Add generated API/client code for new UpstreamOIDCProvider CRD.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

deploy/supervisor/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml

@@ -0,0 +1,203 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: upstreamoidcproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: UpstreamOIDCProvider
+    listKind: UpstreamOIDCProviderList
+    plural: upstreamoidcproviders
+    singular: upstreamoidcprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: UpstreamOIDCProvider describes the configuration of an upstream
+          OpenID Connect identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  additionalScopes:
+                    description: AdditionalScopes are the scopes in addition to "openid"
+                      that will be requested as part of the authorization request
+                      flow with an OIDC identity provider. By default only the "openid"
+                      scope will be requested.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - additionalScopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OIDCClient contains OIDC client information to be used
+                  used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OIDCClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the UpstreamOIDCProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/README.adoc

@@ -8,6 +8,7 @@
 - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -291,6 +292,148 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC
 
 
 
+[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"]
+=== idp.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
+==== OIDCAuthorizationConfig 
+
+OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclaims"]
+==== OIDCClaims 
+
+OIDCClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclient"]
+==== OIDCClient 
+
+OIDCClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"]
+==== UpstreamOIDCProvider 
+
+UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"]
+==== UpstreamOIDCProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"]
+==== UpstreamOIDCProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 

generated/1.17/apis/supervisor/idp/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=idp.supervisor.pinniped.dev
+// +groupGoName=IDP
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+package v1alpha1

generated/1.17/apis/supervisor/idp/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "idp.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&UpstreamOIDCProvider{},
+		&UpstreamOIDCProviderList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.17/apis/supervisor/idp/v1alpha1/types_meta.go

@@ -0,0 +1,75 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+	// type of condition in CamelCase or in foo.example.com/CamelCase.
+	// ---
+	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+	// useful (see .node.status.conditions), the ability to deconflict is important.
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+	// +kubebuilder:validation:MaxLength=316
+	Type string `json:"type"`
+
+	// status of the condition, one of True, False, Unknown.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=True;False;Unknown
+	Status ConditionStatus `json:"status"`
+
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// lastTransitionTime is the last time the condition transitioned from one status to another.
+	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Format=date-time
+	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
+	// Producers of specific condition types may define expected values and meanings for this field,
+	// and whether the values are considered a guaranteed API.
+	// The value should be a CamelCase string.
+	// This field may not be empty.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+	Reason string `json:"reason"`
+
+	// message is a human readable message indicating details about the transition.
+	// This may be an empty string.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=32768
+	Message string `json:"message"`
+}

generated/1.17/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go

@@ -0,0 +1,114 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type UpstreamOIDCProviderPhase string
+
+const (
+	// PhasePending is the default phase for newly-created UpstreamOIDCProvider resources.
+	PhasePending UpstreamOIDCProviderPhase = "Pending"
+
+	// PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state.
+	PhaseReady UpstreamOIDCProviderPhase = "Ready"
+
+	// PhaseErorr is the phase for an UpstreamOIDCProvider in an unhealthy state.
+	PhaseError UpstreamOIDCProviderPhase = "Error"
+)
+
+// Status of an OIDC identity provider.
+type UpstreamOIDCProviderStatus struct {
+	// Phase summarizes the overall status of the UpstreamOIDCProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OIDCAuthorizationConfig struct {
+	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	AdditionalScopes []string `json:"additionalScopes"`
+}
+
+// OIDCClaims provides a mapping from upstream claims into identities.
+type OIDCClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OIDCClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OIDCClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type UpstreamOIDCProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OIDCClaims `json:"claims"`
+
+	// OIDCClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OIDCClient `json:"client"`
+}
+
+// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type UpstreamOIDCProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec UpstreamOIDCProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status UpstreamOIDCProviderStatus `json:"status,omitempty"`
+}
+
+// List of UpstreamOIDCProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type UpstreamOIDCProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []UpstreamOIDCProvider `json:"items"`
+}

generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,185 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+	if in == nil {
+		return nil
+	}
+	out := new(Condition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
+	*out = *in
+	if in.AdditionalScopes != nil {
+		in, out := &in.AdditionalScopes, &out.AdditionalScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
+func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
+func (in *OIDCClaims) DeepCopy() *OIDCClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider.
+func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]UpstreamOIDCProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList.
+func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec.
+func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus.
+func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/client/supervisor/clientset/versioned/clientset.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
 	flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -17,6 +18,7 @@ import (
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
+	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 }
 
 // Clientset contains the clients for groups. Each group has exactly one
@@ -24,6 +26,7 @@ type Interface interface {
 type Clientset struct {
 	*discovery.DiscoveryClient
 	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
+	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return c.iDPV1alpha1
+}
+
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	if c == nil {
@@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 
 	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
 	if err != nil {
@@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
+	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
 	return &cs
@@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.New(c)
+	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 	return &cs

generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go

@@ -9,6 +9,8 @@ import (
 	clientset "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/discovery"
@@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{}
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
+
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
+}

generated/1.17/client/supervisor/clientset/versioned/fake/register.go

@@ -7,6 +7,7 @@ package fake
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.17/client/supervisor/clientset/versioned/scheme/register.go

@@ -7,6 +7,7 @@ package scheme
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeIDPV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface {
+	return &FakeUpstreamOIDCProviders{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go

@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type FakeUpstreamOIDCProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"}
+
+var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *FakeUpstreamOIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *FakeUpstreamOIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *FakeUpstreamOIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Create(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Update(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeUpstreamOIDCProviders) UpdateStatus(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *FakeUpstreamOIDCProviders) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeUpstreamOIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *FakeUpstreamOIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type UpstreamOIDCProviderExpansion interface{}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	"go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type IDPV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	UpstreamOIDCProvidersGetter
+}
+
+// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group.
+type IDPV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface {
+	return newUpstreamOIDCProviders(c, namespace)
+}
+
+// NewForConfig creates a new IDPV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new IDPV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *IDPV1alpha1Client {
+	return &IDPV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface.
+// A group's client should implement this interface.
+type UpstreamOIDCProvidersGetter interface {
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface
+}
+
+// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources.
+type UpstreamOIDCProviderInterface interface {
+	Create(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error)
+	Update(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpdateStatus(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	List(opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error)
+	UpstreamOIDCProviderExpansion
+}
+
+// upstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type upstreamOIDCProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newUpstreamOIDCProviders returns a UpstreamOIDCProviders
+func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders {
+	return &upstreamOIDCProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *upstreamOIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *upstreamOIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.UpstreamOIDCProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *upstreamOIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Create(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Body(upstreamOIDCProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Update(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		Body(upstreamOIDCProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *upstreamOIDCProviders) UpdateStatus(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		SubResource("status").
+		Body(upstreamOIDCProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *upstreamOIDCProviders) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *upstreamOIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *upstreamOIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/supervisor/informers/externalversions/factory.go

@@ -12,6 +12,7 @@ import (
 
 	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
 	config "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/config"
+	idp "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -160,8 +161,13 @@ type SharedInformerFactory interface {
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
 	Config() config.Interface
+	IDP() idp.Interface
 }
 
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
+
+func (f *sharedInformerFactory) IDP() idp.Interface {
+	return idp.New(f, f.namespace, f.tweakListOptions)
+}

generated/1.17/client/supervisor/informers/externalversions/generic.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil
 
+		// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil
+
 	}
 
 	return nil, fmt.Errorf("no informer found for %v", resource)

generated/1.17/client/supervisor/informers/externalversions/idp/interface.go

@@ -0,0 +1,33 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package idp
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}

generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go

@@ -0,0 +1,32 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+	UpstreamOIDCProviders() UpstreamOIDCProviderInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer {
+	return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderInformer provides access to a shared informer and lister for
+// UpstreamOIDCProviders.
+type UpstreamOIDCProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.UpstreamOIDCProviderLister
+}
+
+type upstreamOIDCProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(options)
+			},
+		},
+		&idpv1alpha1.UpstreamOIDCProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer)
+}
+
+func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister {
+	return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer())
+}

generated/1.17/client/supervisor/listers/idp/v1alpha1/expansion_generated.go

@@ -0,0 +1,14 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// UpstreamOIDCProviderListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderLister.
+type UpstreamOIDCProviderListerExpansion interface{}
+
+// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderNamespaceLister.
+type UpstreamOIDCProviderNamespaceListerExpansion interface{}

generated/1.17/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders.
+type UpstreamOIDCProviderLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister
+	UpstreamOIDCProviderListerExpansion
+}
+
+// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface.
+type upstreamOIDCProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister.
+func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister {
+	return &upstreamOIDCProviderLister{indexer: indexer}
+}
+
+// List lists all UpstreamOIDCProviders in the indexer.
+func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister {
+	return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders.
+type UpstreamOIDCProviderNamespaceLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpstreamOIDCProviderNamespaceListerExpansion
+}
+
+// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister
+// interface.
+type upstreamOIDCProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name)
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), nil
+}

generated/1.17/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml

@@ -0,0 +1,203 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: upstreamoidcproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: UpstreamOIDCProvider
+    listKind: UpstreamOIDCProviderList
+    plural: upstreamoidcproviders
+    singular: upstreamoidcprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: UpstreamOIDCProvider describes the configuration of an upstream
+          OpenID Connect identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  additionalScopes:
+                    description: AdditionalScopes are the scopes in addition to "openid"
+                      that will be requested as part of the authorization request
+                      flow with an OIDC identity provider. By default only the "openid"
+                      scope will be requested.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - additionalScopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OIDCClient contains OIDC client information to be used
+                  used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OIDCClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the UpstreamOIDCProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.18/README.adoc

@@ -8,6 +8,7 @@
 - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -291,6 +292,148 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC
 
 
 
+[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"]
+=== idp.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
+==== OIDCAuthorizationConfig 
+
+OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclaims"]
+==== OIDCClaims 
+
+OIDCClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclient"]
+==== OIDCClient 
+
+OIDCClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"]
+==== UpstreamOIDCProvider 
+
+UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"]
+==== UpstreamOIDCProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"]
+==== UpstreamOIDCProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 

generated/1.18/apis/supervisor/idp/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=idp.supervisor.pinniped.dev
+// +groupGoName=IDP
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+package v1alpha1

generated/1.18/apis/supervisor/idp/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "idp.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&UpstreamOIDCProvider{},
+		&UpstreamOIDCProviderList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.18/apis/supervisor/idp/v1alpha1/types_meta.go

@@ -0,0 +1,75 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+	// type of condition in CamelCase or in foo.example.com/CamelCase.
+	// ---
+	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+	// useful (see .node.status.conditions), the ability to deconflict is important.
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+	// +kubebuilder:validation:MaxLength=316
+	Type string `json:"type"`
+
+	// status of the condition, one of True, False, Unknown.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=True;False;Unknown
+	Status ConditionStatus `json:"status"`
+
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// lastTransitionTime is the last time the condition transitioned from one status to another.
+	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Format=date-time
+	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
+	// Producers of specific condition types may define expected values and meanings for this field,
+	// and whether the values are considered a guaranteed API.
+	// The value should be a CamelCase string.
+	// This field may not be empty.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+	Reason string `json:"reason"`
+
+	// message is a human readable message indicating details about the transition.
+	// This may be an empty string.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=32768
+	Message string `json:"message"`
+}

generated/1.18/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go

@@ -0,0 +1,114 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type UpstreamOIDCProviderPhase string
+
+const (
+	// PhasePending is the default phase for newly-created UpstreamOIDCProvider resources.
+	PhasePending UpstreamOIDCProviderPhase = "Pending"
+
+	// PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state.
+	PhaseReady UpstreamOIDCProviderPhase = "Ready"
+
+	// PhaseErorr is the phase for an UpstreamOIDCProvider in an unhealthy state.
+	PhaseError UpstreamOIDCProviderPhase = "Error"
+)
+
+// Status of an OIDC identity provider.
+type UpstreamOIDCProviderStatus struct {
+	// Phase summarizes the overall status of the UpstreamOIDCProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OIDCAuthorizationConfig struct {
+	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	AdditionalScopes []string `json:"additionalScopes"`
+}
+
+// OIDCClaims provides a mapping from upstream claims into identities.
+type OIDCClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OIDCClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OIDCClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type UpstreamOIDCProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OIDCClaims `json:"claims"`
+
+	// OIDCClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OIDCClient `json:"client"`
+}
+
+// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type UpstreamOIDCProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec UpstreamOIDCProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status UpstreamOIDCProviderStatus `json:"status,omitempty"`
+}
+
+// List of UpstreamOIDCProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type UpstreamOIDCProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []UpstreamOIDCProvider `json:"items"`
+}

generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,185 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+	if in == nil {
+		return nil
+	}
+	out := new(Condition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
+	*out = *in
+	if in.AdditionalScopes != nil {
+		in, out := &in.AdditionalScopes, &out.AdditionalScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
+func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
+func (in *OIDCClaims) DeepCopy() *OIDCClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider.
+func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]UpstreamOIDCProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList.
+func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec.
+func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus.
+func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/client/supervisor/clientset/versioned/clientset.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
 	flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -17,6 +18,7 @@ import (
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
+	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 }
 
 // Clientset contains the clients for groups. Each group has exactly one
@@ -24,6 +26,7 @@ type Interface interface {
 type Clientset struct {
 	*discovery.DiscoveryClient
 	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
+	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return c.iDPV1alpha1
+}
+
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	if c == nil {
@@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 
 	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
 	if err != nil {
@@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
+	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
 	return &cs
@@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.New(c)
+	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 	return &cs

generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go

@@ -9,6 +9,8 @@ import (
 	clientset "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/discovery"
@@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{}
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
+
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
+}

generated/1.18/client/supervisor/clientset/versioned/fake/register.go

@@ -7,6 +7,7 @@ package fake
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.18/client/supervisor/clientset/versioned/scheme/register.go

@@ -7,6 +7,7 @@ package scheme
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeIDPV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface {
+	return &FakeUpstreamOIDCProviders{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type FakeUpstreamOIDCProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"}
+
+var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *FakeUpstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *FakeUpstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *FakeUpstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeUpstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *FakeUpstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeUpstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *FakeUpstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type UpstreamOIDCProviderExpansion interface{}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	"go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type IDPV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	UpstreamOIDCProvidersGetter
+}
+
+// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group.
+type IDPV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface {
+	return newUpstreamOIDCProviders(c, namespace)
+}
+
+// NewForConfig creates a new IDPV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new IDPV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *IDPV1alpha1Client {
+	return &IDPV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface.
+// A group's client should implement this interface.
+type UpstreamOIDCProvidersGetter interface {
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface
+}
+
+// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources.
+type UpstreamOIDCProviderInterface interface {
+	Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error)
+	UpstreamOIDCProviderExpansion
+}
+
+// upstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type upstreamOIDCProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newUpstreamOIDCProviders returns a UpstreamOIDCProviders
+func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders {
+	return &upstreamOIDCProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *upstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *upstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.UpstreamOIDCProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *upstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *upstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *upstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *upstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *upstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/supervisor/informers/externalversions/factory.go

@@ -12,6 +12,7 @@ import (
 
 	versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
 	config "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/config"
+	idp "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -160,8 +161,13 @@ type SharedInformerFactory interface {
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
 	Config() config.Interface
+	IDP() idp.Interface
 }
 
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
+
+func (f *sharedInformerFactory) IDP() idp.Interface {
+	return idp.New(f, f.namespace, f.tweakListOptions)
+}

generated/1.18/client/supervisor/informers/externalversions/generic.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil
 
+		// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil
+
 	}
 
 	return nil, fmt.Errorf("no informer found for %v", resource)

generated/1.18/client/supervisor/informers/externalversions/idp/interface.go

@@ -0,0 +1,33 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package idp
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}

generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go

@@ -0,0 +1,32 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+	UpstreamOIDCProviders() UpstreamOIDCProviderInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer {
+	return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderInformer provides access to a shared informer and lister for
+// UpstreamOIDCProviders.
+type UpstreamOIDCProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.UpstreamOIDCProviderLister
+}
+
+type upstreamOIDCProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&idpv1alpha1.UpstreamOIDCProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer)
+}
+
+func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister {
+	return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer())
+}

generated/1.18/client/supervisor/listers/idp/v1alpha1/expansion_generated.go

@@ -0,0 +1,14 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// UpstreamOIDCProviderListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderLister.
+type UpstreamOIDCProviderListerExpansion interface{}
+
+// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderNamespaceLister.
+type UpstreamOIDCProviderNamespaceListerExpansion interface{}

generated/1.18/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders.
+type UpstreamOIDCProviderLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister
+	UpstreamOIDCProviderListerExpansion
+}
+
+// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface.
+type upstreamOIDCProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister.
+func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister {
+	return &upstreamOIDCProviderLister{indexer: indexer}
+}
+
+// List lists all UpstreamOIDCProviders in the indexer.
+func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister {
+	return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders.
+type UpstreamOIDCProviderNamespaceLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpstreamOIDCProviderNamespaceListerExpansion
+}
+
+// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister
+// interface.
+type upstreamOIDCProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name)
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), nil
+}

generated/1.18/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml

@@ -0,0 +1,203 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: upstreamoidcproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: UpstreamOIDCProvider
+    listKind: UpstreamOIDCProviderList
+    plural: upstreamoidcproviders
+    singular: upstreamoidcprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: UpstreamOIDCProvider describes the configuration of an upstream
+          OpenID Connect identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  additionalScopes:
+                    description: AdditionalScopes are the scopes in addition to "openid"
+                      that will be requested as part of the authorization request
+                      flow with an OIDC identity provider. By default only the "openid"
+                      scope will be requested.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - additionalScopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OIDCClient contains OIDC client information to be used
+                  used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OIDCClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the UpstreamOIDCProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.19/README.adoc

@@ -8,6 +8,7 @@
 - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
@@ -291,6 +292,148 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC
 
 
 
+[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"]
+=== idp.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
+==== OIDCAuthorizationConfig 
+
+OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclaims"]
+==== OIDCClaims 
+
+OIDCClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclient"]
+==== OIDCClient 
+
+OIDCClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"]
+==== UpstreamOIDCProvider 
+
+UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"]
+==== UpstreamOIDCProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"]
+==== UpstreamOIDCProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider.
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 

generated/1.19/apis/supervisor/idp/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=idp.supervisor.pinniped.dev
+// +groupGoName=IDP
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
+package v1alpha1

generated/1.19/apis/supervisor/idp/v1alpha1/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "idp.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&UpstreamOIDCProvider{},
+		&UpstreamOIDCProviderList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.19/apis/supervisor/idp/v1alpha1/types_meta.go

@@ -0,0 +1,75 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ConditionStatus is effectively an enum type for Condition.Status.
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
+// version we can switch to using the upstream type.
+// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+type Condition struct {
+	// type of condition in CamelCase or in foo.example.com/CamelCase.
+	// ---
+	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+	// useful (see .node.status.conditions), the ability to deconflict is important.
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+	// +kubebuilder:validation:MaxLength=316
+	Type string `json:"type"`
+
+	// status of the condition, one of True, False, Unknown.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=True;False;Unknown
+	Status ConditionStatus `json:"status"`
+
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// lastTransitionTime is the last time the condition transitioned from one status to another.
+	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Format=date-time
+	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
+	// Producers of specific condition types may define expected values and meanings for this field,
+	// and whether the values are considered a guaranteed API.
+	// The value should be a CamelCase string.
+	// This field may not be empty.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
+	Reason string `json:"reason"`
+
+	// message is a human readable message indicating details about the transition.
+	// This may be an empty string.
+	// +required
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=32768
+	Message string `json:"message"`
+}

generated/1.19/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go

@@ -0,0 +1,114 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type UpstreamOIDCProviderPhase string
+
+const (
+	// PhasePending is the default phase for newly-created UpstreamOIDCProvider resources.
+	PhasePending UpstreamOIDCProviderPhase = "Pending"
+
+	// PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state.
+	PhaseReady UpstreamOIDCProviderPhase = "Ready"
+
+	// PhaseErorr is the phase for an UpstreamOIDCProvider in an unhealthy state.
+	PhaseError UpstreamOIDCProviderPhase = "Error"
+)
+
+// Status of an OIDC identity provider.
+type UpstreamOIDCProviderStatus struct {
+	// Phase summarizes the overall status of the UpstreamOIDCProvider.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Ready;Error
+	Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"`
+
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OIDCAuthorizationConfig struct {
+	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// request flow with an OIDC identity provider. By default only the "openid" scope will be requested.
+	AdditionalScopes []string `json:"additionalScopes"`
+}
+
+// OIDCClaims provides a mapping from upstream claims into identities.
+type OIDCClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OIDCClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OIDCClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type UpstreamOIDCProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OIDCClaims `json:"claims"`
+
+	// OIDCClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OIDCClient `json:"client"`
+}
+
+// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type UpstreamOIDCProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec UpstreamOIDCProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status UpstreamOIDCProviderStatus `json:"status,omitempty"`
+}
+
+// List of UpstreamOIDCProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type UpstreamOIDCProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []UpstreamOIDCProvider `json:"items"`
+}

generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,185 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+	if in == nil {
+		return nil
+	}
+	out := new(Condition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
+	*out = *in
+	if in.AdditionalScopes != nil {
+		in, out := &in.AdditionalScopes, &out.AdditionalScopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
+func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
+func (in *OIDCClaims) DeepCopy() *OIDCClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClient) DeepCopyInto(out *OIDCClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
+func (in *OIDCClient) DeepCopy() *OIDCClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider.
+func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]UpstreamOIDCProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList.
+func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec.
+func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus.
+func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(UpstreamOIDCProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/client/supervisor/clientset/versioned/clientset.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
 	flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -17,6 +18,7 @@ import (
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
+	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 }
 
 // Clientset contains the clients for groups. Each group has exactly one
@@ -24,6 +26,7 @@ type Interface interface {
 type Clientset struct {
 	*discovery.DiscoveryClient
 	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
+	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return c.iDPV1alpha1
+}
+
 // Discovery retrieves the DiscoveryClient
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	if c == nil {
@@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	if err != nil {
 		return nil, err
 	}
+	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
 
 	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
 	if err != nil {
@@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
+	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
 	return &cs
@@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
 	cs.configV1alpha1 = configv1alpha1.New(c)
+	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 	return &cs

generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go

@@ -9,6 +9,8 @@ import (
 	clientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/discovery"
@@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{}
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
+
+// IDPV1alpha1 retrieves the IDPV1alpha1Client
+func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
+	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
+}

generated/1.19/client/supervisor/clientset/versioned/fake/register.go

@@ -7,6 +7,7 @@ package fake
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.19/client/supervisor/clientset/versioned/scheme/register.go

@@ -7,6 +7,7 @@ package scheme
 
 import (
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	configv1alpha1.AddToScheme,
+	idpv1alpha1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeIDPV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface {
+	return &FakeUpstreamOIDCProviders{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type FakeUpstreamOIDCProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"}
+
+var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *FakeUpstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *FakeUpstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *FakeUpstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *FakeUpstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeUpstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *FakeUpstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeUpstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *FakeUpstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), err
+}

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type UpstreamOIDCProviderExpansion interface{}

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
+	"go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type IDPV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	UpstreamOIDCProvidersGetter
+}
+
+// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group.
+type IDPV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface {
+	return newUpstreamOIDCProviders(c, namespace)
+}
+
+// NewForConfig creates a new IDPV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new IDPV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *IDPV1alpha1Client {
+	return &IDPV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface.
+// A group's client should implement this interface.
+type UpstreamOIDCProvidersGetter interface {
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface
+}
+
+// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources.
+type UpstreamOIDCProviderInterface interface {
+	Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error)
+	UpstreamOIDCProviderExpansion
+}
+
+// upstreamOIDCProviders implements UpstreamOIDCProviderInterface
+type upstreamOIDCProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newUpstreamOIDCProviders returns a UpstreamOIDCProviders
+func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders {
+	return &upstreamOIDCProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any.
+func (c *upstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors.
+func (c *upstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.UpstreamOIDCProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders.
+func (c *upstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a upstreamOIDCProvider and creates it.  Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any.
+func (c *upstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *upstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(upstreamOIDCProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(upstreamOIDCProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs.
+func (c *upstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *upstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched upstreamOIDCProvider.
+func (c *upstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) {
+	result = &v1alpha1.UpstreamOIDCProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("upstreamoidcproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.19/client/supervisor/informers/externalversions/factory.go

@@ -12,6 +12,7 @@ import (
 
 	versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
 	config "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config"
+	idp "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -160,8 +161,13 @@ type SharedInformerFactory interface {
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
 	Config() config.Interface
+	IDP() idp.Interface
 }
 
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
+
+func (f *sharedInformerFactory) IDP() idp.Interface {
+	return idp.New(f, f.namespace, f.tweakListOptions)
+}

generated/1.19/client/supervisor/informers/externalversions/generic.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil
 
+		// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil
+
 	}
 
 	return nil, fmt.Errorf("no informer found for %v", resource)

generated/1.19/client/supervisor/informers/externalversions/idp/interface.go

@@ -0,0 +1,33 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package idp
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}

generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go

@@ -0,0 +1,32 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+	UpstreamOIDCProviders() UpstreamOIDCProviderInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer.
+func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer {
+	return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}

generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderInformer provides access to a shared informer and lister for
+// UpstreamOIDCProviders.
+type UpstreamOIDCProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.UpstreamOIDCProviderLister
+}
+
+type upstreamOIDCProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&idpv1alpha1.UpstreamOIDCProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer)
+}
+
+func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister {
+	return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer())
+}

generated/1.19/client/supervisor/listers/idp/v1alpha1/expansion_generated.go

@@ -0,0 +1,14 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// UpstreamOIDCProviderListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderLister.
+type UpstreamOIDCProviderListerExpansion interface{}
+
+// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to
+// UpstreamOIDCProviderNamespaceLister.
+type UpstreamOIDCProviderNamespaceListerExpansion interface{}

generated/1.19/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go

@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders.
+// All objects returned here must be treated as read-only.
+type UpstreamOIDCProviderLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+	UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister
+	UpstreamOIDCProviderListerExpansion
+}
+
+// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface.
+type upstreamOIDCProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister.
+func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister {
+	return &upstreamOIDCProviderLister{indexer: indexer}
+}
+
+// List lists all UpstreamOIDCProviders in the indexer.
+func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders.
+func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister {
+	return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders.
+// All objects returned here must be treated as read-only.
+type UpstreamOIDCProviderNamespaceLister interface {
+	// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error)
+	// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.UpstreamOIDCProvider, error)
+	UpstreamOIDCProviderNamespaceListerExpansion
+}
+
+// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister
+// interface.
+type upstreamOIDCProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all UpstreamOIDCProviders in the indexer for a given namespace.
+func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name.
+func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name)
+	}
+	return obj.(*v1alpha1.UpstreamOIDCProvider), nil
+}

generated/1.19/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml

@@ -0,0 +1,203 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: upstreamoidcproviders.idp.supervisor.pinniped.dev
+spec:
+  group: idp.supervisor.pinniped.dev
+  names:
+    categories:
+    - pinniped
+    - pinniped-idp
+    - pinniped-idps
+    kind: UpstreamOIDCProvider
+    listKind: UpstreamOIDCProviderList
+    plural: upstreamoidcproviders
+    singular: upstreamoidcprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: UpstreamOIDCProvider describes the configuration of an upstream
+          OpenID Connect identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  additionalScopes:
+                    description: AdditionalScopes are the scopes in addition to "openid"
+                      that will be requested as part of the authorization request
+                      flow with an OIDC identity provider. By default only the "openid"
+                      scope will be requested.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - additionalScopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OIDCClient contains OIDC client information to be used
+                  used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OIDCClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                default: Pending
+                description: Phase summarizes the overall status of the UpstreamOIDCProvider.
+                enum:
+                - Pending
+                - Ready
+                - Error
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []