tokenCredentialRequests) UpdateStatus(tokenCredentialRequest *v1alpha1.TokenCredentialRequest) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(tokenCredentialRequest.Name).
+		SubResource("status").
+		Body(tokenCredentialRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
+func (c *tokenCredentialRequests) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *tokenCredentialRequests) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched tokenCredentialRequest.
+func (c *tokenCredentialRequests) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/informers/externalversions/factory.go

@@ -14,6 +14,7 @@ import (
 	crdpinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/crdpinniped"
 	idp "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp"
 	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
+	login "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/login"
 	pinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/pinniped"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -163,6 +164,7 @@ type SharedInformerFactory interface {
 
 	Crd() crdpinniped.Interface
 	IDP() idp.Interface
+	Login() login.Interface
 	Pinniped() pinniped.Interface
 }
 
@@ -174,6 +176,10 @@ func (f *sharedInformerFactory) IDP() idp.Interface {
 	return idp.New(f, f.namespace, f.tweakListOptions)
 }
 
+func (f *sharedInformerFactory) Login() login.Interface {
+	return login.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Pinniped() pinniped.Interface {
 	return pinniped.New(f, f.namespace, f.tweakListOptions)
 }

generated/1.17/client/informers/externalversions/generic.go

@@ -10,6 +10,7 @@ import (
 
 	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
@@ -49,6 +50,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
+		// Group=login.pinniped.dev, Version=v1alpha1
+	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Login().V1alpha1().TokenCredentialRequests().Informer()}, nil
+
 		// Group=pinniped.dev, Version=v1alpha1
 	case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil

generated/1.17/client/informers/externalversions/login/interface.go

@@ -0,0 +1,33 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package login
+
+import (
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/login/v1alpha1"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}

generated/1.17/client/informers/externalversions/login/v1alpha1/interface.go

@@ -0,0 +1,32 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// TokenCredentialRequests returns a TokenCredentialRequestInformer.
+	TokenCredentialRequests() TokenCredentialRequestInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// TokenCredentialRequests returns a TokenCredentialRequestInformer.
+func (v *version) TokenCredentialRequests() TokenCredentialRequestInformer {
+	return &tokenCredentialRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.17/client/informers/externalversions/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
+	versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned"
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/listers/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// TokenCredentialRequestInformer provides access to a shared informer and lister for
+// TokenCredentialRequests.
+type TokenCredentialRequestInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.TokenCredentialRequestLister
+}
+
+type tokenCredentialRequestInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredTokenCredentialRequestInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.LoginV1alpha1().TokenCredentialRequests(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.LoginV1alpha1().TokenCredentialRequests(namespace).Watch(options)
+			},
+		},
+		&loginv1alpha1.TokenCredentialRequest{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *tokenCredentialRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredTokenCredentialRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *tokenCredentialRequestInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&loginv1alpha1.TokenCredentialRequest{}, f.defaultInformer)
+}
+
+func (f *tokenCredentialRequestInformer) Lister() v1alpha1.TokenCredentialRequestLister {
+	return v1alpha1.NewTokenCredentialRequestLister(f.Informer().GetIndexer())
+}

generated/1.17/client/listers/login/v1alpha1/expansion_generated.go

@@ -0,0 +1,14 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// TokenCredentialRequestListerExpansion allows custom methods to be added to
+// TokenCredentialRequestLister.
+type TokenCredentialRequestListerExpansion interface{}
+
+// TokenCredentialRequestNamespaceListerExpansion allows custom methods to be added to
+// TokenCredentialRequestNamespaceLister.
+type TokenCredentialRequestNamespaceListerExpansion interface{}

generated/1.17/client/listers/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// TokenCredentialRequestLister helps list TokenCredentialRequests.
+type TokenCredentialRequestLister interface {
+	// List lists all TokenCredentialRequests in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
+	// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
+	TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister
+	TokenCredentialRequestListerExpansion
+}
+
+// tokenCredentialRequestLister implements the TokenCredentialRequestLister interface.
+type tokenCredentialRequestLister struct {
+	indexer cache.Indexer
+}
+
+// NewTokenCredentialRequestLister returns a new TokenCredentialRequestLister.
+func NewTokenCredentialRequestLister(indexer cache.Indexer) TokenCredentialRequestLister {
+	return &tokenCredentialRequestLister{indexer: indexer}
+}
+
+// List lists all TokenCredentialRequests in the indexer.
+func (s *tokenCredentialRequestLister) List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.TokenCredentialRequest))
+	})
+	return ret, err
+}
+
+// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
+func (s *tokenCredentialRequestLister) TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister {
+	return tokenCredentialRequestNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// TokenCredentialRequestNamespaceLister helps list and get TokenCredentialRequests.
+type TokenCredentialRequestNamespaceLister interface {
+	// List lists all TokenCredentialRequests in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
+	// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.TokenCredentialRequest, error)
+	TokenCredentialRequestNamespaceListerExpansion
+}
+
+// tokenCredentialRequestNamespaceLister implements the TokenCredentialRequestNamespaceLister
+// interface.
+type tokenCredentialRequestNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all TokenCredentialRequests in the indexer for a given namespace.
+func (s tokenCredentialRequestNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.TokenCredentialRequest))
+	})
+	return ret, err
+}
+
+// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
+func (s tokenCredentialRequestNamespaceLister) Get(name string) (*v1alpha1.TokenCredentialRequest, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("tokencredentialrequest"), name)
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), nil
+}

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -28,6 +28,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList":                  schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec":                  schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus":                schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.ClusterCredential":                          schema_117_apis_login_v1alpha1_ClusterCredential(ref),
+		"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequest":                     schema_117_apis_login_v1alpha1_TokenCredentialRequest(ref),
+		"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestList":                 schema_117_apis_login_v1alpha1_TokenCredentialRequestList(ref),
+		"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestSpec":                 schema_117_apis_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestStatus":               schema_117_apis_login_v1alpha1_TokenCredentialRequestStatus(ref),
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequest":                       schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref),
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestCredential":             schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref),
 		"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestList":                   schema_117_apis_pinniped_v1alpha1_CredentialRequestList(ref),
@@ -525,6 +530,187 @@ func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.Refer
 	}
 }
 
+func schema_117_apis_login_v1alpha1_ClusterCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ClusterCredential is the cluster-specific credential returned on a successful credential request. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"expirationTimestamp": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ExpirationTimestamp indicates a time when the provided credentials expire.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"token": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Token is a bearer token used by the client for request authentication.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"clientCertificateData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PEM-encoded client TLS certificates (including intermediates, if any).",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"clientKeyData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PEM-encoded private key for the above certificate.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_117_apis_login_v1alpha1_TokenCredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestStatus"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestSpec", "github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_117_apis_login_v1alpha1_TokenCredentialRequestList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestList is a list of TokenCredentialRequest objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequest"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.TokenCredentialRequest", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_117_apis_login_v1alpha1_TokenCredentialRequestSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"token": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Bearer token supplied with the credential request.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_117_apis_login_v1alpha1_TokenCredentialRequestStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"credential": {
+						SchemaProps: spec.SchemaProps{
+							Description: "A Credential will be returned for a successful credential request.",
+							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.ClusterCredential"),
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "An error message will be returned for an unsuccessful credential request.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.17/apis/login/v1alpha1.ClusterCredential"},
+	}
+}
+
 func schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.18/README.adoc

@@ -7,6 +7,7 @@
 .Packages
 - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-login-pinniped-dev-v1alpha1[$$login.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
 
 
@@ -200,6 +201,91 @@ Status of a webhook identity provider.
 
 
 
+[id="{anchor_prefix}-login-pinniped-dev-v1alpha1"]
+=== login.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-clustercredential"]
+==== ClusterCredential 
+
+ClusterCredential is the cluster-specific credential returned on a successful credential request. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`expirationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | ExpirationTimestamp indicates a time when the provided credentials expire.
+| *`token`* __string__ | Token is a bearer token used by the client for request authentication.
+| *`clientCertificateData`* __string__ | PEM-encoded client TLS certificates (including intermediates, if any).
+| *`clientKeyData`* __string__ | PEM-encoded private key for the above certificate.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequest"]
+==== TokenCredentialRequest 
+
+TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequestlist[$$TokenCredentialRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequestspec[$$TokenCredentialRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]__ | 
+|===
+
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequestspec"]
+==== TokenCredentialRequestSpec 
+
+TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`token`* __string__ | Bearer token supplied with the credential request.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequeststatus"]
+==== TokenCredentialRequestStatus 
+
+TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`credential`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-login-v1alpha1-clustercredential[$$ClusterCredential$$]__ | A Credential will be returned for a successful credential request.
+| *`message`* __string__ | An error message will be returned for an unsuccessful credential request.
+|===
+
+
+
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 

generated/1.18/apis/login/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=login.pinniped.dev
+
+// Package login is the internal version of the Pinniped login API.
+package login

generated/1.18/apis/login/register.go

@@ -0,0 +1,38 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	return nil
+}

generated/1.18/apis/login/types_clustercred.go

@@ -0,0 +1,21 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is a credential (token or certificate) which is valid on the Kubernetes cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string
+}

generated/1.18/apis/login/types_token.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string
+}
+
+type TokenCredentialRequestStatus struct {
+	// A ClusterCredential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   TokenCredentialRequestSpec
+	Status TokenCredentialRequestStatus
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of TokenCredentialRequest
+	Items []TokenCredentialRequest
+}

generated/1.18/apis/login/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.18/apis/login/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.18/apis/login/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.18/apis/login
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=login.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+package v1alpha1

generated/1.18/apis/login/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.18/apis/login/v1alpha1/types_clustercred.go

@@ -0,0 +1,22 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string `json:"clientCertificateData,omitempty"`
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string `json:"clientKeyData,omitempty"`
+}

generated/1.18/apis/login/v1alpha1/types_token.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string `json:"token,omitempty"`
+}
+
+// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential `json:"credential,omitempty"`
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TokenCredentialRequestSpec   `json:"spec,omitempty"`
+	Status TokenCredentialRequestStatus `json:"status,omitempty"`
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TokenCredentialRequest `json:"items"`
+}

generated/1.18/apis/login/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,198 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	login "github.com/suzerain-io/pinniped/generated/1.18/apis/login"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*ClusterCredential)(nil), (*login.ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(a.(*ClusterCredential), b.(*login.ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.ClusterCredential)(nil), (*ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(a.(*login.ClusterCredential), b.(*ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequest)(nil), (*login.TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(a.(*TokenCredentialRequest), b.(*login.TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequest)(nil), (*TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(a.(*login.TokenCredentialRequest), b.(*TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestList)(nil), (*login.TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(a.(*TokenCredentialRequestList), b.(*login.TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestList)(nil), (*TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(a.(*login.TokenCredentialRequestList), b.(*TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestSpec)(nil), (*login.TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(a.(*TokenCredentialRequestSpec), b.(*login.TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestSpec)(nil), (*TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(a.(*login.TokenCredentialRequestSpec), b.(*TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestStatus)(nil), (*login.TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(a.(*TokenCredentialRequestStatus), b.(*login.TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestStatus)(nil), (*TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(a.(*login.TokenCredentialRequestStatus), b.(*TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential is an autogenerated conversion function.
+func Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in, out, s)
+}
+
+func autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential is an autogenerated conversion function.
+func Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	return autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]login.TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*login.ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in, out, s)
+}

generated/1.18/apis/login/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/apis/login/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,19 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.18/apis/login/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package login
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/client/clientset/versioned/clientset.go

@@ -10,6 +10,7 @@ import (
 
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -20,6 +21,7 @@ type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface
 	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
+	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 	PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface
 }
 
@@ -29,6 +31,7 @@ type Clientset struct {
 	*discovery.DiscoveryClient
 	crdV1alpha1      *crdv1alpha1.CrdV1alpha1Client
 	iDPV1alpha1      *idpv1alpha1.IDPV1alpha1Client
+	loginV1alpha1    *loginv1alpha1.LoginV1alpha1Client
 	pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client
 }
 
@@ -42,6 +45,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return c.iDPV1alpha1
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return c.loginV1alpha1
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return c.pinnipedV1alpha1
@@ -76,6 +84,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.loginV1alpha1, err = loginv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 	cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
@@ -94,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c)
 	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
+	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -105,6 +118,7 @@ func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.New(c)
 	cs.iDPV1alpha1 = idpv1alpha1.New(c)
+	cs.loginV1alpha1 = loginv1alpha1.New(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)

generated/1.18/client/clientset/versioned/fake/clientset_generated.go

@@ -11,6 +11,8 @@ import (
 	fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
 	fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
+	fakeloginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1"
 	fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -77,6 +79,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake}

generated/1.18/client/clientset/versioned/fake/register.go

@@ -8,6 +8,7 @@ package fake
 import (
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -22,6 +23,7 @@ var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	crdv1alpha1.AddToScheme,
 	idpv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
 	pinnipedv1alpha1.AddToScheme,
 }
 

generated/1.18/client/clientset/versioned/scheme/register.go

@@ -8,6 +8,7 @@ package scheme
 import (
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -22,6 +23,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	crdv1alpha1.AddToScheme,
 	idpv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
 	pinnipedv1alpha1.AddToScheme,
 }
 

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeLoginV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeLoginV1alpha1) TokenCredentialRequests(namespace string) v1alpha1.TokenCredentialRequestInterface {
+	return &FakeTokenCredentialRequests{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeLoginV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeTokenCredentialRequests implements TokenCredentialRequestInterface
+type FakeTokenCredentialRequests struct {
+	Fake *FakeLoginV1alpha1
+	ns   string
+}
+
+var tokencredentialrequestsResource = schema.GroupVersionResource{Group: "login.pinniped.dev", Version: "v1alpha1", Resource: "tokencredentialrequests"}
+
+var tokencredentialrequestsKind = schema.GroupVersionKind{Group: "login.pinniped.dev", Version: "v1alpha1", Kind: "TokenCredentialRequest"}
+
+// Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
+func (c *FakeTokenCredentialRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
+func (c *FakeTokenCredentialRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(tokencredentialrequestsResource, tokencredentialrequestsKind, c.ns, opts), &v1alpha1.TokenCredentialRequestList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.TokenCredentialRequestList{ListMeta: obj.(*v1alpha1.TokenCredentialRequestList).ListMeta}
+	for _, item := range obj.(*v1alpha1.TokenCredentialRequestList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
+func (c *FakeTokenCredentialRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(tokencredentialrequestsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *FakeTokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *FakeTokenCredentialRequests) Update(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(tokencredentialrequestsResource, c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeTokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (*v1alpha1.TokenCredentialRequest, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(tokencredentialrequestsResource, "status", c.ns, tokenCredentialRequest), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}
+
+// Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
+func (c *FakeTokenCredentialRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(tokencredentialrequestsResource, c.ns, name), &v1alpha1.TokenCredentialRequest{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeTokenCredentialRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(tokencredentialrequestsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.TokenCredentialRequestList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched tokenCredentialRequest.
+func (c *FakeTokenCredentialRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(tokencredentialrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.TokenCredentialRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), err
+}

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type TokenCredentialRequestExpansion interface{}

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/login_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
+	"github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type LoginV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	TokenCredentialRequestsGetter
+}
+
+// LoginV1alpha1Client is used to interact with features provided by the login.pinniped.dev group.
+type LoginV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *LoginV1alpha1Client) TokenCredentialRequests(namespace string) TokenCredentialRequestInterface {
+	return newTokenCredentialRequests(c, namespace)
+}
+
+// NewForConfig creates a new LoginV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*LoginV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new LoginV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *LoginV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new LoginV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *LoginV1alpha1Client {
+	return &LoginV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *LoginV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.18/client/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
+	scheme "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// TokenCredentialRequestsGetter has a method to return a TokenCredentialRequestInterface.
+// A group's client should implement this interface.
+type TokenCredentialRequestsGetter interface {
+	TokenCredentialRequests(namespace string) TokenCredentialRequestInterface
+}
+
+// TokenCredentialRequestInterface has methods to work with TokenCredentialRequest resources.
+type TokenCredentialRequestInterface interface {
+	Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (*v1alpha1.TokenCredentialRequest, error)
+	Update(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (*v1alpha1.TokenCredentialRequest, error)
+	UpdateStatus(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (*v1alpha1.TokenCredentialRequest, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.TokenCredentialRequest, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.TokenCredentialRequestList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error)
+	TokenCredentialRequestExpansion
+}
+
+// tokenCredentialRequests implements TokenCredentialRequestInterface
+type tokenCredentialRequests struct {
+	client rest.Interface
+	ns     string
+}
+
+// newTokenCredentialRequests returns a TokenCredentialRequests
+func newTokenCredentialRequests(c *LoginV1alpha1Client, namespace string) *tokenCredentialRequests {
+	return &tokenCredentialRequests{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the tokenCredentialRequest, and returns the corresponding tokenCredentialRequest object, and an error if there is any.
+func (c *tokenCredentialRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of TokenCredentialRequests that match those selectors.
+func (c *tokenCredentialRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.TokenCredentialRequestList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.TokenCredentialRequestList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested tokenCredentialRequests.
+func (c *tokenCredentialRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a tokenCredentialRequest and creates it.  Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *tokenCredentialRequests) Create(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.CreateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(tokenCredentialRequest).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a tokenCredentialRequest and updates it. Returns the server's representation of the tokenCredentialRequest, and an error, if there is any.
+func (c *tokenCredentialRequests) Update(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(tokenCredentialRequest.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(tokenCredentialRequest).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *tokenCredentialRequests) UpdateStatus(ctx context.Context, tokenCredentialRequest *v1alpha1.TokenCredentialRequest, opts v1.UpdateOptions) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(tokenCredentialRequest.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(tokenCredentialRequest).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the tokenCredentialRequest and deletes it. Returns an error if one occurs.
+func (c *tokenCredentialRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *tokenCredentialRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched tokenCredentialRequest.
+func (c *tokenCredentialRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.TokenCredentialRequest, err error) {
+	result = &v1alpha1.TokenCredentialRequest{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("tokencredentialrequests").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/informers/externalversions/factory.go

@@ -14,6 +14,7 @@ import (
 	crdpinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/crdpinniped"
 	idp "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp"
 	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
+	login "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/login"
 	pinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/pinniped"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -163,6 +164,7 @@ type SharedInformerFactory interface {
 
 	Crd() crdpinniped.Interface
 	IDP() idp.Interface
+	Login() login.Interface
 	Pinniped() pinniped.Interface
 }
 
@@ -174,6 +176,10 @@ func (f *sharedInformerFactory) IDP() idp.Interface {
 	return idp.New(f, f.namespace, f.tweakListOptions)
 }
 
+func (f *sharedInformerFactory) Login() login.Interface {
+	return login.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Pinniped() pinniped.Interface {
 	return pinniped.New(f, f.namespace, f.tweakListOptions)
 }

generated/1.18/client/informers/externalversions/generic.go

@@ -10,6 +10,7 @@ import (
 
 	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
@@ -49,6 +50,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
+		// Group=login.pinniped.dev, Version=v1alpha1
+	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Login().V1alpha1().TokenCredentialRequests().Informer()}, nil
+
 		// Group=pinniped.dev, Version=v1alpha1
 	case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil

generated/1.18/client/informers/externalversions/login/interface.go

@@ -0,0 +1,33 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package login
+
+import (
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/login/v1alpha1"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}

generated/1.18/client/informers/externalversions/login/v1alpha1/interface.go

@@ -0,0 +1,32 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// TokenCredentialRequests returns a TokenCredentialRequestInformer.
+	TokenCredentialRequests() TokenCredentialRequestInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// TokenCredentialRequests returns a TokenCredentialRequestInformer.
+func (v *version) TokenCredentialRequests() TokenCredentialRequestInformer {
+	return &tokenCredentialRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.18/client/informers/externalversions/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
+	versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned"
+	internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/listers/login/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// TokenCredentialRequestInformer provides access to a shared informer and lister for
+// TokenCredentialRequests.
+type TokenCredentialRequestInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.TokenCredentialRequestLister
+}
+
+type tokenCredentialRequestInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredTokenCredentialRequestInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredTokenCredentialRequestInformer constructs a new informer for TokenCredentialRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredTokenCredentialRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.LoginV1alpha1().TokenCredentialRequests(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.LoginV1alpha1().TokenCredentialRequests(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&loginv1alpha1.TokenCredentialRequest{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *tokenCredentialRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredTokenCredentialRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *tokenCredentialRequestInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&loginv1alpha1.TokenCredentialRequest{}, f.defaultInformer)
+}
+
+func (f *tokenCredentialRequestInformer) Lister() v1alpha1.TokenCredentialRequestLister {
+	return v1alpha1.NewTokenCredentialRequestLister(f.Informer().GetIndexer())
+}

generated/1.18/client/listers/login/v1alpha1/expansion_generated.go

@@ -0,0 +1,14 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// TokenCredentialRequestListerExpansion allows custom methods to be added to
+// TokenCredentialRequestLister.
+type TokenCredentialRequestListerExpansion interface{}
+
+// TokenCredentialRequestNamespaceListerExpansion allows custom methods to be added to
+// TokenCredentialRequestNamespaceLister.
+type TokenCredentialRequestNamespaceListerExpansion interface{}

generated/1.18/client/listers/login/v1alpha1/tokencredentialrequest.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// TokenCredentialRequestLister helps list TokenCredentialRequests.
+type TokenCredentialRequestLister interface {
+	// List lists all TokenCredentialRequests in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
+	// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
+	TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister
+	TokenCredentialRequestListerExpansion
+}
+
+// tokenCredentialRequestLister implements the TokenCredentialRequestLister interface.
+type tokenCredentialRequestLister struct {
+	indexer cache.Indexer
+}
+
+// NewTokenCredentialRequestLister returns a new TokenCredentialRequestLister.
+func NewTokenCredentialRequestLister(indexer cache.Indexer) TokenCredentialRequestLister {
+	return &tokenCredentialRequestLister{indexer: indexer}
+}
+
+// List lists all TokenCredentialRequests in the indexer.
+func (s *tokenCredentialRequestLister) List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.TokenCredentialRequest))
+	})
+	return ret, err
+}
+
+// TokenCredentialRequests returns an object that can list and get TokenCredentialRequests.
+func (s *tokenCredentialRequestLister) TokenCredentialRequests(namespace string) TokenCredentialRequestNamespaceLister {
+	return tokenCredentialRequestNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// TokenCredentialRequestNamespaceLister helps list and get TokenCredentialRequests.
+type TokenCredentialRequestNamespaceLister interface {
+	// List lists all TokenCredentialRequests in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error)
+	// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.TokenCredentialRequest, error)
+	TokenCredentialRequestNamespaceListerExpansion
+}
+
+// tokenCredentialRequestNamespaceLister implements the TokenCredentialRequestNamespaceLister
+// interface.
+type tokenCredentialRequestNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all TokenCredentialRequests in the indexer for a given namespace.
+func (s tokenCredentialRequestNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.TokenCredentialRequest, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.TokenCredentialRequest))
+	})
+	return ret, err
+}
+
+// Get retrieves the TokenCredentialRequest from the indexer for a given namespace and name.
+func (s tokenCredentialRequestNamespaceLister) Get(name string) (*v1alpha1.TokenCredentialRequest, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("tokencredentialrequest"), name)
+	}
+	return obj.(*v1alpha1.TokenCredentialRequest), nil
+}

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -28,6 +28,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList":                  schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec":                  schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus":                schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.ClusterCredential":                          schema_118_apis_login_v1alpha1_ClusterCredential(ref),
+		"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequest":                     schema_118_apis_login_v1alpha1_TokenCredentialRequest(ref),
+		"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestList":                 schema_118_apis_login_v1alpha1_TokenCredentialRequestList(ref),
+		"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestSpec":                 schema_118_apis_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestStatus":               schema_118_apis_login_v1alpha1_TokenCredentialRequestStatus(ref),
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequest":                       schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref),
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestCredential":             schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref),
 		"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestList":                   schema_118_apis_pinniped_v1alpha1_CredentialRequestList(ref),
@@ -525,6 +530,187 @@ func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.Refer
 	}
 }
 
+func schema_118_apis_login_v1alpha1_ClusterCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ClusterCredential is the cluster-specific credential returned on a successful credential request. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"expirationTimestamp": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ExpirationTimestamp indicates a time when the provided credentials expire.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"token": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Token is a bearer token used by the client for request authentication.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"clientCertificateData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PEM-encoded client TLS certificates (including intermediates, if any).",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"clientKeyData": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PEM-encoded private key for the above certificate.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_118_apis_login_v1alpha1_TokenCredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestStatus"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestSpec", "github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_118_apis_login_v1alpha1_TokenCredentialRequestList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestList is a list of TokenCredentialRequest objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequest"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.TokenCredentialRequest", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_118_apis_login_v1alpha1_TokenCredentialRequestSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"token": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Bearer token supplied with the credential request.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_118_apis_login_v1alpha1_TokenCredentialRequestStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"credential": {
+						SchemaProps: spec.SchemaProps{
+							Description: "A Credential will be returned for a successful credential request.",
+							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.ClusterCredential"),
+						},
+					},
+					"message": {
+						SchemaProps: spec.SchemaProps{
+							Description: "An error message will be returned for an unsuccessful credential request.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/suzerain-io/pinniped/generated/1.18/apis/login/v1alpha1.ClusterCredential"},
+	}
+}
+
 func schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.19/README.adoc

@@ -7,6 +7,7 @@
 .Packages
 - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-login-pinniped-dev-v1alpha1[$$login.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
 
 
@@ -200,6 +201,91 @@ Status of a webhook identity provider.
 
 
 
+[id="{anchor_prefix}-login-pinniped-dev-v1alpha1"]
+=== login.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-clustercredential"]
+==== ClusterCredential 
+
+ClusterCredential is the cluster-specific credential returned on a successful credential request. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`expirationTimestamp`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | ExpirationTimestamp indicates a time when the provided credentials expire.
+| *`token`* __string__ | Token is a bearer token used by the client for request authentication.
+| *`clientCertificateData`* __string__ | PEM-encoded client TLS certificates (including intermediates, if any).
+| *`clientKeyData`* __string__ | PEM-encoded private key for the above certificate.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequest"]
+==== TokenCredentialRequest 
+
+TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequestlist[$$TokenCredentialRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequestspec[$$TokenCredentialRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequeststatus[$$TokenCredentialRequestStatus$$]__ | 
+|===
+
+
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequestspec"]
+==== TokenCredentialRequestSpec 
+
+TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`token`* __string__ | Bearer token supplied with the credential request.
+|===
+
+
+[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequeststatus"]
+==== TokenCredentialRequestStatus 
+
+TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-tokencredentialrequest[$$TokenCredentialRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`credential`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-login-v1alpha1-clustercredential[$$ClusterCredential$$]__ | A Credential will be returned for a successful credential request.
+| *`message`* __string__ | An error message will be returned for an unsuccessful credential request.
+|===
+
+
+
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 

generated/1.19/apis/login/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=login.pinniped.dev
+
+// Package login is the internal version of the Pinniped login API.
+package login

generated/1.19/apis/login/register.go

@@ -0,0 +1,38 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	return nil
+}

generated/1.19/apis/login/types_clustercred.go

@@ -0,0 +1,21 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is a credential (token or certificate) which is valid on the Kubernetes cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string
+}

generated/1.19/apis/login/types_token.go

@@ -0,0 +1,42 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string
+}
+
+type TokenCredentialRequestStatus struct {
+	// A ClusterCredential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec   TokenCredentialRequestSpec
+	Status TokenCredentialRequestStatus
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of TokenCredentialRequest
+	Items []TokenCredentialRequest
+}

generated/1.19/apis/login/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.19/apis/login/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.19/apis/login/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.19/apis/login
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=login.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.
+package v1alpha1

generated/1.19/apis/login/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "login.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenCredentialRequest{},
+		&TokenCredentialRequestList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.19/apis/login/v1alpha1/types_clustercred.go

@@ -0,0 +1,22 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
+// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
+type ClusterCredential struct {
+	// ExpirationTimestamp indicates a time when the provided credentials expire.
+	ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
+
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+
+	// PEM-encoded client TLS certificates (including intermediates, if any).
+	ClientCertificateData string `json:"clientCertificateData,omitempty"`
+
+	// PEM-encoded private key for the above certificate.
+	ClientKeyData string `json:"clientKeyData,omitempty"`
+}

generated/1.19/apis/login/v1alpha1/types_token.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
+type TokenCredentialRequestSpec struct {
+	// Bearer token supplied with the credential request.
+	Token string `json:"token,omitempty"`
+}
+
+// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
+type TokenCredentialRequestStatus struct {
+	// A Credential will be returned for a successful credential request.
+	// +optional
+	Credential *ClusterCredential `json:"credential,omitempty"`
+
+	// An error message will be returned for an unsuccessful credential request.
+	// +optional
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TokenCredentialRequestSpec   `json:"spec,omitempty"`
+	Status TokenCredentialRequestStatus `json:"status,omitempty"`
+}
+
+// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TokenCredentialRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TokenCredentialRequest `json:"items"`
+}

generated/1.19/apis/login/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,198 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	unsafe "unsafe"
+
+	login "github.com/suzerain-io/pinniped/generated/1.19/apis/login"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*ClusterCredential)(nil), (*login.ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(a.(*ClusterCredential), b.(*login.ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.ClusterCredential)(nil), (*ClusterCredential)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(a.(*login.ClusterCredential), b.(*ClusterCredential), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequest)(nil), (*login.TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(a.(*TokenCredentialRequest), b.(*login.TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequest)(nil), (*TokenCredentialRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(a.(*login.TokenCredentialRequest), b.(*TokenCredentialRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestList)(nil), (*login.TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(a.(*TokenCredentialRequestList), b.(*login.TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestList)(nil), (*TokenCredentialRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(a.(*login.TokenCredentialRequestList), b.(*TokenCredentialRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestSpec)(nil), (*login.TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(a.(*TokenCredentialRequestSpec), b.(*login.TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestSpec)(nil), (*TokenCredentialRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(a.(*login.TokenCredentialRequestSpec), b.(*TokenCredentialRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TokenCredentialRequestStatus)(nil), (*login.TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(a.(*TokenCredentialRequestStatus), b.(*login.TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*login.TokenCredentialRequestStatus)(nil), (*TokenCredentialRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(a.(*login.TokenCredentialRequestStatus), b.(*TokenCredentialRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential is an autogenerated conversion function.
+func Convert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in *ClusterCredential, out *login.ClusterCredential, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterCredential_To_login_ClusterCredential(in, out, s)
+}
+
+func autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	out.ExpirationTimestamp = in.ExpirationTimestamp
+	out.Token = in.Token
+	out.ClientCertificateData = in.ClientCertificateData
+	out.ClientKeyData = in.ClientKeyData
+	return nil
+}
+
+// Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential is an autogenerated conversion function.
+func Convert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in *login.ClusterCredential, out *ClusterCredential, s conversion.Scope) error {
+	return autoConvert_login_ClusterCredential_To_v1alpha1_ClusterCredential(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in *TokenCredentialRequest, out *login.TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequest_To_login_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in *login.TokenCredentialRequest, out *TokenCredentialRequest, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequest_To_v1alpha1_TokenCredentialRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]login.TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in *TokenCredentialRequestList, out *login.TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestList_To_login_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]TokenCredentialRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in *login.TokenCredentialRequestList, out *TokenCredentialRequestList, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestList_To_v1alpha1_TokenCredentialRequestList(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in *TokenCredentialRequestSpec, out *login.TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestSpec_To_login_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	out.Token = in.Token
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in *login.TokenCredentialRequestSpec, out *TokenCredentialRequestSpec, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestSpec_To_v1alpha1_TokenCredentialRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*login.ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in *TokenCredentialRequestStatus, out *login.TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TokenCredentialRequestStatus_To_login_TokenCredentialRequestStatus(in, out, s)
+}
+
+func autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	out.Credential = (*ClusterCredential)(unsafe.Pointer(in.Credential))
+	out.Message = (*string)(unsafe.Pointer(in.Message))
+	return nil
+}
+
+// Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus is an autogenerated conversion function.
+func Convert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in *login.TokenCredentialRequestStatus, out *TokenCredentialRequestStatus, s conversion.Scope) error {
+	return autoConvert_login_TokenCredentialRequestStatus_To_v1alpha1_TokenCredentialRequestStatus(in, out, s)
+}

generated/1.19/apis/login/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/apis/login/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,19 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.19/apis/login/zz_generated.deepcopy.go

@@ -0,0 +1,132 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package login
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCredential) DeepCopyInto(out *ClusterCredential) {
+	*out = *in
+	in.ExpirationTimestamp.DeepCopyInto(&out.ExpirationTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCredential.
+func (in *ClusterCredential) DeepCopy() *ClusterCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequest) DeepCopyInto(out *TokenCredentialRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequest.
+func (in *TokenCredentialRequest) DeepCopy() *TokenCredentialRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestList) DeepCopyInto(out *TokenCredentialRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TokenCredentialRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestList.
+func (in *TokenCredentialRequestList) DeepCopy() *TokenCredentialRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenCredentialRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestSpec) DeepCopyInto(out *TokenCredentialRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestSpec.
+func (in *TokenCredentialRequestSpec) DeepCopy() *TokenCredentialRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenCredentialRequestStatus) DeepCopyInto(out *TokenCredentialRequestStatus) {
+	*out = *in
+	if in.Credential != nil {
+		in, out := &in.Credential, &out.Credential
+		*out = new(ClusterCredential)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestStatus.
+func (in *TokenCredentialRequestStatus) DeepCopy() *TokenCredentialRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenCredentialRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/client/clientset/versioned/clientset.go

@@ -10,6 +10,7 @@ import (
 
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -20,6 +21,7 @@ type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface
 	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
+	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 	PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface
 }
 
@@ -29,6 +31,7 @@ type Clientset struct {
 	*discovery.DiscoveryClient
 	crdV1alpha1      *crdv1alpha1.CrdV1alpha1Client
 	iDPV1alpha1      *idpv1alpha1.IDPV1alpha1Client
+	loginV1alpha1    *loginv1alpha1.LoginV1alpha1Client
 	pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client
 }
 
@@ -42,6 +45,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return c.iDPV1alpha1
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return c.loginV1alpha1
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return c.pinnipedV1alpha1
@@ -76,6 +84,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.loginV1alpha1, err = loginv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 	cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
@@ -94,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c)
 	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
+	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -105,6 +118,7 @@ func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.crdV1alpha1 = crdv1alpha1.New(c)
 	cs.iDPV1alpha1 = idpv1alpha1.New(c)
+	cs.loginV1alpha1 = loginv1alpha1.New(c)
 	cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)

generated/1.19/client/clientset/versioned/fake/clientset_generated.go

@@ -11,6 +11,8 @@ import (
 	fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
 	fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
+	fakeloginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/login/v1alpha1/fake"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1"
 	fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -77,6 +79,11 @@ func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
 	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
 }
 
+// LoginV1alpha1 retrieves the LoginV1alpha1Client
+func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
+	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
+}
+
 // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
 func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
 	return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake}

generated/1.19/client/clientset/versioned/fake/register.go

@@ -8,6 +8,7 @@ package fake
 import (
 	crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1"
 	idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1"
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	crdv1alpha1.AddToScheme,
 	idpv1alpha1.AddToScheme,
+	loginv1alpha1.AddToScheme,
 	pinnipedv1alpha1.AddToScheme,
 }