CredentialIssuer contains Impersonation Proxy spec

apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -65,6 +65,25 @@ type CredentialIssuerStrategy struct {
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+type TLSConfig struct {
+    // The CA that clients should validate when connecting to the impersonation proxy endpoint
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+	// The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+	SecretName string `json:"secretName"`
+}
+
+type ImpersonationProxySpec struct {
+	// specify the external endpoint name that will route to the impersonation proxy port
+	ExternalEndpoint string `json:"externalEndpoint"`
+	// TLS configuration to communicate with the impersonation proxy
+	TLS TLSConfig `json:"tls"`
+}
+
+// Spec for the credential issuer
+type CredentialIssuerSpec struct {
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -75,6 +94,8 @@ type CredentialIssuer struct {
 
 	// Status of the credential issuer.
 	Status CredentialIssuerStatus `json:"status"`
+
+	Spec CredentialIssuerSpec `json:"spec"`
 }
 
 // List of CredentialIssuer objects.

deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -35,6 +35,38 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec for the credential issuer
+            properties:
+              impersonationProxy:
+                properties:
+                  externalEndpoint:
+                    description: specify the external endpoint name that will route
+                      to the impersonation proxy port
+                    type: string
+                  tls:
+                    description: TLS configuration to communicate with the impersonation
+                      proxy
+                    properties:
+                      certificateAuthorityData:
+                        description: The CA that clients should validate when connecting
+                          to the impersonation proxy endpoint
+                        type: string
+                      secretName:
+                        description: The name of a secret of type "kubernetes.io/tls"
+                          that will be used to serve the endpoint
+                        type: string
+                    required:
+                    - certificateAuthorityData
+                    - secretName
+                    type: object
+                required:
+                - externalEndpoint
+                - tls
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
             description: Status of the credential issuer.
             properties:
@@ -99,6 +131,7 @@ spec:
             - strategies
             type: object
         required:
+        - spec
         - status
         type: object
     served: true

generated/1.17/README.adoc

@@ -231,6 +231,7 @@ Describes the configuration status of a Pinniped credential issuer.
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | 
 |===
 
 
@@ -254,6 +255,23 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+Spec for the credential issuer
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | 
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -293,6 +311,42 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`externalEndpoint`* __string__ | specify the external endpoint name that will route to the impersonation proxy port
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tlsconfig[$$TLSConfig$$]__ | TLS configuration to communicate with the impersonation proxy
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-tlsconfig"]
+==== TLSConfig 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | The CA that clients should validate when connecting to the impersonation proxy endpoint
+| *`secretName`* __string__ | The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+|===
+
+
 
 [id="{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1"]
 === config.supervisor.pinniped.dev/v1alpha1

generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -65,6 +65,25 @@ type CredentialIssuerStrategy struct {
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+type TLSConfig struct {
+    // The CA that clients should validate when connecting to the impersonation proxy endpoint
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+	// The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+	SecretName string `json:"secretName"`
+}
+
+type ImpersonationProxySpec struct {
+	// specify the external endpoint name that will route to the impersonation proxy port
+	ExternalEndpoint string `json:"externalEndpoint"`
+	// TLS configuration to communicate with the impersonation proxy
+	TLS TLSConfig `json:"tls"`
+}
+
+// Spec for the credential issuer
+type CredentialIssuerSpec struct {
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -75,6 +94,8 @@ type CredentialIssuer struct {
 
 	// Status of the credential issuer.
 	Status CredentialIssuerStatus `json:"status"`
+
+	Spec CredentialIssuerSpec `json:"spec"`
 }
 
 // List of CredentialIssuer objects.

generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,6 +1,6 @@
 // +build !ignore_autogenerated
 
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -17,6 +17,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Status.DeepCopyInto(&out.Status)
+	out.Spec = in.Spec
 	return
 }
 
@@ -87,6 +88,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	out.ImpersonationProxy = in.ImpersonationProxy
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -131,3 +149,36 @@ func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	out.TLS = in.TLS
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -35,6 +35,38 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec for the credential issuer
+            properties:
+              impersonationProxy:
+                properties:
+                  externalEndpoint:
+                    description: specify the external endpoint name that will route
+                      to the impersonation proxy port
+                    type: string
+                  tls:
+                    description: TLS configuration to communicate with the impersonation
+                      proxy
+                    properties:
+                      certificateAuthorityData:
+                        description: The CA that clients should validate when connecting
+                          to the impersonation proxy endpoint
+                        type: string
+                      secretName:
+                        description: The name of a secret of type "kubernetes.io/tls"
+                          that will be used to serve the endpoint
+                        type: string
+                    required:
+                    - certificateAuthorityData
+                    - secretName
+                    type: object
+                required:
+                - externalEndpoint
+                - tls
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
             description: Status of the credential issuer.
             properties:
@@ -99,6 +131,7 @@ spec:
             - strategies
             type: object
         required:
+        - spec
         - status
         type: object
     served: true

generated/1.18/README.adoc

@@ -231,6 +231,7 @@ Describes the configuration status of a Pinniped credential issuer.
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | 
 |===
 
 
@@ -254,6 +255,23 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+Spec for the credential issuer
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | 
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -293,6 +311,42 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`externalEndpoint`* __string__ | specify the external endpoint name that will route to the impersonation proxy port
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-tlsconfig[$$TLSConfig$$]__ | TLS configuration to communicate with the impersonation proxy
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-tlsconfig"]
+==== TLSConfig 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | The CA that clients should validate when connecting to the impersonation proxy endpoint
+| *`secretName`* __string__ | The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+|===
+
+
 
 [id="{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1"]
 === config.supervisor.pinniped.dev/v1alpha1

generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -65,6 +65,25 @@ type CredentialIssuerStrategy struct {
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+type TLSConfig struct {
+    // The CA that clients should validate when connecting to the impersonation proxy endpoint
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+	// The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+	SecretName string `json:"secretName"`
+}
+
+type ImpersonationProxySpec struct {
+	// specify the external endpoint name that will route to the impersonation proxy port
+	ExternalEndpoint string `json:"externalEndpoint"`
+	// TLS configuration to communicate with the impersonation proxy
+	TLS TLSConfig `json:"tls"`
+}
+
+// Spec for the credential issuer
+type CredentialIssuerSpec struct {
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -75,6 +94,8 @@ type CredentialIssuer struct {
 
 	// Status of the credential issuer.
 	Status CredentialIssuerStatus `json:"status"`
+
+	Spec CredentialIssuerSpec `json:"spec"`
 }
 
 // List of CredentialIssuer objects.

generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,6 +1,6 @@
 // +build !ignore_autogenerated
 
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -17,6 +17,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Status.DeepCopyInto(&out.Status)
+	out.Spec = in.Spec
 	return
 }
 
@@ -87,6 +88,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	out.ImpersonationProxy = in.ImpersonationProxy
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -131,3 +149,36 @@ func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	out.TLS = in.TLS
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -35,6 +35,38 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec for the credential issuer
+            properties:
+              impersonationProxy:
+                properties:
+                  externalEndpoint:
+                    description: specify the external endpoint name that will route
+                      to the impersonation proxy port
+                    type: string
+                  tls:
+                    description: TLS configuration to communicate with the impersonation
+                      proxy
+                    properties:
+                      certificateAuthorityData:
+                        description: The CA that clients should validate when connecting
+                          to the impersonation proxy endpoint
+                        type: string
+                      secretName:
+                        description: The name of a secret of type "kubernetes.io/tls"
+                          that will be used to serve the endpoint
+                        type: string
+                    required:
+                    - certificateAuthorityData
+                    - secretName
+                    type: object
+                required:
+                - externalEndpoint
+                - tls
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
             description: Status of the credential issuer.
             properties:
@@ -99,6 +131,7 @@ spec:
             - strategies
             type: object
         required:
+        - spec
         - status
         type: object
     served: true

generated/1.19/README.adoc

@@ -231,6 +231,7 @@ Describes the configuration status of a Pinniped credential issuer.
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | 
 |===
 
 
@@ -254,6 +255,23 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+Spec for the credential issuer
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | 
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -293,6 +311,42 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`externalEndpoint`* __string__ | specify the external endpoint name that will route to the impersonation proxy port
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-tlsconfig[$$TLSConfig$$]__ | TLS configuration to communicate with the impersonation proxy
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-tlsconfig"]
+==== TLSConfig 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | The CA that clients should validate when connecting to the impersonation proxy endpoint
+| *`secretName`* __string__ | The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+|===
+
+
 
 [id="{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1"]
 === config.supervisor.pinniped.dev/v1alpha1

generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -65,6 +65,25 @@ type CredentialIssuerStrategy struct {
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+type TLSConfig struct {
+    // The CA that clients should validate when connecting to the impersonation proxy endpoint
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+	// The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+	SecretName string `json:"secretName"`
+}
+
+type ImpersonationProxySpec struct {
+	// specify the external endpoint name that will route to the impersonation proxy port
+	ExternalEndpoint string `json:"externalEndpoint"`
+	// TLS configuration to communicate with the impersonation proxy
+	TLS TLSConfig `json:"tls"`
+}
+
+// Spec for the credential issuer
+type CredentialIssuerSpec struct {
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -75,6 +94,8 @@ type CredentialIssuer struct {
 
 	// Status of the credential issuer.
 	Status CredentialIssuerStatus `json:"status"`
+
+	Spec CredentialIssuerSpec `json:"spec"`
 }
 
 // List of CredentialIssuer objects.

generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,6 +1,6 @@
 // +build !ignore_autogenerated
 
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -17,6 +17,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Status.DeepCopyInto(&out.Status)
+	out.Spec = in.Spec
 	return
 }
 
@@ -87,6 +88,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	out.ImpersonationProxy = in.ImpersonationProxy
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -131,3 +149,36 @@ func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	out.TLS = in.TLS
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -35,6 +35,38 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec for the credential issuer
+            properties:
+              impersonationProxy:
+                properties:
+                  externalEndpoint:
+                    description: specify the external endpoint name that will route
+                      to the impersonation proxy port
+                    type: string
+                  tls:
+                    description: TLS configuration to communicate with the impersonation
+                      proxy
+                    properties:
+                      certificateAuthorityData:
+                        description: The CA that clients should validate when connecting
+                          to the impersonation proxy endpoint
+                        type: string
+                      secretName:
+                        description: The name of a secret of type "kubernetes.io/tls"
+                          that will be used to serve the endpoint
+                        type: string
+                    required:
+                    - certificateAuthorityData
+                    - secretName
+                    type: object
+                required:
+                - externalEndpoint
+                - tls
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
             description: Status of the credential issuer.
             properties:
@@ -99,6 +131,7 @@ spec:
             - strategies
             type: object
         required:
+        - spec
         - status
         type: object
     served: true

generated/1.20/README.adoc

@@ -231,6 +231,7 @@ Describes the configuration status of a Pinniped credential issuer.
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus[$$CredentialIssuerStatus$$]__ | Status of the credential issuer.
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]__ | 
 |===
 
 
@@ -254,6 +255,23 @@ Describes the configuration status of a Pinniped credential issuer.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec"]
+==== CredentialIssuerSpec 
+
+Spec for the credential issuer
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuer[$$CredentialIssuer$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`impersonationProxy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]__ | 
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerstatus"]
 ==== CredentialIssuerStatus 
 
@@ -293,6 +311,42 @@ Status of a credential issuer.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec"]
+==== ImpersonationProxySpec 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-credentialissuerspec[$$CredentialIssuerSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`externalEndpoint`* __string__ | specify the external endpoint name that will route to the impersonation proxy port
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-tlsconfig[$$TLSConfig$$]__ | TLS configuration to communicate with the impersonation proxy
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-tlsconfig"]
+==== TLSConfig 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | The CA that clients should validate when connecting to the impersonation proxy endpoint
+| *`secretName`* __string__ | The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+|===
+
+
 
 [id="{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1"]
 === config.supervisor.pinniped.dev/v1alpha1

generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -65,6 +65,25 @@ type CredentialIssuerStrategy struct {
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+type TLSConfig struct {
+    // The CA that clients should validate when connecting to the impersonation proxy endpoint
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+	// The name of a secret of type "kubernetes.io/tls" that will be used to serve the endpoint
+	SecretName string `json:"secretName"`
+}
+
+type ImpersonationProxySpec struct {
+	// specify the external endpoint name that will route to the impersonation proxy port
+	ExternalEndpoint string `json:"externalEndpoint"`
+	// TLS configuration to communicate with the impersonation proxy
+	TLS TLSConfig `json:"tls"`
+}
+
+// Spec for the credential issuer
+type CredentialIssuerSpec struct {
+	ImpersonationProxy ImpersonationProxySpec `json:"impersonationProxy"`
+}
+
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -75,6 +94,8 @@ type CredentialIssuer struct {
 
 	// Status of the credential issuer.
 	Status CredentialIssuerStatus `json:"status"`
+
+	Spec CredentialIssuerSpec `json:"spec"`
 }
 
 // List of CredentialIssuer objects.

generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go

@@ -1,6 +1,6 @@
 // +build !ignore_autogenerated
 
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
@@ -17,6 +17,7 @@ func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Status.DeepCopyInto(&out.Status)
+	out.Spec = in.Spec
 	return
 }
 
@@ -87,6 +88,23 @@ func (in *CredentialIssuerList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec) {
+	*out = *in
+	out.ImpersonationProxy = in.ImpersonationProxy
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
+func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialIssuerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
 	*out = *in
@@ -131,3 +149,36 @@ func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) {
+	*out = *in
+	out.TLS = in.TLS
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
+func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ImpersonationProxySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}

generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml

@@ -35,6 +35,38 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: Spec for the credential issuer
+            properties:
+              impersonationProxy:
+                properties:
+                  externalEndpoint:
+                    description: specify the external endpoint name that will route
+                      to the impersonation proxy port
+                    type: string
+                  tls:
+                    description: TLS configuration to communicate with the impersonation
+                      proxy
+                    properties:
+                      certificateAuthorityData:
+                        description: The CA that clients should validate when connecting
+                          to the impersonation proxy endpoint
+                        type: string
+                      secretName:
+                        description: The name of a secret of type "kubernetes.io/tls"
+                          that will be used to serve the endpoint
+                        type: string
+                    required:
+                    - certificateAuthorityData
+                    - secretName
+                    type: object
+                required:
+                - externalEndpoint
+                - tls
+                type: object
+            required:
+            - impersonationProxy
+            type: object
           status:
             description: Status of the credential issuer.
             properties:
@@ -99,6 +131,7 @@ spec:
             - strategies
             type: object
         required:
+        - spec
         - status
         type: object
     served: true