Register a second APIService for the login.pinniped.dev.

This is handled by a second instance of the APIServiceUpdaterController.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

deploy/deployment.yaml

@@ -173,3 +173,20 @@ spec:
     name: pinniped-api
     namespace: #@ data.values.namespace
     port: 443
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.login.pinniped.dev
+  labels:
+    app: #@ data.values.app_name
+spec:
+  version: v1alpha1
+  group: login.pinniped.dev
+  groupPriorityMinimum: 2500
+  versionPriority: 10
+  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
+  service:
+    name: pinniped-api
+    namespace: #@ data.values.namespace
+    port: 443

internal/controllermanager/prepare_controllers.go

@@ -15,6 +15,7 @@ import (
 	"k8s.io/klog/v2/klogr"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
+	loginv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/login/v1alpha1"
 	pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1"
 	pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 	pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
@@ -91,6 +92,16 @@ func PrepareControllers(
 			),
 			singletonWorker,
 		).
+		WithController(
+			apicerts.NewAPIServiceUpdaterController(
+				serverInstallationNamespace,
+				loginv1alpha1.SchemeGroupVersion.Version+"."+loginv1alpha1.GroupName,
+				aggregatorClient,
+				installationNamespaceK8sInformers.Core().V1().Secrets(),
+				controllerlib.WithInformer,
+			),
+			singletonWorker,
+		).
 		WithController(
 			apicerts.NewCertsObserverController(
 				serverInstallationNamespace,