Add generated code for new CredentialIssuer API fields.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -38,16 +38,34 @@ spec:
           status:
             description: Status of the credential issuer.
             properties:
-              kubeConfigInfo:
+              impersonationProxyInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer.
+                  using the impersonation proxy.
                 properties:
                   certificateAuthorityData:
-                    description: The K8s API server CA bundle.
+                    description: The CA bundle to validate connections to the impersonation
+                      proxy.
+                    minLength: 1
+                    type: string
+                  endpoint:
+                    description: The HTTPS endpoint of the impersonation proxy.
+                    minLength: 1
+                    pattern: ^https://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - endpoint
+                type: object
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using the TokenCredentialRequest API.
+                properties:
+                  certificateAuthorityData:
+                    description: The Kubernetes API server CA bundle.
                     minLength: 1
                     type: string
                   server:
-                    description: The K8s API server URL.
+                    description: The Kubernetes API server URL.
                     minLength: 1
                     pattern: ^https://|^http://
                     type: string

generated/1.17/README.adoc

@@ -236,6 +236,24 @@ Describes the configuration status of a Pinniped credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo"]
+==== CredentialIssuerImpersonationProxyInfo 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | The HTTPS endpoint of the impersonation proxy.
+| *`certificateAuthorityData`* __string__ | The CA bundle to validate connections to the impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 
 
@@ -249,8 +267,8 @@ Describes the configuration status of a Pinniped credential issuer.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
+| *`server`* __string__ | The Kubernetes API server URL.
+| *`certificateAuthorityData`* __string__ | The Kubernetes API server CA bundle.
 |===
 
 
@@ -270,7 +288,8 @@ Status of a credential issuer.
 |===
 | Field | Description
 | *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
+| *`impersonationProxyInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo[$$CredentialIssuerImpersonationProxyInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
 |===
 
 

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,22 @@ func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopyInto(out *CredentialIssuerImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerImpersonationProxyInfo.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopy() *CredentialIssuerImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
@@ -102,6 +118,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(CredentialIssuerImpersonationProxyInfo)
+		**out = **in
+	}
 	return
 }
 

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -38,16 +38,34 @@ spec:
           status:
             description: Status of the credential issuer.
             properties:
-              kubeConfigInfo:
+              impersonationProxyInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer.
+                  using the impersonation proxy.
                 properties:
                   certificateAuthorityData:
-                    description: The K8s API server CA bundle.
+                    description: The CA bundle to validate connections to the impersonation
+                      proxy.
+                    minLength: 1
+                    type: string
+                  endpoint:
+                    description: The HTTPS endpoint of the impersonation proxy.
+                    minLength: 1
+                    pattern: ^https://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - endpoint
+                type: object
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using the TokenCredentialRequest API.
+                properties:
+                  certificateAuthorityData:
+                    description: The Kubernetes API server CA bundle.
                     minLength: 1
                     type: string
                   server:
-                    description: The K8s API server URL.
+                    description: The Kubernetes API server URL.
                     minLength: 1
                     pattern: ^https://|^http://
                     type: string

generated/1.18/README.adoc

@@ -236,6 +236,24 @@ Describes the configuration status of a Pinniped credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo"]
+==== CredentialIssuerImpersonationProxyInfo 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | The HTTPS endpoint of the impersonation proxy.
+| *`certificateAuthorityData`* __string__ | The CA bundle to validate connections to the impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 
 
@@ -249,8 +267,8 @@ Describes the configuration status of a Pinniped credential issuer.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
+| *`server`* __string__ | The Kubernetes API server URL.
+| *`certificateAuthorityData`* __string__ | The Kubernetes API server CA bundle.
 |===
 
 
@@ -270,7 +288,8 @@ Status of a credential issuer.
 |===
 | Field | Description
 | *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
+| *`impersonationProxyInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo[$$CredentialIssuerImpersonationProxyInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
 |===
 
 

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,22 @@ func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopyInto(out *CredentialIssuerImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerImpersonationProxyInfo.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopy() *CredentialIssuerImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
@@ -102,6 +118,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(CredentialIssuerImpersonationProxyInfo)
+		**out = **in
+	}
 	return
 }
 

generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -38,16 +38,34 @@ spec:
           status:
             description: Status of the credential issuer.
             properties:
-              kubeConfigInfo:
+              impersonationProxyInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer.
+                  using the impersonation proxy.
                 properties:
                   certificateAuthorityData:
-                    description: The K8s API server CA bundle.
+                    description: The CA bundle to validate connections to the impersonation
+                      proxy.
+                    minLength: 1
+                    type: string
+                  endpoint:
+                    description: The HTTPS endpoint of the impersonation proxy.
+                    minLength: 1
+                    pattern: ^https://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - endpoint
+                type: object
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using the TokenCredentialRequest API.
+                properties:
+                  certificateAuthorityData:
+                    description: The Kubernetes API server CA bundle.
                     minLength: 1
                     type: string
                   server:
-                    description: The K8s API server URL.
+                    description: The Kubernetes API server URL.
                     minLength: 1
                     pattern: ^https://|^http://
                     type: string

generated/1.19/README.adoc

@@ -236,6 +236,24 @@ Describes the configuration status of a Pinniped credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo"]
+==== CredentialIssuerImpersonationProxyInfo 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | The HTTPS endpoint of the impersonation proxy.
+| *`certificateAuthorityData`* __string__ | The CA bundle to validate connections to the impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 
 
@@ -249,8 +267,8 @@ Describes the configuration status of a Pinniped credential issuer.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
+| *`server`* __string__ | The Kubernetes API server URL.
+| *`certificateAuthorityData`* __string__ | The Kubernetes API server CA bundle.
 |===
 
 
@@ -270,7 +288,8 @@ Status of a credential issuer.
 |===
 | Field | Description
 | *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
+| *`impersonationProxyInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo[$$CredentialIssuerImpersonationProxyInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
 |===
 
 

generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,22 @@ func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopyInto(out *CredentialIssuerImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerImpersonationProxyInfo.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopy() *CredentialIssuerImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
@@ -102,6 +118,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(CredentialIssuerImpersonationProxyInfo)
+		**out = **in
+	}
 	return
 }
 

generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -38,16 +38,34 @@ spec:
           status:
             description: Status of the credential issuer.
             properties:
-              kubeConfigInfo:
+              impersonationProxyInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer.
+                  using the impersonation proxy.
                 properties:
                   certificateAuthorityData:
-                    description: The K8s API server CA bundle.
+                    description: The CA bundle to validate connections to the impersonation
+                      proxy.
+                    minLength: 1
+                    type: string
+                  endpoint:
+                    description: The HTTPS endpoint of the impersonation proxy.
+                    minLength: 1
+                    pattern: ^https://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - endpoint
+                type: object
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using the TokenCredentialRequest API.
+                properties:
+                  certificateAuthorityData:
+                    description: The Kubernetes API server CA bundle.
                     minLength: 1
                     type: string
                   server:
-                    description: The K8s API server URL.
+                    description: The Kubernetes API server URL.
                     minLength: 1
                     pattern: ^https://|^http://
                     type: string

generated/1.20/README.adoc

@@ -236,6 +236,24 @@ Describes the configuration status of a Pinniped credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo"]
+==== CredentialIssuerImpersonationProxyInfo 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | The HTTPS endpoint of the impersonation proxy.
+| *`certificateAuthorityData`* __string__ | The CA bundle to validate connections to the impersonation proxy.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo"]
 ==== CredentialIssuerKubeConfigInfo 
 
@@ -249,8 +267,8 @@ Describes the configuration status of a Pinniped credential issuer.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
+| *`server`* __string__ | The Kubernetes API server URL.
+| *`certificateAuthorityData`* __string__ | The Kubernetes API server CA bundle.
 |===
 
 
@@ -270,7 +288,8 @@ Status of a credential issuer.
 |===
 | Field | Description
 | *`strategies`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstrategy[$$CredentialIssuerStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerkubeconfiginfo[$$CredentialIssuerKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
+| *`impersonationProxyInfo`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerimpersonationproxyinfo[$$CredentialIssuerImpersonationProxyInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
 |===
 
 

generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,22 @@ func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopyInto(out *CredentialIssuerImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerImpersonationProxyInfo.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopy() *CredentialIssuerImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
@@ -102,6 +118,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(CredentialIssuerImpersonationProxyInfo)
+		**out = **in
+	}
 	return
 }
 

generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -38,16 +38,34 @@ spec:
           status:
             description: Status of the credential issuer.
             properties:
-              kubeConfigInfo:
+              impersonationProxyInfo:
                 description: Information needed to form a valid Pinniped-based kubeconfig
-                  using this credential issuer.
+                  using the impersonation proxy.
                 properties:
                   certificateAuthorityData:
-                    description: The K8s API server CA bundle.
+                    description: The CA bundle to validate connections to the impersonation
+                      proxy.
+                    minLength: 1
+                    type: string
+                  endpoint:
+                    description: The HTTPS endpoint of the impersonation proxy.
+                    minLength: 1
+                    pattern: ^https://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - endpoint
+                type: object
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using the TokenCredentialRequest API.
+                properties:
+                  certificateAuthorityData:
+                    description: The Kubernetes API server CA bundle.
                     minLength: 1
                     type: string
                   server:
-                    description: The K8s API server URL.
+                    description: The Kubernetes API server URL.
                     minLength: 1
                     pattern: ^https://|^http://
                     type: string

generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }

generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,22 @@ func (in *CredentialIssuer) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopyInto(out *CredentialIssuerImpersonationProxyInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerImpersonationProxyInfo.
+func (in *CredentialIssuerImpersonationProxyInfo) DeepCopy() *CredentialIssuerImpersonationProxyInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerImpersonationProxyInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
 	*out = *in
@@ -102,6 +118,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 		*out = new(CredentialIssuerKubeConfigInfo)
 		**out = **in
 	}
+	if in.ImpersonationProxyInfo != nil {
+		in, out := &in.ImpersonationProxyInfo, &out.ImpersonationProxyInfo
+		*out = new(CredentialIssuerImpersonationProxyInfo)
+		**out = **in
+	}
 	return
 }