Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure an externally provided TLS secret

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.17/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.18/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.19/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.20/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.21/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.22/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.23/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.24/README.adoc

@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.25/README.adoc

@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.26/README.adoc

@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/1.27/README.adoc

@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
 | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
 | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. 
  This field must be non-empty when spec.impersonationProxy.service.type is "None".
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec"]
+==== ImpersonationProxyTLSSpec 
+
+ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint.
+| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint.
 |===
 
 

generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in

generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -103,6 +103,23 @@ spec:
                         - None
                         type: string
                     type: object
+                  tls:
+                    description: TLS contains information about how the Concierge
+                      impersonation proxy should serve TLS.
+                    properties:
+                      certificateAuthorityData:
+                        description: X.509 Certificate Authority (base64-encoded PEM
+                          bundle). Used to advertise the CA bundle for the impersonation
+                          proxy endpoint.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of a Secret in the same
+                          namespace, of type `kubernetes.io/tls`, which contains the
+                          TLS serving certificate for the Concierge impersonation
+                          proxy endpoint.
+                        minLength: 1
+                        type: string
+                    type: object
                 required:
                 - mode
                 - service

generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -80,6 +80,22 @@ const (
 	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
 )
 
+// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
+// serve TLS.
+type ImpersonationProxyTLSSpec struct {
+	// X.509 Certificate Authority (base64-encoded PEM bundle).
+	// Used to advertise the CA bundle for the impersonation proxy endpoint.
+	//
+	// +optional
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+
+	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
+	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+}
+
 // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
 type ImpersonationProxySpec struct {
 	// Mode configures whether the impersonation proxy should be started:
@@ -100,6 +116,11 @@ type ImpersonationProxySpec struct {
 	//
 	// +optional
 	ExternalEndpoint string `json:"externalEndpoint,omitempty"`
+
+	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
+	//
+	// +optional
+	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
 
 // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp
 func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
 	*out = *in
 	in.Service.DeepCopyInto(&out.Service)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(ImpersonationProxyTLSSpec)
+		**out = **in
+	}
 	return
 }
 
@@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
+func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxyTLSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) {
 	*out = *in