Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

cmd/pinniped/cmd/kubeconfig.go

@@ -251,23 +251,25 @@ func configureConcierge(credentialIssuer *configv1alpha1.CredentialIssuer, authe
 
 	// Autodiscover the --concierge-mode.
 	if flags.concierge.mode == modeUnknown { //nolint:nestif
+
+	strategyLoop:
 		for _, strategy := range credentialIssuer.Status.Strategies {
-			fe := strategy.Frontend
-			if strategy.Status != configv1alpha1.SuccessStrategyStatus || fe == nil {
+			if strategy.Status != configv1alpha1.SuccessStrategyStatus || strategy.Frontend == nil {
 				continue
 			}
-
-			switch fe.Type {
+			switch strategy.Frontend.Type {
 			case configv1alpha1.TokenCredentialRequestAPIFrontendType:
 				flags.concierge.mode = modeTokenCredentialRequestAPI
+				break strategyLoop
 			case configv1alpha1.ImpersonationProxyFrontendType:
 				flags.concierge.mode = modeImpersonationProxy
-				flags.concierge.endpoint = fe.ImpersonationProxyInfo.Endpoint
+				flags.concierge.endpoint = strategy.Frontend.ImpersonationProxyInfo.Endpoint
 				var err error
-				conciergeCABundleData, err = base64.StdEncoding.DecodeString(fe.ImpersonationProxyInfo.CertificateAuthorityData)
+				conciergeCABundleData, err = base64.StdEncoding.DecodeString(strategy.Frontend.ImpersonationProxyInfo.CertificateAuthorityData)
 				if err != nil {
 					return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
 				}
+				break strategyLoop
 			default:
 				//	Skip any unknown frontend types.
 			}

cmd/pinniped/cmd/kubeconfig_test.go

@@ -788,20 +788,36 @@ func TestGetKubeconfig(t *testing.T) {
 				&configv1alpha1.CredentialIssuer{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
 					Status: configv1alpha1.CredentialIssuerStatus{
-						Strategies: []configv1alpha1.CredentialIssuerStrategy{{
-							Type:           "SomeType",
-							Status:         configv1alpha1.SuccessStrategyStatus,
-							Reason:         "SomeReason",
-							Message:        "Some message",
-							LastUpdateTime: metav1.Now(),
-							Frontend: &configv1alpha1.CredentialIssuerFrontend{
-								Type: configv1alpha1.ImpersonationProxyFrontendType,
-								ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
-									Endpoint:                 "https://impersonation-proxy-endpoint.test",
-									CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
+						Strategies: []configv1alpha1.CredentialIssuerStrategy{
+							{
+								Type:           "SomeType",
+								Status:         configv1alpha1.SuccessStrategyStatus,
+								Reason:         "SomeReason",
+								Message:        "Some message",
+								LastUpdateTime: metav1.Now(),
+								Frontend: &configv1alpha1.CredentialIssuerFrontend{
+									Type: configv1alpha1.ImpersonationProxyFrontendType,
+									ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+										Endpoint:                 "https://impersonation-proxy-endpoint.test",
+										CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
+									},
 								},
 							},
-						}},
+							{
+								Type:           "SomeOtherType",
+								Status:         configv1alpha1.SuccessStrategyStatus,
+								Reason:         "SomeOtherReason",
+								Message:        "Some other message",
+								LastUpdateTime: metav1.Now(),
+								Frontend: &configv1alpha1.CredentialIssuerFrontend{
+									Type: configv1alpha1.ImpersonationProxyFrontendType,
+									ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+										Endpoint:                 "https://some-other-impersonation-endpoint",
+										CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
+									},
+								},
+							},
+						},
 					},
 				},
 				&conciergev1alpha1.JWTAuthenticator{