From 40d93ff33bbf80d39586ff0b1370619e1df3da85 Mon Sep 17 00:00:00 2001
From: Andrew Keesler <akeesler@vmware.com>
Date: Fri, 18 Dec 2020 09:39:36 -0500
Subject: [PATCH] site/content/docs/architecture.md: another coat of paint with
 Supervisor updates

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
---
 site/content/docs/architecture.md             | 80 ++++++++++++++-----
 site/content/docs/demo.md                     |  4 +-
 site/content/docs/img/README.md               | 11 ++-
 ...ed.svg => pinniped-concierge-sequence.svg} |  0
 ...ed.txt => pinniped-concierge-sequence.txt} |  0
 ...pinniped-concierge-supervisor-sequence.svg | 60 ++++++++++++++
 ...pinniped-concierge-supervisor-sequence.txt | 52 ++++++++++++
 7 files changed, 181 insertions(+), 26 deletions(-)
 rename site/content/docs/img/{pinniped.svg => pinniped-concierge-sequence.svg} (100%)
 rename site/content/docs/img/{pinniped.txt => pinniped-concierge-sequence.txt} (100%)
 create mode 100644 site/content/docs/img/pinniped-concierge-supervisor-sequence.svg
 create mode 100644 site/content/docs/img/pinniped-concierge-supervisor-sequence.txt

diff --git a/site/content/docs/architecture.md b/site/content/docs/architecture.md
index 8181259c..c3bfb531 100644
--- a/site/content/docs/architecture.md
+++ b/site/content/docs/architecture.md
@@ -10,14 +10,14 @@ The principal purpose of Pinniped is to allow users to access Kubernetes
 clusters. Pinniped hopes to enable this access across a wide range of Kubernetes
 environments with zero configuration.
 
-This integration is composed of two parts. 
-One part, the supervisor, is an OIDC server which allows users
-to authenticate with their external Identity Provider,
-then issues its own federation id tokens to be passed on to clusters
-based on the information from the external Identity Provider's token. 
-The other, the concierge, is a credential exchange API which takes as input a token
-(from the supervisor or elsewhere), and returns a credential which is understood by 
-the host Kubernetes cluster.
+Pinniped is composed of two parts.
+1. The Pinniped Supervisor is an OIDC server which allows users to authenticate
+with an external identity provider (IDP), and then issues its own federation ID tokens
+to be passed on to clusters based on the user information from the IDP.
+1. The Pinniped Concierge is a credential exchange API which takes as input a
+credential from an identity source (e.g., Pinniped Supervisor, proprietary IDP),
+authenticates the user via that credential, and returns another credential which is
+understood by the host Kubernetes cluster.
 
 ![Pinniped Architecture Sketch](/docs/img/pinniped_architecture.svg)
 
@@ -34,15 +34,29 @@ Support for other types of Kubernetes distributions is coming soon.
 
 ## External Identity Provider Integrations
 
-Pinniped will consume identity from one or more external identity providers
-(IDPs). Administrators will configure external IDPs via Kubernetes custom
-resources allowing Pinniped to be managed using GitOps and standard Kubernetes tools.
+The Pinniped Supervisor will federate identity from one or more IDPs.
+Administrators will configure the Pinniped Supervisor to use IDPs via Kubernetes
+custom resources allowing Pinniped to be managed using GitOps and standard
+Kubernetes tools.
+
+Pinniped supports the following IDPs.
+
+1. Any [OIDC-compliant](https://openid.net/specs/openid-connect-core-1_0.html)
+   identity provider (e.g., [Dex](https://github.com/dexidp/dex),
+   [Okta](https://www.okta.com/)).
+
+The
+[`idp.supervisor.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-idp-supervisor-pinniped-dev-v1alpha1)
+API group contains the Kubernetes custom resources that configure the Pinniped
+Supervisor's upstream IDPs.
+
+More IDP integrations are coming soon.
 
 ## Authenticators
 
-The Pinniped concierge requires one or more **authenticators** to validate tokens before
-issuing cluster specific certificates. 
-Administrators will configure external IDPs via Kubernetes custom
+The Pinniped Concierge requires one or more **authenticators** to validate external credentials in order to
+issue cluster specific credentials.
+Administrators will configure authenticators via Kubernetes custom
 resources allowing Pinniped to be managed using GitOps and standard Kubernetes tools.
 
 Pinniped supports the following authenticator types.
@@ -56,9 +70,20 @@ Pinniped supports the following authenticator types.
    sample implementation in Golang. See the `ServeHTTP` method of
    [cmd/local-user-authenticator/main.go](https://github.com/vmware-tanzu/pinniped/blob/main/cmd/local-user-authenticator/main.go).
 
-1. A JwtAuthenticator resource, which will validate and parse claims from
-   JWT id tokens.
-   This can be used to validate tokens that are issued by the supervisor.
+1. A JSON Web Token (JWT) authenticator, which will validate and parse claims
+   from JWTs.  This can be used to validate tokens that are issued by the
+   Pinniped Supervisor, any
+   [OIDC-compliant](https://openid.net/specs/openid-connect-core-1_0.html)
+   identity provider, or various other identity sources. The JWT authenticator
+   provides the same functionality as the [Kubernetes OIDC authentication
+   mechanism](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens),
+   but it is configurable at cluster runtime instead of requiring flags to be
+   set on the `kube-apiserver` process.
+
+The
+[`authentication.concierge.pinniped.dev`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.19/README.adoc#k8s-api-authentication-concierge-pinniped-dev-v1alpha1)
+API group contains the Kubernetes custom resources that configure the Pinniped
+Concierge's authenticators.
 
 ## Cluster Integration Strategies
 
@@ -80,15 +105,26 @@ support more Kubernetes cluster types.
 
 ## kubectl Integration
 
-With any of the above IDPs and integration strategies, `kubectl` commands receive the
+With any of the above IDPs, authentication methods, and cluster integration strategies, `kubectl` commands receive the
 cluster-specific credential via a
 [Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI
 built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/tree/main/generated).
 
-## Example Cluster Authentication Sequence Diagram
+## Example Cluster Authentication Sequence Diagrams
 
-This diagram demonstrates using `kubectl get pods` with the Pinniped CLI configured as the credential plugin,
-and with a webhook IDP configured as the identity provider for the Pinniped server.
+### Concierge With Webhook
 
-![example-cluster-authentication-sequence-diagram](/docs/img/pinniped.svg)
+This diagram demonstrates using `kubectl get pods` with a [Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)
+that obtains an external credential to be sent to a webhook authenticator via the Pinniped Concierge.
+
+![concierge-with-webhook-sequence-diagram](/docs/img/pinniped-concierge-sequence.svg)
+
+### Concierge with Supervisor
+
+This diagram demonstrates using `kubectl get pods` with the Pinniped CLI
+functioning as a [Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)
+that obtains a federation ID token from the Pinniped Supervisor to be sent to a
+JWT authenticator via the Pinniped Concierge.
+
+![concierge-with-supervisor-sequence-diagram](/docs/img/pinniped-concierge-supervisor-sequence.svg)
diff --git a/site/content/docs/demo.md b/site/content/docs/demo.md
index 53254385..0e4be526 100644
--- a/site/content/docs/demo.md
+++ b/site/content/docs/demo.md
@@ -5,5 +5,5 @@ cascade:
 ---
 
 # Trying Pinniped
-1. [Concierge with webhook demo](/docs/concierge-only-demo) 
-1. [Concierge with supervisor and JWTAuthenticator demo](/docs/concierge-and-supervisor-demo)
+1. [Concierge with webhook demo](/docs/concierge-only-demo)
+1. [Concierge with Supervisor and JWT authenticator demo](/docs/concierge-and-supervisor-demo)
diff --git a/site/content/docs/img/README.md b/site/content/docs/img/README.md
index e4db879a..6383c42e 100644
--- a/site/content/docs/img/README.md
+++ b/site/content/docs/img/README.md
@@ -2,8 +2,15 @@
 
 ## How to Update these Images
 
-- [pinniped.svg](pinniped.svg) was generated using [`plantuml`](https://plantuml.com/).
-  To regenerate the image, run `plantuml -tsvg pinniped.txt` from this directory.
+- [pinniped-concierge-sequence.svg](pinniped-concierge-sequence.svg) was
+  generated using [`plantuml`](https://plantuml.com/).  To regenerate the image,
+  run `plantuml -tsvg pinniped.txt` from this directory, or go to
+  https://www.planttext.com/.
+
+- [pinniped-concierge-supervisor-sequence.svg](pinniped-concierge-supervisor-sequence.svg)
+  was generated using [`plantuml`](https://plantuml.com/).  To regenerate the
+  image, run `plantuml -tsvg pinniped.txt` from this directory, or go to
+  https://www.planttext.com/.
 
 - [pinniped_architecture.svg](pinniped_architecture.svg) was created on [draw.io](https://draw.io).
   It can be opened again for editing on that site by choosing "File" -> "Open from" -> "Device".
diff --git a/site/content/docs/img/pinniped.svg b/site/content/docs/img/pinniped-concierge-sequence.svg
similarity index 100%
rename from site/content/docs/img/pinniped.svg
rename to site/content/docs/img/pinniped-concierge-sequence.svg
diff --git a/site/content/docs/img/pinniped.txt b/site/content/docs/img/pinniped-concierge-sequence.txt
similarity index 100%
rename from site/content/docs/img/pinniped.txt
rename to site/content/docs/img/pinniped-concierge-sequence.txt
diff --git a/site/content/docs/img/pinniped-concierge-supervisor-sequence.svg b/site/content/docs/img/pinniped-concierge-supervisor-sequence.svg
new file mode 100644
index 00000000..60cc5cef
--- /dev/null
+++ b/site/content/docs/img/pinniped-concierge-supervisor-sequence.svg
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="1115px" preserveAspectRatio="none" style="width:1570px;height:1115px;" version="1.1" viewBox="0 0 1570 1115" width="1570px" zoomAndPan="magnify"><defs><filter height="300%" id="fazmj0hiken0e" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="461.5" x="64.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="96" x="247.25" y="18.0669">Workstation</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="146" x="795" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="140" x="798" y="18.0669">Supervisor Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="141" x="1017" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="135" x="1020" y="18.0669">Concierge Cluster</text><rect fill="#DDDDDD" height="1103.0517" style="stroke:#A80036;stroke-width:1.0;" width="156" x="1333.5" y="6"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="150" x="1336.5" y="18.0669">Corporate Network</text><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="23" x2="23" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="106.5" x2="106.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="191.5" x2="191.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="468" x2="468" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="867.5" x2="867.5" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1087" x2="1087" y1="88.2969" y2="1022.7549"/><line style="stroke:#A80036;stroke-width:1.0;stroke-dasharray:5.0,5.0;" x1="1411.5" x2="1411.5" y1="88.2969" y2="1022.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="84.9951">User</text><ellipse cx="23.5" cy="15" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,23 L23.5,50 M10.5,31 L36.5,31 M23.5,50 L10.5,65 M23.5,50 L36.5,65 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="5" y="1034.75">User</text><ellipse cx="23.5" cy="1048.0517" fill="#FEFECE" filter="url(#fazmj0hiken0e)" rx="8" ry="8" style="stroke:#A80036;stroke-width:2.0;"/><path d="M23.5,1056.0517 L23.5,1083.0517 M10.5,1064.0517 L36.5,1064.0517 M23.5,1083.0517 L10.5,1098.0517 M23.5,1083.0517 L36.5,1098.0517 " fill="none" filter="url(#fazmj0hiken0e)" style="stroke:#A80036;stroke-width:2.0;"/><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="72.9951">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="72" x="68.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="58" x="75.5" y="1041.75">Browser</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="70" x="154.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="56" x="161.5" y="72.9951">Kubectl</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="70" x="154.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="56" x="161.5" y="1041.75">Kubectl</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="103" x="415" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="89" x="422" y="72.9951">Pinniped CLI</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="103" x="415" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="89" x="422" y="1041.75">Pinniped CLI</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="827.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="834.5" y="72.9951">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="827.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="834.5" y="1041.75">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="1047" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="1054" y="72.9951">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="77" x="1047" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="63" x="1054" y="1041.75">Pinniped</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="78" x="1370.5" y="53"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="64" x="1377.5" y="72.9951">OIDC IDP</text><rect fill="#FEFECE" filter="url(#fazmj0hiken0e)" height="30.2969" style="stroke:#A80036;stroke-width:1.5;" width="78" x="1370.5" y="1021.7549"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="64" x="1377.5" y="1041.75">OIDC IDP</text><polygon fill="#A80036" points="179.5,115.4297,189.5,119.4297,179.5,123.4297,183.5,119.4297" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="23.5" x2="185.5" y1="119.4297" y2="119.4297"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="106" x="30.5" y="114.3638">kubectl get pods</text><polygon fill="#A80036" points="456.5,144.5625,466.5,148.5625,456.5,152.5625,460.5,148.5625" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="191.5" x2="462.5" y1="148.5625" y2="148.5625"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="253" x="198.5" y="143.4966">get credential for cluster authentication</text><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="510.5" y1="177.6953" y2="177.6953"/><line style="stroke:#A80036;stroke-width:1.0;" x1="510.5" x2="510.5" y1="177.6953" y2="190.6953"/><line style="stroke:#A80036;stroke-width:1.0;" x1="469.5" x2="510.5" y1="190.6953" y2="190.6953"/><polygon fill="#A80036" points="479.5,186.6953,469.5,190.6953,479.5,194.6953,475.5,190.6953" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="149" x="475.5" y="172.6294">starts localhost listener</text><polygon fill="#A80036" points="34.5,215.8281,24.5,219.8281,34.5,223.8281,30.5,219.8281" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="28.5" x2="467.5" y1="219.8281" y2="219.8281"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="157" x="40.5" y="214.7622">"open browser to URL X"</text><polygon fill="#A80036" points="94.5,244.9609,104.5,248.9609,94.5,252.9609,98.5,248.9609" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="23.5" x2="100.5" y1="248.9609" y2="248.9609"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="59" x="30.5" y="243.895">clicks link</text><polygon fill="#A80036" points="856,274.561,866,278.561,856,282.561,860,278.561" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="862" y1="278.561" y2="278.561"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="344" x="113.5" y="272.9989">GET https://supervisor.com/oauth2/authorize</text><polygon fill="#A80036" points="117.5,304.161,107.5,308.161,117.5,312.161,113.5,308.161" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="867" y1="308.161" y2="308.161"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="66" x="123.5" y="303.095">302 to IDP</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="440" x="193.5" y="302.599">/authorize?redirect_uri=https://supervisor.com/callback</text><polygon fill="#A80036" points="1399.5,333.761,1409.5,337.761,1399.5,341.761,1403.5,337.761" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="1405.5" y1="337.761" y2="337.761"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="472" x="113.5" y="332.199">GET /authorize?redirect_uri=https://supervisor.com/callback</text><line style="stroke:#A80036;stroke-width:1.0;" x1="1411.5" x2="1453.5" y1="366.8938" y2="366.8938"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1453.5" x2="1453.5" y1="366.8938" y2="379.8938"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1412.5" x2="1453.5" y1="379.8938" y2="379.8938"/><polygon fill="#A80036" points="1422.5,375.8938,1412.5,379.8938,1422.5,383.8938,1418.5,379.8938" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="145" x="1418.5" y="361.8279">IDP authenticates user</text><polygon fill="#A80036" points="117.5,405.4938,107.5,409.4938,117.5,413.4938,113.5,409.4938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="1410.5" y1="409.4938" y2="409.4938"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="41" x="123.5" y="404.4279">302 to</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="248" x="168.5" y="403.9318">https://supervisor.com/callback</text><polygon fill="#A80036" points="856,435.0938,866,439.0938,856,443.0938,860,439.0938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="862" y1="439.0938" y2="439.0938"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="280" x="113.5" y="433.5318">GET https://supervisor.com/callback</text><polygon fill="#A80036" points="1399.5,464.6938,1409.5,468.6938,1399.5,472.6938,1403.5,468.6938" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="1405.5" y1="468.6938" y2="468.6938"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="88" x="875" y="463.1318">POST /token</text><polygon fill="#A80036" points="879,493.8266,869,497.8266,879,501.8266,875,497.8266" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="873" x2="1410.5" y1="497.8266" y2="497.8266"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="239" x="885" y="492.7607">access token, ID token, refresh token</text><polygon fill="#A80036" points="117.5,523.4267,107.5,527.4267,117.5,531.4267,113.5,527.4267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="111.5" x2="867" y1="527.4267" y2="527.4267"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="41" x="123.5" y="522.3607">302 to</text><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="240" x="168.5" y="521.8647">http://localhost:1234/callback</text><polygon fill="#A80036" points="456.5,553.0267,466.5,557.0267,456.5,561.0267,460.5,557.0267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="106.5" x2="462.5" y1="557.0267" y2="557.0267"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="272" x="113.5" y="551.4647">GET http://localhost:1234/callback</text><polygon fill="#A80036" points="856,582.6267,866,586.6267,856,590.6267,860,586.6267" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="862" y1="586.6267" y2="586.6267"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="320" x="475.5" y="581.0647">POST https://supervisor.com/oauth2/token</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="615.7595" y2="615.7595"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="615.7595" y2="628.7595"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="628.7595" y2="628.7595"/><polygon fill="#A80036" points="879,624.7595,869,628.7595,879,632.7595,875,628.7595" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="110" x="875" y="610.6936">lookup auth code</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="657.8923" y2="657.8923"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="657.8923" y2="670.8923"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="670.8923" y2="670.8923"/><polygon fill="#A80036" points="879,666.8923,869,670.8923,879,674.8923,875,670.8923" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="123" x="875" y="652.8264">issue refresh token</text><line style="stroke:#A80036;stroke-width:1.0;" x1="868" x2="910" y1="700.0251" y2="700.0251"/><line style="stroke:#A80036;stroke-width:1.0;" x1="910" x2="910" y1="700.0251" y2="713.0251"/><line style="stroke:#A80036;stroke-width:1.0;" x1="869" x2="910" y1="713.0251" y2="713.0251"/><polygon fill="#A80036" points="879,709.0251,869,713.0251,879,717.0251,875,713.0251" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="151" x="875" y="694.9592">issue ID+access tokens</text><polygon fill="#A80036" points="479.5,738.1579,469.5,742.1579,479.5,746.1579,475.5,742.1579" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="867" y1="742.1579" y2="742.1579"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="170" x="485.5" y="737.092">refresh+access+ID tokens</text><polygon fill="#A80036" points="856,767.7579,866,771.7579,856,775.7579,860,771.7579" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="862" y1="771.7579" y2="771.7579"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="144" x="475.5" y="766.1959">POST /oauth2/token</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="199" x="623.5" y="766.692">(w/ access token per RFC8693)</text><polygon fill="#A80036" points="479.5,796.8908,469.5,800.8908,479.5,804.8908,475.5,800.8908" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="867" y1="800.8908" y2="800.8908"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="153" x="485.5" y="795.8248">cluster-specific ID token</text><polygon fill="#A80036" points="1075.5,826.0236,1085.5,830.0236,1075.5,834.0236,1079.5,830.0236" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="468.5" x2="1081.5" y1="830.0236" y2="830.0236"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="388" x="475.5" y="824.9577">create TokenCredentialRequest (w/ cluster-specific ID token)</text><polygon fill="#A80036" points="479.5,855.1564,469.5,859.1564,479.5,863.1564,475.5,859.1564" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="473.5" x2="1086.5" y1="859.1564" y2="859.1564"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="219" x="485.5" y="854.0905">cluster-specific certificate and key</text><polygon fill="#A80036" points="202.5,884.2892,192.5,888.2892,202.5,892.2892,198.5,888.2892" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="196.5" x2="467.5" y1="888.2892" y2="888.2892"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="219" x="208.5" y="883.2233">cluster-specific certificate and key</text><polygon fill="#A80036" points="1075.5,913.8892,1085.5,917.8892,1075.5,921.8892,1079.5,917.8892" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="191.5" x2="1081.5" y1="917.8892" y2="917.8892"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="128" x="198.5" y="912.3272">GET /api/v1/pods</text><line style="stroke:#A80036;stroke-width:1.0;" x1="1087.5" x2="1129.5" y1="962.1548" y2="962.1548"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1129.5" x2="1129.5" y1="962.1548" y2="975.1548"/><line style="stroke:#A80036;stroke-width:1.0;" x1="1088.5" x2="1129.5" y1="975.1548" y2="975.1548"/><polygon fill="#A80036" points="1098.5,971.1548,1088.5,975.1548,1098.5,979.1548,1094.5,975.1548" style="stroke:#A80036;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="251" x="1094.5" y="941.9561">Glean user and group information from</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="163" x="1094.5" y="957.0889">cluster-specific credential</text><polygon fill="#A80036" points="202.5,1000.7549,192.5,1004.7549,202.5,1008.7549,198.5,1004.7549" style="stroke:#A80036;stroke-width:1.0;"/><line style="stroke:#A80036;stroke-width:1.0;" x1="196.5" x2="1086.5" y1="1004.7549" y2="1004.7549"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="48" x="208.5" y="999.1928">200 OK</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="62" x="260.5" y="999.6889">with pods</text><!--MD5=[49d02181e46ae9cfb93bcee05d19a828]
+@startuml
+actor User
+
+box "Workstation"
+participant Browser
+participant Kubectl
+participant "Pinniped CLI"
+end box
+
+box "Supervisor Cluster"
+participant Pinniped as sp
+end box
+
+box "Concierge Cluster"
+participant Pinniped as wp
+end box
+
+box "Corporate Network"
+participant "OIDC IDP" as IDP
+end box
+
+User -> Kubectl: kubectl get pods
+Kubectl -> "Pinniped CLI" : get credential for cluster authentication
+"Pinniped CLI" -> "Pinniped CLI": starts localhost listener
+"Pinniped CLI" -> User: "open browser to URL X"
+User -> Browser: clicks link
+Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""
+sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""
+Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""
+IDP -> IDP: IDP authenticates user
+IDP -> Browser: 302 to ""https://supervisor.com/callback""
+Browser -> sp: ""GET https://supervisor.com/callback""
+sp -> IDP: ""POST /token""
+IDP -> sp: access token, ID token, refresh token
+sp -> Browser: 302 to ""http://localhost:1234/callback""
+Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""
+"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""
+sp -> sp: lookup auth code
+sp -> sp: issue refresh token
+sp -> sp: issue ID+access tokens
+sp -> "Pinniped CLI": refresh+access+ID tokens
+"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)
+sp -> "Pinniped CLI": cluster-specific ID token
+"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)
+wp -> "Pinniped CLI": cluster-specific certificate and key
+"Pinniped CLI" -> Kubectl: cluster-specific certificate and key
+Kubectl -> wp : ""GET /api/v1/pods""
+wp -> wp : Glean user and group information from\ncluster-specific credential
+wp -> Kubectl : ""200 OK"" with pods
+@enduml
+
+PlantUML version 1.2020.24beta4(Unknown compile time)
+(GPL source distribution)
+Java Runtime: Java(TM) SE Runtime Environment
+JVM: Java HotSpot(TM) 64-Bit Server VM
+Default Encoding: UTF-8
+Language: en
+Country: US
+--></g></svg>
diff --git a/site/content/docs/img/pinniped-concierge-supervisor-sequence.txt b/site/content/docs/img/pinniped-concierge-supervisor-sequence.txt
new file mode 100644
index 00000000..a006b508
--- /dev/null
+++ b/site/content/docs/img/pinniped-concierge-supervisor-sequence.txt
@@ -0,0 +1,52 @@
+@startuml Login
+
+actor User
+
+box "Workstation"
+participant Browser
+participant Kubectl
+participant "Pinniped CLI"
+end box
+
+box "Supervisor Cluster"
+participant Pinniped as sp
+end box
+
+box "Concierge Cluster"
+participant Pinniped as wp
+end box
+
+box "Corporate Network"
+participant "OIDC IDP" as IDP
+end box
+
+User -> Kubectl: kubectl get pods
+Kubectl -> "Pinniped CLI" : get credential for cluster authentication
+"Pinniped CLI" -> "Pinniped CLI": starts localhost listener
+"Pinniped CLI" -> User: open browser to URL X
+User -> Browser: clicks link
+Browser -> sp : ""GET https://supervisor.com/oauth2/authorize""
+sp -> Browser: 302 to IDP ""/authorize?redirect_uri=https://supervisor.com/callback""
+Browser -> IDP: ""GET /authorize?redirect_uri=https://supervisor.com/callback""
+IDP -> IDP: IDP authenticates user
+IDP -> Browser: 302 to ""https://supervisor.com/callback""
+Browser -> sp: ""GET https://supervisor.com/callback""
+sp -> IDP: ""POST /token""
+IDP -> sp: access token, ID token, refresh token
+sp -> Browser: 302 to ""http://localhost:1234/callback""
+Browser -> "Pinniped CLI": ""GET http://localhost:1234/callback""
+"Pinniped CLI" -> sp: ""POST https://supervisor.com/oauth2/token""
+sp -> sp: lookup auth code
+sp -> sp: issue refresh token
+sp -> sp: issue ID+access tokens
+sp -> "Pinniped CLI": refresh+access+ID tokens
+"Pinniped CLI" -> sp: ""POST /oauth2/token"" (w/ access token per RFC8693)
+sp -> "Pinniped CLI": cluster-specific ID token
+"Pinniped CLI" -> wp: create TokenCredentialRequest (w/ cluster-specific ID token)
+wp -> "Pinniped CLI": cluster-specific certificate and key
+"Pinniped CLI" -> Kubectl: cluster-specific certificate and key
+Kubectl -> wp : ""GET /api/v1/pods""
+wp -> wp : Glean user and group information from\ncluster-specific credential
+wp -> Kubectl : ""200 OK"" with pods
+
+@enduml