WIP aggregated api for oidcclientsecretrequest

Signed-off-by: Margo Crawford <margaretc@vmware.com>

apis/supervisor/virtual/oauth/doc.go.tmpl

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth

apis/supervisor/virtual/oauth/register.go.tmpl

@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	return nil
+}

apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go.tmpl

@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

apis/supervisor/virtual/oauth/v1alpha1/conversion.go.tmpl

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

apis/supervisor/virtual/oauth/v1alpha1/defaults.go.tmpl

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

apis/supervisor/virtual/oauth/v1alpha1/doc.go.tmpl

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1

apis/supervisor/virtual/oauth/v1alpha1/register.go.tmpl

@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go.tmpl

@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

deploy/supervisor/deployment.yaml

@@ -10,6 +10,7 @@
 #@   "namespace",
 #@   "defaultResourceName",
 #@   "defaultResourceNameWithSuffix",
+#@   "pinnipedDevAPIGroupWithPrefix",
 #@   "getPinnipedConfigMapData",
 #@   "hasUnixNetworkEndpoint",
 #@  )
@@ -174,3 +175,37 @@ spec:
                 labelSelector:
                   matchLabels: #@ deploymentPodLabel()
                 topologyKey: kubernetes.io/hostname
+---
+apiVersion: v1
+kind: Service
+metadata:
+  #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below.
+  name: #@ defaultResourceNameWithSuffix("api")
+  namespace: #@ namespace()
+  labels: #@ labels()
+  #! prevent kapp from altering the selector of our services to match kubectl behavior
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+  type: ClusterIP
+  selector: #@ deploymentPodLabel()
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 10250
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.oauth.virtual.supervisor")
+  labels: #@ labels()
+spec:
+  version: v1alpha1
+  group: #@ pinnipedDevAPIGroupWithPrefix("oauth.virtual.supervisor")
+  groupPriorityMinimum: 9900
+  versionPriority: 15
+  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
+  service:
+    name: #@ defaultResourceNameWithSuffix("api")
+    namespace: #@ namespace()
+    port: 443

deploy/supervisor/helpers.lib.yaml

@@ -50,6 +50,7 @@ _: #@ template.replace(data.values.custom_labels)
 #@     "apiGroupSuffix": data.values.api_group_suffix,
 #@     "names": {
 #@       "defaultTLSCertificateSecret": defaultResourceNameWithSuffix("default-tls-certificate"),
+#@       "apiService": defaultResourceNameWithSuffix("api"),
 #@     },
 #@     "labels": labels(),
 #@     "insecureAcceptExternalUnencryptedHttpRequests": data.values.deprecated_insecure_accept_external_unencrypted_http_requests

deploy/supervisor/rbac.yaml

@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -74,3 +74,98 @@ roleRef:
   kind: Role
   name: #@ defaultResourceName()
   apiGroup: rbac.authorization.k8s.io
+
+#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
+  namespace: kube-system
+  labels: #@ labels()
+subjects:
+  - kind: ServiceAccount
+    name: #@ defaultResourceName()
+    namespace: #@ namespace()
+roleRef:
+  kind: Role
+  name: extension-apiserver-authentication-reader
+  apiGroup: rbac.authorization.k8s.io
+
+#! Give permission to list and watch ConfigMaps in kube-public
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
+  namespace: kube-public
+  labels: #@ labels()
+rules:
+  - apiGroups: [ "" ]
+    resources: [ configmaps ]
+    verbs: [ list, watch ]
+#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceName()
+  labels: #@ labels()
+subjects:
+  - kind: ServiceAccount
+    name: #@ defaultResourceName()
+    namespace: #@ namespace()
+roleRef:
+  kind: ClusterRole
+  name: system:auth-delegator
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
+  namespace: kube-public
+  labels: #@ labels()
+subjects:
+  - kind: ServiceAccount
+    name: #@ defaultResourceName()
+    namespace: #@ namespace()
+roleRef:
+  kind: Role
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
+  apiGroup: rbac.authorization.k8s.io
+
+#! Give permission to various cluster-scoped objects
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
+  labels: #@ labels()
+rules:
+  - apiGroups: [ "" ]
+    resources: [ namespaces ]
+    verbs: [ get, list, watch ]
+  - apiGroups: [ apiregistration.k8s.io ]
+    resources: [ apiservices ]
+    verbs: [ get, list, patch, update, watch ]
+  - apiGroups: [ admissionregistration.k8s.io ]
+    resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
+    verbs: [ get, list, watch ]
+  - apiGroups: [ flowcontrol.apiserver.k8s.io ]
+    resources: [ flowschemas, prioritylevelconfigurations ]
+    verbs: [ get, list, watch ]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
+  labels: #@ labels()
+subjects:
+  - kind: ServiceAccount
+    name: #@ defaultResourceName()
+    namespace: #@ namespace()
+roleRef:
+  kind: ClusterRole
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
+  apiGroup: rbac.authorization.k8s.io

generated/1.17/README.adoc

@@ -13,6 +13,8 @@
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$]
 
 
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client.
 
 
 
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"]
+=== oauth.virtual.supervisor.pinniped.dev/oauth
+
+Package oauth is the internal version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.virtual.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+

generated/1.17/apis/supervisor/virtual/oauth/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth

generated/1.17/apis/supervisor/virtual/oauth/register.go

@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	return nil
+}

generated/1.17/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go

@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/register.go

@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go

@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	oauth "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.17/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package oauth
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/clientset.go

@@ -0,0 +1,84 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+	"fmt"
+
+	oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	discovery "k8s.io/client-go/discovery"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
+}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return c.oauthV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+	var cs Clientset
+	var err error
+	cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+	return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated clientset.
+package versioned

generated/1.17/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go

@@ -0,0 +1,69 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	clientset "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned"
+	oauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	fakeoauthv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/testing"
+)
+
+// NewSimpleClientset returns a clientset that will respond with the provided objects.
+// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
+// without applying any validations and/or defaults. It shouldn't be considered a replacement
+// for a real clientset and is mostly useful in simple unit tests.
+func NewSimpleClientset(objects ...runtime.Object) *Clientset {
+	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range objects {
+		if err := o.Add(obj); err != nil {
+			panic(err)
+		}
+	}
+
+	cs := &Clientset{tracker: o}
+	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
+	cs.AddReactor("*", "*", testing.ObjectReaction(o))
+	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
+
+	return cs
+}
+
+// Clientset implements clientset.Interface. Meant to be embedded into a
+// struct to get a default implementation. This makes faking out just the method
+// you want to test easier.
+type Clientset struct {
+	testing.Fake
+	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
+}
+
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	return c.discovery
+}
+
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
+var _ clientset.Interface = &Clientset{}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated fake clientset.
+package fake

generated/1.17/client/supervisor/virtual/clientset/versioned/fake/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var scheme = runtime.NewScheme()
+var codecs = serializer.NewCodecFactory(scheme)
+var parameterCodec = runtime.NewParameterCodec(scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(scheme))
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme

generated/1.17/client/supervisor/virtual/clientset/versioned/scheme/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package scheme
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(Scheme))
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeOauthV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface {
+	return &FakeOIDCClientSecretRequests{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go

@@ -0,0 +1,33 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type FakeOIDCClientSecretRequests struct {
+	Fake *FakeOauthV1alpha1
+	ns   string
+}
+
+var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"}
+
+var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *FakeOIDCClientSecretRequests) Create(oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCClientSecretRequest), err
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type OIDCClientSecretRequestExpansion interface{}

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1"
+	"go.pinniped.dev/generated/1.17/client/supervisor/virtual/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type OauthV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	OIDCClientSecretRequestsGetter
+}
+
+// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group.
+type OauthV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface {
+	return newOIDCClientSecretRequests(c, namespace)
+}
+
+// NewForConfig creates a new OauthV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &OauthV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new OauthV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *OauthV1alpha1Client {
+	return &OauthV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.17/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go

@@ -0,0 +1,49 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/virtual/oauth/v1alpha1"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface.
+// A group's client should implement this interface.
+type OIDCClientSecretRequestsGetter interface {
+	OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface
+}
+
+// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources.
+type OIDCClientSecretRequestInterface interface {
+	Create(*v1alpha1.OIDCClientSecretRequest) (*v1alpha1.OIDCClientSecretRequest, error)
+	OIDCClientSecretRequestExpansion
+}
+
+// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type oIDCClientSecretRequests struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCClientSecretRequests returns a OIDCClientSecretRequests
+func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests {
+	return &oIDCClientSecretRequests{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *oIDCClientSecretRequests) Create(oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	result = &v1alpha1.OIDCClientSecretRequest{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcclientsecretrequests").
+		Body(oIDCClientSecretRequest).
+		Do().
+		Into(result)
+	return
+}

generated/1.18/README.adoc

@@ -13,6 +13,8 @@
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$]
 
 
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client.
 
 
 
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"]
+=== oauth.virtual.supervisor.pinniped.dev/oauth
+
+Package oauth is the internal version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.virtual.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+

generated/1.18/apis/supervisor/virtual/oauth/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth

generated/1.18/apis/supervisor/virtual/oauth/register.go

@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	return nil
+}

generated/1.18/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go

@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/register.go

@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go

@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	oauth "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.18/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package oauth
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/clientset.go

@@ -0,0 +1,84 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+	"fmt"
+
+	oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	discovery "k8s.io/client-go/discovery"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
+}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return c.oauthV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+	var cs Clientset
+	var err error
+	cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+	return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated clientset.
+package versioned

generated/1.18/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go

@@ -0,0 +1,69 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	clientset "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned"
+	oauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	fakeoauthv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/testing"
+)
+
+// NewSimpleClientset returns a clientset that will respond with the provided objects.
+// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
+// without applying any validations and/or defaults. It shouldn't be considered a replacement
+// for a real clientset and is mostly useful in simple unit tests.
+func NewSimpleClientset(objects ...runtime.Object) *Clientset {
+	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range objects {
+		if err := o.Add(obj); err != nil {
+			panic(err)
+		}
+	}
+
+	cs := &Clientset{tracker: o}
+	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
+	cs.AddReactor("*", "*", testing.ObjectReaction(o))
+	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
+
+	return cs
+}
+
+// Clientset implements clientset.Interface. Meant to be embedded into a
+// struct to get a default implementation. This makes faking out just the method
+// you want to test easier.
+type Clientset struct {
+	testing.Fake
+	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
+}
+
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	return c.discovery
+}
+
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
+var _ clientset.Interface = &Clientset{}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated fake clientset.
+package fake

generated/1.18/client/supervisor/virtual/clientset/versioned/fake/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var scheme = runtime.NewScheme()
+var codecs = serializer.NewCodecFactory(scheme)
+var parameterCodec = runtime.NewParameterCodec(scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(scheme))
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme

generated/1.18/client/supervisor/virtual/clientset/versioned/scheme/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package scheme
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(Scheme))
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeOauthV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface {
+	return &FakeOIDCClientSecretRequests{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go

@@ -0,0 +1,36 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type FakeOIDCClientSecretRequests struct {
+	Fake *FakeOauthV1alpha1
+	ns   string
+}
+
+var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"}
+
+var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCClientSecretRequest), err
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type OIDCClientSecretRequestExpansion interface{}

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
+	"go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type OauthV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	OIDCClientSecretRequestsGetter
+}
+
+// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group.
+type OauthV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface {
+	return newOIDCClientSecretRequests(c, namespace)
+}
+
+// NewForConfig creates a new OauthV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &OauthV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new OauthV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *OauthV1alpha1Client {
+	return &OauthV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.18/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go

@@ -0,0 +1,54 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/virtual/oauth/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/supervisor/virtual/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface.
+// A group's client should implement this interface.
+type OIDCClientSecretRequestsGetter interface {
+	OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface
+}
+
+// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources.
+type OIDCClientSecretRequestInterface interface {
+	Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error)
+	OIDCClientSecretRequestExpansion
+}
+
+// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type oIDCClientSecretRequests struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCClientSecretRequests returns a OIDCClientSecretRequests
+func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests {
+	return &oIDCClientSecretRequests{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	result = &v1alpha1.OIDCClientSecretRequest{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcclientsecretrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCClientSecretRequest).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.19/README.adoc

@@ -13,6 +13,8 @@
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$]
 
 
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client.
 
 
 
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"]
+=== oauth.virtual.supervisor.pinniped.dev/oauth
+
+Package oauth is the internal version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.virtual.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+

generated/1.19/apis/supervisor/virtual/oauth/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth

generated/1.19/apis/supervisor/virtual/oauth/register.go

@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	return nil
+}

generated/1.19/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go

@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/register.go

@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/types_oidcclientsecretrequest.go

@@ -0,0 +1,28 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +genclient
+// +genclient:onlyVerbs=create
+// +kubebuilder:subresource:status
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	oauth "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequest)(nil), (*oauth.OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(a.(*OIDCClientSecretRequest), b.(*oauth.OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequest)(nil), (*OIDCClientSecretRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(a.(*oauth.OIDCClientSecretRequest), b.(*OIDCClientSecretRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*oauth.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*oauth.OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestSpec)(nil), (*OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(a.(*oauth.OIDCClientSecretRequestSpec), b.(*OIDCClientSecretRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestStatus)(nil), (*oauth.OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(a.(*OIDCClientSecretRequestStatus), b.(*oauth.OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*oauth.OIDCClientSecretRequestStatus)(nil), (*OIDCClientSecretRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(a.(*oauth.OIDCClientSecretRequestStatus), b.(*OIDCClientSecretRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in *OIDCClientSecretRequest, out *oauth.OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequest_To_oauth_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in *oauth.OIDCClientSecretRequest, out *OIDCClientSecretRequest, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *oauth.OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_oauth_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	out.GenerateNewSecret = in.GenerateNewSecret
+	out.RevokeOldSecrets = in.RevokeOldSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in *oauth.OIDCClientSecretRequestSpec, out *OIDCClientSecretRequestSpec, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestSpec_To_v1alpha1_OIDCClientSecretRequestSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in *OIDCClientSecretRequestStatus, out *oauth.OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestStatus_To_oauth_OIDCClientSecretRequestStatus(in, out, s)
+}
+
+func autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	out.GeneratedSecret = in.GeneratedSecret
+	out.TotalClientSecrets = in.TotalClientSecrets
+	return nil
+}
+
+// Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus is an autogenerated conversion function.
+func Convert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in *oauth.OIDCClientSecretRequestStatus, out *OIDCClientSecretRequestStatus, s conversion.Scope) error {
+	return autoConvert_oauth_OIDCClientSecretRequestStatus_To_v1alpha1_OIDCClientSecretRequestStatus(in, out, s)
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/apis/supervisor/virtual/oauth/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,20 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

generated/1.19/apis/supervisor/virtual/oauth/zz_generated.deepcopy.go

@@ -0,0 +1,73 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package oauth
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequest) DeepCopyInto(out *OIDCClientSecretRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequest.
+func (in *OIDCClientSecretRequest) DeepCopy() *OIDCClientSecretRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestSpec.
+func (in *OIDCClientSecretRequestSpec) DeepCopy() *OIDCClientSecretRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestStatus) DeepCopyInto(out *OIDCClientSecretRequestStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestStatus.
+func (in *OIDCClientSecretRequestStatus) DeepCopy() *OIDCClientSecretRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/clientset.go

@@ -0,0 +1,84 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+	"fmt"
+
+	oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	discovery "k8s.io/client-go/discovery"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	oauthV1alpha1 *oauthv1alpha1.OauthV1alpha1Client
+}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return c.oauthV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+	var cs Clientset
+	var err error
+	cs.oauthV1alpha1, err = oauthv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.NewForConfigOrDie(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+	return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.oauthV1alpha1 = oauthv1alpha1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated clientset.
+package versioned

generated/1.19/client/supervisor/virtual/clientset/versioned/fake/clientset_generated.go

@@ -0,0 +1,69 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	clientset "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned"
+	oauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	fakeoauthv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/testing"
+)
+
+// NewSimpleClientset returns a clientset that will respond with the provided objects.
+// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
+// without applying any validations and/or defaults. It shouldn't be considered a replacement
+// for a real clientset and is mostly useful in simple unit tests.
+func NewSimpleClientset(objects ...runtime.Object) *Clientset {
+	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range objects {
+		if err := o.Add(obj); err != nil {
+			panic(err)
+		}
+	}
+
+	cs := &Clientset{tracker: o}
+	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
+	cs.AddReactor("*", "*", testing.ObjectReaction(o))
+	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
+
+	return cs
+}
+
+// Clientset implements clientset.Interface. Meant to be embedded into a
+// struct to get a default implementation. This makes faking out just the method
+// you want to test easier.
+type Clientset struct {
+	testing.Fake
+	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
+}
+
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	return c.discovery
+}
+
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
+var _ clientset.Interface = &Clientset{}
+
+// OauthV1alpha1 retrieves the OauthV1alpha1Client
+func (c *Clientset) OauthV1alpha1() oauthv1alpha1.OauthV1alpha1Interface {
+	return &fakeoauthv1alpha1.FakeOauthV1alpha1{Fake: &c.Fake}
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated fake clientset.
+package fake

generated/1.19/client/supervisor/virtual/clientset/versioned/fake/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var scheme = runtime.NewScheme()
+var codecs = serializer.NewCodecFactory(scheme)
+
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(scheme))
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme

generated/1.19/client/supervisor/virtual/clientset/versioned/scheme/register.go

@@ -0,0 +1,43 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package scheme
+
+import (
+	oauthv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	oauthv1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(Scheme))
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oauth_client.go

@@ -0,0 +1,27 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeOauthV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeOauthV1alpha1) OIDCClientSecretRequests(namespace string) v1alpha1.OIDCClientSecretRequestInterface {
+	return &FakeOIDCClientSecretRequests{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeOauthV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/fake/fake_oidcclientsecretrequest.go

@@ -0,0 +1,36 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type FakeOIDCClientSecretRequests struct {
+	Fake *FakeOauthV1alpha1
+	ns   string
+}
+
+var oidcclientsecretrequestsResource = schema.GroupVersionResource{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "oidcclientsecretrequests"}
+
+var oidcclientsecretrequestsKind = schema.GroupVersionKind{Group: "oauth.virtual.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "OIDCClientSecretRequest"}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *FakeOIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(oidcclientsecretrequestsResource, c.ns, oIDCClientSecretRequest), &v1alpha1.OIDCClientSecretRequest{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OIDCClientSecretRequest), err
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/generated_expansion.go

@@ -0,0 +1,8 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type OIDCClientSecretRequestExpansion interface{}

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oauth_client.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1"
+	"go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type OauthV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	OIDCClientSecretRequestsGetter
+}
+
+// OauthV1alpha1Client is used to interact with features provided by the oauth.virtual.supervisor.pinniped.dev group.
+type OauthV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *OauthV1alpha1Client) OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface {
+	return newOIDCClientSecretRequests(c, namespace)
+}
+
+// NewForConfig creates a new OauthV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*OauthV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &OauthV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new OauthV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *OauthV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new OauthV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *OauthV1alpha1Client {
+	return &OauthV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *OauthV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}

generated/1.19/client/supervisor/virtual/clientset/versioned/typed/oauth/v1alpha1/oidcclientsecretrequest.go

@@ -0,0 +1,54 @@
+// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/virtual/oauth/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/supervisor/virtual/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rest "k8s.io/client-go/rest"
+)
+
+// OIDCClientSecretRequestsGetter has a method to return a OIDCClientSecretRequestInterface.
+// A group's client should implement this interface.
+type OIDCClientSecretRequestsGetter interface {
+	OIDCClientSecretRequests(namespace string) OIDCClientSecretRequestInterface
+}
+
+// OIDCClientSecretRequestInterface has methods to work with OIDCClientSecretRequest resources.
+type OIDCClientSecretRequestInterface interface {
+	Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (*v1alpha1.OIDCClientSecretRequest, error)
+	OIDCClientSecretRequestExpansion
+}
+
+// oIDCClientSecretRequests implements OIDCClientSecretRequestInterface
+type oIDCClientSecretRequests struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOIDCClientSecretRequests returns a OIDCClientSecretRequests
+func newOIDCClientSecretRequests(c *OauthV1alpha1Client, namespace string) *oIDCClientSecretRequests {
+	return &oIDCClientSecretRequests{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Create takes the representation of a oIDCClientSecretRequest and creates it.  Returns the server's representation of the oIDCClientSecretRequest, and an error, if there is any.
+func (c *oIDCClientSecretRequests) Create(ctx context.Context, oIDCClientSecretRequest *v1alpha1.OIDCClientSecretRequest, opts v1.CreateOptions) (result *v1alpha1.OIDCClientSecretRequest, err error) {
+	result = &v1alpha1.OIDCClientSecretRequest{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("oidcclientsecretrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(oIDCClientSecretRequest).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.20/README.adoc

@@ -13,6 +13,8 @@
 - xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-oauth-supervisor-pinniped-dev-v1alpha1[$$oauth.supervisor.pinniped.dev/v1alpha1$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth[$$oauth.virtual.supervisor.pinniped.dev/oauth$$]
+- xref:{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1[$$oauth.virtual.supervisor.pinniped.dev/v1alpha1$$]
 
 
 [id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
@@ -1386,3 +1388,95 @@ OIDCClientSpec is a struct that describes an OIDC Client.
 
 
 
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-oauth"]
+=== oauth.virtual.supervisor.pinniped.dev/oauth
+
+Package oauth is the internal version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+
+
+[id="{anchor_prefix}-oauth-virtual-supervisor-pinniped-dev-v1alpha1"]
+=== oauth.virtual.supervisor.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequestspec"]
+==== OIDCClientSecretRequestSpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generateNewSecret`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | 
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequeststatus"]
+==== OIDCClientSecretRequestStatus 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-virtual-oauth-v1alpha1-oidcclientsecretrequest[$$OIDCClientSecretRequest$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`generatedSecret`* __string__ | 
+| *`totalClientSecrets`* __integer__ | 
+|===
+
+

generated/1.20/apis/supervisor/virtual/oauth/doc.go

@@ -0,0 +1,8 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package oauth is the internal version of the Pinniped virtual oauth API.
+package oauth

generated/1.20/apis/supervisor/virtual/oauth/register.go

@@ -0,0 +1,37 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	return nil
+}

generated/1.20/apis/supervisor/virtual/oauth/types_oidcclientsecretrequest.go

@@ -0,0 +1,25 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type OIDCClientSecretRequestSpec struct {
+	GenerateNewSecret bool `json:"generateNewSecret"`
+	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+}
+
+type OIDCClientSecretRequestStatus struct {
+	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	TotalClientSecrets int    `json:"totalClientSecrets"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
+
+	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
+	Status OIDCClientSecretRequestStatus `json:"status"`
+}

generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/conversion.go

@@ -0,0 +1,4 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1

generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/defaults.go

@@ -0,0 +1,12 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}

generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/doc.go

@@ -0,0 +1,11 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.20/apis/supervisor/virtual/oauth
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=oauth.virtual.supervisor.pinniped.dev
+
+// Package v1alpha1 is the v1alpha1 version of the Pinniped virtual oauth API.
+package v1alpha1

generated/1.20/apis/supervisor/virtual/oauth/v1alpha1/register.go

@@ -0,0 +1,42 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "oauth.virtual.supervisor.pinniped.dev"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = SchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&OIDCClientSecretRequest{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}