Declare war on namespaces

Signed-off-by: Monis Khan <mok@vmware.com>

cmd/pinniped/cmd/cobra_util.go

@@ -22,3 +22,9 @@ func mustMarkHidden(cmd *cobra.Command, flags ...string) {
 		}
 	}
 }
+
+func mustMarkDeprecated(cmd *cobra.Command, flag, usageMessage string) {
+	if err := cmd.Flags().MarkDeprecated(flag, usageMessage); err != nil {
+		panic(err)
+	}
+}

cmd/pinniped/cmd/kubeconfig.go

@@ -74,7 +74,6 @@ type getKubeconfigOIDCParams struct {
 
 type getKubeconfigConciergeParams struct {
 	disabled          bool
-	namespace         string
 	authenticatorName string
 	authenticatorType string
 	apiGroupSuffix    string
@@ -91,13 +90,14 @@ type getKubeconfigParams struct {
 
 func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "kubeconfig",
 			Short:        "Generate a Pinniped-based kubeconfig for a cluster",
 			SilenceUsage: true,
 		}
-		flags getKubeconfigParams
+		flags     getKubeconfigParams
+		namespace string // unused now
 	)
 
 	f := cmd.Flags()
@@ -105,7 +105,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment")
 
 	f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly")
-	f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
 	f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
 	f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
@@ -122,10 +122,13 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
 	f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
 
-	mustMarkHidden(&cmd, "oidc-debug-session-cache")
+	mustMarkHidden(cmd, "oidc-debug-session-cache")
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runGetKubeconfig(cmd.OutOrStdout(), deps, flags) }
-	return &cmd
+	return cmd
 }
 
 //nolint:funlen
@@ -170,7 +173,6 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
 	if !flags.concierge.disabled {
 		authenticator, err := lookupAuthenticator(
 			clientset,
-			flags.concierge.namespace,
 			flags.concierge.authenticatorType,
 			flags.concierge.authenticatorName,
 		)
@@ -260,7 +262,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
 		if *oidcCABundle == "" && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" {
 			decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData)
 			if err != nil {
-				return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s/%s has invalid spec.tls.certificateAuthorityData: %w", auth.Namespace, auth.Name, err)
+				return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err)
 			}
 			*oidcCABundle = string(decoded)
 		}
@@ -270,7 +272,6 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
 	execConfig.Args = append(execConfig.Args,
 		"--enable-concierge",
 		"--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix,
-		"--concierge-namespace="+flags.concierge.namespace,
 		"--concierge-authenticator-name="+flags.concierge.authenticatorName,
 		"--concierge-authenticator-type="+flags.concierge.authenticatorType,
 		"--concierge-endpoint="+v1Cluster.Server,
@@ -306,7 +307,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
 	}
 }
 
-func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, authType, authName string) (metav1.Object, error) {
+func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string) (metav1.Object, error) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
@@ -314,9 +315,9 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 	if authName != "" && authType != "" {
 		switch strings.ToLower(authType) {
 		case "webhook":
-			return clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{})
+			return clientset.AuthenticationV1alpha1().WebhookAuthenticators().Get(ctx, authName, metav1.GetOptions{})
 		case "jwt":
-			return clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{})
+			return clientset.AuthenticationV1alpha1().JWTAuthenticators().Get(ctx, authName, metav1.GetOptions{})
 		default:
 			return nil, fmt.Errorf(`invalid authenticator type %q, supported values are "webhook" and "jwt"`, authType)
 		}
@@ -324,11 +325,11 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 
 	// Otherwise list all the available authenticators and hope there's just a single one.
 
-	jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).List(ctx, metav1.ListOptions{})
+	jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators().List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to list JWTAuthenticator objects for autodiscovery: %w", err)
 	}
-	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators().List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to list WebhookAuthenticator objects for autodiscovery: %w", err)
 	}
@@ -341,10 +342,10 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
 		results = append(results, &webhooks.Items[i])
 	}
 	if len(results) == 0 {
-		return nil, fmt.Errorf("no authenticators were found in namespace %q (try setting --concierge-namespace)", namespace)
+		return nil, fmt.Errorf("no authenticators were found")
 	}
 	if len(results) > 1 {
-		return nil, fmt.Errorf("multiple authenticators were found in namespace %q, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified", namespace)
+		return nil, fmt.Errorf("multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified")
 	}
 	return results[0], nil
 }

cmd/pinniped/cmd/kubeconfig_test.go

@@ -61,7 +61,6 @@ func TestGetKubeconfig(t *testing.T) {
 				      --concierge-api-group-suffix string     Concierge API group suffix (default "pinniped.dev")
 				      --concierge-authenticator-name string   Concierge authenticator name (default: autodiscover)
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				  -h, --help                                  help for kubeconfig
 				      --kubeconfig string                     Path to kubeconfig file
 				      --kubeconfig-context string             Kubeconfig context name (default: current active context)
@@ -210,34 +209,32 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace)
+				Error: no authenticators were found
 			`),
 		},
 		{
 			name: "fail to autodetect authenticator, multiple found",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1", Namespace: "test-namespace"}},
+				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
-				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2", Namespace: "test-namespace"}},
+				&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
+				Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
 			`),
 		},
 		{
 			name: "autodetect webhook authenticator, missing --oidc-issuer",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
@@ -248,11 +245,10 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "autodetect JWT authenticator, invalid TLS bundle",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.JWTAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 					Spec: conciergev1alpha1.JWTAuthenticatorSpec{
 						TLS: &conciergev1alpha1.TLSSpec{
 							CertificateAuthorityData: "invalid-base64",
@@ -262,19 +258,18 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
-				Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
+				Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
 			`),
 		},
 		{
 			name: "invalid static token flags",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token", "test-token",
 				"--static-token-env", "TEST_TOKEN",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantError: true,
 			wantStderr: here.Doc(`
@@ -295,11 +290,10 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "valid static token",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token", "test-token",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantStdout: here.Doc(`
         		apiVersion: v1
@@ -326,7 +320,6 @@ func TestGetKubeconfig(t *testing.T) {
         		      - static
         		      - --enable-concierge
         		      - --concierge-api-group-suffix=pinniped.dev
-        		      - --concierge-namespace=test-namespace
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -341,11 +334,10 @@ func TestGetKubeconfig(t *testing.T) {
 			name: "valid static token from env var",
 			args: []string{
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
-				"--concierge-namespace", "test-namespace",
 				"--static-token-env", "TEST_TOKEN",
 			},
 			conciergeObjects: []runtime.Object{
-				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
+				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 			},
 			wantStdout: here.Doc(`
         		apiVersion: v1
@@ -372,7 +364,6 @@ func TestGetKubeconfig(t *testing.T) {
         		      - static
         		      - --enable-concierge
         		      - --concierge-api-group-suffix=pinniped.dev
-        		      - --concierge-namespace=test-namespace
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -390,7 +381,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.JWTAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 					Spec: conciergev1alpha1.JWTAuthenticatorSpec{
 						Issuer:   "https://example.com/issuer",
 						Audience: "test-audience",
@@ -425,7 +416,6 @@ func TestGetKubeconfig(t *testing.T) {
         		      - oidc
         		      - --enable-concierge
         		      - --concierge-api-group-suffix=pinniped.dev
-        		      - --concierge-namespace=pinniped-concierge
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=jwt
         		      - --concierge-endpoint=https://fake-server-url-value
@@ -457,7 +447,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			conciergeObjects: []runtime.Object{
 				&conciergev1alpha1.WebhookAuthenticator{
-					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"},
+					ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
 				},
 			},
 			wantStdout: here.Docf(`
@@ -485,7 +475,6 @@ func TestGetKubeconfig(t *testing.T) {
         		      - oidc
         		      - --enable-concierge
         		      - --concierge-api-group-suffix=tuna.io
-        		      - --concierge-namespace=pinniped-concierge
         		      - --concierge-authenticator-name=test-authenticator
         		      - --concierge-authenticator-type=webhook
         		      - --concierge-endpoint=https://fake-server-url-value

cmd/pinniped/cmd/login_oidc.go

@@ -59,7 +59,6 @@ type oidcLoginFlags struct {
 	debugSessionCache          bool
 	requestAudience            string
 	conciergeEnabled           bool
-	conciergeNamespace         string
 	conciergeAuthenticatorType string
 	conciergeAuthenticatorName string
 	conciergeEndpoint          string
@@ -69,13 +68,14 @@ type oidcLoginFlags struct {
 
 func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "oidc --issuer ISSUER",
 			Short:        "Login using an OpenID Connect provider",
 			SilenceUsage: true,
 		}
-		flags oidcLoginFlags
+		flags              oidcLoginFlags
+		conciergeNamespace string // unused now
 	)
 	cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL")
 	cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID")
@@ -88,17 +88,21 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache")
 	cmd.Flags().StringVar(&flags.requestAudience, "request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
 	cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the OIDC ID token with the Pinniped concierge during login")
-	cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
 	cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
 	cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
 	cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
 
-	mustMarkHidden(&cmd, "debug-session-cache")
+	mustMarkHidden(cmd, "debug-session-cache")
-	mustMarkRequired(&cmd, "issuer")
+	mustMarkRequired(cmd, "issuer")
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) }
-	return &cmd
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
+
+	return cmd
 }
 
 func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error {
@@ -133,7 +137,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 	if flags.conciergeEnabled {
 		var err error
 		concierge, err = conciergeclient.New(
-			conciergeclient.WithNamespace(flags.conciergeNamespace),
 			conciergeclient.WithEndpoint(flags.conciergeEndpoint),
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),

cmd/pinniped/cmd/login_oidc_test.go

@@ -65,7 +65,6 @@ func TestLoginOIDCCommand(t *testing.T) {
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
 				      --concierge-ca-bundle-data string       CA bundle to use when connecting to the concierge
 				      --concierge-endpoint string             API base for the Pinniped concierge endpoint
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				      --enable-concierge                      Exchange the OIDC ID token with the Pinniped concierge during login
 				  -h, --help                                  help for oidc
 				      --issuer string                         OpenID Connect issuer URL
@@ -186,7 +185,6 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
 				"--ca-bundle", testCABundlePath,
 				"--enable-concierge",
-				"--concierge-namespace", "test-namespace",
 				"--concierge-authenticator-type", "webhook",
 				"--concierge-authenticator-name", "test-authenticator",
 				"--concierge-endpoint", "https://127.0.0.1:1234/",

cmd/pinniped/cmd/login_static.go

@@ -41,7 +41,6 @@ type staticLoginParams struct {
 	staticToken                string
 	staticTokenEnvName         string
 	conciergeEnabled           bool
-	conciergeNamespace         string
 	conciergeAuthenticatorType string
 	conciergeAuthenticatorName string
 	conciergeEndpoint          string
@@ -51,25 +50,30 @@ type staticLoginParams struct {
 
 func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
 	var (
-		cmd = cobra.Command{
+		cmd = &cobra.Command{
 			Args:         cobra.NoArgs,
 			Use:          "static [--token TOKEN] [--token-env TOKEN_NAME]",
 			Short:        "Login using a static token",
 			SilenceUsage: true,
 		}
-		flags staticLoginParams
+		flags              staticLoginParams
+		conciergeNamespace string // unused now
 	)
 	cmd.Flags().StringVar(&flags.staticToken, "token", "", "Static token to present during login")
 	cmd.Flags().StringVar(&flags.staticTokenEnvName, "token-env", "", "Environment variable containing a static token")
 	cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the token with the Pinniped concierge during login")
-	cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
+	cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
 	cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
 	cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
 	cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
 	cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
 	cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
-	return &cmd
+
+	mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
+	mustMarkHidden(cmd, "concierge-namespace")
+
+	return cmd
 }
 
 func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error {
@@ -81,7 +85,6 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 	if flags.conciergeEnabled {
 		var err error
 		concierge, err = conciergeclient.New(
-			conciergeclient.WithNamespace(flags.conciergeNamespace),
 			conciergeclient.WithEndpoint(flags.conciergeEndpoint),
 			conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
 			conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),

cmd/pinniped/cmd/login_static_test.go

@@ -56,7 +56,6 @@ func TestLoginStaticCommand(t *testing.T) {
 				      --concierge-authenticator-type string   Concierge authenticator type (e.g., 'webhook', 'jwt')
 				      --concierge-ca-bundle-data string       CA bundle to use when connecting to the concierge
 				      --concierge-endpoint string             API base for the Pinniped concierge endpoint
-				      --concierge-namespace string            Namespace in which the concierge was installed (default "pinniped-concierge")
 				      --enable-concierge                      Exchange the token with the Pinniped concierge during login
 				  -h, --help                                  help for static
 				      --token string                          Static token to present during login

deploy/concierge/rbac.yaml

@@ -31,6 +31,14 @@ rules:
     resources: [ securitycontextconstraints ]
     verbs: [ use ]
     resourceNames: [ nonroot ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
+    resources: [ credentialissuers ]
+    verbs: [ get, list, watch, create, update ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
+    resources: [ jwtauthenticators, webhookauthenticators ]
+    verbs: [ get, list, watch ]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -69,11 +77,6 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups:
-      - #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
-      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
-    resources: [ "*" ]
-    verbs: [ create, get, list, update, watch ]
   - apiGroups: [apps]
     resources: [replicasets,deployments]
     verbs: [get]

internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go

@@ -88,7 +88,7 @@ type controller struct {
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	obj, err := c.jwtAuthenticators.Lister().JWTAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
+	obj, err := c.jwtAuthenticators.Lister().Get(ctx.Key.Name)
 	if err != nil && errors.IsNotFound(err) {
 		c.log.Info("Sync() found that the JWTAuthenticator does not exist yet or was deleted")
 		return nil

internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go

@@ -135,43 +135,41 @@ func TestController(t *testing.T) {
 	}{
 		{
 			name:    "not found",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			wantLogs: []string{
 				`jwtcachefiller-controller "level"=0 "msg"="Sync() found that the JWTAuthenticator does not exist yet or was deleted"`,
 			},
 		},
 		{
 			name:    "valid jwt authenticator with CA",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			runTestsOnResultingAuthenticator: true,
 		},
 		{
 			name:    "valid jwt authenticator with custom username claim",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpecWithUsernameClaim,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			wantUsernameClaim:                someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username,
@@ -179,18 +177,17 @@ func TestController(t *testing.T) {
 		},
 		{
 			name:    "valid jwt authenticator with custom groups claim",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpecWithGroupsClaim,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			wantGroupsClaim:                  someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups,
@@ -201,27 +198,25 @@ func TestController(t *testing.T) {
 			cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) {
 				cache.Store(
 					authncache.Key{
-						Name:      "test-name",
+						Name:     "test-name",
-						Namespace: "test-namespace",
+						Kind:     "JWTAuthenticator",
-						Kind:      "JWTAuthenticator",
+						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
-						APIGroup:  auth1alpha1.SchemeGroupVersion.Group,
 					},
 					newCacheValue(t, *otherJWTAuthenticatorSpec, wantClose),
 				)
 			},
 			wantClose: true,
-			syncKey:   controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey:   controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			runTestsOnResultingAuthenticator: true,
@@ -231,27 +226,25 @@ func TestController(t *testing.T) {
 			cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) {
 				cache.Store(
 					authncache.Key{
-						Name:      "test-name",
+						Name:     "test-name",
-						Namespace: "test-namespace",
+						Kind:     "JWTAuthenticator",
-						Kind:      "JWTAuthenticator",
+						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
-						APIGroup:  auth1alpha1.SchemeGroupVersion.Group,
 					},
 					newCacheValue(t, *someJWTAuthenticatorSpec, wantClose),
 				)
 			},
 			wantClose: false,
-			syncKey:   controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey:   controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache is the mock version that was added above
@@ -261,57 +254,53 @@ func TestController(t *testing.T) {
 			cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) {
 				cache.Store(
 					authncache.Key{
-						Name:      "test-name",
+						Name:     "test-name",
-						Namespace: "test-namespace",
+						Kind:     "JWTAuthenticator",
-						Kind:      "JWTAuthenticator",
+						APIGroup: auth1alpha1.SchemeGroupVersion.Group,
-						APIGroup:  auth1alpha1.SchemeGroupVersion.Group,
 					},
 					struct{ authenticator.Token }{},
 				)
 			},
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *someJWTAuthenticatorSpec,
 				},
 			},
 			wantLogs: []string{
 				`jwtcachefiller-controller "level"=0 "msg"="wrong JWT authenticator type in cache" "actualType"="struct { authenticator.Token }"`,
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			runTestsOnResultingAuthenticator: true,
 		},
 		{
 			name:    "valid jwt authenticator without CA",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *missingTLSJWTAuthenticatorSpec,
 				},
 			},
 			wantLogs: []string{
-				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
+				`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
 			},
 			wantCacheEntries:                 1,
 			runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache doesn't have the CA for our test discovery server
 		},
 		{
 			name:    "invalid jwt authenticator CA",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			jwtAuthenticators: []runtime.Object{
 				&auth1alpha1.JWTAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: *invalidTLSJWTAuthenticatorSpec,
 				},

internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go

@@ -54,7 +54,7 @@ type controller struct {
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	obj, err := c.webhooks.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name)
+	obj, err := c.webhooks.Lister().Get(ctx.Key.Name)
 	if err != nil && errors.IsNotFound(err) {
 		c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
 		return nil

internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go

@@ -41,19 +41,18 @@ func TestController(t *testing.T) {
 	}{
 		{
 			name:    "not found",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			wantLogs: []string{
 				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
 			},
 		},
 		{
 			name:    "invalid webhook",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
 				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "invalid url",
@@ -64,12 +63,11 @@ func TestController(t *testing.T) {
 		},
 		{
 			name:    "valid webhook",
-			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
+			syncKey: controllerlib.Key{Name: "test-name"},
 			webhooks: []runtime.Object{
 				&auth1alpha1.WebhookAuthenticator{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "test-namespace",
+						Name: "test-name",
-						Name:      "test-name",
 					},
 					Spec: auth1alpha1.WebhookAuthenticatorSpec{
 						Endpoint: "https://example.com",
@@ -78,7 +76,7 @@ func TestController(t *testing.T) {
 				},
 			},
 			wantLogs: []string{
-				`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name","namespace":"test-namespace"}`,
+				`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name"}`,
 			},
 			wantCacheEntries: 1,
 		},

internal/controller/issuerconfig/create_or_update_credential_issuer_config.go

@@ -19,7 +19,6 @@ import (
 
 func CreateOrUpdateCredentialIssuer(
 	ctx context.Context,
-	credentialIssuerNamespace string,
 	credentialIssuerResourceName string,
 	credentialIssuerLabels map[string]string,
 	pinnipedClient pinnipedclientset.Interface,
@@ -28,7 +27,7 @@ func CreateOrUpdateCredentialIssuer(
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		existingCredentialIssuer, err := pinnipedClient.
 			ConfigV1alpha1().
-			CredentialIssuers(credentialIssuerNamespace).
+			CredentialIssuers().
 			Get(ctx, credentialIssuerResourceName, metav1.GetOptions{})
 
 		notFound := k8serrors.IsNotFound(err)
@@ -36,12 +35,12 @@ func CreateOrUpdateCredentialIssuer(
 			return fmt.Errorf("get failed: %w", err)
 		}
 
-		credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers(credentialIssuerNamespace)
+		credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers()
 
 		if notFound {
 			// Create it
 			credentialIssuer := minimalValidCredentialIssuer(
-				credentialIssuerResourceName, credentialIssuerNamespace, credentialIssuerLabels,
+				credentialIssuerResourceName, credentialIssuerLabels,
 			)
 			applyUpdatesToCredentialIssuerFunc(credentialIssuer)
 
@@ -73,15 +72,13 @@ func CreateOrUpdateCredentialIssuer(
 
 func minimalValidCredentialIssuer(
 	credentialIssuerName string,
-	credentialIssuerNamespace string,
 	credentialIssuerLabels map[string]string,
 ) *configv1alpha1.CredentialIssuer {
 	return &configv1alpha1.CredentialIssuer{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      credentialIssuerName,
+			Name:   credentialIssuerName,
-			Namespace: credentialIssuerNamespace,
+			Labels: credentialIssuerLabels,
-			Labels:    credentialIssuerLabels,
 		},
 		Status: configv1alpha1.CredentialIssuerStatus{
 			Strategies:     []configv1alpha1.CredentialIssuerStrategy{},

internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go

@@ -29,7 +29,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 		var ctx context.Context
 		var pinnipedAPIClient *pinnipedfake.Clientset
 		var credentialIssuerGVR schema.GroupVersionResource
-		const installationNamespace = "some-namespace"
 		const credentialIssuerResourceName = "some-resource-name"
 
 		it.Before(func() {
@@ -47,7 +46,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 			it("creates a new config which includes only the updates made by the func parameter", func() {
 				err := CreateOrUpdateCredentialIssuer(
 					ctx,
-					installationNamespace,
 					credentialIssuerResourceName,
 					map[string]string{
 						"myLabelKey1": "myLabelValue1",
@@ -62,16 +60,14 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				)
 				r.NoError(err)
 
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
+				expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
 
-				expectedCreateAction := coretesting.NewCreateAction(
+				expectedCreateAction := coretesting.NewRootCreateAction(
 					credentialIssuerGVR,
-					installationNamespace,
 					&configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerResourceName,
+							Name: credentialIssuerResourceName,
-							Namespace: installationNamespace,
 							Labels: map[string]string{
 								"myLabelKey1": "myLabelValue1",
 								"myLabelKey2": "myLabelValue2",
@@ -100,7 +96,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				it("returns an error", func() {
 					err := CreateOrUpdateCredentialIssuer(
 						ctx,
-						installationNamespace,
 						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
@@ -118,8 +113,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				existingConfig = &configv1alpha1.CredentialIssuer{
 					TypeMeta: metav1.TypeMeta{},
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      credentialIssuerResourceName,
+						Name: credentialIssuerResourceName,
-						Namespace: installationNamespace,
 						Labels: map[string]string{
 							"myLabelKey1": "myLabelValue1",
 						},
@@ -146,7 +140,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 			it("updates the existing config to only apply the updates made by the func parameter", func() {
 				err := CreateOrUpdateCredentialIssuer(
 					ctx,
-					installationNamespace,
 					credentialIssuerResourceName,
 					map[string]string{
 						"myLabelKey1": "myLabelValue1",
@@ -159,12 +152,12 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				)
 				r.NoError(err)
 
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
+				expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
 
 				// Only the edited field should be changed.
 				expectedUpdatedConfig := existingConfig.DeepCopy()
 				expectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-				expectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, expectedUpdatedConfig)
+				expectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedUpdatedConfig)
 
 				r.Equal([]coretesting.Action{expectedGetAction, expectedUpdateAction}, pinnipedAPIClient.Actions())
 			})
@@ -172,7 +165,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 			it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() {
 				err := CreateOrUpdateCredentialIssuer(
 					ctx,
-					installationNamespace,
 					credentialIssuerResourceName,
 					map[string]string{},
 					pinnipedAPIClient,
@@ -187,7 +179,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				)
 				r.NoError(err)
 
-				expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
+				expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
 				r.Equal([]coretesting.Action{expectedGetAction}, pinnipedAPIClient.Actions())
 			})
 
@@ -201,7 +193,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				it("returns an error", func() {
 					err := CreateOrUpdateCredentialIssuer(
 						ctx,
-						installationNamespace,
 						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
@@ -221,7 +212,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				it("returns an error", func() {
 					err := CreateOrUpdateCredentialIssuer(
 						ctx,
-						installationNamespace,
 						credentialIssuerResourceName,
 						map[string]string{},
 						pinnipedAPIClient,
@@ -246,7 +236,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 						if !hit {
 							// Before the update fails, also change the object that will be returned by the next Get(),
 							// to make sure that the production code does a fresh Get() after detecting a conflict.
-							r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, installationNamespace))
+							r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, ""))
 							hit = true
 							return true, nil, apierrors.NewConflict(schema.GroupResource{
 								Group:    apiregistrationv1.GroupName,
@@ -260,7 +250,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 				it("retries updates on conflict", func() {
 					err := CreateOrUpdateCredentialIssuer(
 						ctx,
-						installationNamespace,
 						credentialIssuerResourceName,
 						map[string]string{
 							"myLabelKey1": "myLabelValue1",
@@ -273,18 +262,18 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
 					)
 					r.NoError(err)
 
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName)
+					expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
 
 					// The first attempted update only includes its own edits.
 					firstExpectedUpdatedConfig := existingConfig.DeepCopy()
 					firstExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-					firstExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, firstExpectedUpdatedConfig)
+					firstExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, firstExpectedUpdatedConfig)
 
 					// Both the edits made by this update and the edits made by the conflicting update should be included.
 					secondExpectedUpdatedConfig := existingConfig.DeepCopy()
 					secondExpectedUpdatedConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update"
 					secondExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
-					secondExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, secondExpectedUpdatedConfig)
+					secondExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, secondExpectedUpdatedConfig)
 
 					expectedActions := []coretesting.Action{
 						expectedGetAction,

internal/controller/issuerconfig/kube_config_info_publisher.go

@@ -26,19 +26,17 @@ const (
 )
 
 type kubeConigInfoPublisherController struct {
-	credentialIssuerNamespaceName string
+	credentialIssuerResourceName string
-	credentialIssuerResourceName  string
+	credentialIssuerLabels       map[string]string
-	credentialIssuerLabels        map[string]string
+	serverOverride               *string
-	serverOverride                *string
+	pinnipedClient               pinnipedclientset.Interface
-	pinnipedClient                pinnipedclientset.Interface
+	configMapInformer            corev1informers.ConfigMapInformer
-	configMapInformer             corev1informers.ConfigMapInformer
 }
 
 // NewKubeConfigInfoPublisherController returns a controller that syncs the
 // configv1alpha1.CredentialIssuer.Status.KubeConfigInfo field with the cluster-info ConfigMap
 // in the kube-public namespace.
 func NewKubeConfigInfoPublisherController(
-	credentialIssuerNamespaceName string,
 	credentialIssuerResourceName string,
 	credentialIssuerLabels map[string]string,
 	serverOverride *string,
@@ -50,12 +48,11 @@ func NewKubeConfigInfoPublisherController(
 		controllerlib.Config{
 			Name: "publisher-controller",
 			Syncer: &kubeConigInfoPublisherController{
-				credentialIssuerResourceName:  credentialIssuerResourceName,
+				credentialIssuerResourceName: credentialIssuerResourceName,
-				credentialIssuerNamespaceName: credentialIssuerNamespaceName,
+				credentialIssuerLabels:       credentialIssuerLabels,
-				credentialIssuerLabels:        credentialIssuerLabels,
+				serverOverride:               serverOverride,
-				serverOverride:                serverOverride,
+				pinnipedClient:               pinnipedClient,
-				pinnipedClient:                pinnipedClient,
+				configMapInformer:            configMapInformer,
-				configMapInformer:             configMapInformer,
 			},
 		},
 		withInformer(
@@ -116,7 +113,6 @@ func (c *kubeConigInfoPublisherController) Sync(ctx controllerlib.Context) error
 
 	return CreateOrUpdateCredentialIssuer(
 		ctx.Context,
-		c.credentialIssuerNamespaceName,
 		c.credentialIssuerResourceName,
 		c.credentialIssuerLabels,
 		c.pinnipedClient,

internal/controller/issuerconfig/kube_config_info_publisher_test.go

@@ -30,7 +30,6 @@ import (
 func TestInformerFilters(t *testing.T) {
 	spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) {
 		const credentialIssuerResourceName = "some-resource-name"
-		const installedInNamespace = "some-namespace"
 
 		var r *require.Assertions
 		var observableWithInformerOption *testutil.ObservableWithInformerOption
@@ -41,7 +40,6 @@ func TestInformerFilters(t *testing.T) {
 			observableWithInformerOption = testutil.NewObservableWithInformerOption()
 			configMapInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().ConfigMaps()
 			_ = NewKubeConfigInfoPublisherController(
-				installedInNamespace,
 				credentialIssuerResourceName,
 				map[string]string{},
 				nil,
@@ -105,7 +103,6 @@ func TestInformerFilters(t *testing.T) {
 func TestSync(t *testing.T) {
 	spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
 		const credentialIssuerResourceName = "some-resource-name"
-		const installedInNamespace = "some-namespace"
 
 		var r *require.Assertions
 
@@ -118,7 +115,7 @@ func TestSync(t *testing.T) {
 		var timeoutContextCancel context.CancelFunc
 		var syncContext *controllerlib.Context
 
-		var expectedCredentialIssuer = func(expectedNamespace, expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) {
+		var expectedCredentialIssuer = func(expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) {
 			expectedCredentialIssuerGVR := schema.GroupVersionResource{
 				Group:    configv1alpha1.GroupName,
 				Version:  "v1alpha1",
@@ -126,8 +123,7 @@ func TestSync(t *testing.T) {
 			}
 			expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      credentialIssuerResourceName,
+					Name: credentialIssuerResourceName,
-					Namespace: expectedNamespace,
 					Labels: map[string]string{
 						"myLabelKey1": "myLabelValue1",
 						"myLabelKey2": "myLabelValue2",
@@ -149,7 +145,6 @@ func TestSync(t *testing.T) {
 		var startInformersAndController = func() {
 			// Set this at the last second to allow for injection of server override.
 			subject = NewKubeConfigInfoPublisherController(
-				installedInNamespace,
 				credentialIssuerResourceName,
 				map[string]string{
 					"myLabelKey1": "myLabelValue1",
@@ -223,17 +218,15 @@ func TestSync(t *testing.T) {
 						r.NoError(err)
 
 						expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
-							installedInNamespace,
 							kubeServerURL,
 							caData,
 						)
 
 						r.Equal(
 							[]coretesting.Action{
-								coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
+								coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
-								coretesting.NewCreateAction(
+								coretesting.NewRootCreateAction(
 									expectedCredentialIssuerGVR,
-									installedInNamespace,
 									expectedCredentialIssuer,
 								),
 							},
@@ -269,7 +262,6 @@ func TestSync(t *testing.T) {
 							r.NoError(err)
 
 							expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
-								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
@@ -277,10 +269,9 @@ func TestSync(t *testing.T) {
 
 							r.Equal(
 								[]coretesting.Action{
-									coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
+									coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
-									coretesting.NewCreateAction(
+									coretesting.NewRootCreateAction(
 										expectedCredentialIssuerGVR,
-										installedInNamespace,
 										expectedCredentialIssuer,
 									),
 								},
@@ -297,7 +288,6 @@ func TestSync(t *testing.T) {
 
 						it.Before(func() {
 							credentialIssuerGVR, credentialIssuer = expectedCredentialIssuer(
-								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
@@ -312,7 +302,7 @@ func TestSync(t *testing.T) {
 
 							r.Equal(
 								[]coretesting.Action{
-									coretesting.NewGetAction(credentialIssuerGVR, installedInNamespace, credentialIssuer.Name),
+									coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuer.Name),
 								},
 								pinnipedAPIClient.Actions(),
 							)
@@ -322,7 +312,6 @@ func TestSync(t *testing.T) {
 					when("the CredentialIssuer is stale compared to the data in the ConfigMap", func() {
 						it.Before(func() {
 							_, expectedCredentialIssuer := expectedCredentialIssuer(
-								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
@@ -336,15 +325,13 @@ func TestSync(t *testing.T) {
 							r.NoError(err)
 
 							expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
-								installedInNamespace,
 								kubeServerURL,
 								caData,
 							)
 							expectedActions := []coretesting.Action{
-								coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name),
+								coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
-								coretesting.NewUpdateAction(
+								coretesting.NewRootUpdateAction(
 									expectedCredentialIssuerGVR,
-									installedInNamespace,
 									expectedCredentialIssuer,
 								),
 							}

internal/controller/kubecertagent/annotater_test.go

@@ -59,7 +59,6 @@ func TestAnnotaterControllerSync(t *testing.T) {
 		const agentPodNamespace = "agent-pod-namespace"
 		const defaultKubeControllerManagerClusterSigningCertFileFlagValue = "/etc/kubernetes/ca/ca.pem"
 		const defaultKubeControllerManagerClusterSigningKeyFileFlagValue = "/etc/kubernetes/ca/ca.key"
-		const credentialIssuerNamespaceName = "ci-namespace-name"
 		const credentialIssuerResourceName = "ci-resource-name"
 
 		const (
@@ -102,8 +101,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
 					},
 				},
 				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerNamespaceName,
+					Name: credentialIssuerResourceName,
-					Name:      credentialIssuerResourceName,
 				},
 				clock.NewFakeClock(frozenNow),
 				kubeAPIClient,
@@ -236,8 +234,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
 							initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerResourceName,
+									Name: credentialIssuerResourceName,
-									Namespace: credentialIssuerNamespaceName,
 								},
 								Status: configv1alpha1.CredentialIssuerStatus{
 									Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@@ -264,14 +261,12 @@ func TestAnnotaterControllerSync(t *testing.T) {
 									LastUpdateTime: metav1.NewTime(frozenNow),
 								},
 							}
-							expectedGetAction := coretesting.NewGetAction(
+							expectedGetAction := coretesting.NewRootGetAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								credentialIssuerResourceName,
 							)
-							expectedUpdateAction := coretesting.NewUpdateAction(
+							expectedUpdateAction := coretesting.NewRootUpdateAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								expectedCredentialIssuer,
 							)
 
@@ -312,8 +307,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
 							expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerResourceName,
+									Name: credentialIssuerResourceName,
-									Namespace: credentialIssuerNamespaceName,
 								},
 								Status: configv1alpha1.CredentialIssuerStatus{
 									Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -327,14 +321,12 @@ func TestAnnotaterControllerSync(t *testing.T) {
 									},
 								},
 							}
-							expectedGetAction := coretesting.NewGetAction(
+							expectedGetAction := coretesting.NewRootGetAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								credentialIssuerResourceName,
 							)
-							expectedCreateAction := coretesting.NewCreateAction(
+							expectedCreateAction := coretesting.NewRootCreateAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								expectedCredentialIssuer,
 							)
 

internal/controller/kubecertagent/creater_test.go

@@ -83,7 +83,6 @@ func TestCreaterControllerSync(t *testing.T) {
 	spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
 		const kubeSystemNamespace = "kube-system"
 		const agentPodNamespace = "agent-pod-namespace"
-		const credentialIssuerNamespaceName = "ci-namespace-name"
 		const credentialIssuerResourceName = "ci-resource-name"
 
 		var r *require.Assertions
@@ -119,8 +118,7 @@ func TestCreaterControllerSync(t *testing.T) {
 					},
 				},
 				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerNamespaceName,
+					Name: credentialIssuerResourceName,
-					Name:      credentialIssuerResourceName,
 				},
 				map[string]string{
 					"myLabelKey1": "myLabelValue1",
@@ -307,8 +305,7 @@ func TestCreaterControllerSync(t *testing.T) {
 							initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerResourceName,
+									Name: credentialIssuerResourceName,
-									Namespace: credentialIssuerNamespaceName,
 								},
 								Status: configv1alpha1.CredentialIssuerStatus{
 									Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@@ -335,14 +332,12 @@ func TestCreaterControllerSync(t *testing.T) {
 									LastUpdateTime: metav1.NewTime(frozenNow),
 								},
 							}
-							expectedGetAction := coretesting.NewGetAction(
+							expectedGetAction := coretesting.NewRootGetAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								credentialIssuerResourceName,
 							)
-							expectedUpdateAction := coretesting.NewUpdateAction(
+							expectedUpdateAction := coretesting.NewRootUpdateAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								expectedCredentialIssuer,
 							)
 
@@ -383,8 +378,7 @@ func TestCreaterControllerSync(t *testing.T) {
 							expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 								TypeMeta: metav1.TypeMeta{},
 								ObjectMeta: metav1.ObjectMeta{
-									Name:      credentialIssuerResourceName,
+									Name: credentialIssuerResourceName,
-									Namespace: credentialIssuerNamespaceName,
 									Labels: map[string]string{
 										"myLabelKey1": "myLabelValue1",
 										"myLabelKey2": "myLabelValue2",
@@ -402,14 +396,12 @@ func TestCreaterControllerSync(t *testing.T) {
 									},
 								},
 							}
-							expectedGetAction := coretesting.NewGetAction(
+							expectedGetAction := coretesting.NewRootGetAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								credentialIssuerResourceName,
 							)
-							expectedCreateAction := coretesting.NewCreateAction(
+							expectedCreateAction := coretesting.NewRootCreateAction(
 								credentialIssuerGVR,
-								credentialIssuerNamespaceName,
 								expectedCredentialIssuer,
 							)
 
@@ -435,8 +427,7 @@ func TestCreaterControllerSync(t *testing.T) {
 					initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerResourceName,
+							Name: credentialIssuerResourceName,
-							Namespace: credentialIssuerNamespaceName,
 						},
 						Status: configv1alpha1.CredentialIssuerStatus{
 							Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@@ -463,14 +454,12 @@ func TestCreaterControllerSync(t *testing.T) {
 							LastUpdateTime: metav1.NewTime(frozenNow),
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(
+					expectedGetAction := coretesting.NewRootGetAction(
 						credentialIssuerGVR,
-						credentialIssuerNamespaceName,
 						credentialIssuerResourceName,
 					)
-					expectedUpdateAction := coretesting.NewUpdateAction(
+					expectedUpdateAction := coretesting.NewRootUpdateAction(
 						credentialIssuerGVR,
-						credentialIssuerNamespaceName,
 						expectedCredentialIssuer,
 					)
 
@@ -528,8 +517,7 @@ func TestCreaterControllerSync(t *testing.T) {
 					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerResourceName,
+							Name: credentialIssuerResourceName,
-							Namespace: credentialIssuerNamespaceName,
 							Labels: map[string]string{
 								"myLabelKey1": "myLabelValue1",
 								"myLabelKey2": "myLabelValue2",
@@ -547,14 +535,12 @@ func TestCreaterControllerSync(t *testing.T) {
 							},
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(
+					expectedGetAction := coretesting.NewRootGetAction(
 						credentialIssuerGVR,
-						credentialIssuerNamespaceName,
 						credentialIssuerResourceName,
 					)
-					expectedCreateAction := coretesting.NewCreateAction(
+					expectedCreateAction := coretesting.NewRootCreateAction(
 						credentialIssuerGVR,
-						credentialIssuerNamespaceName,
 						expectedCredentialIssuer,
 					)
 

internal/controller/kubecertagent/execer_test.go

@@ -44,8 +44,7 @@ func TestExecerControllerOptions(t *testing.T) {
 			agentPodsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods()
 			_ = NewExecerController(
 				&CredentialIssuerLocationConfig{
-					Namespace: "ignored by this test",
+					Name: "ignored by this test",
-					Name:      "ignored by this test",
 				},
 				nil, // dynamicCertProvider, not needed for this test
 				nil, // podCommandExecutor, not needed for this test
@@ -136,7 +135,6 @@ func TestManagerControllerSync(t *testing.T) {
 		const fakeKeyPath = "/some/key/path"
 		const defaultDynamicCertProviderCert = "initial-cert"
 		const defaultDynamicCertProviderKey = "initial-key"
-		const credentialIssuerNamespaceName = "ci-namespace-name"
 		const credentialIssuerResourceName = "ci-resource-name"
 
 		var r *require.Assertions
@@ -160,8 +158,7 @@ func TestManagerControllerSync(t *testing.T) {
 			// Set this at the last second to allow for injection of server override.
 			subject = NewExecerController(
 				&CredentialIssuerLocationConfig{
-					Namespace: credentialIssuerNamespaceName,
+					Name: credentialIssuerResourceName,
-					Name:      credentialIssuerResourceName,
 				},
 				dynamicCertProvider,
 				fakeExecutor,
@@ -333,8 +330,7 @@ func TestManagerControllerSync(t *testing.T) {
 						initialCredentialIssuer = &configv1alpha1.CredentialIssuer{
 							TypeMeta: metav1.TypeMeta{},
 							ObjectMeta: metav1.ObjectMeta{
-								Name:      credentialIssuerResourceName,
+								Name: credentialIssuerResourceName,
-								Namespace: credentialIssuerNamespaceName,
 							},
 							Status: configv1alpha1.CredentialIssuerStatus{
 								Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@@ -361,8 +357,8 @@ func TestManagerControllerSync(t *testing.T) {
 								LastUpdateTime: metav1.NewTime(frozenNow),
 							},
 						}
-						expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
+						expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
-						expectedCreateAction := coretesting.NewUpdateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+						expectedCreateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedCredentialIssuer)
 						r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 					})
 
@@ -396,8 +392,7 @@ func TestManagerControllerSync(t *testing.T) {
 						expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 							TypeMeta: metav1.TypeMeta{},
 							ObjectMeta: metav1.ObjectMeta{
-								Name:      credentialIssuerResourceName,
+								Name: credentialIssuerResourceName,
-								Namespace: credentialIssuerNamespaceName,
 							},
 							Status: configv1alpha1.CredentialIssuerStatus{
 								Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -411,8 +406,8 @@ func TestManagerControllerSync(t *testing.T) {
 								},
 							},
 						}
-						expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
+						expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
-						expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+						expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
 						r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 					})
 				})
@@ -439,8 +434,7 @@ func TestManagerControllerSync(t *testing.T) {
 					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerResourceName,
+							Name: credentialIssuerResourceName,
-							Namespace: credentialIssuerNamespaceName,
 						},
 						Status: configv1alpha1.CredentialIssuerStatus{
 							Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -454,8 +448,8 @@ func TestManagerControllerSync(t *testing.T) {
 							},
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
+					expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
-					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+					expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
 					r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 				})
 			})
@@ -481,8 +475,7 @@ func TestManagerControllerSync(t *testing.T) {
 					expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 						TypeMeta: metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      credentialIssuerResourceName,
+							Name: credentialIssuerResourceName,
-							Namespace: credentialIssuerNamespaceName,
 						},
 						Status: configv1alpha1.CredentialIssuerStatus{
 							Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -496,8 +489,8 @@ func TestManagerControllerSync(t *testing.T) {
 							},
 						},
 					}
-					expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
+					expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
-					expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+					expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
 					r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 				})
 			})

internal/controller/kubecertagent/kubecertagent.go

@@ -74,9 +74,6 @@ type AgentPodConfig struct {
 }
 
 type CredentialIssuerLocationConfig struct {
-	// The namespace in which the CredentialIssuer should be created/updated.
-	Namespace string
-
 	// The resource name for the CredentialIssuer to be created/updated.
 	Name string
 }
@@ -292,7 +289,6 @@ func createOrUpdateCredentialIssuer(ctx context.Context,
 ) error {
 	return issuerconfig.CreateOrUpdateCredentialIssuer(
 		ctx,
-		ciConfig.Namespace,
 		ciConfig.Name,
 		credentialIssuerLabels,
 		pinnipedAPIClient,

internal/controllermanager/prepare_controllers.go

@@ -109,8 +109,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		AdditionalLabels:          c.Labels,
 	}
 	credentialIssuerLocationConfig := &kubecertagent.CredentialIssuerLocationConfig{
-		Namespace: c.ServerInstallationInfo.Namespace,
+		Name: c.NamesConfig.CredentialIssuer,
-		Name:      c.NamesConfig.CredentialIssuer,
 	}
 
 	groupName, ok := groupsuffix.Replace(loginv1alpha1.GroupName, c.APIGroupSuffix)
@@ -127,7 +126,6 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		// CredentialIssuer resource and keeping that information up to date.
 		WithController(
 			issuerconfig.NewKubeConfigInfoPublisherController(
-				c.ServerInstallationInfo.Namespace,
 				c.NamesConfig.CredentialIssuer,
 				c.Labels,
 				c.DiscoveryURLOverride,
@@ -245,7 +243,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachefiller.New(
 				c.AuthenticatorCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
+				informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -253,7 +251,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			jwtcachefiller.New(
 				c.AuthenticatorCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(),
+				informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -261,8 +259,8 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			cachecleaner.New(
 				c.AuthenticatorCache,
-				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
+				informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
-				informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(),
+				informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -276,10 +274,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 }
 
 type informers struct {
-	kubePublicNamespaceK8s        k8sinformers.SharedInformerFactory
+	kubePublicNamespaceK8s   k8sinformers.SharedInformerFactory
-	kubeSystemNamespaceK8s        k8sinformers.SharedInformerFactory
+	kubeSystemNamespaceK8s   k8sinformers.SharedInformerFactory
-	installationNamespaceK8s      k8sinformers.SharedInformerFactory
+	installationNamespaceK8s k8sinformers.SharedInformerFactory
-	installationNamespacePinniped pinnipedinformers.SharedInformerFactory
+	pinniped                 pinnipedinformers.SharedInformerFactory
 }
 
 // Create the informers that will be used by the controllers.
@@ -304,10 +302,9 @@ func createInformers(
 			defaultResyncInterval,
 			k8sinformers.WithNamespace(serverInstallationNamespace),
 		),
-		installationNamespacePinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(
+		pinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(
 			pinnipedClient,
 			defaultResyncInterval,
-			pinnipedinformers.WithNamespace(serverInstallationNamespace),
 		),
 	}
 }
@@ -316,10 +313,10 @@ func (i *informers) startAndWaitForSync(ctx context.Context) {
 	i.kubePublicNamespaceK8s.Start(ctx.Done())
 	i.kubeSystemNamespaceK8s.Start(ctx.Done())
 	i.installationNamespaceK8s.Start(ctx.Done())
-	i.installationNamespacePinniped.Start(ctx.Done())
+	i.pinniped.Start(ctx.Done())
 
 	i.kubePublicNamespaceK8s.WaitForCacheSync(ctx.Done())
 	i.kubeSystemNamespaceK8s.WaitForCacheSync(ctx.Done())
 	i.installationNamespaceK8s.WaitForCacheSync(ctx.Done())
-	i.installationNamespacePinniped.WaitForCacheSync(ctx.Done())
+	i.pinniped.WaitForCacheSync(ctx.Done())
 }

internal/kubeclient/kubeclient_test.go

@@ -259,7 +259,7 @@ func TestKubeclient(t *testing.T) {
 				// create
 				tokenCredentialRequest, err := c.PinnipedConcierge.
 					LoginV1alpha1().
-					TokenCredentialRequests(goodTokenCredentialRequest.Namespace).
+					TokenCredentialRequests().
 					Create(context.Background(), goodTokenCredentialRequest, metav1.CreateOptions{})
 				require.NoError(t, err)
 				require.Equal(t, goodTokenCredentialRequest, tokenCredentialRequest)
@@ -267,7 +267,7 @@ func TestKubeclient(t *testing.T) {
 				// read
 				tokenCredentialRequest, err = c.PinnipedConcierge.
 					LoginV1alpha1().
-					TokenCredentialRequests(tokenCredentialRequest.Namespace).
+					TokenCredentialRequests().
 					Get(context.Background(), tokenCredentialRequest.Name, metav1.GetOptions{})
 				require.NoError(t, err)
 				require.Equal(t, with(goodTokenCredentialRequest, annotations(), labels()), tokenCredentialRequest)
@@ -276,7 +276,7 @@ func TestKubeclient(t *testing.T) {
 				goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName := with(goodTokenCredentialRequest, annotations(), labels(), clusterName()).(*loginv1alpha1.TokenCredentialRequest)
 				tokenCredentialRequest, err = c.PinnipedConcierge.
 					LoginV1alpha1().
-					TokenCredentialRequests(tokenCredentialRequest.Namespace).
+					TokenCredentialRequests().
 					Update(context.Background(), goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, metav1.UpdateOptions{})
 				require.NoError(t, err)
 				require.Equal(t, goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, tokenCredentialRequest)
@@ -284,7 +284,7 @@ func TestKubeclient(t *testing.T) {
 				// delete
 				err = c.PinnipedConcierge.
 					LoginV1alpha1().
-					TokenCredentialRequests(tokenCredentialRequest.Namespace).
+					TokenCredentialRequests().
 					Delete(context.Background(), tokenCredentialRequest.Name, metav1.DeleteOptions{})
 				require.NoError(t, err)
 			},

pkg/conciergeclient/conciergeclient.go

@@ -27,28 +27,19 @@ import (
 )
 
 // ErrLoginFailed is returned by Client.ExchangeToken when the concierge server rejects the login request for any reason.
-var ErrLoginFailed = constable.Error("login failed")
+const ErrLoginFailed = constable.Error("login failed")
 
 // Option is an optional configuration for New().
 type Option func(*Client) error
 
 // Client is a configuration for talking to the Pinniped concierge.
 type Client struct {
-	namespace      string
 	authenticator  *corev1.TypedLocalObjectReference
 	caBundle       string
 	endpoint       *url.URL
 	apiGroupSuffix string
 }
 
-// WithNamespace configures the namespace where the TokenCredentialRequest is to be sent.
-func WithNamespace(namespace string) Option {
-	return func(c *Client) error {
-		c.namespace = namespace
-		return nil
-	}
-}
-
 // WithAuthenticator configures the authenticator reference (spec.authenticator) of the TokenCredentialRequests.
 func WithAuthenticator(authType, authName string) Option {
 	return func(c *Client) error {
@@ -127,7 +118,7 @@ func WithAPIGroupSuffix(apiGroupSuffix string) Option {
 
 // New validates the specified options and returns a newly initialized *Client.
 func New(opts ...Option) (*Client, error) {
-	c := Client{namespace: "pinniped-concierge", apiGroupSuffix: "pinniped.dev"}
+	c := Client{apiGroupSuffix: "pinniped.dev"}
 	for _, opt := range opts {
 		if err := opt(&c); err != nil {
 			return nil, err
@@ -180,10 +171,7 @@ func (c *Client) ExchangeToken(ctx context.Context, token string) (*clientauthen
 	if err != nil {
 		return nil, err
 	}
-	resp, err := clientset.LoginV1alpha1().TokenCredentialRequests(c.namespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
+	resp, err := clientset.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: c.namespace,
-		},
 		Spec: loginv1alpha1.TokenCredentialRequestSpec{
 			Token:         token,
 			Authenticator: *c.authenticator,

pkg/conciergeclient/conciergeclient_test.go

@@ -125,7 +125,6 @@ func TestNew(t *testing.T) {
 		{
 			name: "valid",
 			opts: []Option{
-				WithNamespace("test-namespace"),
 				WithEndpoint("https://example.com"),
 				WithCABundle(""),
 				WithCABundle(string(testCA.Bundle())),
@@ -223,7 +222,7 @@ func TestExchangeToken(t *testing.T) {
 		// Start a test server that returns successfully and asserts various properties of the request.
 		caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
 			require.Equal(t, http.MethodPost, r.Method)
-			require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/namespaces/test-namespace/tokencredentialrequests", r.URL.Path)
+			require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/tokencredentialrequests", r.URL.Path)
 			require.Equal(t, "application/json", r.Header.Get("content-type"))
 
 			body, err := ioutil.ReadAll(r.Body)
@@ -233,8 +232,7 @@ func TestExchangeToken(t *testing.T) {
 				  "kind": "TokenCredentialRequest",
 				  "apiVersion": "login.concierge.pinniped.dev/v1alpha1",
 				  "metadata": {
-					"creationTimestamp": null,
+					"creationTimestamp": null
-					"namespace": "test-namespace"
 				  },
 				  "spec": {
 					"token": "test-token",
@@ -262,7 +260,7 @@ func TestExchangeToken(t *testing.T) {
 			})
 		})
 
-		client, err := New(WithNamespace("test-namespace"), WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook"))
+		client, err := New(WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook"))
 		require.NoError(t, err)
 
 		got, err := client.ExchangeToken(ctx, "test-token")

site/content/docs/concierge-and-supervisor-demo.md

@@ -163,7 +163,7 @@ to authenticate federated identities from the Supervisor.
    object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor.
 
     ```bash
-    cat <<EOF | kubectl create --context kind-pinniped-concierge --namespace pinniped-concierge -f -
+    cat <<EOF | kubectl create --context kind-pinniped-concierge -f -
     apiVersion: authentication.concierge.pinniped.dev/v1alpha1
     kind: JWTAuthenticator
     metadata:
@@ -185,7 +185,6 @@ to authenticate federated identities from the Supervisor.
    ```bash
    pinniped get kubeconfig \
      --kubeconfig-context kind-pinniped-concierge \
-     --concierge-namespace pinniped-concierge \
      > /tmp/pinniped-kubeconfig
    ```
 

site/content/docs/concierge-only-demo.md

@@ -102,7 +102,7 @@ as the authenticator.
 1. Create a `WebhookAuthenticator` object to configure the Pinniped Concierge to authenticate using local-user-authenticator.
 
     ```bash
-    cat <<EOF | kubectl create --namespace pinniped-concierge -f -
+    cat <<EOF | kubectl create -f -
     apiVersion: authentication.concierge.pinniped.dev/v1alpha1
     kind: WebhookAuthenticator
     metadata:
@@ -124,7 +124,7 @@ as the authenticator.
    allow you to authenticate as the user that you created above.
 
    ```bash
-   pinniped get kubeconfig --concierge-namespace pinniped-concierge --static-token "pinny-the-seal:password123" --concierge-authenticator-type webhook --concierge-authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig
+   pinniped get kubeconfig --static-token "pinny-the-seal:password123" --concierge-authenticator-type webhook --concierge-authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig
    ```
 
    If you are using MacOS, you may get an error dialog that says

test/integration/cli_test.go

@@ -57,7 +57,6 @@ func TestCLIGetKubeconfigStaticToken(t *testing.T) {
 				"get", "kubeconfig",
 				"--static-token", env.TestUser.Token,
 				"--concierge-api-group-suffix", env.APIGroupSuffix,
-				"--concierge-namespace", env.ConciergeNamespace,
 				"--concierge-authenticator-type", "webhook",
 				"--concierge-authenticator-name", authenticator.Name,
 			},

test/integration/concierge_api_serving_certs_test.go

@@ -146,7 +146,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			// pod has rotated their cert, but not the other ones sitting behind the service.
 			aggregatedAPIWorking := func() bool {
 				for i := 0; i < 10; i++ {
-					_, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
+					_, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 						TypeMeta:   metav1.TypeMeta{},
 						ObjectMeta: metav1.ObjectMeta{},
 						Spec:       loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},

test/integration/concierge_client_test.go

@@ -72,7 +72,6 @@ func TestClient(t *testing.T) {
 	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
 	clientConfig := library.NewClientConfig(t)
 	client, err := conciergeclient.New(
-		conciergeclient.WithNamespace(env.ConciergeNamespace),
 		conciergeclient.WithCABundle(string(clientConfig.CAData)),
 		conciergeclient.WithEndpoint(clientConfig.Host),
 		conciergeclient.WithAuthenticator("webhook", webhook.Name),

test/integration/concierge_credentialissuerconfig_test.go

@@ -29,7 +29,7 @@ func TestCredentialIssuer(t *testing.T) {
 	t.Run("test successful CredentialIssuer", func(t *testing.T) {
 		actualConfigList, err := client.
 			ConfigV1alpha1().
-			CredentialIssuers(env.ConciergeNamespace).
+			CredentialIssuers().
 			List(ctx, metav1.ListOptions{})
 		require.NoError(t, err)
 

test/integration/concierge_credentialrequest_test.go

@@ -211,7 +211,7 @@ func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCred
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
-	return client.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
+	return client.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 		TypeMeta:   metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{Namespace: env.ConciergeNamespace},
 		Spec:       spec,

test/integration/e2e_test.go

@@ -142,7 +142,6 @@ func TestE2EFullIntegration(t *testing.T) {
 	// Run "pinniped get kubeconfig" to get a kubeconfig YAML.
 	kubeconfigYAML, stderr := runPinnipedCLI(t, pinnipedExe, "get", "kubeconfig",
 		"--concierge-api-group-suffix", env.APIGroupSuffix,
-		"--concierge-namespace", env.ConciergeNamespace,
 		"--concierge-authenticator-type", "jwt",
 		"--concierge-authenticator-name", authenticator.Name,
 		"--oidc-skip-browser",

test/integration/kubeclient_test.go

@@ -167,7 +167,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 	require.NoError(t, err)
 
 	// sanity check concierge client
-	credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Create(
+	credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Create(
 		ctx,
 		&conciergeconfigv1alpha1.CredentialIssuer{
 			ObjectMeta: metav1.ObjectMeta{
@@ -184,7 +184,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 	hasOwnerRef(t, credentialIssuer, ref)
 	// this owner has already been deleted so the cred issuer should be immediately deleted
 	isEventuallyDeleted(t, func() error {
-		_, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Get(ctx, credentialIssuer.Name, metav1.GetOptions{})
+		_, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuer.Name, metav1.GetOptions{})
 		return err
 	})
 

test/library/client.go

@@ -153,7 +153,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
 	testEnv := IntegrationEnv(t)
 
 	client := NewConciergeClientset(t)
-	webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace)
+	webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators()
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
@@ -220,10 +220,9 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
 // authenticator within the test namespace.
 func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference {
 	t.Helper()
-	testEnv := IntegrationEnv(t)
 
 	client := NewConciergeClientset(t)
-	jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators(testEnv.ConciergeNamespace)
+	jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators()
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()