Updates based on code review

Signed-off-by: Margo Crawford <margaretc@vmware.com>

apis/supervisor/clientsecret/register.go.tmpl

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

apis/supervisor/clientsecret/v1alpha1/register.go.tmpl

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.17/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.17/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.17/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.17/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.17/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.17/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.17/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.17/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.18/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.18/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.18/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.18/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.18/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.18/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.18/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.18/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.19/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.19/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.19/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.19/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.19/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.19/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.19/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.19/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.20/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.2/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.20/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.20/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.20/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.20/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.20/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.20/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.20/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.21/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.21/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.21/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.21/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.21/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.21/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.22/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.22/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.22/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.22/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.22/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.22/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.22/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.22/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.23/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.23/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.23/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.23/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.23/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.23/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.23/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.23/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.24/README.adoc

@@ -219,6 +219,26 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-oidcclientsecretrequestspec"]
@@ -234,8 +254,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generateNewSecret`* __boolean__ | 
+| *`generateNewSecret`* __boolean__ | Request a new client secret to for the OIDCClient referenced by the metadata.name field.
-| *`revokeOldSecrets`* __boolean__ | 
+| *`revokeOldSecrets`* __boolean__ | Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -252,8 +272,8 @@ Package clientsecret is the internal version of the Pinniped client secret API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`generatedSecret`* __string__ | 
+| *`generatedSecret`* __string__ | The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if you lose it.
-| *`totalClientSecrets`* __integer__ | 
+| *`totalClientSecrets`* __integer__ | The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
 |===
 
 
@@ -265,6 +285,26 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
 
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequest"]
+==== OIDCClientSecretRequest 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestlist[$$OIDCClientSecretRequestList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec[$$OIDCClientSecretRequestSpec$$]__ | 
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequeststatus[$$OIDCClientSecretRequestStatus$$]__ | 
+|===
+
+
 
 
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-clientsecret-v1alpha1-oidcclientsecretrequestspec"]

generated/1.24/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/1.24/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/1.24/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/1.24/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/1.24/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/1.24/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/1.24/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/latest/apis/supervisor/clientsecret/register.go

@@ -32,6 +32,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	return nil
 }

generated/latest/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go

@@ -6,15 +6,26 @@ package clientsecret
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 type OIDCClientSecretRequestSpec struct {
+	// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
 	GenerateNewSecret bool `json:"generateNewSecret"`
-	RevokeOldSecrets  bool `json:"revokeOldSecrets"`
+
+	// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name
+	// field.
+	RevokeOldSecrets bool `json:"revokeOldSecrets"`
 }
 
 type OIDCClientSecretRequestStatus struct {
-	GeneratedSecret    string `json:"generatedSecret,omitempty"`
+	// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot
-	TotalClientSecrets int    `json:"totalClientSecrets"`
+	// be recovered if you lose it.
+	GeneratedSecret string `json:"generatedSecret,omitempty"`
+
+	// The total number of client secrets associated with the OIDCClient referenced by the
+	// metadata.name field.
+	TotalClientSecrets int `json:"totalClientSecrets"`
 }
 
+// OIDCClientSecretRequest can be used to update the client secrets associated with an
+// OIDCClient.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCClientSecretRequest struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -23,3 +34,13 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// OIDCClientSecretList is a list of OIDCClientSecretRequest objects.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	// Items is a list of OIDCClientSecretRequest
+	Items []OIDCClientSecretRequest
+}

generated/latest/apis/supervisor/clientsecret/v1alpha1/register.go

@@ -31,6 +31,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&OIDCClientSecretRequest{},
+		&OIDCClientSecretRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

generated/latest/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go

@@ -26,3 +26,11 @@ type OIDCClientSecretRequest struct {
 	Spec   OIDCClientSecretRequestSpec   `json:"spec"`
 	Status OIDCClientSecretRequestStatus `json:"status"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type OIDCClientSecretRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []OIDCClientSecretRequest `json:"items"`
+}

generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go

@@ -9,6 +9,8 @@
 package v1alpha1
 
 import (
+	unsafe "unsafe"
+
 	clientsecret "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +33,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestList)(nil), (*clientsecret.OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(a.(*OIDCClientSecretRequestList), b.(*clientsecret.OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*clientsecret.OIDCClientSecretRequestList)(nil), (*OIDCClientSecretRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(a.(*clientsecret.OIDCClientSecretRequestList), b.(*OIDCClientSecretRequestList), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OIDCClientSecretRequestSpec)(nil), (*clientsecret.OIDCClientSecretRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(a.(*OIDCClientSecretRequestSpec), b.(*clientsecret.OIDCClientSecretRequestSpec), scope)
 	}); err != nil {
@@ -86,6 +98,28 @@ func Convert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRe
 	return autoConvert_clientsecret_OIDCClientSecretRequest_To_v1alpha1_OIDCClientSecretRequest(in, out, s)
 }
 
+func autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]clientsecret.OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in *OIDCClientSecretRequestList, out *clientsecret.OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_OIDCClientSecretRequestList_To_clientsecret_OIDCClientSecretRequestList(in, out, s)
+}
+
+func autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]OIDCClientSecretRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList is an autogenerated conversion function.
+func Convert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in *clientsecret.OIDCClientSecretRequestList, out *OIDCClientSecretRequestList, s conversion.Scope) error {
+	return autoConvert_clientsecret_OIDCClientSecretRequestList_To_v1alpha1_OIDCClientSecretRequestList(in, out, s)
+}
+
 func autoConvert_v1alpha1_OIDCClientSecretRequestSpec_To_clientsecret_OIDCClientSecretRequestSpec(in *OIDCClientSecretRequestSpec, out *clientsecret.OIDCClientSecretRequestSpec, s conversion.Scope) error {
 	out.GenerateNewSecret = in.GenerateNewSecret
 	out.RevokeOldSecrets = in.RevokeOldSecrets

generated/latest/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

generated/latest/apis/supervisor/clientsecret/zz_generated.deepcopy.go

@@ -40,6 +40,39 @@ func (in *OIDCClientSecretRequest) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientSecretRequestList) DeepCopyInto(out *OIDCClientSecretRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OIDCClientSecretRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSecretRequestList.
+func (in *OIDCClientSecretRequestList) DeepCopy() *OIDCClientSecretRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientSecretRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OIDCClientSecretRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClientSecretRequestSpec) DeepCopyInto(out *OIDCClientSecretRequestSpec) {
 	*out = *in

internal/config/supervisor/config.go

@@ -24,6 +24,12 @@ const (
 	NetworkDisabled = "disabled"
 	NetworkUnix     = "unix"
 	NetworkTCP      = "tcp"
+
+	// Use 10250 because it happens to be the same port on which the Kubelet listens, so some cluster types
+	// are more permissive with servers that run on this port. For example, GKE private clusters do not
+	// allow traffic from the control plane to most ports, but do allow traffic to port 10250. This allows
+	// the Concierge to work without additional configuration on these types of clusters.
+	aggregatedAPIServerPortDefault = 10250
 )
 
 // FromPath loads an Config from a provided local file path, inserts any
@@ -50,6 +56,12 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 		return nil, fmt.Errorf("validate apiGroupSuffix: %w", err)
 	}
 
+	maybeSetAggregatedAPIServerPortDefaults(&config.AggregatedAPIServerPort)
+
+	if err := validateServerPort(config.AggregatedAPIServerPort); err != nil {
+		return nil, fmt.Errorf("validate aggregatedAPIServerPort: %w", err)
+	}
+
 	if err := validateNames(&config.NamesConfig); err != nil {
 		return nil, fmt.Errorf("validate names: %w", err)
 	}
@@ -105,6 +117,12 @@ func validateAPIGroupSuffix(apiGroupSuffix string) error {
 	return groupsuffix.Validate(apiGroupSuffix)
 }
 
+func maybeSetAggregatedAPIServerPortDefaults(port **int64) {
+	if *port == nil {
+		*port = pointer.Int64Ptr(aggregatedAPIServerPortDefault)
+	}
+}
+
 func validateNames(names *NamesConfigSpec) error {
 	missingNames := []string{}
 	if names.DefaultTLSCertificateSecret == "" {
@@ -193,3 +211,11 @@ func addrIsOnlyOnLoopback(addr string) bool {
 	}
 	return ip.IsLoopback()
 }
+
+func validateServerPort(port *int64) error {
+	// It cannot be below 1024 because the container is not running as root.
+	if *port < 1024 || *port > 65535 {
+		return constable.Error("must be within range 1024 to 65535")
+	}
+	return nil
+}

internal/config/supervisor/config_test.go

@@ -43,6 +43,7 @@ func TestFromPath(t *testing.T) {
 					address: 127.0.0.1:1234
 				insecureAcceptExternalUnencryptedHttpRequests: false
 				logLevel: trace
+				aggregatedAPIServerPort: 12345
 			`),
 			wantConfig: &Config{
 				APIGroupSuffix: pointer.StringPtr("some.suffix.com"),
@@ -68,6 +69,7 @@ func TestFromPath(t *testing.T) {
 				Log: plog.LogSpec{
 					Level: plog.LevelTrace,
 				},
+				AggregatedAPIServerPort: pointer.Int64Ptr(12345),
 			},
 		},
 		{
@@ -91,6 +93,7 @@ func TestFromPath(t *testing.T) {
 				log:
 				  level: info
 				  format: text
+				aggregatedAPIServerPort: 12345
 			`),
 			wantConfig: &Config{
 				APIGroupSuffix: pointer.StringPtr("some.suffix.com"),
@@ -116,6 +119,7 @@ func TestFromPath(t *testing.T) {
 					Level:  plog.LevelInfo,
 					Format: plog.FormatText,
 				},
+				AggregatedAPIServerPort: pointer.Int64Ptr(12345),
 			},
 		},
 		{
@@ -166,6 +170,7 @@ func TestFromPath(t *testing.T) {
 					Level:  plog.LevelTrace,
 					Format: plog.FormatText,
 				},
+				AggregatedAPIServerPort: pointer.Int64Ptr(10250),
 			},
 		},
 		{
@@ -202,7 +207,8 @@ func TestFromPath(t *testing.T) {
 						Network: "disabled",
 					},
 				},
-				AllowExternalHTTP: false,
+				AllowExternalHTTP:       false,
+				AggregatedAPIServerPort: pointer.Int64Ptr(10250),
 			},
 		},
 		{
@@ -332,7 +338,8 @@ func TestFromPath(t *testing.T) {
 						Address: ":1234",
 					},
 				},
-				AllowExternalHTTP: true,
+				AllowExternalHTTP:       true,
+				AggregatedAPIServerPort: pointer.Int64Ptr(10250),
 			},
 		},
 		{
@@ -363,7 +370,8 @@ func TestFromPath(t *testing.T) {
 						Address: ":1234",
 					},
 				},
-				AllowExternalHTTP: true,
+				AllowExternalHTTP:       true,
+				AggregatedAPIServerPort: pointer.Int64Ptr(10250),
 			},
 		},
 		{
@@ -420,6 +428,22 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantError: "validate apiGroupSuffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')",
 		},
+		{
+			name: "AggregatedAPIServerPortDefault too small",
+			yaml: here.Doc(`
+				---
+				aggregatedAPIServerPort: 1023
+			`),
+			wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535",
+		},
+		{
+			name: "AggregatedAPIServerPortDefault too large",
+			yaml: here.Doc(`
+				---
+				aggregatedAPIServerPort: 65536
+			`),
+			wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535",
+		},
 	}
 	for _, test := range tests {
 		test := test

internal/config/supervisor/types.go

@@ -15,10 +15,11 @@ type Config struct {
 	Labels         map[string]string `json:"labels"`
 	NamesConfig    NamesConfigSpec   `json:"names"`
 	// Deprecated: use log.level instead
-	LogLevel          *plog.LogLevel     `json:"logLevel"`
+	LogLevel                *plog.LogLevel     `json:"logLevel"`
-	Log               plog.LogSpec       `json:"log"`
+	Log                     plog.LogSpec       `json:"log"`
-	Endpoints         *Endpoints         `json:"endpoints"`
+	Endpoints               *Endpoints         `json:"endpoints"`
-	AllowExternalHTTP stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"`
+	AllowExternalHTTP       stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"`
+	AggregatedAPIServerPort *int64             `json:"aggregatedAPIServerPort"`
 }
 
 // NamesConfigSpec configures the names of some Kubernetes resources for the Supervisor.

internal/registry/clientsecretrequest/rest.go

@@ -9,19 +9,24 @@ import (
 	"fmt"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/utils/trace"
 
 	clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret"
 )
 
-func NewREST() *REST {
+func NewREST(resource schema.GroupResource) *REST {
-	return &REST{}
+	return &REST{
+		tableConvertor: rest.NewDefaultTableConvertor(resource),
+	}
 }
 
 type REST struct {
+	tableConvertor rest.TableConvertor
 }
 
 // Assert that our *REST implements all the optional interfaces that we expect it to implement.
@@ -30,19 +35,38 @@ var _ interface {
 	rest.NamespaceScopedStrategy
 	rest.Scoper
 	rest.Storage
+	rest.CategoriesProvider
+	rest.Lister
+	rest.TableConvertor
 } = (*REST)(nil)
 
 func (*REST) New() runtime.Object {
 	return &clientsecretapi.OIDCClientSecretRequest{}
 }
 
+func (*REST) NewList() runtime.Object {
+	return &clientsecretapi.OIDCClientSecretRequestList{}
+}
+
+func (*REST) List(_ context.Context, _ *metainternalversion.ListOptions) (runtime.Object, error) {
+	return &clientsecretapi.OIDCClientSecretRequestList{
+		ListMeta: metav1.ListMeta{
+			ResourceVersion: "0", // this resource version means "from the API server cache"
+		},
+		Items: []clientsecretapi.OIDCClientSecretRequest{}, // avoid sending nil items list
+	}, nil
+}
+
+func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOptions runtime.Object) (*metav1.Table, error) {
+	return r.tableConvertor.ConvertToTable(ctx, obj, tableOptions)
+}
+
 func (*REST) NamespaceScoped() bool {
 	return true
 }
 
 func (*REST) Categories() []string {
-	// because we haven't implemented lister, adding it to categories breaks things.
+	return []string{"pinniped"}
-	return []string{}
 }
 
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {

internal/supervisor/apiserver/apiserver.go

@@ -30,7 +30,7 @@ type ExtraConfig struct {
 	BuildControllersPostStartHook      controllerinit.RunnerBuilder
 	Scheme                             *runtime.Scheme
 	NegotiatedSerializer               runtime.NegotiatedSerializer
-	OauthVirtualSupervisorGroupVersion schema.GroupVersion
+	ClientSecretSupervisorGroupVersion schema.GroupVersion
 }
 
 type PinnipedServer struct {
@@ -74,8 +74,8 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 	var errs []error //nolint: prealloc
 	for _, f := range []func() (schema.GroupVersionResource, rest.Storage){
 		func() (schema.GroupVersionResource, rest.Storage) {
-			clientSecretReqGVR := c.ExtraConfig.OauthVirtualSupervisorGroupVersion.WithResource("oidcclientsecretrequests")
+			clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests")
-			clientSecretReqStorage := clientsecretrequest.NewREST()
+			clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource())
 			return clientSecretReqGVR, clientSecretReqStorage
 		},
 	} {

internal/supervisor/scheme/scheme.go

@@ -38,9 +38,9 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) {
 		return scheme, clientsecretv1alpha1.SchemeGroupVersion
 	}
 
-	oauthVirtualSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix)
+	clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(apiGroupSuffix)
 
-	addToSchemeAtNewGroup(scheme, clientsecretv1alpha1.GroupName, oauthVirtualSupervisorGroupData.Group, clientsecretv1alpha1.AddToScheme, clientsecretapi.AddToScheme)
+	addToSchemeAtNewGroup(scheme, clientsecretv1alpha1.GroupName, clientSecretSupervisorGroupData.Group, clientsecretv1alpha1.AddToScheme, clientsecretapi.AddToScheme)
 
 	// manually register conversions and defaulting into the correct scheme since we cannot directly call AddToScheme
 	schemeBuilder := runtime.NewSchemeBuilder(
@@ -57,7 +57,7 @@ func New(apiGroupSuffix string) (_ *runtime.Scheme, oauth schema.GroupVersion) {
 	// defaulting func registered, but it will almost certainly panic if one is added.
 	scheme.Default((*clientsecretv1alpha1.OIDCClientSecretRequest)(nil))
 
-	return scheme, schema.GroupVersion(oauthVirtualSupervisorGroupData)
+	return scheme, schema.GroupVersion(clientSecretSupervisorGroupData)
 }
 
 func addToSchemeAtNewGroup(scheme *runtime.Scheme, oldGroup, newGroup string, funcs ...func(*runtime.Scheme) error) {

internal/supervisor/scheme/scheme_test.go

@@ -44,10 +44,10 @@ func TestNew(t *testing.T) {
 	}
 
 	tests := []struct {
-		name                  string
+		name                         string
-		apiGroupSuffix        string
+		apiGroupSuffix               string
-		want                  map[schema.GroupVersionKind]reflect.Type
+		want                         map[schema.GroupVersionKind]reflect.Type
-		wantOAuthGroupVersion schema.GroupVersion
+		wantClientSecretGroupVersion schema.GroupVersion
 	}{
 		{
 			name:           "regular api group",
@@ -55,9 +55,11 @@ func TestNew(t *testing.T) {
 			want: map[schema.GroupVersionKind]reflect.Type{
 				// all the types that are in the aggregated API group
 
-				regularClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(),
+				regularClientSecretGV.WithKind("OIDCClientSecretRequest"):     reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(),
+				regularClientSecretGV.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequestList{}).Elem(),
 
-				regularClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(),
+				regularClientSecretGVInternal.WithKind("OIDCClientSecretRequest"):     reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(),
+				regularClientSecretGVInternal.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequestList{}).Elem(),
 
 				regularClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
 				regularClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
@@ -86,7 +88,7 @@ func TestNew(t *testing.T) {
 				metav1.Unversioned.WithKind("UpdateOptions"):   reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
 				metav1.Unversioned.WithKind("WatchEvent"):      reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
 			},
-			wantOAuthGroupVersion: regularClientSecretGV,
+			wantClientSecretGroupVersion: regularClientSecretGV,
 		},
 		{
 			name:           "other api group",
@@ -94,9 +96,11 @@ func TestNew(t *testing.T) {
 			want: map[schema.GroupVersionKind]reflect.Type{
 				// all the types that are in the aggregated API group
 
-				otherClientSecretGV.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(),
+				otherClientSecretGV.WithKind("OIDCClientSecretRequest"):     reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequest{}).Elem(),
+				otherClientSecretGV.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretv1alpha1.OIDCClientSecretRequestList{}).Elem(),
 
-				otherClientSecretGVInternal.WithKind("OIDCClientSecretRequest"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(),
+				otherClientSecretGVInternal.WithKind("OIDCClientSecretRequest"):     reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequest{}).Elem(),
+				otherClientSecretGVInternal.WithKind("OIDCClientSecretRequestList"): reflect.TypeOf(&clientsecretapi.OIDCClientSecretRequestList{}).Elem(),
 
 				otherClientSecretGV.WithKind("CreateOptions"): reflect.TypeOf(&metav1.CreateOptions{}).Elem(),
 				otherClientSecretGV.WithKind("DeleteOptions"): reflect.TypeOf(&metav1.DeleteOptions{}).Elem(),
@@ -125,15 +129,15 @@ func TestNew(t *testing.T) {
 				metav1.Unversioned.WithKind("UpdateOptions"):   reflect.TypeOf(&metav1.UpdateOptions{}).Elem(),
 				metav1.Unversioned.WithKind("WatchEvent"):      reflect.TypeOf(&metav1.WatchEvent{}).Elem(),
 			},
-			wantOAuthGroupVersion: otherClientSecretGV,
+			wantClientSecretGroupVersion: otherClientSecretGV,
 		},
 	}
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			scheme, oauthGV := New(tt.apiGroupSuffix)
+			scheme, clientSecretGV := New(tt.apiGroupSuffix)
 			require.Equal(t, tt.want, scheme.AllKnownTypes())
-			require.Equal(t, tt.wantOAuthGroupVersion, oauthGV)
+			require.Equal(t, tt.wantClientSecretGroupVersion, clientSecretGV)
 		})
 	}
 }

internal/supervisor/server/server.go

@@ -138,7 +138,8 @@ func prepareControllers(
 	leaderElector controllerinit.RunnerWrapper,
 	podInfo *downward.PodInfo,
 ) controllerinit.RunnerBuilder {
-	oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
+	const certificateName string = "pinniped-supervisor-api-tls-serving-certificate"
+	clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
 	federationDomainInformer := pinnipedInformers.Config().V1alpha1().FederationDomains()
 	secretInformer := kubeInformers.Core().V1().Secrets()
 
@@ -310,14 +311,14 @@ func prepareControllers(
 		WithController(
 			apicerts.NewCertsManagerController(
 				podInfo.Namespace,
-				"pinniped-supervisor-api-tls-serving-certificate",
+				certificateName,
 				cfg.Labels,
 				kubeClient,
 				secretInformer,
 				controllerlib.WithInformer,
 				controllerlib.WithInitialEvent,
-				31536000*time.Second,
+				365*24*time.Hour, // about one year
-				"Pinniped Aggregation CA",
+				"Pinniped Supervisor Aggregation CA",
 				cfg.NamesConfig.APIService,
 			),
 			singletonWorker,
@@ -325,8 +326,8 @@ func prepareControllers(
 		WithController(
 			apicerts.NewAPIServiceUpdaterController(
 				podInfo.Namespace,
-				"pinniped-supervisor-api-tls-serving-certificate",
+				certificateName,
-				oauthSupervisorGroupData.APIServiceName(),
+				clientSecretSupervisorGroupData.APIServiceName(),
 				aggregatorClient,
 				secretInformer,
 				controllerlib.WithInformer,
@@ -336,7 +337,7 @@ func prepareControllers(
 		WithController(
 			apicerts.NewCertsObserverController(
 				podInfo.Namespace,
-				"pinniped-supervisor-api-tls-serving-certificate",
+				certificateName,
 				dynamicServingCertProvider,
 				secretInformer,
 				controllerlib.WithInformer,
@@ -346,11 +347,11 @@ func prepareControllers(
 		WithController(
 			apicerts.NewCertsExpirerController(
 				podInfo.Namespace,
-				"pinniped-supervisor-api-tls-serving-certificate",
+				certificateName,
 				kubeClient,
 				secretInformer,
 				controllerlib.WithInformer,
-				23328000*time.Second,
+				9*30*24*time.Hour, // about 9 months
 				apicerts.TLSCertificateChainSecretKey,
 				plog.New(),
 			),
@@ -363,9 +364,9 @@ func prepareControllers(
 //nolint:funlen
 func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error {
 	serverInstallationNamespace := podInfo.Namespace
-	oauthSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
+	clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)
 
-	apiServiceRef, err := apiserviceref.New(oauthSupervisorGroupData.APIServiceName())
+	apiServiceRef, err := apiserviceref.New(clientSecretSupervisorGroupData.APIServiceName())
 	if err != nil {
 		return fmt.Errorf("cannot create API service ref: %w", err)
 	}
@@ -429,9 +430,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 		clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace), // writes to kube storage are allowed for non-leaders
 	)
 
-	// Get the "real" name of the oauth virtual supervisor API group (i.e., the API group name with the
+	// Get the "real" name of the client secret supervisor API group (i.e., the API group name with the
 	// injected suffix).
-	scheme, oauthGV := supervisorscheme.New(*cfg.APIGroupSuffix)
+	scheme, clientSecretGV := supervisorscheme.New(*cfg.APIGroupSuffix)
 
 	buildControllersFunc := prepareControllers(
 		cfg,
@@ -458,9 +459,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 		dynamicServingCertProvider,
 		buildControllersFunc,
 		*cfg.APIGroupSuffix,
-		10250,
+		*cfg.AggregatedAPIServerPort,
 		scheme,
-		oauthGV,
+		clientSecretGV,
 	)
 	if err != nil {
 		return fmt.Errorf("could not configure aggregated API server: %w", err)
@@ -561,16 +562,16 @@ func getAggregatedAPIServerConfig(
 	apiGroupSuffix string,
 	aggregatedAPIServerPort int64,
 	scheme *runtime.Scheme,
-	oauthVirtualSupervisorGroupVersion schema.GroupVersion,
+	clientSecretSupervisorGroupVersion schema.GroupVersion,
 ) (*apiserver.Config, error) {
 	codecs := serializer.NewCodecFactory(scheme)
 
 	// this is unused for now but it is a safe value that we could use in the future
-	defaultEtcdPathPrefix := fmt.Sprintf("/pinniped-concierge-registry/%s", apiGroupSuffix)
+	defaultEtcdPathPrefix := fmt.Sprintf("/pinniped-supervisor-registry/%s", apiGroupSuffix)
 
 	recommendedOptions := genericoptions.NewRecommendedOptions(
 		defaultEtcdPathPrefix,
-		codecs.LegacyCodec(oauthVirtualSupervisorGroupVersion),
+		codecs.LegacyCodec(clientSecretSupervisorGroupVersion),
 	)
 	recommendedOptions.Etcd = nil // turn off etcd storage because we don't need it yet
 	recommendedOptions.SecureServing.ServerCert.GeneratedCert = dynamicCertProvider
@@ -605,7 +606,7 @@ func getAggregatedAPIServerConfig(
 			BuildControllersPostStartHook:      buildControllers,
 			Scheme:                             scheme,
 			NegotiatedSerializer:               codecs,
-			OauthVirtualSupervisorGroupVersion: oauthVirtualSupervisorGroupVersion,
+			ClientSecretSupervisorGroupVersion: clientSecretSupervisorGroupVersion,
 		},
 	}
 	return apiServerConfig, nil

test/integration/kube_api_discovery_test.go

@@ -53,7 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
 	configConciergeGV := makeGV("config", "concierge")
 	idpSupervisorGV := makeGV("idp", "supervisor")
 	configSupervisorGV := makeGV("config", "supervisor")
-	oauthVirtualSupervisorGV := makeGV("clientsecret", "supervisor")
+	clientSecretSupervisorGV := makeGV("clientsecret", "supervisor")
 
 	tests := []struct {
 		group             metav1.APIGroup
@@ -113,26 +113,26 @@ func TestGetAPIResourceList(t *testing.T) {
 		},
 		{
 			group: metav1.APIGroup{
-				Name: oauthVirtualSupervisorGV.Group,
+				Name: clientSecretSupervisorGV.Group,
 				Versions: []metav1.GroupVersionForDiscovery{
 					{
-						GroupVersion: oauthVirtualSupervisorGV.String(),
+						GroupVersion: clientSecretSupervisorGV.String(),
-						Version:      oauthVirtualSupervisorGV.Version,
+						Version:      clientSecretSupervisorGV.Version,
 					},
 				},
 				PreferredVersion: metav1.GroupVersionForDiscovery{
-					GroupVersion: oauthVirtualSupervisorGV.String(),
+					GroupVersion: clientSecretSupervisorGV.String(),
-					Version:      oauthVirtualSupervisorGV.Version,
+					Version:      clientSecretSupervisorGV.Version,
 				},
 			},
 			resourceByVersion: map[string][]metav1.APIResource{
-				oauthVirtualSupervisorGV.String(): {
+				clientSecretSupervisorGV.String(): {
 					{
 						Name:       "oidcclientsecretrequests",
 						Kind:       "OIDCClientSecretRequest",
-						Verbs:      []string{"create"},
+						Verbs:      []string{"create", "list"},
 						Namespaced: true,
-						Categories: nil,
+						Categories: []string{"pinniped"},
 					},
 				},
 			},
@@ -354,11 +354,6 @@ func TestGetAPIResourceList(t *testing.T) {
 				if strings.HasSuffix(a.Name, "/status") {
 					continue
 				}
-				if a.Name == "oidcclientsecretrequests" {
-					// OIDCClientSecretRequest does not implement list,
-					// so it doesn't make sense for it to belong to a category.
-					continue
-				}
 				assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name)
 				assert.NotContainsf(t, a.Categories, "all", "expected resource %q not to be in the 'all' category", a.Name)
 			}