OpenIDConnectIdentityProvider CRD: first draft

All fields are required right now for forwards-compatibility.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

apis/idp/v1alpha1/types_openidconnect.go.tmpl

@@ -0,0 +1,98 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Status of an OIDC identity provider.
+type OpenIDConnectIdentityProviderStatus struct {
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OpenIDConnectAuthorizationConfig struct {
+	// RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization
+	// request flow with an OIDC identity provider.
+	// +kubebuilder:validation:Pattern=`^https://`
+	RedirectURI string `json:"redirectURI"`
+
+	// Scopes are the scopes that will be requested as part of the authorization request flow with
+	// an OIDC identity provider.
+	Scopes []string `json:"scopes"`
+}
+
+// OpenIDConnectClaims provides a mapping from upstream claims into identities.
+type OpenIDConnectClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OpenIDConnectClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type OpenIDConnectIdentityProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OpenIDConnectAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OpenIDConnectClaims `json:"claims"`
+
+	// OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OpenIDConnectClient `json:"client"`
+}
+
+// OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=all;idp;idps,shortName=openidconnectidp;openidconnectidps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+type OpenIDConnectIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec OpenIDConnectIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status OpenIDConnectIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of OpenIDConnectIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OpenIDConnectIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OpenIDConnectIdentityProvider `json:"items"`
+}

deploy/idp.pinniped.dev_openidconnectidentityproviders.yaml

@@ -0,0 +1,196 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: openidconnectidentityproviders.idp.pinniped.dev
+spec:
+  group: idp.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: OpenIDConnectIdentityProvider
+    listKind: OpenIDConnectIdentityProviderList
+    plural: openidconnectidentityproviders
+    shortNames:
+    - openidconnectidp
+    - openidconnectidps
+    singular: openidconnectidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenIDConnectIdentityProvider describes the configuration of
+          a Pinniped OIDC identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  redirectURI:
+                    description: RedirectURI is the URI of the redirect endpoint that
+                      will be used in the OAuth2 authorization request flow with an
+                      OIDC identity provider.
+                    pattern: ^https?://
+                    type: string
+                  scopes:
+                    description: Scopes are the scopes that will be requested as part
+                      of the authorization request flow with an OIDC identity provider.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - redirectURI
+                - scopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OpenIDConnectClient contains OIDC client information
+                  to be used used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/README.adoc

@@ -110,6 +110,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
@@ -125,6 +126,118 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectauthorizationconfig"]
+==== OpenIDConnectAuthorizationConfig 
+
+OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`redirectURI`* __string__ | RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.
+| *`scopes`* __string array__ | Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectclaims"]
+==== OpenIDConnectClaims 
+
+OpenIDConnectClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectclient"]
+==== OpenIDConnectClient 
+
+OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityprovider"]
+==== OpenIDConnectIdentityProvider 
+
+OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderlist[$$OpenIDConnectIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderspec"]
+==== OpenIDConnectIdentityProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectauthorizationconfig[$$OpenIDConnectAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectclaims[$$OpenIDConnectClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectclient[$$OpenIDConnectClient$$]__ | OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityproviderstatus"]
+==== OpenIDConnectIdentityProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.17/apis/idp/v1alpha1/types_openidconnect.go

@@ -0,0 +1,98 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Status of an OIDC identity provider.
+type OpenIDConnectIdentityProviderStatus struct {
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OpenIDConnectAuthorizationConfig struct {
+	// RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization
+	// request flow with an OIDC identity provider.
+	// +kubebuilder:validation:Pattern=`^https?://`
+	RedirectURI string `json:"redirectURI"`
+
+	// Scopes are the scopes that will be requested as part of the authorization request flow with
+	// an OIDC identity provider.
+	Scopes []string `json:"scopes"`
+}
+
+// OpenIDConnectClaims provides a mapping from upstream claims into identities.
+type OpenIDConnectClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OpenIDConnectClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type OpenIDConnectIdentityProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OpenIDConnectAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OpenIDConnectClaims `json:"claims"`
+
+	// OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OpenIDConnectClient `json:"client"`
+}
+
+// OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=all;idp;idps,shortName=openidconnectidp;openidconnectidps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+type OpenIDConnectIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec OpenIDConnectIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status OpenIDConnectIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of OpenIDConnectIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OpenIDConnectIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OpenIDConnectIdentityProvider `json:"items"`
+}

generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go

@@ -28,6 +28,162 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopyInto(out *OpenIDConnectAuthorizationConfig) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectAuthorizationConfig.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopy() *OpenIDConnectAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClaims) DeepCopyInto(out *OpenIDConnectClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClaims.
+func (in *OpenIDConnectClaims) DeepCopy() *OpenIDConnectClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClient) DeepCopyInto(out *OpenIDConnectClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClient.
+func (in *OpenIDConnectClient) DeepCopy() *OpenIDConnectClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProvider) DeepCopyInto(out *OpenIDConnectIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProvider.
+func (in *OpenIDConnectIdentityProvider) DeepCopy() *OpenIDConnectIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyInto(out *OpenIDConnectIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OpenIDConnectIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderList.
+func (in *OpenIDConnectIdentityProviderList) DeepCopy() *OpenIDConnectIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopyInto(out *OpenIDConnectIdentityProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderSpec.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopy() *OpenIDConnectIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopyInto(out *OpenIDConnectIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderStatus.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopy() *OpenIDConnectIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -15,6 +15,10 @@ type FakeIDPV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeIDPV1alpha1) OpenIDConnectIdentityProviders(namespace string) v1alpha1.OpenIDConnectIdentityProviderInterface {
+	return &FakeOpenIDConnectIdentityProviders{c, namespace}
+}
+
 func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }

generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_openidconnectidentityprovider.go

@@ -0,0 +1,127 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOpenIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type FakeOpenIDConnectIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var openidconnectidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "openidconnectidentityproviders"}
+
+var openidconnectidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "OpenIDConnectIdentityProvider"}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *FakeOpenIDConnectIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(openidconnectidentityprovidersResource, openidconnectidentityprovidersKind, c.ns, opts), &v1alpha1.OpenIDConnectIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OpenIDConnectIdentityProviderList{ListMeta: obj.(*v1alpha1.OpenIDConnectIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OpenIDConnectIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *FakeOpenIDConnectIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(openidconnectidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Create(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Update(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOpenIDConnectIdentityProviders) UpdateStatus(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(openidconnectidentityprovidersResource, "status", c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeOpenIDConnectIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOpenIDConnectIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(openidconnectidentityprovidersResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OpenIDConnectIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *FakeOpenIDConnectIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(openidconnectidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}

generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -5,4 +5,6 @@
 
 package v1alpha1
 
+type OpenIDConnectIdentityProviderExpansion interface{}
+
 type WebhookIdentityProviderExpansion interface{}

generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -13,6 +13,7 @@ import (
 
 type IDPV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	OpenIDConnectIdentityProvidersGetter
 	WebhookIdentityProvidersGetter
 }
 
@@ -21,6 +22,10 @@ type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *IDPV1alpha1Client) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface {
+	return newOpenIDConnectIdentityProviders(c, namespace)
+}
+
 func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }

generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,178 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OpenIDConnectIdentityProvidersGetter has a method to return a OpenIDConnectIdentityProviderInterface.
+// A group's client should implement this interface.
+type OpenIDConnectIdentityProvidersGetter interface {
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface
+}
+
+// OpenIDConnectIdentityProviderInterface has methods to work with OpenIDConnectIdentityProvider resources.
+type OpenIDConnectIdentityProviderInterface interface {
+	Create(*v1alpha1.OpenIDConnectIdentityProvider) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Update(*v1alpha1.OpenIDConnectIdentityProvider) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	UpdateStatus(*v1alpha1.OpenIDConnectIdentityProvider) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	List(opts v1.ListOptions) (*v1alpha1.OpenIDConnectIdentityProviderList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error)
+	OpenIDConnectIdentityProviderExpansion
+}
+
+// openIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type openIDConnectIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviders
+func newOpenIDConnectIdentityProviders(c *IDPV1alpha1Client, namespace string) *openIDConnectIdentityProviders {
+	return &openIDConnectIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *openIDConnectIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *openIDConnectIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OpenIDConnectIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *openIDConnectIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch()
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Create(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Body(openIDConnectIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Update(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		Body(openIDConnectIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *openIDConnectIdentityProviders) UpdateStatus(openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		SubResource("status").
+		Body(openIDConnectIdentityProvider).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *openIDConnectIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *openIDConnectIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	var timeout time.Duration
+	if listOptions.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *openIDConnectIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

generated/1.17/client/informers/externalversions/generic.go

@@ -46,6 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("openidconnectidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OpenIDConnectIdentityProviders().Informer()}, nil
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 

generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go

@@ -11,6 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+	OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer
 	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 	WebhookIdentityProviders() WebhookIdentityProviderInformer
 }
@@ -26,6 +28,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+func (v *version) OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer {
+	return &openIDConnectIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
 	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

generated/1.17/client/informers/externalversions/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,76 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderInformer provides access to a shared informer and lister for
+// OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OpenIDConnectIdentityProviderLister
+}
+
+type openIDConnectIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).Watch(options)
+			},
+		},
+		&idpv1alpha1.OpenIDConnectIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *openIDConnectIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.OpenIDConnectIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Lister() v1alpha1.OpenIDConnectIdentityProviderLister {
+	return v1alpha1.NewOpenIDConnectIdentityProviderLister(f.Informer().GetIndexer())
+}

generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go

@@ -5,6 +5,14 @@
 
 package v1alpha1
 
+// OpenIDConnectIdentityProviderListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderLister.
+type OpenIDConnectIdentityProviderListerExpansion interface{}
+
+// OpenIDConnectIdentityProviderNamespaceListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderNamespaceLister.
+type OpenIDConnectIdentityProviderNamespaceListerExpansion interface{}
+
 // WebhookIdentityProviderListerExpansion allows custom methods to be added to
 // WebhookIdentityProviderLister.
 type WebhookIdentityProviderListerExpansion interface{}

generated/1.17/client/listers/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderLister helps list OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister
+	OpenIDConnectIdentityProviderListerExpansion
+}
+
+// openIDConnectIdentityProviderLister implements the OpenIDConnectIdentityProviderLister interface.
+type openIDConnectIdentityProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewOpenIDConnectIdentityProviderLister returns a new OpenIDConnectIdentityProviderLister.
+func NewOpenIDConnectIdentityProviderLister(indexer cache.Indexer) OpenIDConnectIdentityProviderLister {
+	return &openIDConnectIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer.
+func (s *openIDConnectIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+func (s *openIDConnectIdentityProviderLister) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister {
+	return openIDConnectIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OpenIDConnectIdentityProviderNamespaceLister helps list and get OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderNamespaceLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	OpenIDConnectIdentityProviderNamespaceListerExpansion
+}
+
+// openIDConnectIdentityProviderNamespaceLister implements the OpenIDConnectIdentityProviderNamespaceLister
+// interface.
+type openIDConnectIdentityProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+func (s openIDConnectIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+func (s openIDConnectIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("openidconnectidentityprovider"), name)
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), nil
+}

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -23,6 +23,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition":                               schema_117_apis_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig":        schema_117_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClaims":                     schema_117_apis_idp_v1alpha1_OpenIDConnectClaims(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClient":                     schema_117_apis_idp_v1alpha1_OpenIDConnectClient(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProvider":           schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderList":       schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec":       schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus":     schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.TLSSpec":                                 schema_117_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
 		"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList":             schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
@@ -343,6 +350,263 @@ func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common
 	}
 }
 
+func schema_117_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"redirectURI": {
+						SchemaProps: spec.SchemaProps{
+							Description: "RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"scopes": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Type:   []string{"string"},
+										Format: "",
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"redirectURI", "scopes"},
+			},
+		},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectClaims(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClaims provides a mapping from upstream claims into identities.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"groups": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"username": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Username provides the name of the token claim that will be used to ascertain an identity's username.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"groups", "username"},
+			},
+		},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectClient(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type \"secrets.pinniped.dev/oidc\" with keys \"clientID\" and \"clientSecret\".",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"secretName"},
+			},
+		},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of OpenIDConnectIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"authorizationConfig": {
+						SchemaProps: spec.SchemaProps{
+							Description: "AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig"),
+						},
+					},
+					"claims": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClaims"),
+						},
+					},
+					"client": {
+						SchemaProps: spec.SchemaProps{
+							Description: "OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClient"),
+						},
+					},
+				},
+				Required: []string{"issuer", "authorizationConfig", "claims", "client"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig", "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClaims", "go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.OpenIDConnectClient"},
+	}
+}
+
+func schema_117_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.17/apis/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_117_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.17/crds/idp.pinniped.dev_openidconnectidentityproviders.yaml

@@ -0,0 +1,196 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: openidconnectidentityproviders.idp.pinniped.dev
+spec:
+  group: idp.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: OpenIDConnectIdentityProvider
+    listKind: OpenIDConnectIdentityProviderList
+    plural: openidconnectidentityproviders
+    shortNames:
+    - openidconnectidp
+    - openidconnectidps
+    singular: openidconnectidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenIDConnectIdentityProvider describes the configuration of
+          a Pinniped OIDC identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  redirectURI:
+                    description: RedirectURI is the URI of the redirect endpoint that
+                      will be used in the OAuth2 authorization request flow with an
+                      OIDC identity provider.
+                    pattern: ^https?://
+                    type: string
+                  scopes:
+                    description: Scopes are the scopes that will be requested as part
+                      of the authorization request flow with an OIDC identity provider.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - redirectURI
+                - scopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OpenIDConnectClient contains OIDC client information
+                  to be used used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.18/README.adoc

@@ -110,6 +110,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
@@ -125,6 +126,118 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectauthorizationconfig"]
+==== OpenIDConnectAuthorizationConfig 
+
+OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`redirectURI`* __string__ | RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.
+| *`scopes`* __string array__ | Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectclaims"]
+==== OpenIDConnectClaims 
+
+OpenIDConnectClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectclient"]
+==== OpenIDConnectClient 
+
+OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityprovider"]
+==== OpenIDConnectIdentityProvider 
+
+OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderlist[$$OpenIDConnectIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderspec"]
+==== OpenIDConnectIdentityProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectauthorizationconfig[$$OpenIDConnectAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectclaims[$$OpenIDConnectClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectclient[$$OpenIDConnectClient$$]__ | OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityproviderstatus"]
+==== OpenIDConnectIdentityProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.18/apis/idp/v1alpha1/types_openidconnect.go

@@ -0,0 +1,98 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Status of an OIDC identity provider.
+type OpenIDConnectIdentityProviderStatus struct {
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OpenIDConnectAuthorizationConfig struct {
+	// RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization
+	// request flow with an OIDC identity provider.
+	// +kubebuilder:validation:Pattern=`^https?://`
+	RedirectURI string `json:"redirectURI"`
+
+	// Scopes are the scopes that will be requested as part of the authorization request flow with
+	// an OIDC identity provider.
+	Scopes []string `json:"scopes"`
+}
+
+// OpenIDConnectClaims provides a mapping from upstream claims into identities.
+type OpenIDConnectClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OpenIDConnectClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type OpenIDConnectIdentityProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OpenIDConnectAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OpenIDConnectClaims `json:"claims"`
+
+	// OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OpenIDConnectClient `json:"client"`
+}
+
+// OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=all;idp;idps,shortName=openidconnectidp;openidconnectidps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+type OpenIDConnectIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec OpenIDConnectIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status OpenIDConnectIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of OpenIDConnectIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OpenIDConnectIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OpenIDConnectIdentityProvider `json:"items"`
+}

generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go

@@ -28,6 +28,162 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopyInto(out *OpenIDConnectAuthorizationConfig) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectAuthorizationConfig.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopy() *OpenIDConnectAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClaims) DeepCopyInto(out *OpenIDConnectClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClaims.
+func (in *OpenIDConnectClaims) DeepCopy() *OpenIDConnectClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClient) DeepCopyInto(out *OpenIDConnectClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClient.
+func (in *OpenIDConnectClient) DeepCopy() *OpenIDConnectClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProvider) DeepCopyInto(out *OpenIDConnectIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProvider.
+func (in *OpenIDConnectIdentityProvider) DeepCopy() *OpenIDConnectIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyInto(out *OpenIDConnectIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OpenIDConnectIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderList.
+func (in *OpenIDConnectIdentityProviderList) DeepCopy() *OpenIDConnectIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopyInto(out *OpenIDConnectIdentityProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderSpec.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopy() *OpenIDConnectIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopyInto(out *OpenIDConnectIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderStatus.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopy() *OpenIDConnectIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -15,6 +15,10 @@ type FakeIDPV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeIDPV1alpha1) OpenIDConnectIdentityProviders(namespace string) v1alpha1.OpenIDConnectIdentityProviderInterface {
+	return &FakeOpenIDConnectIdentityProviders{c, namespace}
+}
+
 func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }

generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_openidconnectidentityprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOpenIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type FakeOpenIDConnectIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var openidconnectidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "openidconnectidentityproviders"}
+
+var openidconnectidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "OpenIDConnectIdentityProvider"}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *FakeOpenIDConnectIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(openidconnectidentityprovidersResource, openidconnectidentityprovidersKind, c.ns, opts), &v1alpha1.OpenIDConnectIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OpenIDConnectIdentityProviderList{ListMeta: obj.(*v1alpha1.OpenIDConnectIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OpenIDConnectIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *FakeOpenIDConnectIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(openidconnectidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOpenIDConnectIdentityProviders) UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(openidconnectidentityprovidersResource, "status", c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeOpenIDConnectIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOpenIDConnectIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(openidconnectidentityprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OpenIDConnectIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *FakeOpenIDConnectIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(openidconnectidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}

generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -5,4 +5,6 @@
 
 package v1alpha1
 
+type OpenIDConnectIdentityProviderExpansion interface{}
+
 type WebhookIdentityProviderExpansion interface{}

generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -13,6 +13,7 @@ import (
 
 type IDPV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	OpenIDConnectIdentityProvidersGetter
 	WebhookIdentityProvidersGetter
 }
 
@@ -21,6 +22,10 @@ type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *IDPV1alpha1Client) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface {
+	return newOpenIDConnectIdentityProviders(c, namespace)
+}
+
 func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }

generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OpenIDConnectIdentityProvidersGetter has a method to return a OpenIDConnectIdentityProviderInterface.
+// A group's client should implement this interface.
+type OpenIDConnectIdentityProvidersGetter interface {
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface
+}
+
+// OpenIDConnectIdentityProviderInterface has methods to work with OpenIDConnectIdentityProvider resources.
+type OpenIDConnectIdentityProviderInterface interface {
+	Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OpenIDConnectIdentityProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error)
+	OpenIDConnectIdentityProviderExpansion
+}
+
+// openIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type openIDConnectIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviders
+func newOpenIDConnectIdentityProviders(c *IDPV1alpha1Client, namespace string) *openIDConnectIdentityProviders {
+	return &openIDConnectIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *openIDConnectIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *openIDConnectIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OpenIDConnectIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *openIDConnectIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *openIDConnectIdentityProviders) UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *openIDConnectIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *openIDConnectIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *openIDConnectIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.18/client/informers/externalversions/generic.go

@@ -46,6 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("openidconnectidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OpenIDConnectIdentityProviders().Informer()}, nil
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 

generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go

@@ -11,6 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+	OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer
 	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 	WebhookIdentityProviders() WebhookIdentityProviderInformer
 }
@@ -26,6 +28,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+func (v *version) OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer {
+	return &openIDConnectIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
 	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

generated/1.18/client/informers/externalversions/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderInformer provides access to a shared informer and lister for
+// OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OpenIDConnectIdentityProviderLister
+}
+
+type openIDConnectIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&idpv1alpha1.OpenIDConnectIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *openIDConnectIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.OpenIDConnectIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Lister() v1alpha1.OpenIDConnectIdentityProviderLister {
+	return v1alpha1.NewOpenIDConnectIdentityProviderLister(f.Informer().GetIndexer())
+}

generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go

@@ -5,6 +5,14 @@
 
 package v1alpha1
 
+// OpenIDConnectIdentityProviderListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderLister.
+type OpenIDConnectIdentityProviderListerExpansion interface{}
+
+// OpenIDConnectIdentityProviderNamespaceListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderNamespaceLister.
+type OpenIDConnectIdentityProviderNamespaceListerExpansion interface{}
+
 // WebhookIdentityProviderListerExpansion allows custom methods to be added to
 // WebhookIdentityProviderLister.
 type WebhookIdentityProviderListerExpansion interface{}

generated/1.18/client/listers/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,81 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderLister helps list OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister
+	OpenIDConnectIdentityProviderListerExpansion
+}
+
+// openIDConnectIdentityProviderLister implements the OpenIDConnectIdentityProviderLister interface.
+type openIDConnectIdentityProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewOpenIDConnectIdentityProviderLister returns a new OpenIDConnectIdentityProviderLister.
+func NewOpenIDConnectIdentityProviderLister(indexer cache.Indexer) OpenIDConnectIdentityProviderLister {
+	return &openIDConnectIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer.
+func (s *openIDConnectIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+func (s *openIDConnectIdentityProviderLister) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister {
+	return openIDConnectIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OpenIDConnectIdentityProviderNamespaceLister helps list and get OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderNamespaceLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	OpenIDConnectIdentityProviderNamespaceListerExpansion
+}
+
+// openIDConnectIdentityProviderNamespaceLister implements the OpenIDConnectIdentityProviderNamespaceLister
+// interface.
+type openIDConnectIdentityProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+func (s openIDConnectIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+func (s openIDConnectIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("openidconnectidentityprovider"), name)
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), nil
+}

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -23,6 +23,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition":                               schema_118_apis_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig":        schema_118_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClaims":                     schema_118_apis_idp_v1alpha1_OpenIDConnectClaims(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClient":                     schema_118_apis_idp_v1alpha1_OpenIDConnectClient(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProvider":           schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderList":       schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec":       schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus":     schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.TLSSpec":                                 schema_118_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
 		"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList":             schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
@@ -343,6 +350,263 @@ func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common
 	}
 }
 
+func schema_118_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"redirectURI": {
+						SchemaProps: spec.SchemaProps{
+							Description: "RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"scopes": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Type:   []string{"string"},
+										Format: "",
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"redirectURI", "scopes"},
+			},
+		},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectClaims(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClaims provides a mapping from upstream claims into identities.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"groups": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"username": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Username provides the name of the token claim that will be used to ascertain an identity's username.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"groups", "username"},
+			},
+		},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectClient(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type \"secrets.pinniped.dev/oidc\" with keys \"clientID\" and \"clientSecret\".",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"secretName"},
+			},
+		},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of OpenIDConnectIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"authorizationConfig": {
+						SchemaProps: spec.SchemaProps{
+							Description: "AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig"),
+						},
+					},
+					"claims": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClaims"),
+						},
+					},
+					"client": {
+						SchemaProps: spec.SchemaProps{
+							Description: "OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClient"),
+						},
+					},
+				},
+				Required: []string{"issuer", "authorizationConfig", "claims", "client"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig", "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClaims", "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.OpenIDConnectClient"},
+	}
+}
+
+func schema_118_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.18/apis/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_118_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.18/crds/idp.pinniped.dev_openidconnectidentityproviders.yaml

@@ -0,0 +1,196 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: openidconnectidentityproviders.idp.pinniped.dev
+spec:
+  group: idp.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: OpenIDConnectIdentityProvider
+    listKind: OpenIDConnectIdentityProviderList
+    plural: openidconnectidentityproviders
+    shortNames:
+    - openidconnectidp
+    - openidconnectidps
+    singular: openidconnectidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenIDConnectIdentityProvider describes the configuration of
+          a Pinniped OIDC identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  redirectURI:
+                    description: RedirectURI is the URI of the redirect endpoint that
+                      will be used in the OAuth2 authorization request flow with an
+                      OIDC identity provider.
+                    pattern: ^https?://
+                    type: string
+                  scopes:
+                    description: Scopes are the scopes that will be requested as part
+                      of the authorization request flow with an OIDC identity provider.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - redirectURI
+                - scopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OpenIDConnectClient contains OIDC client information
+                  to be used used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.19/README.adoc

@@ -110,6 +110,7 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 
 .Appears In:
 ****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]
 - xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
 ****
 
@@ -125,6 +126,118 @@ Condition status of a resource (mirrored from the metav1.Condition type added in
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectauthorizationconfig"]
+==== OpenIDConnectAuthorizationConfig 
+
+OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`redirectURI`* __string__ | RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.
+| *`scopes`* __string array__ | Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectclaims"]
+==== OpenIDConnectClaims 
+
+OpenIDConnectClaims provides a mapping from upstream claims into identities.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectclient"]
+==== OpenIDConnectClient 
+
+OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret".
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityprovider"]
+==== OpenIDConnectIdentityProvider 
+
+OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderlist[$$OpenIDConnectIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderspec[$$OpenIDConnectIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderstatus[$$OpenIDConnectIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderspec"]
+==== OpenIDConnectIdentityProviderSpec 
+
+Spec for configuring an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
+| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectauthorizationconfig[$$OpenIDConnectAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
+| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectclaims[$$OpenIDConnectClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
+| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectclient[$$OpenIDConnectClient$$]__ | OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityproviderstatus"]
+==== OpenIDConnectIdentityProviderStatus 
+
+Status of an OIDC identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-openidconnectidentityprovider[$$OpenIDConnectIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.19/apis/idp/v1alpha1/types_openidconnect.go

@@ -0,0 +1,98 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Status of an OIDC identity provider.
+type OpenIDConnectIdentityProviderStatus struct {
+	// Represents the observations of an identity provider's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization
+// request parameters.
+type OpenIDConnectAuthorizationConfig struct {
+	// RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization
+	// request flow with an OIDC identity provider.
+	// +kubebuilder:validation:Pattern=`^https?://`
+	RedirectURI string `json:"redirectURI"`
+
+	// Scopes are the scopes that will be requested as part of the authorization request flow with
+	// an OIDC identity provider.
+	Scopes []string `json:"scopes"`
+}
+
+// OpenIDConnectClaims provides a mapping from upstream claims into identities.
+type OpenIDConnectClaims struct {
+	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// an identity belongs.
+	Groups string `json:"groups"`
+
+	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// username.
+	Username string `json:"username"`
+}
+
+// OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client
+// secret).
+type OpenIDConnectClient struct {
+	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
+	// clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys
+	// "clientID" and "clientSecret".
+	SecretName string `json:"secretName"`
+}
+
+// Spec for configuring an OIDC identity provider.
+type OpenIDConnectIdentityProviderSpec struct {
+	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
+	// /.well-known/openid-configuration.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Issuer string `json:"issuer"`
+
+	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
+	// parameters to be used with this OIDC identity provider.
+	AuthorizationConfig OpenIDConnectAuthorizationConfig `json:"authorizationConfig"`
+
+	// Claims provides the names of token claims that will be used when inspecting an identity from
+	// this OIDC identity provider.
+	Claims OpenIDConnectClaims `json:"claims"`
+
+	// OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity
+	// provider.
+	Client OpenIDConnectClient `json:"client"`
+}
+
+// OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=all;idp;idps,shortName=openidconnectidp;openidconnectidps
+// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+type OpenIDConnectIdentityProvider struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec for configuring the identity provider.
+	Spec OpenIDConnectIdentityProviderSpec `json:"spec"`
+
+	// Status of the identity provider.
+	Status OpenIDConnectIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// List of OpenIDConnectIdentityProvider objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OpenIDConnectIdentityProviderList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OpenIDConnectIdentityProvider `json:"items"`
+}

generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go

@@ -28,6 +28,162 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopyInto(out *OpenIDConnectAuthorizationConfig) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectAuthorizationConfig.
+func (in *OpenIDConnectAuthorizationConfig) DeepCopy() *OpenIDConnectAuthorizationConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectAuthorizationConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClaims) DeepCopyInto(out *OpenIDConnectClaims) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClaims.
+func (in *OpenIDConnectClaims) DeepCopy() *OpenIDConnectClaims {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClaims)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectClient) DeepCopyInto(out *OpenIDConnectClient) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectClient.
+func (in *OpenIDConnectClient) DeepCopy() *OpenIDConnectClient {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectClient)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProvider) DeepCopyInto(out *OpenIDConnectIdentityProvider) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProvider.
+func (in *OpenIDConnectIdentityProvider) DeepCopy() *OpenIDConnectIdentityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProvider) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyInto(out *OpenIDConnectIdentityProviderList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OpenIDConnectIdentityProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderList.
+func (in *OpenIDConnectIdentityProviderList) DeepCopy() *OpenIDConnectIdentityProviderList {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OpenIDConnectIdentityProviderList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopyInto(out *OpenIDConnectIdentityProviderSpec) {
+	*out = *in
+	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
+	out.Claims = in.Claims
+	out.Client = in.Client
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderSpec.
+func (in *OpenIDConnectIdentityProviderSpec) DeepCopy() *OpenIDConnectIdentityProviderSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopyInto(out *OpenIDConnectIdentityProviderStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectIdentityProviderStatus.
+func (in *OpenIDConnectIdentityProviderStatus) DeepCopy() *OpenIDConnectIdentityProviderStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OpenIDConnectIdentityProviderStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go

@@ -15,6 +15,10 @@ type FakeIDPV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeIDPV1alpha1) OpenIDConnectIdentityProviders(namespace string) v1alpha1.OpenIDConnectIdentityProviderInterface {
+	return &FakeOpenIDConnectIdentityProviders{c, namespace}
+}
+
 func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }

generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_openidconnectidentityprovider.go

@@ -0,0 +1,129 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeOpenIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type FakeOpenIDConnectIdentityProviders struct {
+	Fake *FakeIDPV1alpha1
+	ns   string
+}
+
+var openidconnectidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "openidconnectidentityproviders"}
+
+var openidconnectidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "OpenIDConnectIdentityProvider"}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *FakeOpenIDConnectIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(openidconnectidentityprovidersResource, openidconnectidentityprovidersKind, c.ns, opts), &v1alpha1.OpenIDConnectIdentityProviderList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.OpenIDConnectIdentityProviderList{ListMeta: obj.(*v1alpha1.OpenIDConnectIdentityProviderList).ListMeta}
+	for _, item := range obj.(*v1alpha1.OpenIDConnectIdentityProviderList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *FakeOpenIDConnectIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(openidconnectidentityprovidersResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *FakeOpenIDConnectIdentityProviders) Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(openidconnectidentityprovidersResource, c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeOpenIDConnectIdentityProviders) UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(openidconnectidentityprovidersResource, "status", c.ns, openIDConnectIdentityProvider), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *FakeOpenIDConnectIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(openidconnectidentityprovidersResource, c.ns, name), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeOpenIDConnectIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(openidconnectidentityprovidersResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.OpenIDConnectIdentityProviderList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *FakeOpenIDConnectIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(openidconnectidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.OpenIDConnectIdentityProvider{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), err
+}

generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go

@@ -5,4 +5,6 @@
 
 package v1alpha1
 
+type OpenIDConnectIdentityProviderExpansion interface{}
+
 type WebhookIdentityProviderExpansion interface{}

generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go

@@ -13,6 +13,7 @@ import (
 
 type IDPV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	OpenIDConnectIdentityProvidersGetter
 	WebhookIdentityProvidersGetter
 }
 
@@ -21,6 +22,10 @@ type IDPV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *IDPV1alpha1Client) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface {
+	return newOpenIDConnectIdentityProviders(c, namespace)
+}
+
 func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }

generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,182 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// OpenIDConnectIdentityProvidersGetter has a method to return a OpenIDConnectIdentityProviderInterface.
+// A group's client should implement this interface.
+type OpenIDConnectIdentityProvidersGetter interface {
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderInterface
+}
+
+// OpenIDConnectIdentityProviderInterface has methods to work with OpenIDConnectIdentityProvider resources.
+type OpenIDConnectIdentityProviderInterface interface {
+	Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.OpenIDConnectIdentityProviderList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error)
+	OpenIDConnectIdentityProviderExpansion
+}
+
+// openIDConnectIdentityProviders implements OpenIDConnectIdentityProviderInterface
+type openIDConnectIdentityProviders struct {
+	client rest.Interface
+	ns     string
+}
+
+// newOpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviders
+func newOpenIDConnectIdentityProviders(c *IDPV1alpha1Client, namespace string) *openIDConnectIdentityProviders {
+	return &openIDConnectIdentityProviders{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the openIDConnectIdentityProvider, and returns the corresponding openIDConnectIdentityProvider object, and an error if there is any.
+func (c *openIDConnectIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of OpenIDConnectIdentityProviders that match those selectors.
+func (c *openIDConnectIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.OpenIDConnectIdentityProviderList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.OpenIDConnectIdentityProviderList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested openIDConnectIdentityProviders.
+func (c *openIDConnectIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a openIDConnectIdentityProvider and creates it.  Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Create(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a openIDConnectIdentityProvider and updates it. Returns the server's representation of the openIDConnectIdentityProvider, and an error, if there is any.
+func (c *openIDConnectIdentityProviders) Update(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *openIDConnectIdentityProviders) UpdateStatus(ctx context.Context, openIDConnectIdentityProvider *v1alpha1.OpenIDConnectIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(openIDConnectIdentityProvider.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(openIDConnectIdentityProvider).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the openIDConnectIdentityProvider and deletes it. Returns an error if one occurs.
+func (c *openIDConnectIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *openIDConnectIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched openIDConnectIdentityProvider.
+func (c *openIDConnectIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	result = &v1alpha1.OpenIDConnectIdentityProvider{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("openidconnectidentityproviders").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

generated/1.19/client/informers/externalversions/generic.go

@@ -46,6 +46,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
 
 		// Group=idp.pinniped.dev, Version=v1alpha1
+	case idpv1alpha1.SchemeGroupVersion.WithResource("openidconnectidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().OpenIDConnectIdentityProviders().Informer()}, nil
 	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 

generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go

@@ -11,6 +11,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+	OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer
 	// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 	WebhookIdentityProviders() WebhookIdentityProviderInformer
 }
@@ -26,6 +28,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// OpenIDConnectIdentityProviders returns a OpenIDConnectIdentityProviderInformer.
+func (v *version) OpenIDConnectIdentityProviders() OpenIDConnectIdentityProviderInformer {
+	return &openIDConnectIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
 func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
 	return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

generated/1.19/client/informers/externalversions/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,77 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/idp/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderInformer provides access to a shared informer and lister for
+// OpenIDConnectIdentityProviders.
+type OpenIDConnectIdentityProviderInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.OpenIDConnectIdentityProviderLister
+}
+
+type openIDConnectIdentityProviderInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredOpenIDConnectIdentityProviderInformer constructs a new informer for OpenIDConnectIdentityProvider type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredOpenIDConnectIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.IDPV1alpha1().OpenIDConnectIdentityProviders(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&idpv1alpha1.OpenIDConnectIdentityProvider{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *openIDConnectIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredOpenIDConnectIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&idpv1alpha1.OpenIDConnectIdentityProvider{}, f.defaultInformer)
+}
+
+func (f *openIDConnectIdentityProviderInformer) Lister() v1alpha1.OpenIDConnectIdentityProviderLister {
+	return v1alpha1.NewOpenIDConnectIdentityProviderLister(f.Informer().GetIndexer())
+}

generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go

@@ -5,6 +5,14 @@
 
 package v1alpha1
 
+// OpenIDConnectIdentityProviderListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderLister.
+type OpenIDConnectIdentityProviderListerExpansion interface{}
+
+// OpenIDConnectIdentityProviderNamespaceListerExpansion allows custom methods to be added to
+// OpenIDConnectIdentityProviderNamespaceLister.
+type OpenIDConnectIdentityProviderNamespaceListerExpansion interface{}
+
 // WebhookIdentityProviderListerExpansion allows custom methods to be added to
 // WebhookIdentityProviderLister.
 type WebhookIdentityProviderListerExpansion interface{}

generated/1.19/client/listers/idp/v1alpha1/openidconnectidentityprovider.go

@@ -0,0 +1,86 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// OpenIDConnectIdentityProviderLister helps list OpenIDConnectIdentityProviders.
+// All objects returned here must be treated as read-only.
+type OpenIDConnectIdentityProviderLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+	OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister
+	OpenIDConnectIdentityProviderListerExpansion
+}
+
+// openIDConnectIdentityProviderLister implements the OpenIDConnectIdentityProviderLister interface.
+type openIDConnectIdentityProviderLister struct {
+	indexer cache.Indexer
+}
+
+// NewOpenIDConnectIdentityProviderLister returns a new OpenIDConnectIdentityProviderLister.
+func NewOpenIDConnectIdentityProviderLister(indexer cache.Indexer) OpenIDConnectIdentityProviderLister {
+	return &openIDConnectIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer.
+func (s *openIDConnectIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// OpenIDConnectIdentityProviders returns an object that can list and get OpenIDConnectIdentityProviders.
+func (s *openIDConnectIdentityProviderLister) OpenIDConnectIdentityProviders(namespace string) OpenIDConnectIdentityProviderNamespaceLister {
+	return openIDConnectIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// OpenIDConnectIdentityProviderNamespaceLister helps list and get OpenIDConnectIdentityProviders.
+// All objects returned here must be treated as read-only.
+type OpenIDConnectIdentityProviderNamespaceLister interface {
+	// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error)
+	// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error)
+	OpenIDConnectIdentityProviderNamespaceListerExpansion
+}
+
+// openIDConnectIdentityProviderNamespaceLister implements the OpenIDConnectIdentityProviderNamespaceLister
+// interface.
+type openIDConnectIdentityProviderNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all OpenIDConnectIdentityProviders in the indexer for a given namespace.
+func (s openIDConnectIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.OpenIDConnectIdentityProvider, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.OpenIDConnectIdentityProvider))
+	})
+	return ret, err
+}
+
+// Get retrieves the OpenIDConnectIdentityProvider from the indexer for a given namespace and name.
+func (s openIDConnectIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.OpenIDConnectIdentityProvider, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("openidconnectidentityprovider"), name)
+	}
+	return obj.(*v1alpha1.OpenIDConnectIdentityProvider), nil
+}

generated/1.19/client/openapi/zz_generated.openapi.go

@@ -23,6 +23,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":         schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":       schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition":                               schema_119_apis_idp_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig":        schema_119_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClaims":                     schema_119_apis_idp_v1alpha1_OpenIDConnectClaims(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClient":                     schema_119_apis_idp_v1alpha1_OpenIDConnectClient(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProvider":           schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderList":       schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec":       schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus":     schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.TLSSpec":                                 schema_119_apis_idp_v1alpha1_TLSSpec(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider":                 schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
 		"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderList":             schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
@@ -344,6 +351,263 @@ func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common
 	}
 }
 
+func schema_119_apis_idp_v1alpha1_OpenIDConnectAuthorizationConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"redirectURI": {
+						SchemaProps: spec.SchemaProps{
+							Description: "RedirectURI is the URI of the redirect endpoint that will be used in the OAuth2 authorization request flow with an OIDC identity provider.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"scopes": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Scopes are the scopes that will be requested as part of the authorization request flow with an OIDC identity provider.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Type:   []string{"string"},
+										Format: "",
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"redirectURI", "scopes"},
+			},
+		},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectClaims(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClaims provides a mapping from upstream claims into identities.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"groups": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"username": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Username provides the name of the token claim that will be used to ascertain an identity's username.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"groups", "username"},
+			},
+		},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectClient(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectClient contains information about an OIDC client (e.g., client ID and client secret).",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"secretName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OpenIDConnectClient struct, then it is expected that the Secret is of type \"secrets.pinniped.dev/oidc\" with keys \"clientID\" and \"clientSecret\".",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"secretName"},
+			},
+		},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "OpenIDConnectIdentityProvider describes the configuration of a Pinniped OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec for configuring the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status of the identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "List of OpenIDConnectIdentityProvider objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProvider"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Spec for configuring an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"issuer": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"authorizationConfig": {
+						SchemaProps: spec.SchemaProps{
+							Description: "AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig"),
+						},
+					},
+					"claims": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClaims"),
+						},
+					},
+					"client": {
+						SchemaProps: spec.SchemaProps{
+							Description: "OpenIDConnectClient contains OIDC client information to be used used with this OIDC identity provider.",
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClient"),
+						},
+					},
+				},
+				Required: []string{"issuer", "authorizationConfig", "claims", "client"},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectAuthorizationConfig", "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClaims", "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.OpenIDConnectClient"},
+	}
+}
+
+func schema_119_apis_idp_v1alpha1_OpenIDConnectIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Status of an OIDC identity provider.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Represents the observations of an identity provider's current state.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"go.pinniped.dev/generated/1.19/apis/idp/v1alpha1.Condition"},
+	}
+}
+
 func schema_119_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{

generated/1.19/crds/idp.pinniped.dev_openidconnectidentityproviders.yaml

@@ -0,0 +1,196 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: openidconnectidentityproviders.idp.pinniped.dev
+spec:
+  group: idp.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: OpenIDConnectIdentityProvider
+    listKind: OpenIDConnectIdentityProviderList
+    plural: openidconnectidentityproviders
+    shortNames:
+    - openidconnectidp
+    - openidconnectidps
+    singular: openidconnectidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.issuer
+      name: Issuer
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenIDConnectIdentityProvider describes the configuration of
+          a Pinniped OIDC identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              authorizationConfig:
+                description: AuthorizationConfig holds information about how to form
+                  the OAuth2 authorization request parameters to be used with this
+                  OIDC identity provider.
+                properties:
+                  redirectURI:
+                    description: RedirectURI is the URI of the redirect endpoint that
+                      will be used in the OAuth2 authorization request flow with an
+                      OIDC identity provider.
+                    pattern: ^https?://
+                    type: string
+                  scopes:
+                    description: Scopes are the scopes that will be requested as part
+                      of the authorization request flow with an OIDC identity provider.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - redirectURI
+                - scopes
+                type: object
+              claims:
+                description: Claims provides the names of token claims that will be
+                  used when inspecting an identity from this OIDC identity provider.
+                properties:
+                  groups:
+                    description: Groups provides the name of the token claim that
+                      will be used to ascertain the groups to which an identity belongs.
+                    type: string
+                  username:
+                    description: Username provides the name of the token claim that
+                      will be used to ascertain an identity's username.
+                    type: string
+                required:
+                - groups
+                - username
+                type: object
+              client:
+                description: OpenIDConnectClient contains OIDC client information
+                  to be used used with this OIDC identity provider.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the clientID and clientSecret for
+                      an OIDC client. If only the SecretName is specified in an OpenIDConnectClient
+                      struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc"
+                      with keys "clientID" and "clientSecret".
+                    type: string
+                required:
+                - secretName
+                type: object
+              issuer:
+                description: Issuer is the issuer URL of this OIDC identity provider,
+                  i.e., where to fetch /.well-known/openid-configuration.
+                minLength: 1
+                pattern: ^https://
+                type: string
+            required:
+            - authorizationConfig
+            - claims
+            - client
+            - issuer
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

test/integration/api_discovery_test.go

@@ -106,6 +106,15 @@ func TestGetAPIResourceList(t *testing.T) {
 						ShortNames:   []string{"webhookidp", "webhookidps"},
 						Categories:   []string{"all", "idp", "idps"},
 					},
+					{
+						Name:         "openidconnectidentityproviders",
+						SingularName: "openidconnectidentityprovider",
+						Namespaced:   true,
+						Kind:         "OpenIDConnectIdentityProvider",
+						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
+						ShortNames:   []string{"openidconnectidp", "openidconnectidps"},
+						Categories:   []string{"all", "idp", "idps"},
+					},
 				},
 			},
 		},

test/integration/oidc_test.go

@@ -0,0 +1,69 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package integration
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
+	"go.pinniped.dev/test/library"
+)
+
+func TestOIDC(t *testing.T) {
+	// Right now, we simply validate that we can create an OIDC provider CR. As we move forward with
+	// OIDC support, we will most likely remove this test in favor of one that actually tests real
+	// functionality.
+	namespace := library.GetEnv(t, "PINNIPED_NAMESPACE")
+	client := library.NewPinnipedClientset(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	oidcProvider := &idpv1alpha1.OpenIDConnectIdentityProvider{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "test-oidc-provider-",
+			Labels:       map[string]string{"pinniped.dev/test": ""},
+			Annotations:  map[string]string{"pinniped.dev/testName": t.Name()},
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "OpenIDConnectIdentityProvider",
+			APIVersion: idpv1alpha1.SchemeGroupVersion.String(),
+		},
+		Spec: idpv1alpha1.OpenIDConnectIdentityProviderSpec{
+			Issuer: "https://some-issuer",
+			AuthorizationConfig: idpv1alpha1.OpenIDConnectAuthorizationConfig{
+				RedirectURI: "http://localhost:12345",
+				Scopes: []string{
+					"tuna",
+					"fish",
+					"marlin",
+				},
+			},
+			Claims: idpv1alpha1.OpenIDConnectClaims{
+				Groups:   "something",
+				Username: "something-else",
+			},
+			Client: idpv1alpha1.OpenIDConnectClient{
+				SecretName: "some-secret-name",
+			},
+		},
+	}
+	var err error
+	oidcProvider, err = client.
+		IDPV1alpha1().
+		OpenIDConnectIdentityProviders(namespace).
+		Create(ctx, oidcProvider, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	err = client.
+		IDPV1alpha1().
+		OpenIDConnectIdentityProviders(namespace).
+		Delete(ctx, oidcProvider.Name, metav1.DeleteOptions{})
+	require.NoError(t, err)
+}