Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 16:55:29 -06:00 · 2020-11-02 16:55:29 -06:00 · 2bf5c8b48b
parent 2b8773aa54
commit 2bf5c8b48b
24 changed files with 634 additions and 403 deletions
--- a/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl
@ -18,6 +18,29 @@ const (
 	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )

+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+type OIDCProviderTLSSpec struct {
+	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
+	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+	// for TLS.
+	//
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+	// SecretName value even if they have different port numbers.
+	//
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
+	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// use the default TLS certificate, which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+	//
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`

-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
-	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// contain the certificate and private key to use for TLS.
-	//
-	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
-	//
-	// SNICertificateSecretName is required if you would like to use different TLS certificates for
-	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
-	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
-	//
-	// SNICertificateSecretName is not required when you would like to use only the
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
-	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
-	// which is configured elsewhere.
-	//
-	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
-	// for IP addresses.
-	//
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }

 // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
--- a/deploy/supervisor/README.md
+++ b/deploy/supervisor/README.md
@ -146,9 +146,11 @@ spec:
  # The hostname would typically match the DNS name of the public ingress or load balancer for the cluster.
  # Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional.
  issuer: https://my-issuer.example.com/any/path
+
  # Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`,
  # which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-  sniCertificateSecretName: my-tls-cert-secret
+  tls:
+    secretName: my-tls-cert-secret
 ```

 #### Configuring TLS for the Supervisor OIDC Endpoints
@ -159,17 +161,17 @@ configure TLS certificates on the OIDCProvider.
 If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will
 also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates:

-1. Each `OIDCProvider` can be configured with TLS certificates, using the `sniCertificateSecretName` field.
+1. Each `OIDCProvider` can be configured with TLS certificates, using the `spec.tls.secretName` field.

 1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called
 `pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed.

-The default TLS certificate will be used for all OIDC providers which did not declare an `sniCertificateSecretName`.
-Also, the `sniCertificateSecretName` will be ignored for incoming requests to the OIDC endpoints
+The default TLS certificate will be used for all OIDC providers which did not declare a `spec.tls.secretName`.
+Also, the `spec.tls.secretName` will be ignored for incoming requests to the OIDC endpoints
 that use an IP address as the host, so those requests will always present the default TLS certificates
 to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`,
-then the TLS certificate defined by the `sniCertificateSecretName` will be used. If that issuer did not
-define `sniCertificateSecretName` then the default TLS certificate will be used. If neither exists,
+then the TLS certificate defined by the `spec.tls.secretName` will be used. If that issuer did not
+define `spec.tls.secretName` then the default TLS certificate will be used. If neither exists,
 then the client will get a TLS error because the server will not present any TLS certificate.

 It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the
--- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml
@ -47,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
-                description: "SNICertificateSecretName is an optional name of a Secret
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  the TLS serving certificate for the HTTPS endpoints served by this
-                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  is an extension to the Transport Layer Security (TLS) supported
-                  by all major browsers. \n SNICertificateSecretName is required if
-                  you would like to use different TLS certificates for issuers of
-                  different hostnames. SNI requests do not include port numbers, so
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
-                  value even if they have different port numbers. \n SNICertificateSecretName
-                  is not required when you would like to use only the HTTP endpoints
-                  (e.g. when terminating TLS at an Ingress). It is also not required
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
-                  to use the default TLS certificate, which is configured elsewhere.
-                  \n When your Issuer URL's host is an IP address, then this field
-                  is ignored. SNI does not work for IP addresses."
-                type: string
+              tls:
+                description: TLS configures how this OIDCProvider is served over Transport
+                  Layer Security (TLS).
+                properties:
+                  secretName:
+                    description: "SecretName is an optional name of a Secret in the
+                      same namespace, of type `kubernetes.io/tls`, which contains
+                      the TLS serving certificate for the HTTPS endpoints served by
+                      this OIDCProvider. When provided, the TLS Secret named here
+                      must contain keys named `tls.crt` and `tls.key` that contain
+                      the certificate and private key to use for TLS. \n Server Name
+                      Indication (SNI) is an extension to the Transport Layer Security
+                      (TLS) supported by all major browsers. \n SecretName is required
+                      if you would like to use different TLS certificates for issuers
+                      of different hostnames. SNI requests do not include port numbers,
+                      so all issuers with the same DNS hostname must use the same
+                      SecretName value even if they have different port numbers. \n
+                      SecretName is not required when you would like to use only the
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
+                      is also not required when you would like all requests to this
+                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+                      which is configured elsewhere. \n When your Issuer URL's host
+                      is an IP address, then this field is ignored. SNI does not work
+                      for IP addresses."
+                    type: string
+                type: object
            required:
            - issuer
            type: object
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
- Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
- SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
- SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
- When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 |===


@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
 |===


+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
+==== OIDCProviderTLSSpec 
+
+OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
+ SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+|===
+
+

 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go
@ -18,6 +18,29 @@ const (
 	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )

+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+type OIDCProviderTLSSpec struct {
+	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
+	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+	// for TLS.
+	//
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+	// SecretName value even if they have different port numbers.
+	//
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
+	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// use the default TLS certificate, which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+	//
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`

-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
-	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// contain the certificate and private key to use for TLS.
-	//
-	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
-	//
-	// SNICertificateSecretName is required if you would like to use different TLS certificates for
-	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
-	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
-	//
-	// SNICertificateSecretName is not required when you would like to use only the
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
-	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
-	// which is configured elsewhere.
-	//
-	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
-	// for IP addresses.
-	//
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }

 // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
--- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(OIDCProviderTLSSpec)
+		**out = **in
+	}
 	return
 }

@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
+func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go
@ -17,61 +17,62 @@ import (

 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider":       schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList":   schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec":   schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                     schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                 schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                  schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                              schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                  schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                     schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                     schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                   schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                    schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                 schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                     schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                             schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                         schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                     schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                         schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                     schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                  schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                           schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                    schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                   schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                               schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                        schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                    schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                        schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                 schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                    schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                    schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                       schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                  schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                        schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                        schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                 schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                     schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                            schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                         schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                    schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                     schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                   schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                      schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                          schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                           schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                              schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider":        schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList":    schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec":    schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus":  schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }

@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
 							Format:      "",
 						},
 					},
-					"sniCertificateSecretName": {
+					"tls": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
 						},
 					},
 				},
 				Required: []string{"issuer"},
 			},
 		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
 	}
 }

@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
 	}
 }

+func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
--- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
+++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
@ -47,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
-                description: "SNICertificateSecretName is an optional name of a Secret
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  the TLS serving certificate for the HTTPS endpoints served by this
-                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  is an extension to the Transport Layer Security (TLS) supported
-                  by all major browsers. \n SNICertificateSecretName is required if
-                  you would like to use different TLS certificates for issuers of
-                  different hostnames. SNI requests do not include port numbers, so
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
-                  value even if they have different port numbers. \n SNICertificateSecretName
-                  is not required when you would like to use only the HTTP endpoints
-                  (e.g. when terminating TLS at an Ingress). It is also not required
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
-                  to use the default TLS certificate, which is configured elsewhere.
-                  \n When your Issuer URL's host is an IP address, then this field
-                  is ignored. SNI does not work for IP addresses."
-                type: string
+              tls:
+                description: TLS configures how this OIDCProvider is served over Transport
+                  Layer Security (TLS).
+                properties:
+                  secretName:
+                    description: "SecretName is an optional name of a Secret in the
+                      same namespace, of type `kubernetes.io/tls`, which contains
+                      the TLS serving certificate for the HTTPS endpoints served by
+                      this OIDCProvider. When provided, the TLS Secret named here
+                      must contain keys named `tls.crt` and `tls.key` that contain
+                      the certificate and private key to use for TLS. \n Server Name
+                      Indication (SNI) is an extension to the Transport Layer Security
+                      (TLS) supported by all major browsers. \n SecretName is required
+                      if you would like to use different TLS certificates for issuers
+                      of different hostnames. SNI requests do not include port numbers,
+                      so all issuers with the same DNS hostname must use the same
+                      SecretName value even if they have different port numbers. \n
+                      SecretName is not required when you would like to use only the
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
+                      is also not required when you would like all requests to this
+                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+                      which is configured elsewhere. \n When your Issuer URL's host
+                      is an IP address, then this field is ignored. SNI does not work
+                      for IP addresses."
+                    type: string
+                type: object
            required:
            - issuer
            type: object
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
- Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
- SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
- SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
- When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 |===


@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
 |===


+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
+==== OIDCProviderTLSSpec 
+
+OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
+ SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+|===
+
+

 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go
@ -18,6 +18,29 @@ const (
 	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )

+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+type OIDCProviderTLSSpec struct {
+	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
+	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+	// for TLS.
+	//
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+	// SecretName value even if they have different port numbers.
+	//
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
+	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// use the default TLS certificate, which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+	//
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`

-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
-	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// contain the certificate and private key to use for TLS.
-	//
-	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
-	//
-	// SNICertificateSecretName is required if you would like to use different TLS certificates for
-	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
-	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
-	//
-	// SNICertificateSecretName is not required when you would like to use only the
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
-	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
-	// which is configured elsewhere.
-	//
-	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
-	// for IP addresses.
-	//
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }

 // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
--- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(OIDCProviderTLSSpec)
+		**out = **in
+	}
 	return
 }

@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
+func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go
@ -17,61 +17,62 @@ import (

 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider":       schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList":   schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec":   schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                     schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                 schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                  schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                              schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                  schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                     schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                     schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                   schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                    schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                 schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                     schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                             schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                         schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                     schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                         schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                     schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                  schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                           schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                    schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                   schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                               schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                        schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                    schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                        schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                 schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                    schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                    schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                       schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                  schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                        schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                        schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                 schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                     schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                            schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                         schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                    schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                     schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                   schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                      schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                          schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                           schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                              schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider":        schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList":    schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec":    schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus":  schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }

@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
 							Format:      "",
 						},
 					},
-					"sniCertificateSecretName": {
+					"tls": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
 						},
 					},
 				},
 				Required: []string{"issuer"},
 			},
 		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
 	}
 }

@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
 	}
 }

+func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
--- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
+++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
@ -47,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
-                description: "SNICertificateSecretName is an optional name of a Secret
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  the TLS serving certificate for the HTTPS endpoints served by this
-                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  is an extension to the Transport Layer Security (TLS) supported
-                  by all major browsers. \n SNICertificateSecretName is required if
-                  you would like to use different TLS certificates for issuers of
-                  different hostnames. SNI requests do not include port numbers, so
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
-                  value even if they have different port numbers. \n SNICertificateSecretName
-                  is not required when you would like to use only the HTTP endpoints
-                  (e.g. when terminating TLS at an Ingress). It is also not required
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
-                  to use the default TLS certificate, which is configured elsewhere.
-                  \n When your Issuer URL's host is an IP address, then this field
-                  is ignored. SNI does not work for IP addresses."
-                type: string
+              tls:
+                description: TLS configures how this OIDCProvider is served over Transport
+                  Layer Security (TLS).
+                properties:
+                  secretName:
+                    description: "SecretName is an optional name of a Secret in the
+                      same namespace, of type `kubernetes.io/tls`, which contains
+                      the TLS serving certificate for the HTTPS endpoints served by
+                      this OIDCProvider. When provided, the TLS Secret named here
+                      must contain keys named `tls.crt` and `tls.key` that contain
+                      the certificate and private key to use for TLS. \n Server Name
+                      Indication (SNI) is an extension to the Transport Layer Security
+                      (TLS) supported by all major browsers. \n SecretName is required
+                      if you would like to use different TLS certificates for issuers
+                      of different hostnames. SNI requests do not include port numbers,
+                      so all issuers with the same DNS hostname must use the same
+                      SecretName value even if they have different port numbers. \n
+                      SecretName is not required when you would like to use only the
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
+                      is also not required when you would like all requests to this
+                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+                      which is configured elsewhere. \n When your Issuer URL's host
+                      is an IP address, then this field is ignored. SNI does not work
+                      for IP addresses."
+                    type: string
+                type: object
            required:
            - issuer
            type: object
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
-| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
- Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
- SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. 
- SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
- When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 |===


@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
 |===


+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
+==== OIDCProviderTLSSpec 
+
+OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. 
+ Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. 
+ SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. 
+ SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. 
+ When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+|===
+
+

 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
--- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go
@ -18,6 +18,29 @@ const (
 	InvalidOIDCProviderStatusCondition                         = OIDCProviderStatusCondition("Invalid")
 )

+// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
+type OIDCProviderTLSSpec struct {
+	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
+	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
+	// for TLS.
+	//
+	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
+	//
+	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
+	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
+	// SecretName value even if they have different port numbers.
+	//
+	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
+	// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
+	// use the default TLS certificate, which is configured elsewhere.
+	//
+	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
+	//
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // OIDCProviderSpec is a struct that describes an OIDC Provider.
 type OIDCProviderSpec struct {
 	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Issuer string `json:"issuer"`

-	// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
-	// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
-	// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
-	// contain the certificate and private key to use for TLS.
-	//
-	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
-	//
-	// SNICertificateSecretName is required if you would like to use different TLS certificates for
-	// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
-	// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
-	//
-	// SNICertificateSecretName is not required when you would like to use only the
-	// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
-	// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
-	// which is configured elsewhere.
-	//
-	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
-	// for IP addresses.
-	//
+	// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
 	// +optional
-	SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
+	TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
 }

 // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
--- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
+	in.Spec.DeepCopyInto(&out.Spec)
 	in.Status.DeepCopyInto(&out.Status)
 	return
 }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(OIDCProviderTLSSpec)
+		**out = **in
+	}
 	return
 }

@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
+func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCProviderTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go
@ -17,62 +17,63 @@ import (

 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider":       schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList":   schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec":   schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                     schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                 schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                  schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                              schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                  schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                    schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                     schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                     schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                   schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                    schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                 schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                     schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                             schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                         schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                     schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                         schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                     schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                  schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                           schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                    schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                   schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                               schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                        schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                    schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                        schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                 schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                    schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                    schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                       schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                  schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                        schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                        schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                 schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                     schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                            schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                         schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                    schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                     schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                   schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                      schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                          schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                           schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                              schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider":        schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
+		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList":    schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
+		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec":    schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus":  schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                     schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                 schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }

@ -184,17 +185,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
 							Format:      "",
 						},
 					},
-					"sniCertificateSecretName": {
+					"tls": {
 						SchemaProps: spec.SchemaProps{
-							Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
 						},
 					},
 				},
 				Required: []string{"issuer"},
 			},
 		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
 	}
 }

@ -239,6 +241,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
 	}
 }

+func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
--- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
+++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml
@ -47,26 +47,32 @@ spec:
                  for more information."
                minLength: 1
                type: string
-              sniCertificateSecretName:
-                description: "SNICertificateSecretName is an optional name of a Secret
-                  in the same namespace, of type `kubernetes.io/tls`, which contains
-                  the TLS serving certificate for the HTTPS endpoints served by this
-                  OIDC Provider. When provided, the TLS Secret named here must contain
-                  keys named `tls.crt` and `tls.key` that contain the certificate
-                  and private key to use for TLS. \n Server Name Indication (SNI)
-                  is an extension to the Transport Layer Security (TLS) supported
-                  by all major browsers. \n SNICertificateSecretName is required if
-                  you would like to use different TLS certificates for issuers of
-                  different hostnames. SNI requests do not include port numbers, so
-                  all issuers with the same DNS hostname must use the same SNICertificateSecretName
-                  value even if they have different port numbers. \n SNICertificateSecretName
-                  is not required when you would like to use only the HTTP endpoints
-                  (e.g. when terminating TLS at an Ingress). It is also not required
-                  when you would like all requests to this OIDC Provider's HTTPS endpoints
-                  to use the default TLS certificate, which is configured elsewhere.
-                  \n When your Issuer URL's host is an IP address, then this field
-                  is ignored. SNI does not work for IP addresses."
-                type: string
+              tls:
+                description: TLS configures how this OIDCProvider is served over Transport
+                  Layer Security (TLS).
+                properties:
+                  secretName:
+                    description: "SecretName is an optional name of a Secret in the
+                      same namespace, of type `kubernetes.io/tls`, which contains
+                      the TLS serving certificate for the HTTPS endpoints served by
+                      this OIDCProvider. When provided, the TLS Secret named here
+                      must contain keys named `tls.crt` and `tls.key` that contain
+                      the certificate and private key to use for TLS. \n Server Name
+                      Indication (SNI) is an extension to the Transport Layer Security
+                      (TLS) supported by all major browsers. \n SecretName is required
+                      if you would like to use different TLS certificates for issuers
+                      of different hostnames. SNI requests do not include port numbers,
+                      so all issuers with the same DNS hostname must use the same
+                      SecretName value even if they have different port numbers. \n
+                      SecretName is not required when you would like to use only the
+                      HTTP endpoints (e.g. when terminating TLS at an Ingress). It
+                      is also not required when you would like all requests to this
+                      OIDC Provider's HTTPS endpoints to use the default TLS certificate,
+                      which is configured elsewhere. \n When your Issuer URL's host
+                      is an IP address, then this field is ignored. SNI does not work
+                      for IP addresses."
+                    type: string
+                type: object
            required:
            - issuer
            type: object
--- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go
+++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go
@ -102,7 +102,9 @@ func (c *oidcProviderWatcherController) Sync(ctx controllerlib.Context) error {
 			setOfSecretNames = make(map[string]bool)
 			uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
 		}
-		setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
+		if opc.Spec.TLS != nil {
+			setOfSecretNames[opc.Spec.TLS.SecretName] = true
+		}
 	}

 	errs := multierror.New()
--- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go
+++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go
@ -819,8 +819,8 @@ func TestSync(t *testing.T) {
 				oidcProviderSameIssuerAddress1 = &v1alpha1.OIDCProvider{
 					ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://iSSueR-duPlicAte-adDress.cOm/path1",
-						SNICertificateSecretName: "secret1",
+						Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1))
@ -830,8 +830,8 @@ func TestSync(t *testing.T) {
 					Spec: v1alpha1.OIDCProviderSpec{
 						// Validation treats these as the same DNS hostname even though they have different port numbers,
 						// because SNI information on the incoming requests is not going to include port numbers.
-						Issuer:                   "https://issuer-duplicate-address.com:1234/path2",
-						SNICertificateSecretName: "secret2",
+						Issuer: "https://issuer-duplicate-address.com:1234/path2",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret2"},
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2))
@ -840,8 +840,8 @@ func TestSync(t *testing.T) {
 				oidcProviderDifferentIssuerAddress = &v1alpha1.OIDCProvider{
 					ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://issuer-not-duplicate.com",
-						SNICertificateSecretName: "secret1",
+						Issuer: "https://issuer-not-duplicate.com",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress))
@ -855,8 +855,8 @@ func TestSync(t *testing.T) {
 				oidcProviderWithInvalidIssuerURL = &v1alpha1.OIDCProvider{
 					ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   invalidIssuerURL,
-						SNICertificateSecretName: "secret1",
+						Issuer: invalidIssuerURL,
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
 					},
 				}
 				r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL))
--- a/internal/controller/supervisorconfig/tls_cert_observer.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer.go
@ -72,7 +72,10 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
 	issuerHostToTLSCertMap := map[string]*tls.Certificate{}

 	for _, provider := range allProviders {
-		secretName := provider.Spec.SNICertificateSecretName
+		secretName := ""
+		if provider.Spec.TLS != nil {
+			secretName = provider.Spec.TLS.SecretName
+		}
 		issuerURL, err := url.Parse(provider.Spec.Issuer)
 		if err != nil {
 			klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
--- a/internal/controller/supervisorconfig/tls_cert_observer_test.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer_test.go
@ -225,8 +225,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 						Namespace: installedInNamespace,
 					},
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://no-secret-issuer2.com",
-						SNICertificateSecretName: "",
+						Issuer: "https://no-secret-issuer2.com",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: ""},
 					},
 				}
 				oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{
@ -235,8 +235,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 						Namespace: installedInNamespace,
 					},
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://bad-secret-issuer.com",
-						SNICertificateSecretName: "bad-tls-secret-name",
+						Issuer: "https://bad-secret-issuer.com",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "bad-tls-secret-name"},
 					},
 				}
 				// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
@ -257,8 +257,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 					},
 					// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
-						SNICertificateSecretName: "good-tls-secret-name1",
+						Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name1"},
 					},
 				}
 				oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{
@ -268,8 +268,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 					},
 					// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
 					Spec: v1alpha1.OIDCProviderSpec{
-						Issuer:                   "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
-						SNICertificateSecretName: "good-tls-secret-name2",
+						Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
+						TLS:    &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name2"},
 					},
 				}
 				testCrt1 := readTestFile("testdata/test.crt")
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@ -159,26 +159,26 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {

 	hostname1 := strings.Split(address, ":")[0]
 	issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
-	sniCertificateSecretName1 := "integration-test-sni-cert-1"
+	certSecretName1 := "integration-test-cert-1"

-	// Create an OIDCProvider with an sniCertificateSecretName.
-	oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1)
+	// Create an OIDCProvider with a spec.tls.secretName.
+	oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, certSecretName1)
 	requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)

-	// The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors.
+	// The spec.tls.secretName Secret does not exist, so the endpoints should fail with TLS errors.
 	requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)

 	// Create the Secret.
-	ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient)
+	ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1, kubeClient)

 	// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)

-	// Update the config to take away the sniCertificateSecretName.
-	sniCertificateSecretName1update := "integration-test-sni-cert-1-update"
+	// Update the config to with a new .spec.tls.secretName.
+	certSecretName1update := "integration-test-cert-1-update"
 	oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{})
 	require.NoError(t, err)
-	oidcProvider1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update
+	oidcProvider1LatestVersion.Spec.TLS = &v1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName1update}
 	_, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{})
 	require.NoError(t, err)

@ -186,7 +186,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
 	requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)

 	// Create a Secret at the updated name.
-	ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient)
+	ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1update, kubeClient)

 	// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
@ -195,14 +195,14 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
 	hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
 	hostnamePort2 := "2684"
 	issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
-	sniCertificateSecretName2 := "integration-test-sni-cert-2"
+	certSecretName2 := "integration-test-cert-2"

-	// Create an OIDCProvider with an sniCertificateSecretName.
-	oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2)
+	// Create an OIDCProvider with a spec.tls.secretName.
+	oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, certSecretName2)
 	requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)

 	// Create the Secret.
-	ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient)
+	ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, certSecretName2, kubeClient)

 	// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
@ -240,11 +240,11 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 	issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
 	issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)

-	// Create an OIDCProvider without an sniCertificateSecretName.
+	// Create an OIDCProvider without a spec.tls.secretName.
 	oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
 	requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)

-	// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors.
+	// There is no default TLS cert and the spec.tls.secretName was not set, so the endpoints should fail with TLS errors.
 	requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)

 	// Create a Secret at the special name which represents the default TLS cert.
@ -253,18 +253,18 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
 	// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)

-	// Create an OIDCProvider with an sniCertificateSecretName.
-	sniCertificateSecretName := "integration-test-sni-cert-1"
-	oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName)
+	// Create an OIDCProvider with a spec.tls.secretName.
+	certSecretName := "integration-test-cert-1"
+	oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, certSecretName)
 	requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)

 	// Create the Secret.
-	sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient)
+	certCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, certSecretName, kubeClient)

 	// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
 	// Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different
 	// from the case of the issuer URL's hostname.
-	_ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(sniCA.Bundle()), issuerUsingHostname, nil)
+	_ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(certCA.Bundle()), issuerUsingHostname, nil)

 	// And we can still access the other issuer using the default cert.
 	_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
--- a/test/library/client.go
+++ b/test/library/client.go
@ -172,7 +172,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
 //
 // If the provided issuer is not the empty string, then it will be used for the
 // OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated.
-func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertificateSecretName string) *configv1alpha1.OIDCProvider {
+func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, certSecretName string) *configv1alpha1.OIDCProvider {
 	t.Helper()
 	testEnv := IntegrationEnv(t)

@ -193,8 +193,8 @@ func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertif
 			Annotations:  map[string]string{"pinniped.dev/testName": t.Name()},
 		},
 		Spec: configv1alpha1.OIDCProviderSpec{
-			Issuer:                   issuer,
-			SNICertificateSecretName: sniCertificateSecretName,
+			Issuer: issuer,
+			TLS:    &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName},
 		},
 	}, metav1.CreateOptions{})
 	require.NoError(t, err, "could not create test OIDCProvider")