update FederationDomain.status.conditions to come from metav1

2023-09-11 12:51:35 -07:00 · 2023-09-11 12:51:35 -07:00 · a7bd494ec3
parent b6f0dc3ba7
commit a7bd494ec3
57 changed files with 545 additions and 474 deletions
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@ -455,7 +455,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -571,7 +571,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -583,7 +583,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -595,7 +595,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -653,7 +653,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -674,7 +674,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -721,8 +721,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -741,7 +741,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -768,7 +768,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -781,16 +781,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -810,7 +810,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -829,7 +829,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -849,7 +849,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -868,7 +868,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -902,7 +902,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -927,9 +927,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -954,7 +954,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -966,7 +966,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1286,7 +1286,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1454,7 +1454,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1619,7 +1619,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    type FooStatus struct{ // Represents the observations of a foo's
+                    current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.22/README.adoc
+++ b/generated/1.22/README.adoc
@ -455,7 +455,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -571,7 +571,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -583,7 +583,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -595,7 +595,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -653,7 +653,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -674,7 +674,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -721,8 +721,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -741,7 +741,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -768,7 +768,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -781,16 +781,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -810,7 +810,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -829,7 +829,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -849,7 +849,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -868,7 +868,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -902,7 +902,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -927,9 +927,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -954,7 +954,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -966,7 +966,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1286,7 +1286,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1454,7 +1454,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1619,7 +1619,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.22/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.22/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    type FooStatus struct{ // Represents the observations of a foo's
+                    current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.23/README.adoc
+++ b/generated/1.23/README.adoc
@ -455,7 +455,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -571,7 +571,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -583,7 +583,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -595,7 +595,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -653,7 +653,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -674,7 +674,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -721,8 +721,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -741,7 +741,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -768,7 +768,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -781,16 +781,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -810,7 +810,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -829,7 +829,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -849,7 +849,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -868,7 +868,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -902,7 +902,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -927,9 +927,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -954,7 +954,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -966,7 +966,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1286,7 +1286,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1454,7 +1454,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1619,7 +1619,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.23/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.23/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.24/README.adoc
+++ b/generated/1.24/README.adoc
@ -455,7 +455,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -571,7 +571,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -583,7 +583,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -595,7 +595,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -653,7 +653,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -674,7 +674,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -721,8 +721,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -741,7 +741,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -768,7 +768,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -781,16 +781,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -810,7 +810,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -829,7 +829,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -849,7 +849,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -868,7 +868,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -902,7 +902,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -927,9 +927,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -954,7 +954,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -966,7 +966,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1286,7 +1286,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1454,7 +1454,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1619,7 +1619,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.24/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.24/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.24/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@ -453,7 +453,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -569,7 +569,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -581,7 +581,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -593,7 +593,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -651,7 +651,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -672,7 +672,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -719,8 +719,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -739,7 +739,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -766,7 +766,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -779,16 +779,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -808,7 +808,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -827,7 +827,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -847,7 +847,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -866,7 +866,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -900,7 +900,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -925,9 +925,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -952,7 +952,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -964,7 +964,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1282,7 +1282,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1450,7 +1450,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1615,7 +1615,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.25/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.26/README.adoc
+++ b/generated/1.26/README.adoc
@ -453,7 +453,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -569,7 +569,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -581,7 +581,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -593,7 +593,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -651,7 +651,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -672,7 +672,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -719,8 +719,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -739,7 +739,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -766,7 +766,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -779,16 +779,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -808,7 +808,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -827,7 +827,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -847,7 +847,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -866,7 +866,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -900,7 +900,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -925,9 +925,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -952,7 +952,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -964,7 +964,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1282,7 +1282,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1450,7 +1450,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1615,7 +1615,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.26/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.26/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
@ -453,7 +453,7 @@ CredentialIssuerStrategy describes the status of an integration strategy that wa


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-frontendtype"]
-==== FrontendType (string)
+==== FrontendType (string) 

 FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.

@ -569,7 +569,7 @@ ImpersonationProxyTLSSpec contains information about how the Concierge impersona


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-strategyreason"]
-==== StrategyReason (string)
+==== StrategyReason (string) 

 StrategyReason enumerates the detailed reason why a strategy is in a particular status.

@ -581,7 +581,7 @@ StrategyReason enumerates the detailed reason why a strategy is in a particular


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-strategystatus"]
-==== StrategyStatus (string)
+==== StrategyStatus (string) 

 StrategyStatus enumerates whether a strategy is working on a cluster.

@ -593,7 +593,7 @@ StrategyStatus enumerates whether a strategy is working on a cluster.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-strategytype"]
-==== StrategyType (string)
+==== StrategyType (string) 

 StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.

@ -651,7 +651,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -672,7 +672,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -719,8 +719,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -739,7 +739,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -766,7 +766,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -779,16 +779,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -808,7 +808,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -827,7 +827,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -847,7 +847,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

@ -866,7 +866,7 @@ FederationDomainTransformsExpression defines a transform expression.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype"]
-==== GrantType (string)
+==== GrantType (string) 



@ -900,7 +900,7 @@ OIDCClient describes the configuration of an OIDC client.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-oidcclientphase"]
-==== OIDCClientPhase (string)
+==== OIDCClientPhase (string) 



@ -925,9 +925,9 @@ OIDCClientSpec is a struct that describes an OIDCClient.
 |===
 | Field | Description
 | *`allowedRedirectURIs`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-redirecturi[$$RedirectURI$$] array__ | allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this client. Any other uris will be rejected. Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
-| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client.
+| *`allowedGrantTypes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-granttype[$$GrantType$$] array__ | allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to authenticate users. This grant must always be listed. - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. This grant must be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. This grant must be listed if allowedScopes lists pinniped:request-audience.
-| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
+| *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
 |===

@ -952,7 +952,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-redirecturi"]
-==== RedirectURI (string)
+==== RedirectURI (string) 



@ -964,7 +964,7 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-config-v1alpha1-scope"]
-==== Scope (string)
+==== Scope (string) 



@ -1282,7 +1282,7 @@ ActiveDirectoryIdentityProvider describes the configuration of an upstream Micro


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderphase"]
-==== ActiveDirectoryIdentityProviderPhase (string)
+==== ActiveDirectoryIdentityProviderPhase (string) 



@ -1450,7 +1450,7 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityproviderphase"]
-==== LDAPIdentityProviderPhase (string)
+==== LDAPIdentityProviderPhase (string) 



@ -1615,7 +1615,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-oidcidentityproviderphase"]
-==== OIDCIdentityProviderPhase (string)
+==== OIDCIdentityProviderPhase (string) 



--- a/generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.27/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.27/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/1.28/README.adoc
+++ b/generated/1.28/README.adoc
@ -651,7 +651,7 @@ FederationDomain describes the configuration of an OIDC provider.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider"]
-==== FederationDomainIdentityProvider
+==== FederationDomainIdentityProvider 

 FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.

@ -672,7 +672,7 @@ FederationDomainIdentityProvider describes how an identity provider is made avai


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase"]
-==== FederationDomainPhase (string)
+==== FederationDomainPhase (string) 



@ -719,8 +719,8 @@ FederationDomainSpec is a struct that describes an OIDC Provider.
 | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). 
 See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintlsspec[$$FederationDomainTLSSpec$$]__ | TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
-| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain.
- An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider.
+| *`identityProviders`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainidentityprovider[$$FederationDomainIdentityProvider$$] array__ | IdentityProviders is the list of identity providers available for use by this FederationDomain. 
+ An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to extract a normalized user identity. Normalized user identities include a username and a list of group names. In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid accidental conflicts when multiple identity providers have different users with the same username (e.g. "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could disallow the authentication unless the user belongs to a specific group in the identity provider. 
 For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which exist in the same namespace, but also to reject all authentication requests when there is more than one identity provider currently defined. In this backwards compatibility mode, the name of the identity provider resource (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead explicitly list the identity provider using this IdentityProviders field.
 |===

@ -739,7 +739,7 @@ FederationDomainStatus is a struct that describes the actual state of an OIDC Pr
 |===
 | Field | Description
 | *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainphase[$$FederationDomainPhase$$]__ | Phase summarizes the overall status of the FederationDomain.
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-condition[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represent the observations of an FederationDomain's current state.
 | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomainsecrets[$$FederationDomainSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
 |===

@ -766,7 +766,7 @@ FederationDomainTLSSpec is a struct that describes the TLS configuration for an


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransforms"]
-==== FederationDomainTransforms
+==== FederationDomainTransforms 

 FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.

@ -779,16 +779,16 @@ FederationDomainTransforms defines identity transformations for an identity prov
 |===
 | Field | Description
 | *`constants`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant[$$FederationDomainTransformsConstant$$] array__ | Constants defines constant variables and their values which will be made available to the transform expressions.
-| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
- The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants.
- The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression.
+| *`expressions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression[$$FederationDomainTransformsExpression$$] array__ | Expressions are an optional list of transforms and policies to be executed in the order given during every authentication attempt, including during every session refresh. Each is a CEL expression. It may use the basic CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. 
+ The username and groups extracted from the identity provider, and the constants defined in this CR, are available as variables in all expressions. The username is provided via a variable called `username` and the list of group names is provided via a variable called `groups` (which may be an empty list). Each user-provided constants is provided via a variable named `strConst.varName` for string constants and `strListConst.varName` for string list constants. 
+ The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated and the authentication attempt is rejected. Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the username or group names. Each username/v1 transform must return the new username (a string), which can be the same as the old username. Transformations of type username/v1 do not return group names, and therefore cannot change the group names. Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old groups list. Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. After each expression, the new (potentially changed) username or groups get passed to the following expression. 
 Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username and group names have been decided for that authentication attempt.
 | *`examples`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample[$$FederationDomainTransformsExample$$] array__ | Examples can optionally be used to ensure that the sequence of transformation expressions are working as expected. Examples define sample input identities which are then run through the expression list, and the results are compared to the expected results. If any example in this list fails, then this identity provider will not be available for use within this FederationDomain, and the error(s) will be added to the FederationDomain status. This can be used to help guard against programming mistakes in the expressions, and also act as living documentation for other administrators to better understand the expressions.
 |===


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsconstant"]
-==== FederationDomainTransformsConstant
+==== FederationDomainTransformsConstant 

 FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.

@ -808,7 +808,7 @@ FederationDomainTransformsConstant defines a constant variable and its value whi


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexample"]
-==== FederationDomainTransformsExample
+==== FederationDomainTransformsExample 

 FederationDomainTransformsExample defines a transform example.

@ -827,7 +827,7 @@ FederationDomainTransformsExample defines a transform example.


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexampleexpects"]
-==== FederationDomainTransformsExampleExpects
+==== FederationDomainTransformsExampleExpects 

 FederationDomainTransformsExampleExpects defines the expected result for a transforms example.

@ -847,7 +847,7 @@ FederationDomainTransformsExampleExpects defines the expected result for a trans


 [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-config-v1alpha1-federationdomaintransformsexpression"]
-==== FederationDomainTransformsExpression
+==== FederationDomainTransformsExpression 

 FederationDomainTransformsExpression defines a transform expression.

--- a/generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/1.28/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.28/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -145,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@ -352,9 +352,15 @@ spec:
                description: Conditions represent the observations of an FederationDomain's
                  current state.
                items:
-                  description: Condition status of a resource (mirrored from the metav1.Condition
-                    type added in Kubernetes 1.19). In a future API version we can
-                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
--- a/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
+++ b/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.conversion.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
+++ b/generated/latest/apis/concierge/identity/v1alpha1/zz_generated.defaults.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/identity/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/identity/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/login/v1alpha1/zz_generated.conversion.go
+++ b/generated/latest/apis/concierge/login/v1alpha1/zz_generated.conversion.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/login/v1alpha1/zz_generated.defaults.go
+++ b/generated/latest/apis/concierge/login/v1alpha1/zz_generated.defaults.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/concierge/login/zz_generated.deepcopy.go
+++ b/generated/latest/apis/concierge/login/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
+++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
+++ b/generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go
@ -276,7 +276,7 @@ type FederationDomainStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
-	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

 	// Secrets contains information about this OIDC Provider's secrets.
 	// +optional
--- a/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
@ -144,7 +145,7 @@ func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
--- a/generated/latest/client/supervisor/openapi/zz_generated.openapi.go
+++ b/generated/latest/client/supervisor/openapi/zz_generated.openapi.go
@ -1,4 +1,5 @@
 //go:build !ignore_autogenerated
+// +build !ignore_autogenerated

 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
@ -21,58 +22,58 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1.OIDCClientSecretRequestList":   schema_apis_supervisor_clientsecret_v1alpha1_OIDCClientSecretRequestList(ref),
 		"go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1.OIDCClientSecretRequestSpec":   schema_apis_supervisor_clientsecret_v1alpha1_OIDCClientSecretRequestSpec(ref),
 		"go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1.OIDCClientSecretRequestStatus": schema_apis_supervisor_clientsecret_v1alpha1_OIDCClientSecretRequestStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                        schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                    schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                     schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                 schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                     schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                                                    schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                       schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                   schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                   schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                        schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                        schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                      schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                       schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                   schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                    schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                        schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                                schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                            schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                   schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                   schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                        schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                            schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                        schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                     schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                              schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                       schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                      schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                  schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                           schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                       schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                           schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                    schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                   schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                       schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                       schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                          schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                     schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                   schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                           schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                           schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                    schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                        schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                               schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                            schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                       schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                        schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                   schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                      schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                         schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                             schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                              schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                 schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                      schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                  schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                   schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                               schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                   schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                                                  schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                     schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                 schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                 schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                      schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                      schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                    schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                     schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                 schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                  schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                      schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                              schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                          schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                 schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                 schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                      schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                          schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                      schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                   schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                            schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                     schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                    schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                         schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                     schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                         schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                  schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                 schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                     schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                     schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                        schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                   schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                 schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                         schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                         schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                  schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                      schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                             schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                          schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                     schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                      schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                 schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                    schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }

--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@ -191,13 +191,13 @@ func (c *federationDomainWatcherController) Sync(ctx controllerlib.Context) erro
 func (c *federationDomainWatcherController) processAllFederationDomains(
 	ctx context.Context,
 	federationDomains []*configv1alpha1.FederationDomain,
-) ([]*federationdomainproviders.FederationDomainIssuer, map[*configv1alpha1.FederationDomain][]*configv1alpha1.Condition, error) {
+) ([]*federationdomainproviders.FederationDomainIssuer, map[*configv1alpha1.FederationDomain][]*metav1.Condition, error) {
 	federationDomainIssuers := make([]*federationdomainproviders.FederationDomainIssuer, 0)
-	fdToConditionsMap := map[*configv1alpha1.FederationDomain][]*configv1alpha1.Condition{}
+	fdToConditionsMap := map[*configv1alpha1.FederationDomain][]*metav1.Condition{}
 	crossDomainConfigValidator := newCrossFederationDomainConfigValidator(federationDomains)

 	for _, federationDomain := range federationDomains {
-		conditions := make([]*configv1alpha1.Condition, 0)
+		conditions := make([]*metav1.Condition, 0)

 		conditions = crossDomainConfigValidator.Validate(federationDomain, conditions)

@ -223,8 +223,8 @@ func (c *federationDomainWatcherController) processAllFederationDomains(
 func (c *federationDomainWatcherController) makeFederationDomainIssuer(
 	ctx context.Context,
 	federationDomain *configv1alpha1.FederationDomain,
-	conditions []*configv1alpha1.Condition,
-) (*federationdomainproviders.FederationDomainIssuer, []*configv1alpha1.Condition, error) {
+	conditions []*metav1.Condition,
+) (*federationdomainproviders.FederationDomainIssuer, []*metav1.Condition, error) {
 	var err error
 	// Create the list of IDPs for this FederationDomain.
 	// Don't worry if the IDP CRs themselves is phase=Ready because those which are not ready will not be loaded
@ -247,8 +247,8 @@ func (c *federationDomainWatcherController) makeFederationDomainIssuer(

 func (c *federationDomainWatcherController) makeLegacyFederationDomainIssuer(
 	federationDomain *configv1alpha1.FederationDomain,
-	conditions []*configv1alpha1.Condition,
-) (*federationdomainproviders.FederationDomainIssuer, []*configv1alpha1.Condition, error) {
+	conditions []*metav1.Condition,
+) (*federationdomainproviders.FederationDomainIssuer, []*metav1.Condition, error) {
 	var defaultFederationDomainIdentityProvider *federationdomainproviders.FederationDomainIdentityProvider

 	// When the FederationDomain does not list any IDPs, then we might be in backwards compatibility mode.
@ -290,9 +290,9 @@ func (c *federationDomainWatcherController) makeLegacyFederationDomainIssuer(
 		// Backwards compatibility mode always uses an empty identity transformation pipeline since no
 		// transformations are defined on the FederationDomain.
 		defaultFederationDomainIdentityProvider.Transforms = idtransform.NewTransformationPipeline()
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersFound,
-			Status: configv1alpha1.ConditionTrue,
+			Status: metav1.ConditionTrue,
 			Reason: reasonLegacyConfigurationSuccess,
 			Message: fmt.Sprintf("no resources were specified by .spec.identityProviders[].objectRef but exactly one "+
 				"identity provider resource has been found: using %q as "+
@ -300,9 +300,9 @@ func (c *federationDomainWatcherController) makeLegacyFederationDomainIssuer(
 				"(this legacy configuration mode may be removed in a future version of Pinniped)", foundIDPName),
 		})
 	case idpCRsCount > 1:
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersFound,
-			Status: configv1alpha1.ConditionFalse,
+			Status: metav1.ConditionFalse,
 			Reason: reasonIdentityProviderNotSpecified, // vs LegacyConfigurationIdentityProviderNotFound as this is more specific
 			Message: fmt.Sprintf("no resources were specified by .spec.identityProviders[].objectRef "+
 				"and %d identity provider resources have been found: "+
@ -310,9 +310,9 @@ func (c *federationDomainWatcherController) makeLegacyFederationDomainIssuer(
 				"this federation domain should use", idpCRsCount),
 		})
 	default:
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersFound,
-			Status: configv1alpha1.ConditionFalse,
+			Status: metav1.ConditionFalse,
 			Reason: reasonLegacyConfigurationIdentityProviderNotFound,
 			Message: "no resources were specified by .spec.identityProviders[].objectRef and no identity provider " +
 				"resources have been found: please create an identity provider resource",
@ -338,8 +338,8 @@ func (c *federationDomainWatcherController) makeLegacyFederationDomainIssuer(
 func (c *federationDomainWatcherController) makeFederationDomainIssuerWithExplicitIDPs(
 	ctx context.Context,
 	federationDomain *configv1alpha1.FederationDomain,
-	conditions []*configv1alpha1.Condition,
-) (*federationdomainproviders.FederationDomainIssuer, []*configv1alpha1.Condition, error) {
+	conditions []*metav1.Condition,
+) (*federationdomainproviders.FederationDomainIssuer, []*metav1.Condition, error) {
 	federationDomainIdentityProviders := []*federationdomainproviders.FederationDomainIdentityProvider{}
 	idpNotFoundIndices := []int{}
 	displayNames := sets.Set[string]{}
@ -640,19 +640,19 @@ func (c *federationDomainWatcherController) evaluateExamplesForIdentityProvider(
 	return true, ""
 }

-func appendIdentityProviderObjectRefKindCondition(expectedKinds []string, badSuffixNames []string, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendIdentityProviderObjectRefKindCondition(expectedKinds []string, badSuffixNames []string, conditions []*metav1.Condition) []*metav1.Condition {
 	if len(badSuffixNames) > 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersObjectRefKindValid,
-			Status: configv1alpha1.ConditionFalse,
+			Status: metav1.ConditionFalse,
 			Reason: reasonKindUnrecognized,
 			Message: fmt.Sprintf("some kinds specified by .spec.identityProviders[].objectRef.kind are not recognized (should be one of %s): %s",
 				strings.Join(expectedKinds, ", "), strings.Join(sortAndQuote(badSuffixNames), ", ")),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIdentityProvidersObjectRefKindValid,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the kinds specified by .spec.identityProviders[].objectRef.kind are recognized",
 		})
@ -663,24 +663,24 @@ func appendIdentityProviderObjectRefKindCondition(expectedKinds []string, badSuf
 func appendIdentityProvidersFoundCondition(
 	idpNotFoundIndices []int,
 	federationDomainIdentityProviders []configv1alpha1.FederationDomainIdentityProvider,
-	conditions []*configv1alpha1.Condition,
-) []*configv1alpha1.Condition {
+	conditions []*metav1.Condition,
+) []*metav1.Condition {
 	if len(idpNotFoundIndices) != 0 {
 		messages := []string{}
 		for _, idpNotFoundIndex := range idpNotFoundIndices {
 			messages = append(messages, fmt.Sprintf("cannot find resource specified by .spec.identityProviders[%d].objectRef (with name %q)",
 				idpNotFoundIndex, federationDomainIdentityProviders[idpNotFoundIndex].ObjectRef.Name))
 		}
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIdentityProvidersFound,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonIdentityProvidersObjectRefsNotFound,
 			Message: strings.Join(messages, "\n\n"),
 		})
 	} else if len(federationDomainIdentityProviders) != 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIdentityProvidersFound,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the resources specified by .spec.identityProviders[].objectRef were found",
 		})
@ -688,19 +688,19 @@ func appendIdentityProvidersFoundCondition(
 	return conditions
 }

-func appendIdentityProviderObjectRefAPIGroupSuffixCondition(expectedSuffixName string, badSuffixNames []string, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendIdentityProviderObjectRefAPIGroupSuffixCondition(expectedSuffixName string, badSuffixNames []string, conditions []*metav1.Condition) []*metav1.Condition {
 	if len(badSuffixNames) > 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersAPIGroupSuffixValid,
-			Status: configv1alpha1.ConditionFalse,
+			Status: metav1.ConditionFalse,
 			Reason: reasonAPIGroupNameUnrecognized,
 			Message: fmt.Sprintf("some API groups specified by .spec.identityProviders[].objectRef.apiGroup are not recognized (should be %q): %s",
 				expectedSuffixName, strings.Join(sortAndQuote(badSuffixNames), ", ")),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIdentityProvidersAPIGroupSuffixValid,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the API groups specified by .spec.identityProviders[].objectRef.apiGroup are recognized",
 		})
@ -708,18 +708,18 @@ func appendIdentityProviderObjectRefAPIGroupSuffixCondition(expectedSuffixName s
 	return conditions
 }

-func appendTransformsExpressionsValidCondition(messages []string, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendTransformsExpressionsValidCondition(messages []string, conditions []*metav1.Condition) []*metav1.Condition {
 	if len(messages) > 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeTransformsExpressionsValid,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonInvalidTransformsExpressions,
 			Message: strings.Join(messages, "\n\n"),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeTransformsExpressionsValid,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the expressions specified by .spec.identityProviders[].transforms.expressions[] are valid",
 		})
@ -727,18 +727,18 @@ func appendTransformsExpressionsValidCondition(messages []string, conditions []*
 	return conditions
 }

-func appendTransformsExamplesPassedCondition(messages []string, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendTransformsExamplesPassedCondition(messages []string, conditions []*metav1.Condition) []*metav1.Condition {
 	if len(messages) > 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeTransformsExamplesPassed,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonTransformsExamplesFailed,
 			Message: strings.Join(messages, "\n\n"),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeTransformsExamplesPassed,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the examples specified by .spec.identityProviders[].transforms.examples[] had no errors",
 		})
@ -746,19 +746,19 @@ func appendTransformsExamplesPassedCondition(messages []string, conditions []*co
 	return conditions
 }

-func appendIdentityProviderDuplicateDisplayNamesCondition(duplicateDisplayNames sets.Set[string], conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendIdentityProviderDuplicateDisplayNamesCondition(duplicateDisplayNames sets.Set[string], conditions []*metav1.Condition) []*metav1.Condition {
 	if duplicateDisplayNames.Len() > 0 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeIdentityProvidersDisplayNamesUnique,
-			Status: configv1alpha1.ConditionFalse,
+			Status: metav1.ConditionFalse,
 			Reason: reasonDuplicateDisplayNames,
 			Message: fmt.Sprintf("the names specified by .spec.identityProviders[].displayName contain duplicates: %s",
 				strings.Join(sortAndQuote(duplicateDisplayNames.UnsortedList()), ", ")),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIdentityProvidersDisplayNamesUnique,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "the names specified by .spec.identityProviders[].displayName are unique",
 		})
@ -766,20 +766,20 @@ func appendIdentityProviderDuplicateDisplayNamesCondition(duplicateDisplayNames
 	return conditions
 }

-func appendIssuerURLValidCondition(err error, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func appendIssuerURLValidCondition(err error, conditions []*metav1.Condition) []*metav1.Condition {
 	if err != nil {
 		// Note that the FederationDomainIssuer constructors only validate the Issuer URL,
 		// so these are always issuer URL validation errors.
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIssuerURLValid,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonInvalidIssuerURL,
 			Message: err.Error(),
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIssuerURLValid,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "spec.issuer is a valid URL",
 		})
@ -790,23 +790,23 @@ func appendIssuerURLValidCondition(err error, conditions []*configv1alpha1.Condi
 func (c *federationDomainWatcherController) updateStatus(
 	ctx context.Context,
 	federationDomain *configv1alpha1.FederationDomain,
-	conditions []*configv1alpha1.Condition,
+	conditions []*metav1.Condition,
 ) error {
 	updated := federationDomain.DeepCopy()

 	if hadErrorCondition(conditions) {
 		updated.Status.Phase = configv1alpha1.FederationDomainPhaseError
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeReady,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonNotReady,
 			Message: "the FederationDomain is not ready: see other conditions for details",
 		})
 	} else {
 		updated.Status.Phase = configv1alpha1.FederationDomainPhaseReady
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:   typeReady,
-			Status: configv1alpha1.ConditionTrue,
+			Status: metav1.ConditionTrue,
 			Reason: reasonSuccess,
 			Message: fmt.Sprintf("the FederationDomain is ready and its endpoints are available: "+
 				"the discovery endpoint is %s/.well-known/openid-configuration", federationDomain.Spec.Issuer),
@ -858,20 +858,20 @@ func issuerURLToIssuerKey(issuerURL *url.URL) string {
 	return fmt.Sprintf("%s://%s%s", issuerURL.Scheme, strings.ToLower(issuerURL.Host), issuerURL.Path)
 }

-func (v *crossFederationDomainConfigValidator) Validate(federationDomain *configv1alpha1.FederationDomain, conditions []*configv1alpha1.Condition) []*configv1alpha1.Condition {
+func (v *crossFederationDomainConfigValidator) Validate(federationDomain *configv1alpha1.FederationDomain, conditions []*metav1.Condition) []*metav1.Condition {
 	issuerURL, urlParseErr := url.Parse(federationDomain.Spec.Issuer)

 	if urlParseErr != nil {
 		// Don't write a condition about the issuer URL being invalid because that is added elsewhere in the controller.
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIssuerIsUnique,
-			Status:  configv1alpha1.ConditionUnknown,
+			Status:  metav1.ConditionUnknown,
 			Reason:  reasonUnableToValidate,
 			Message: "unable to check if spec.issuer is unique among all FederationDomains because URL cannot be parsed",
 		})
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeOneTLSSecretPerIssuerHostname,
-			Status:  configv1alpha1.ConditionUnknown,
+			Status:  metav1.ConditionUnknown,
 			Reason:  reasonUnableToValidate,
 			Message: "unable to check if all FederationDomains are using the same TLS secret when using the same hostname in the spec.issuer URL because URL cannot be parsed",
 		})
@ -879,32 +879,32 @@ func (v *crossFederationDomainConfigValidator) Validate(federationDomain *config
 	}

 	if issuerCount := v.issuerCounts[issuerURLToIssuerKey(issuerURL)]; issuerCount > 1 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIssuerIsUnique,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonDuplicateIssuer,
 			Message: "multiple FederationDomains have the same spec.issuer URL: these URLs must be unique (can use different hosts or paths)",
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeIssuerIsUnique,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "spec.issuer is unique among all FederationDomains",
 		})
 	}

 	if len(v.uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)]) > 1 {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeOneTLSSecretPerIssuerHostname,
-			Status:  configv1alpha1.ConditionFalse,
+			Status:  metav1.ConditionFalse,
 			Reason:  reasonDifferentSecretRefsFound,
 			Message: "when different FederationDomains are using the same hostname in the spec.issuer URL then they must also use the same TLS secretRef: different secretRefs found",
 		})
 	} else {
-		conditions = append(conditions, &configv1alpha1.Condition{
+		conditions = append(conditions, &metav1.Condition{
 			Type:    typeOneTLSSecretPerIssuerHostname,
-			Status:  configv1alpha1.ConditionTrue,
+			Status:  metav1.ConditionTrue,
 			Reason:  reasonSuccess,
 			Message: "all FederationDomains are using the same TLS secret when using the same hostname in the spec.issuer URL",
 		})
@ -950,9 +950,9 @@ func newCrossFederationDomainConfigValidator(federationDomains []*configv1alpha1
 	}
 }

-func hadErrorCondition(conditions []*configv1alpha1.Condition) bool {
+func hadErrorCondition(conditions []*metav1.Condition) bool {
 	for _, c := range conditions {
-		if c.Status != configv1alpha1.ConditionTrue {
+		if c.Status != metav1.ConditionTrue {
 			return true
 		}
 	}
--- a/internal/controller/supervisorconfig/federation_domain_watcher_test.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
@ -194,8 +194,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		return fdIssuer
 	}

-	happyReadyCondition := func(issuer string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyReadyCondition := func(issuer string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "Ready",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -206,8 +206,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadReadyCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadReadyCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "Ready",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -217,8 +217,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerIsUnique",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -228,8 +228,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	unknownIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	unknownIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerIsUnique",
 			Status:             "Unknown",
 			ObservedGeneration: observedGeneration,
@ -239,8 +239,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIssuerIsUniqueCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerIsUnique",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -250,8 +250,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "OneTLSSecretPerIssuerHostname",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -261,8 +261,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	unknownOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	unknownOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "OneTLSSecretPerIssuerHostname",
 			Status:             "Unknown",
 			ObservedGeneration: observedGeneration,
@ -272,8 +272,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadOneTLSSecretPerIssuerHostnameCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "OneTLSSecretPerIssuerHostname",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -283,8 +283,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyIssuerURLValidCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyIssuerURLValidCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerURLValid",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -294,8 +294,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIssuerURLValidConditionCannotHaveQuery := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIssuerURLValidConditionCannotHaveQuery := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerURLValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -305,8 +305,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIssuerURLValidConditionCannotParse := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIssuerURLValidConditionCannotParse := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IssuerURLValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -316,8 +316,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyIdentityProvidersFoundConditionLegacyConfigurationSuccess := func(idpName string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyIdentityProvidersFoundConditionLegacyConfigurationSuccess := func(idpName string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersFound",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -330,8 +330,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyIdentityProvidersFoundConditionSuccess := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyIdentityProvidersFoundConditionSuccess := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersFound",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -341,8 +341,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIdentityProvidersFoundConditionLegacyConfigurationIdentityProviderNotFound := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIdentityProvidersFoundConditionLegacyConfigurationIdentityProviderNotFound := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersFound",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -353,8 +353,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIdentityProvidersFoundConditionIdentityProviderNotSpecified := func(idpCRsCount int, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIdentityProvidersFoundConditionIdentityProviderNotSpecified := func(idpCRsCount int, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersFound",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -367,8 +367,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound := func(errorMessages string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound := func(errorMessages string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersFound",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -378,8 +378,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyDisplayNamesUniqueCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyDisplayNamesUniqueCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersDisplayNamesUnique",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -389,8 +389,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadDisplayNamesUniqueCondition := func(duplicateNames string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadDisplayNamesUniqueCondition := func(duplicateNames string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersDisplayNamesUnique",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -400,8 +400,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyTransformationExpressionsCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyTransformationExpressionsCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "TransformsExpressionsValid",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -411,8 +411,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadTransformationExpressionsCondition := func(errorMessages string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadTransformationExpressionsCondition := func(errorMessages string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "TransformsExpressionsValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -422,8 +422,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyTransformationExamplesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyTransformationExamplesCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "TransformsExamplesPassed",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -433,8 +433,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadTransformationExamplesCondition := func(errorMessages string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadTransformationExamplesCondition := func(errorMessages string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "TransformsExamplesPassed",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -444,8 +444,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyAPIGroupSuffixCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyAPIGroupSuffixCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersObjectRefAPIGroupSuffixValid",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -455,8 +455,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadAPIGroupSuffixCondition := func(badApiGroups string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadAPIGroupSuffixCondition := func(badApiGroups string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersObjectRefAPIGroupSuffixValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -467,8 +467,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	happyKindCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	happyKindCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersObjectRefKindValid",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
@ -478,8 +478,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sadKindCondition := func(badKinds string, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
-		return configv1alpha1.Condition{
+	sadKindCondition := func(badKinds string, time metav1.Time, observedGeneration int64) metav1.Condition {
+		return metav1.Condition{
 			Type:               "IdentityProvidersObjectRefKindValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
@ -490,8 +490,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		}
 	}

-	sortConditionsByType := func(c []configv1alpha1.Condition) []configv1alpha1.Condition {
-		cp := make([]configv1alpha1.Condition, len(c))
+	sortConditionsByType := func(c []metav1.Condition) []metav1.Condition {
+		cp := make([]metav1.Condition, len(c))
 		copy(cp, c)
 		sort.SliceStable(cp, func(i, j int) bool {
 			return cp[i].Type < cp[j].Type
@ -499,7 +499,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		return cp
 	}

-	replaceConditions := func(conditions []configv1alpha1.Condition, sadConditions []configv1alpha1.Condition) []configv1alpha1.Condition {
+	replaceConditions := func(conditions []metav1.Condition, sadConditions []metav1.Condition) []metav1.Condition {
 		for _, sadReplaceCondition := range sadConditions {
 			for origIndex, origCondition := range conditions {
 				if origCondition.Type == sadReplaceCondition.Type {
@ -511,8 +511,8 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		return conditions
 	}

-	allHappyConditionsSuccess := func(issuer string, time metav1.Time, observedGeneration int64) []configv1alpha1.Condition {
-		return sortConditionsByType([]configv1alpha1.Condition{
+	allHappyConditionsSuccess := func(issuer string, time metav1.Time, observedGeneration int64) []metav1.Condition {
+		return sortConditionsByType([]metav1.Condition{
 			happyTransformationExamplesCondition(frozenMetav1Now, 123),
 			happyTransformationExpressionsCondition(frozenMetav1Now, 123),
 			happyKindCondition(frozenMetav1Now, 123),
@ -526,10 +526,10 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 		})
 	}

-	allHappyConditionsLegacyConfigurationSuccess := func(issuer string, idpName string, time metav1.Time, observedGeneration int64) []configv1alpha1.Condition {
+	allHappyConditionsLegacyConfigurationSuccess := func(issuer string, idpName string, time metav1.Time, observedGeneration int64) []metav1.Condition {
 		return replaceConditions(
 			allHappyConditionsSuccess(issuer, time, observedGeneration),
-			[]configv1alpha1.Condition{
+			[]metav1.Condition{
 				happyIdentityProvidersFoundConditionLegacyConfigurationSuccess(idpName, time, observedGeneration),
 			},
 		)
@ -738,7 +738,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(federationDomain2.Spec.Issuer, oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIssuerURLValidConditionCannotHaveQuery(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -780,7 +780,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(federationDomain2.Spec.Issuer, oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIssuerURLValidConditionCannotHaveQuery(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -820,7 +820,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess("https://iSSueR-duPlicAte.cOm/a", oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIssuerIsUniqueCondition(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -832,7 +832,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess("https://issuer-duplicate.com/a", oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIssuerIsUniqueCondition(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -893,7 +893,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess("https://iSSueR-duPlicAte-adDress.cOm/path1", oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadOneTLSSecretPerIssuerHostnameCondition(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -905,7 +905,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess("https://issuer-duplicate-address.com:1234/path2", oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadOneTLSSecretPerIssuerHostnameCondition(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -917,7 +917,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(invalidIssuerURL, oidcIdentityProvider.Name, frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							unknownIssuerIsUniqueCondition(frozenMetav1Now, 123),
 							sadIssuerURLValidConditionCannotParse(frozenMetav1Now, 123),
 							unknownOneTLSSecretPerIssuerHostnameCondition(frozenMetav1Now, 123),
@ -945,7 +945,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(federationDomain1.Spec.Issuer, "", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIdentityProvidersFoundConditionLegacyConfigurationIdentityProviderNotFound(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -954,7 +954,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(federationDomain2.Spec.Issuer, "", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIdentityProvidersFoundConditionLegacyConfigurationIdentityProviderNotFound(frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -975,7 +975,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsLegacyConfigurationSuccess(federationDomain1.Spec.Issuer, "", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIdentityProvidersFoundConditionIdentityProviderNotSpecified(3, frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -1027,7 +1027,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound(here.Doc(
 								`cannot find resource specified by .spec.identityProviders[0].objectRef (with name "cant-find-me-name")

@ -1181,7 +1181,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadDisplayNamesUniqueCondition(`"duplicate1", "duplicate2"`, frozenMetav1Now, 123),
 							sadReadyCondition(frozenMetav1Now, 123),
 						}),
@ -1244,7 +1244,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadAPIGroupSuffixCondition(`"", "", "wrong.example.com"`, frozenMetav1Now, 123),
 							sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound(here.Doc(
 								`cannot find resource specified by .spec.identityProviders[0].objectRef (with name "some-oidc-idp")
@ -1306,7 +1306,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadKindCondition(`"", "wrong"`, frozenMetav1Now, 123),
 							sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound(here.Doc(
 								`cannot find resource specified by .spec.identityProviders[1].objectRef (with name "some-ldap-idp")
@ -1356,7 +1356,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadTransformationExpressionsCondition(here.Doc(
 								`spec.identityProvider[0].transforms.expressions[0].expression was invalid:
 								 CEL expression compile error: ERROR: <input>:1:6: Syntax error: mismatched input 'is' expecting <EOF>
@ -1502,7 +1502,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadTransformationExamplesCondition(here.Doc(
 								`.spec.identityProviders[0].transforms.examples[2] example failed:
 								 expected: authentication to be rejected
@ -1601,7 +1601,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://issuer1.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadTransformationExamplesCondition(here.Doc(
 								`.spec.identityProviders[0].transforms.examples[0] example failed:
 								 expected: no transformation errors
@ -1748,7 +1748,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://not-unique.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadAPIGroupSuffixCondition(`"this is wrong"`, frozenMetav1Now, 123),
 							sadDisplayNamesUniqueCondition(`"not unique"`, frozenMetav1Now, 123),
 							sadIdentityProvidersFoundConditionIdentityProvidersObjectRefsNotFound(here.Doc(
@ -1808,7 +1808,7 @@ func TestTestFederationDomainWatcherControllerSync(t *testing.T) {
 					configv1alpha1.FederationDomainPhaseError,
 					replaceConditions(
 						allHappyConditionsSuccess("https://not-unique.com", frozenMetav1Now, 123),
-						[]configv1alpha1.Condition{
+						[]metav1.Condition{
 							sadIssuerIsUniqueCondition(frozenMetav1Now, 123),
 							sadTransformationExpressionsCondition(here.Doc(
 								`spec.identityProvider[0].transforms.expressions[1].expression was invalid:
@ -2135,7 +2135,7 @@ func convertToComparableType(fdis []*federationdomainproviders.FederationDomainI
 func expectedFederationDomainStatusUpdate(
 	fd *configv1alpha1.FederationDomain,
 	phase configv1alpha1.FederationDomainPhase,
-	conditions []configv1alpha1.Condition,
+	conditions []metav1.Condition,
 ) *configv1alpha1.FederationDomain {
 	fdCopy := fd.DeepCopy()

--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@ -658,26 +658,26 @@ func requireDelete(t *testing.T, client pinnipedclientset.Interface, ns, name st
 	require.NoError(t, err)
 }

-func withAllSuccessfulConditions() map[string]v1alpha1.ConditionStatus {
-	return map[string]v1alpha1.ConditionStatus{
-		"Ready":                                         v1alpha1.ConditionTrue,
-		"IssuerIsUnique":                                v1alpha1.ConditionTrue,
-		"IdentityProvidersFound":                        v1alpha1.ConditionTrue,
-		"OneTLSSecretPerIssuerHostname":                 v1alpha1.ConditionTrue,
-		"IssuerURLValid":                                v1alpha1.ConditionTrue,
-		"IdentityProvidersObjectRefKindValid":           v1alpha1.ConditionTrue,
-		"IdentityProvidersObjectRefAPIGroupSuffixValid": v1alpha1.ConditionTrue,
-		"IdentityProvidersDisplayNamesUnique":           v1alpha1.ConditionTrue,
-		"TransformsExpressionsValid":                    v1alpha1.ConditionTrue,
-		"TransformsExamplesPassed":                      v1alpha1.ConditionTrue,
+func withAllSuccessfulConditions() map[string]metav1.ConditionStatus {
+	return map[string]metav1.ConditionStatus{
+		"Ready":                                         metav1.ConditionTrue,
+		"IssuerIsUnique":                                metav1.ConditionTrue,
+		"IdentityProvidersFound":                        metav1.ConditionTrue,
+		"OneTLSSecretPerIssuerHostname":                 metav1.ConditionTrue,
+		"IssuerURLValid":                                metav1.ConditionTrue,
+		"IdentityProvidersObjectRefKindValid":           metav1.ConditionTrue,
+		"IdentityProvidersObjectRefAPIGroupSuffixValid": metav1.ConditionTrue,
+		"IdentityProvidersDisplayNamesUnique":           metav1.ConditionTrue,
+		"TransformsExpressionsValid":                    metav1.ConditionTrue,
+		"TransformsExamplesPassed":                      metav1.ConditionTrue,
 	}
 }

-func withFalseConditions(falseConditionTypes []string) map[string]v1alpha1.ConditionStatus {
-	c := map[string]v1alpha1.ConditionStatus{}
+func withFalseConditions(falseConditionTypes []string) map[string]metav1.ConditionStatus {
+	c := map[string]metav1.ConditionStatus{}
 	for k, v := range withAllSuccessfulConditions() {
 		if slices.Contains(falseConditionTypes, k) {
-			c[k] = v1alpha1.ConditionFalse
+			c[k] = metav1.ConditionFalse
 		} else {
 			c[k] = v
 		}
@ -685,7 +685,7 @@ func withFalseConditions(falseConditionTypes []string) map[string]v1alpha1.Condi
 	return c
 }

-func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, wantPhase v1alpha1.FederationDomainPhase, wantConditionTypeToStatus map[string]v1alpha1.ConditionStatus) {
+func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, wantPhase v1alpha1.FederationDomainPhase, wantConditionTypeToStatus map[string]metav1.ConditionStatus) {
 	t.Helper()

 	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
@ -699,7 +699,7 @@ func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name st
 		t.Logf("found FederationDomain %s/%s with phase %s, wanted phase %s", ns, name, actualPhase, wantPhase)
 		requireEventually.Equalf(wantPhase, actualPhase, "unexpected phase (conditions = '%#v')", federationDomain.Status.Conditions)

-		actualConditionTypeToStatus := map[string]v1alpha1.ConditionStatus{}
+		actualConditionTypeToStatus := map[string]metav1.ConditionStatus{}
 		for _, c := range federationDomain.Status.Conditions {
 			actualConditionTypeToStatus[c.Type] = c.Status
 		}
--- a/test/integration/supervisor_federationdomain_status_test.go
+++ b/test/integration/supervisor_federationdomain_status_test.go
@ -48,7 +48,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
 				}, v1alpha1.FederationDomainPhaseError)
 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulLegacyFederationDomainConditions("", fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "LegacyConfigurationIdentityProviderNotFound",
 							Message: "no resources were specified by .spec.identityProviders[].objectRef and no identity provider resources have been found: please create an identity provider resource",
@ -77,7 +77,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
 				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulLegacyFederationDomainConditions(oidcIdentityProvider2.Name, fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProviderNotSpecified",
 							Message: "no resources were specified by .spec.identityProviders[].objectRef and 2 identity provider " +
@ -123,7 +123,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
 				}, v1alpha1.FederationDomainPhaseError)
 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulFederationDomainConditions(fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
 							Message: here.Docf(`
@ -147,7 +147,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
 				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulFederationDomainConditions(fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
 							Message: fmt.Sprintf(`cannot find resource specified by .spec.identityProviders[1].objectRef (with name "%s")`, oidcIDP2Meta.Name),
@ -175,7 +175,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {
 				testlib.WaitForFederationDomainStatusPhase(ctx, t, fd.Name, v1alpha1.FederationDomainPhaseError)
 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulFederationDomainConditions(fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
 							Message: fmt.Sprintf(`cannot find resource specified by .spec.identityProviders[0].objectRef (with name "%s")`, oidcIDP1Meta.Name),
@ -342,7 +342,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {

 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulFederationDomainConditions(fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersDisplayNamesUnique", Status: "False", Reason: "DuplicateDisplayNames",
 							Message: `the names specified by .spec.identityProviders[].displayName contain duplicates: "not unique"`,
@ -485,7 +485,7 @@ func TestSupervisorFederationDomainStatus_Disruptive(t *testing.T) {

 				testlib.WaitForFederationDomainStatusConditions(ctx, t, fd.Name, replaceSomeConditions(
 					allSuccessfulFederationDomainConditions(fd.Spec),
-					[]v1alpha1.Condition{
+					[]metav1.Condition{
 						{
 							Type: "IdentityProvidersFound", Status: "False", Reason: "IdentityProvidersObjectRefsNotFound",
 							Message: `cannot find resource specified by .spec.identityProviders[2].objectRef (with name "also will not be found")`,
@ -950,8 +950,8 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 	}
 }

-func replaceSomeConditions(conditions []v1alpha1.Condition, replaceWithTheseConditions []v1alpha1.Condition) []v1alpha1.Condition {
-	cp := make([]v1alpha1.Condition, len(conditions))
+func replaceSomeConditions(conditions []metav1.Condition, replaceWithTheseConditions []metav1.Condition) []metav1.Condition {
+	cp := make([]metav1.Condition, len(conditions))
 	copy(cp, conditions)
 	for _, replacementCond := range replaceWithTheseConditions {
 		for i, cond := range cp {
@ -964,10 +964,10 @@ func replaceSomeConditions(conditions []v1alpha1.Condition, replaceWithTheseCond
 	return cp
 }

-func allSuccessfulLegacyFederationDomainConditions(idpName string, federationDomainSpec v1alpha1.FederationDomainSpec) []v1alpha1.Condition {
+func allSuccessfulLegacyFederationDomainConditions(idpName string, federationDomainSpec v1alpha1.FederationDomainSpec) []metav1.Condition {
 	return replaceSomeConditions(
 		allSuccessfulFederationDomainConditions(federationDomainSpec),
-		[]v1alpha1.Condition{
+		[]metav1.Condition{
 			{
 				Type: "IdentityProvidersFound", Status: "True", Reason: "LegacyConfigurationSuccess",
 				Message: fmt.Sprintf(`no resources were specified by .spec.identityProviders[].objectRef but exactly one `+
@ -979,8 +979,8 @@ func allSuccessfulLegacyFederationDomainConditions(idpName string, federationDom
 	)
 }

-func allSuccessfulFederationDomainConditions(federationDomainSpec v1alpha1.FederationDomainSpec) []v1alpha1.Condition {
-	return []v1alpha1.Condition{
+func allSuccessfulFederationDomainConditions(federationDomainSpec v1alpha1.FederationDomainSpec) []metav1.Condition {
+	return []metav1.Condition{
 		{
 			Type: "IdentityProvidersDisplayNamesUnique", Status: "True", Reason: "Success",
 			Message: "the names specified by .spec.identityProviders[].displayName are unique",
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@ -329,7 +329,7 @@ func WaitForFederationDomainStatusPhase(ctx context.Context, t *testing.T, feder
 	}, 60*time.Second, 1*time.Second, "expected the FederationDomain to have status %q", expectPhase)
 }

-func WaitForFederationDomainStatusConditions(ctx context.Context, t *testing.T, federationDomainName string, expectConditions []configv1alpha1.Condition) {
+func WaitForFederationDomainStatusConditions(ctx context.Context, t *testing.T, federationDomainName string, expectConditions []metav1.Condition) {
 	t.Helper()
 	testEnv := IntegrationEnv(t)
 	federationDomainsClient := NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(testEnv.SupervisorNamespace)